2023/03/22-23
8. Detailed explanation of command execution vulnerabilities and code execution vulnerabilities
Detailed explanation of code execution & command execution_A Little Bai Baixiao’s Blog-CSDN Blog
Detailed explanation of command execution vulnerability and code execution vulnerability
- Code execution: the attacker's input is run as the web application's own code (for example PHP) on the server.
- Command execution: the attacker's input is passed to an operating system command and run by the shell.
8.1 Command execution vulnerability:
1. Command execution: RCE
The web application's script code does not strictly filter the data it passes into commands, so an attacker can inject a string they control and remotely run arbitrary commands on the server with the privileges of the web service account.
- Lack of strict filtering at the code level
- System vulnerabilities cause command injection
- The third-party component called has a code execution vulnerability
Common command execution functions
PHP: exec, shell_exec, system, passthru, popen, proc_open, etc.
ASP.NET: System.Diagnostics.Process.Start, System.Diagnostics.ProcessStartInfo, etc.
Java: java.lang.Runtime.getRuntime, java.lang.Runtime.exec, etc.
2. Commonly used command execution functions
- system —Execute an external program and display the output
This function prints the command's output and returns the last line of that output as a string; if the command cannot be run it returns false.
```php
<?php
highlight_file(__FILE__);   // show this file's own source
system('pwd');              // prints the working directory
system('whoami');           // prints the account the web server runs as
?>
```
- exec: execute an external program
Prints nothing and returns only the last line of the command's output. Pass a second argument ($output) to receive every line of output as an array.
```php
<?php
highlight_file(__FILE__);
exec('pwd', $b);   // $b is filled with every output line
var_dump($b);      // inspect the array
?>
```
- passthru: execute an external program and display the raw output
The function only runs the command and writes its output directly to the client; it does not return the output.
```php
<?php
highlight_file(__FILE__);
passthru('ls');   // raw output goes straight to the response
?>
```
- shell_exec: execute a command through the shell environment and return the complete output as a string
Prints nothing but returns the whole output. The backtick operator (`cmd`) is equivalent to calling shell_exec().
```php
<?php
highlight_file(__FILE__);
var_dump(shell_exec('ls'));   // full output returned as one string
?>
```
- ob_start
The function turns on output buffering. While output buffering is active, the script sends nothing to the client (other than HTTP headers); everything that would be output is stored in an internal buffer instead.
The contents of the internal buffer can be copied into a string with ob_get_contents(). To send the buffered contents to the client, call ob_end_flush(); ob_end_clean() silently discards the buffer instead. ob_start() also accepts a callback that receives the buffered contents when the buffer is flushed.
```php
<?php
// Register system() as the output-buffer callback: whatever is buffered is
// handed to system() as its command string when the buffer is flushed.
ob_start("system");
echo "whoami";     // goes into the buffer, not to the client
ob_end_flush();    // flushing runs system("whoami")
?>
```
3. Command connectors
Connectors supported by both Windows and Linux:
cmd1 | cmd2: pipe; cmd1's output is fed into cmd2 and only cmd2's output is displayed
cmd1 || cmd2: cmd2 runs only if cmd1 fails
cmd1 & cmd2: cmd1 runs first, then cmd2 runs regardless of whether cmd1 succeeded
cmd1 && cmd2: cmd1 runs first; cmd2 runs only if cmd1 succeeded, otherwise it does not run
Linux additionally supports the semicolon:
cmd1 ; cmd2: run in order, cmd1 first, then cmd2
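The connectors above are exactly what a defender should look for in request parameters that reach a command function. The following is an added example, not code from the original post: a small PHP scanner that parses constructed access-log lines, percent-decodes the query string, and reports every parameter containing one of the listed connectors. The log format, the parameter names and the script path /cmd.php are assumptions made for the demonstration.

```php
<?php
// Added example (not from the original post): scan request parameters for the
// shell connectors listed above. Log lines and parameter names are constructed.
declare(strict_types=1);

/** Connectors in the order they must be checked (two-character forms first). */
const SHELL_CONNECTORS = ['||', '&&', '|', '&', ';'];

/**
 * Return the connectors found in one parameter value. Two-character forms are
 * consumed first so that "a && b" reports "&&" rather than "&" as well.
 */
function findConnectors(string $value): array
{
    $found = [];
    $rest = $value;
    foreach (SHELL_CONNECTORS as $c) {
        if (strpos($rest, $c) !== false) {
            $found[] = $c;
            $rest = str_replace($c, ' ', $rest);
        }
    }
    return $found;
}

/**
 * Parse a (constructed) access-log line of the form
 *   <ip> - - [<time>] "GET /cmd.php?url=<value> HTTP/1.1" <status>
 * and return every query parameter whose value contains a connector.
 */
function flagRequest(string $logLine): array
{
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP/', $logLine, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return [];
    }
    parse_str($query, $params);   // also percent-decodes, so %3B becomes ";"
    $alerts = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue;
        }
        $hits = findConnectors($value);
        if ($hits !== []) {
            $alerts[$name] = $hits;
        }
    }
    return $alerts;
}

// Constructed sample lines for a local run: one benign, two carrying connectors.
$samples = [
    '10.0.0.5 - - [22/Mar/2023:10:00:00 +0000] "GET /cmd.php?url=dir HTTP/1.1" 200',
    '10.0.0.5 - - [22/Mar/2023:10:00:01 +0000] "GET /cmd.php?url=dir%3Bwhoami HTTP/1.1" 200',
    '10.0.0.5 - - [22/Mar/2023:10:00:02 +0000] "GET /cmd.php?url=ls%20%7C%7C%20id&x=1 HTTP/1.1" 200',
];
foreach ($samples as $line) {
    $alerts = flagRequest($line);
    echo ($alerts === [] ? 'ok    ' : 'ALERT '), json_encode($alerts), PHP_EOL;
}
```

Decoding before matching matters: an encoded `%3B` or `%7C%7C` looks harmless in the raw log but becomes `;` or `||` by the time PHP hands it to system() or exec(). A check like this is a detection aid only; the fix is in the code that builds the command.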
4. Dangerous function exploitation
- system:
```php
<?php
highlight_file(__FILE__);
if(isset($_REQUEST['url'])){
    $url = ($_REQUEST['url']);   // untrusted input passed on without filtering
    $b = system($url, $a);       // $a receives the exit status, $b the last output line
    echo $a.PHP_EOL;
    echo $b.PHP_EOL;
}
?>
```
Malicious command execution:
?url=dir
File writing:
?url=echo 11111 > flag.php
- passthru:
Execute external program and display raw output
```php
<?php
highlight_file(__FILE__);
if(isset($_REQUEST['url'])){
    $url = ($_REQUEST['url']);
    passthru($url, $a);   // output goes straight to the response; $a receives the exit status
    echo $a.PHP_EOL;
}
?>
```
The same pattern runs a system command and can redirect its output into a file such as 22.txt.
- exec:
Executes the command given in its argument.
Note that exec() produces no visible output on its own: its return value has to be echoed for anything to appear in the response.
```php
<?php
highlight_file(__FILE__);
if(isset($_REQUEST['url'])){
    $url = ($_REQUEST['url']);
    echo exec($url);   // without echo the last output line would be discarded
}
?>
```
- shell_exec: basically the same as exec
Executes the command through the shell environment and returns the complete output, which must likewise be echoed to appear in the response.
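Every handler in section 4 has the same root cause: the request value becomes the command string itself. The following is an added example, not code from the original post, that places that vulnerable pattern beside a hardened rewrite. The rewrite lets the user pick only from a fixed allowlist of sub-commands, validates the one user-supplied argument against a strict character class, wraps it in escapeshellarg() so the shell receives exactly one argument, and checks the exit status. The function names, the allowlist (ls and du, so a POSIX shell is assumed) and the sample input are assumptions for the demonstration.

```php
<?php
// Added example (not from the original post): the vulnerable pattern from the
// notes next to a hardened rewrite. Function and parameter names are assumptions.
declare(strict_types=1);

// VULNERABLE: the request value is handed to the shell unchanged, so any
// connector in it (";", "&&", "|", ...) starts a second command.
function runUnsafe(string $url): string
{
    exec($url, $lines);
    return implode(PHP_EOL, $lines);
}

// HARDENED: the caller chooses only an allowlisted action, the single argument
// must match a strict character class, and it is still quoted with
// escapeshellarg() so the shell sees exactly one argument.
function runSafe(string $action, string $target): string
{
    $allowed = [
        'list' => 'ls -l',
        'size' => 'du -sh',
    ];
    if (!isset($allowed[$action])) {
        throw new InvalidArgumentException('unknown action');
    }
    // Plain filenames only: no slashes, no leading dash, no shell metacharacters.
    if (!preg_match('/^[A-Za-z0-9][A-Za-z0-9._-]{0,63}$/', $target)) {
        throw new InvalidArgumentException('invalid target');
    }
    $cmd = $allowed[$action] . ' ' . escapeshellarg($target);
    exec($cmd, $lines, $code);   // $code receives the exit status
    if ($code !== 0) {
        throw new RuntimeException("command failed with exit code $code");
    }
    return implode(PHP_EOL, $lines);
}

// Demonstration with a constructed input that carries a connector. The unsafe
// function is deliberately not called with it.
$hostile = 'flag.php; whoami';
try {
    runSafe('list', $hostile);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
// Even if the character-class check were missing, escapeshellarg() would turn
// the whole string into one single-quoted argument rather than two commands.
echo escapeshellarg($hostile), PHP_EOL;
```

The allowlist is the real control: it removes the user's ability to name a program at all. escapeshellarg() is kept as a second layer because it is cheap and survives later edits to the validation regex; escapeshellcmd() is weaker for this purpose, since it escapes metacharacters but still lets the user append extra arguments to the allowlisted program.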