[DVWA (h)] Command Injection Vulnerability


Command Execution Vulnerability (Command Injection)

Preface:

This is somewhat similar to SQL injection: through a flaw in how input is handled, you can run commands that should never be executable. It requires familiarity with the CMD (or shell) command set, something I also need to strengthen.

The difference between the &, &&, | and || command separators:

A & B: A and B run regardless of each other's result (Windows cmd runs A then B; a Unix shell puts A in the background and starts B at once);

A && B: B runs only after A has succeeded;

A | B: the output of A becomes the input of B;

A || B: B runs only if A fails.


low:

1. Observation:

Entering the IP 127.0.0.1 returns normally, but this time the output contains garbled text (the ping output of a Chinese Windows host is not UTF-8).

In Firefox this can be fixed with View -> Text Encoding -> Simplified Chinese.

2. Vulnerability test:

Enter 127.0.0.1 && help

The output of help comes back along with the ping result, which shows the vulnerability exists and that there is clearly no protection at all.

3. View the source code:

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?> 

As expected, there is no protection whatsoever!


medium:

1. Test and observe:

Enter 127.0.0.1 and submit: normal;
Enter 127.0.0.1&&help and submit: the result is as shown in the figure;

2. Guess:

&& has been filtered, so switch the command separator: enter help||help, and the result is as shown in the figure:

The guess is correct: && is filtered. We then make the command before || fail so that the command after it is executed. The command before || is `ping help`, which fails because "help" cannot be resolved as a host; [1] in the figure is that error output, and [2] is the output of the help command that runs after ||.

3. View the source code:

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Set blacklist
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?> 

"&&" and ";" are filtered. Note that str_replace() applies the array entries one after another, each over the result of the previous one, so the filter is also bypassable for the separator it tries to block: "&;&" has no "&&" to remove in the first pass, and after ";" is stripped in the second pass the string contains "&&" again.


high:

1. Look at the source code first

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = trim($_REQUEST[ 'ip' ]);

    // Set blacklist
    $substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?> 

There is a block of filtering here that nearly kills everything, but one entry is '| ' (pipe followed by a space), which means a bare '|' can still be used (I don't quite understand why such an obvious gap was left; is it deliberate? Otherwise there would be no way to attack).

2. Test:

Enter 127.0.0.1|help; the test succeeds.


impossible:

The format of the ip input is restricted, so there is no way to bypass it!
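To make the medium and high bypasses above reproducible without a DVWA install, here is an added example (my own Python, not DVWA's code) that transcribes the two blacklists from the PHP, rebuilds the exact string the *nix branch hands to shell_exec(), and reports which command separators survive. It also shows the whitelist approach that the impossible level relies on, in my own form, since the page does not show that code: accept only a literal IPv4 address and pass it to ping as an argv element with no shell in between. The operator regex and the payload list are assumptions I constructed for the demonstration; the payloads are the ones the write-up tries plus the "&;&" trick against the ordered str_replace().

```python
import ipaddress
import re

# Blacklists transcribed from the PHP above (added example, not DVWA's code).
# PHP's str_replace() with array arguments applies the entries one after
# another, in array order, each over the result of the previous one; a loop
# of str.replace() reproduces that exactly.
BLACKLISTS = {
    "low": {},
    "medium": {"&&": "", ";": ""},
    "high": {"&": "", ";": "", "| ": "", "-": "", "$": "",
             "(": "", ")": "", "`": "", "||": ""},
}

# Shell metacharacters that would start a second command (assumption: the
# *nix branch, i.e. a POSIX sh behind shell_exec()). Two-character
# operators are listed first so "&&" is not reported as two "&".
OPERATOR_RE = re.compile(r"\|\||&&|\$\(|[|;&`]")


def apply_blacklist(level: str, target: str) -> str:
    """Return the target as the page sees it after its blacklist."""
    if level == "high":
        target = target.strip()  # the high level calls trim() first
    for needle, replacement in BLACKLISTS[level].items():
        target = target.replace(needle, replacement)
    return target


def build_command(level: str, target: str) -> str:
    """The exact string the *nix branch concatenates into shell_exec()."""
    return "ping  -c 4 " + apply_blacklist(level, target)


def surviving_operators(level: str, target: str) -> set:
    """Command separators left in the string the shell will parse."""
    return set(OPERATOR_RE.findall(build_command(level, target)))


def validate_ipv4(target: str):
    """Whitelist check (my own version): accept only a literal dotted-quad
    IPv4 address. Anything else, including any shell metacharacter or
    whitespace, makes IPv4Address() raise and is rejected."""
    try:
        return str(ipaddress.IPv4Address(target.strip()))
    except ValueError:
        return None


def safe_ping_argv(target: str) -> list:
    """Hardened form: validated address passed as an argv element, so no
    shell ever parses the input and separators are never interpreted."""
    ip = validate_ipv4(target)
    if ip is None:
        raise ValueError(f"rejected target: {target!r}")
    return ["ping", "-c", "4", ip]


if __name__ == "__main__":
    # Constructed payloads in the order the write-up tries them, plus "&;&".
    for level, payload in [("low", "127.0.0.1 && help"),
                           ("medium", "127.0.0.1&&help"),
                           ("medium", "127.0.0.1&;&help"),
                           ("high", "127.0.0.1 | help"),
                           ("high", "127.0.0.1||help"),
                           ("high", "127.0.0.1|help")]:
        print(f"{level:7} {payload!r:22} -> {build_command(level, payload)!r}"
              f"  separators left: {surviving_operators(level, payload)}")
    for t in ["127.0.0.1", "127.0.0.1|help"]:
        print(f"validate_ipv4({t!r}) -> {validate_ipv4(t)!r}")
```

Running it shows why each level falls: at medium, "127.0.0.1&&help" is neutralised but "127.0.0.1&;&help" comes out as "127.0.0.1&&help"; at high, "127.0.0.1 | help" and "127.0.0.1||help" are both stripped while "127.0.0.1|help" keeps its "|". The validator rejects every one of those payloads, and because safe_ping_argv() never builds a shell string, even an address that somehow contained a separator could not start a second command.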


Afterword:

As for exploiting this kind of vulnerability, I haven't yet thought of how to use it.

Origin www.cnblogs.com/wayne-tao/p/11105964.html