[Lab] DVWA Command Execution exercise

Low

Use:

; ls ../../


Source analysis:

<?php

if( isset( $_POST[ 'submit' ] ) ) 
{
    // Copy the submitted ip value into $target
    $target = $_REQUEST[ 'ip' ];

    if (stristr(php_uname('s'), 'Windows NT')) 
    {
        // On Windows, ping the target directly
        $cmd = shell_exec( 'ping  ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    }
    else 
    {
        // Otherwise (Linux), ping with 3 packets by default
        $cmd = shell_exec( 'ping  -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    }
}
?>
  • $_REQUEST[] does the same job as $_POST[] and $_GET[] (all data submitted by POST or GET is available through the $_REQUEST array), but it is slower
  • php_uname() - returns information about the system PHP is running on
  • stristr() - finds the first occurrence of a string inside another string (case-insensitive)
  • php_uname('s') - returns the name of the operating system


Medium

Use:

|| or &;& or &


Source analysis:

The filter is a little stricter, but still incomplete: it only strips '&&' and ';', so other shell operators pass through unchanged.

<?php

if( isset( $_POST[ 'submit'] ) ) 
{

    $target = $_REQUEST[ 'ip' ];

    // Filter out the && and ; command separators
    $substitutions = array(
        '&&' => '',
        ';' => '',
    );

    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );
    
    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) { 
    
        $cmd = shell_exec( 'ping  ' . $target );
        echo '<pre>'.$cmd.'</pre>';
        
    } else { 
    
        $cmd = shell_exec( 'ping  -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';
        
    }
}

?>

High

No luck here (Orz): only input of the form "number.number.number.number" is accepted and executed.

<?php

if( isset( $_POST[ 'submit' ] ) ) 
{

    $target = $_REQUEST[ "ip" ];
    
    /* 
        stripslashes() removes the backslashes that addslashes() added.
     */
    $target = stripslashes( $target );
    
    // Split the IP into 4 octets
    $octet = explode( ".", $target );
    
    // Check each octet is an integer
    if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4)  ) 
    {
    
        // If all 4 octets are int's put the IP back together.
        $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];
    
        // Determine OS and execute the ping command.
        if (stristr(php_uname('s'), 'Windows NT')) 
        { 
            $cmd = shell_exec( 'ping  ' . $target );
            echo '<pre>'.$cmd.'</pre>';
        } 
        else 
        { 
            $cmd = shell_exec( 'ping  -c 3 ' . $target );
            echo '<pre>'.$cmd.'</pre>';
        }
    }
    else
    {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    }
}

?>
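As an added example (this is not DVWA's code and not part of the original post), here is a hardened version of the same handler for the Medium and High levels above: the Medium blacklist is kept beside an IPv4 whitelist check, the argument is wrapped with escapeshellarg(), and the output is HTML-encoded. The function names, the sample inputs and the `-n 3` packet-count flag on Windows are my own assumptions. Note that the High-level is_numeric() check also accepts exponents and leading spaces (is_numeric("1e3") is true), which FILTER_VALIDATE_IP does not.

```php
<?php
// Added example, not DVWA's own code: hardened ping handler next to the
// Medium-level blacklist, run over a few constructed inputs.

// The Medium-level blacklist from the page: strips only '&&' and ';'.
function filterMedium(string $target): string
{
    $substitutions = ['&&' => '', ';' => ''];
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

// Whitelist: accept only a syntactically valid IPv4 address. Unlike the
// High-level is_numeric() check, this rejects "1e3.1.1.1" or " 1.1.1.1".
function validateIpv4(string $target): ?string
{
    $ip = filter_var($target, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// Build the ping command. escapeshellarg() is defence in depth: even if the
// whitelist were loosened later, the value is passed as one quoted argument.
// (-n 3 on Windows / -c 3 elsewhere are assumed packet-count flags.)
function buildPingCommand(string $ip, bool $isWindows): string
{
    $flags = $isWindows ? '-n 3' : '-c 3';
    return 'ping ' . $flags . ' ' . escapeshellarg($ip);
}

// Hardened version of the page's handler (hypothetical function name).
function handlePing(array $post): string
{
    if (!isset($post['submit']) || !isset($post['ip'])) {
        return '';
    }
    // Read from $_POST only, not $_REQUEST, so GET parameters cannot override it.
    $ip = validateIpv4((string) $post['ip']);
    if ($ip === null) {
        return '<pre>ERROR: You have entered an invalid IP</pre>';
    }
    $isWindows = stristr(php_uname('s'), 'Windows NT') !== false;
    $cmd = shell_exec(buildPingCommand($ip, $isWindows));
    // Encode the output so ping's response cannot inject HTML into the page.
    return '<pre>' . htmlspecialchars((string) $cmd, ENT_QUOTES, 'UTF-8') . '</pre>';
}

// Constructed sample inputs (not from the lab): a normal address, the Low
// payload shape from the page, the operators listed for Medium, and a value
// that is_numeric() would let through.
$samples = [
    '127.0.0.1',
    '127.0.0.1 ; ls ../../',
    '127.0.0.1 || ls',
    '127.0.0.1 &;& ls',
    '1e3.1.1.1',
];

printf("%-26s %-26s %s\n", 'input', 'after Medium filter', 'IPv4 whitelist');
foreach ($samples as $s) {
    printf(
        "%-26s %-26s %s\n",
        $s,
        filterMedium($s),
        validateIpv4($s) === null ? 'reject' : 'accept'
    );
}
```

Running the script prints one row per sample: the Medium column shows that every string except the plain address still contains a shell operator after filtering, while the whitelist column accepts only the plain address. In the DVWA page itself the handler would be wired in as `echo handlePing($_POST);` in place of the original block.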



Source: www.cnblogs.com/chrysanthemum/p/11517770.html