PHP code audit: Command Injection Vulnerability

Original link: https://blog.csdn.net/God_XiangYu/article/details/97822937

When your talent cannot yet support your ambition,

then you should settle down and study.


      Notes from an online code-audit lab course: I worked through the hands-on exercises while writing these up, so they are easy to refer back to later.

Table of Contents

Causes of command injection vulnerabilities

Brief introduction

Related functions

Command injection vulnerability prevention


Causes of command injection vulnerabilities

      A command injection attack lets an attacker feed specially crafted input into a program in order to change its control flow or the commands it runs. PHP command injection arises when data submitted by the user is passed, without strict filtering, to a function that runs an external program or system command: an attacker constructs a special command string, submits it to the web application, and has it executed, gaining illegal access to data or network resources.

Brief introduction

PHP command injection is a common class of vulnerability in PHP applications.

Well-known PHP applications such as Discuz! and DedeCMS have had command injection vulnerabilities published in the past. From such a vulnerability an attacker can quickly obtain control of the web server and go on to plant malware on the site (挂马), run phishing pages and carry out other malicious attacks, so the impact and harm are huge.

At the same time, PHP accounts for a large share of web application development, so web application programmers should be aware of the harm a command injection vulnerability can do.

Note the difference between PHP command injection, SQL injection and PHP code execution vulnerabilities:

  • SQL injection: SQL statements are injected and then parsed and executed by the back-end database

  • PHP code execution: PHP code is injected into the web application and executed by the web container (the PHP interpreter)

  • Command injection: system commands (such as CMD commands on Windows or Bash commands on Linux) are injected and executed

Related functions:

   system(), exec(), passthru(), shell_exec(), popen(), proc_open(), pcntl_exec(): seven functions in total.

 

Command injection functions fall into three categories

The first class of functions

       This class includes system(), exec(), shell_exec() and passthru(). Each can be passed a command directly, executes it and returns the result. system() is the simplest: the command's output is printed automatically without any output function such as echo, so we explain system() first.

In the code below, the variable $id receives the value (a string) of the GET parameter named bash and then passes it to system() as the command to execute:


  
  
    <?php
    $id = $_GET['bash'];
    system("$id");
    ?>

 Analysing the code, the payload we construct is ?bash=pwd; the page then successfully returns the directory path of the current .php file.

 Several other functions work the same way, such as exec(), shell_exec() and passthru(); try them yourself by hand.

exec() function


  
  
    <?php
    $id = $_GET['bash'];
    $get = exec("$id");   // exec() returns only the last line of output
    echo $get;

shell_exec() function


  
  
    <?php
    $id = $_GET['bash'];
    $get = shell_exec("$id");   // shell_exec() returns the complete output as a string
    echo $get;

passthru() function


  
  
    <?php
    $id = $_GET['bash'];
    $get = passthru("$id");   // passthru() writes the raw output directly and returns null
    echo $get;                // so this echo adds nothing; the output was already sent

 

The second class of functions

Description:

       resource popen ( string $command , string $mode )

      Opens a pipe to a process spawned by running the given command.

  • The first parameter, $command, is the command to be executed
  • The second parameter, $mode, determines the mode: 'r' or 'w', for reading from or writing to the process

 

       This class includes popen() and proc_open(). When a command is passed to these functions it is executed, but its result is not returned: the function returns a pipe handle, not the command output.

The code is shown below:


  
  
    <?php
    $bash = $_GET['bash'];
    popen("$bash", 'r');

 Analysing the code, the payload we construct is ?bash=ifconfig >> /tmp/popen.txt. The page returns no information, but the command has run: the output of ifconfig is appended to the file popen.txt under /tmp.

 

The third class of functions

Description:

      • void pcntl_exec ( string $path [, array $args [, array $envs ]] )


  
  
Executes the specified program with the given arguments:
  • path: must be the path of an executable binary, or of a script whose first line (the shebang) names the executable interpreter
    (for example, a Perl script whose first line is #!/usr/local/bin/perl)
  • args: an array of strings passed to the program as arguments
  • envs: an array of strings passed to the program as environment variables, in key => value form, where the key is the name of the environment variable and the value is its value

In other words, $path is the path of the executable program; if it is a Bash or Perl script, the file must start with a header line such as #!/bin/bash so the interpreter can be identified; $args holds the arguments passed to the program; and $envs holds the environment variables under which the program runs.

Reference Links: https://www.shiyanlou.com/courses/895

 

Command injection vulnerability prevention

Usually we can use a whitelist to filter user input; this is a universal defence.

In addition there are several specific recommendations:

  1. Use a library function or a custom function instead of calling an external command

  2. Use the escapeshellarg() function to process command arguments

  3. Use safe_mode_exec_dir to specify the directory of executable programs
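The vulnerable sink from this article beside the hardened forms that the whitelist and recommendations 1 and 2 describe, as an added example that is not part of the original post. The ping feature, the host parameter and the function names are assumptions for illustration, and a Linux host where ping takes -c is assumed; safe_mode_exec_dir is not shown because PHP's safe mode, and that directive with it, was removed in PHP 5.4.

```php
<?php
// Added example, not code from the original post. The "ping a host" feature,
// the parameter name "host" and the function names are assumptions made for
// illustration; the sink and the defences are the ones the article discusses.

// VULNERABLE: the raw parameter is interpolated into the shell command line, so
// a value containing a shell metacharacter such as ';' or '|' makes the shell
// run a second command (the same flaw as the $_GET['bash'] examples above).
function ping_vulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 $host");
}

// Whitelist: accept only a strict hostname/IPv4 pattern and reject a leading
// '-', so the value can be neither a shell command nor an option to ping.
function is_allowed_host(string $host): bool
{
    return preg_match('/^(?!-)[A-Za-z0-9.-]{1,253}$/', $host) === 1;
}

// HARDENED: whitelist first, then escapeshellarg(), which wraps the value in
// single quotes and escapes embedded quotes so the shell sees exactly one
// argument. escapeshellarg() alone would not stop a leading '-' from being read
// as a ping option, which is why both are applied (defence in depth).
function ping_hardened(string $host): string
{
    if (!is_allowed_host($host)) {
        throw new InvalidArgumentException('host contains disallowed characters');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Recommendation 1: avoid the external command entirely. Resolving the name
// with the library function gethostbyname() involves no shell at all.
function host_resolves(string $host): bool
{
    // gethostbyname() returns its input unchanged when resolution fails
    return is_allowed_host($host) && gethostbyname($host) !== $host;
}

header('Content-Type: text/plain');
try {
    echo ping_hardened($_GET['host'] ?? '127.0.0.1');
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'rejected: ', $e->getMessage();
}
```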


I don't need freedom, I just want to carry her dream,

moving forward one step at a time; she is never heavy.


 
