Command Execution
Having skimmed a few blog posts: the key to command injection is bypassing the filter and being familiar with Linux commands; you can only inject the commands you actually know how to use.
1、Low
<?php
if( isset( $_POST[ 'submit' ] ) ) {
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {
        $cmd = shell_exec( 'ping ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    } else {
        $cmd = shell_exec( 'ping -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    }
}
?>
The input is concatenated straight into the shell string, so any command separator works. Separators include the newline (\n), the semicolon (;), logical AND (&&, and the background operator &) and logical OR (||, and the pipe |); %1A can also be used as a separator in Windows batch scripts.
Payload: 127.0.0.1;cat /proc/version
2、Medium
<?php
if( isset( $_POST[ 'submit'] ) ) {
    $target = $_REQUEST[ 'ip' ];

    // Remove any of the characters in the array (blacklist).
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {
        $cmd = shell_exec( 'ping ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    } else {
        $cmd = shell_exec( 'ping -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';
    }
}
?>
Only && and ; are filtered, so logical OR (||, |), the single & and the newline (\n) still work. Because str_replace applies the two replacements one after the other, the input &;& is also left as && once the ; is removed.
3、High
<?php
if( isset( $_POST[ 'submit' ] ) ) {
    $target = $_REQUEST["ip"];
    $target = stripslashes( $target );

    // Split the IP into 4 octets
    $octet = explode(".", $target);

    // Check IF each octet is an integer
    if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4) ) {
        // If all 4 octets are int's put the IP back together.
        $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];

        // Determine OS and execute the ping command.
        if (stristr(php_uname('s'), 'Windows NT')) {
            $cmd = shell_exec( 'ping ' . $target );
            echo '<pre>'.$cmd.'</pre>';
        } else {
            $cmd = shell_exec( 'ping -c 3 ' . $target );
            echo '<pre>'.$cmd.'</pre>';
        }
    } else {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    }
}
?>
The input IP address is split into four parts on '.', each part is checked with is_numeric(), and only the four numeric octets are reassembled, so no separator reaches the shell. (is_numeric() still accepts values such as 1e2 or a leading sign, which make ping fail but contain nothing the shell treats as a separator.)
Searching Baidu confirms that there is no command injection vulnerability at this level.
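The three levels side by side, as an added Python model (not DVWA's own PHP): low(), medium() and high() re-implement the three filters above, _php_is_numeric() only approximates PHP's is_numeric(), and the payloads are constructed for the demonstration. Nothing is executed; surviving_separators() just reports which separators are left in the string that shell_exec() would receive.

```python
import re

# Added example: a Python model of the three DVWA filter levels shown above.
# It never runs a command; it only shows which shell separators survive.

SEPARATORS = ["&&", "&", "||", "|", ";", "\n"]


def low(target):
    # Level "low": the input is concatenated straight into
    # shell_exec('ping -c 3 ' . $target), nothing is removed.
    return target


def medium(target):
    # Level "medium": str_replace(array('&&' => '', ';' => ''), ...).
    # PHP applies the replacements one after another over the whole string,
    # which is why "&;&" collapses to "&&" once the ';' has been stripped.
    for bad in ("&&", ";"):
        target = target.replace(bad, "")
    return target


def _php_is_numeric(s):
    # Approximation of PHP's is_numeric(): optional leading whitespace,
    # optional sign, decimal integer or float, optional exponent.
    # Nothing a POSIX shell treats as a separator can pass this.
    return re.fullmatch(r"\s*[+-]?(\d+\.?\d*|\.\d+)([eE][+-]?\d+)?", s) is not None


def high(target):
    # Level "high": explode on '.', require exactly four numeric octets and
    # rebuild the address from them; anything else is rejected (None).
    octets = target.split(".")
    if len(octets) != 4 or not all(_php_is_numeric(o) for o in octets):
        return None
    return ".".join(octets)


def surviving_separators(level, payload):
    # Run one filter level over a payload and list the separators that are
    # still present in the string handed to the shell; None means rejected.
    out = level(payload)
    if out is None:
        return None
    return [sep for sep in SEPARATORS if sep in out]


if __name__ == "__main__":
    # Constructed payloads, one per separator trick discussed above.
    payloads = (
        "127.0.0.1;cat /proc/version",
        "127.0.0.1|cat /proc/version",
        "127.0.0.1&;&cat /proc/version",
        "127.0.0.1\ncat /proc/version",
    )
    for name, fn in (("low", low), ("medium", medium), ("high", high)):
        for p in payloads:
            print(name, repr(p), "->", surviving_separators(fn, p))
```

Running it prints, for each level, which of the separators in a payload would still reach ping; the medium row for "&;&" is the one that shows the str_replace ordering problem.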
4、Tools
Commix can be used to automate command injection testing.
5、Protection
Filter the parameters
Whitelist protection
If the command parameter has a recognisable format, protect it with a whitelist of allowed input characters, for example restricting it to [a-z][A-Z][0-9]_- or a similar limited set.
Blacklist protection
| ; ! & $ > < ` \ go straight onto the blacklist.
\t \n \r \f \u0000 also need to be blacklisted, especially the null byte \u0000, which truncates the string (JVM 6 offers no protection against this).
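As an added example of the whitelist recommendation above (my code, not DVWA's), the following Python validates the ping target and passes it to ping as a separate argv element, so no shell ever parses it. blacklist_check(), whitelist_ip(), whitelist_hostname(), build_ping_argv(), is_accepted() and run_ping() are names chosen here; the hostname character set is the [a-z][A-Z][0-9]_- set suggested above plus '.', and the test inputs are constructed.

```python
import ipaddress
import re
import subprocess

# Added example, not DVWA code: validate the ping target with a whitelist
# and hand it to ping as an argv element, so the shell never sees it.

# The characters the blacklist recommendation above lists.
BLACKLIST = set("|;!&$><`\\") | set("\t\n\r\f\x00")


def blacklist_check(target):
    """Blacklist approach: accept unless a listed character is present.
    Kept only for comparison: anything not on the list, such as a space
    followed by extra ping options, still reaches the shell untouched."""
    return not (set(target) & BLACKLIST)


def whitelist_ip(target):
    """Whitelist for addresses: the value must parse as IPv4. ipaddress
    rejects surrounding whitespace, exponents, a fifth octet and every
    non-digit; it returns the canonical dotted quad or raises ValueError
    (AddressValueError is a ValueError subclass)."""
    return str(ipaddress.IPv4Address(target))


def whitelist_hostname(target):
    """Whitelist for hostnames: the [a-z][A-Z][0-9]_- set suggested above
    plus '.', and the first character must be alphanumeric so the value
    can never be parsed by ping as an option such as -f."""
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,252}", target):
        raise ValueError("invalid hostname: %r" % target)
    return target


def build_ping_argv(target):
    """Return the argv list for ping. With an argv list there is no shell
    parsing at all, so even a metacharacter that survived validation
    would be a literal argument to ping, never a command separator."""
    try:
        safe = whitelist_ip(target)
    except ValueError:
        safe = whitelist_hostname(target)  # raises ValueError if this fails too
    return ["ping", "-c", "3", safe]


def is_accepted(target):
    """True if build_ping_argv() accepts the target, False if it rejects it."""
    try:
        build_ping_argv(target)
        return True
    except ValueError:
        return False


def run_ping(target):
    """Run ping with the validated argv (no shell=True) and return its output."""
    result = subprocess.run(build_ping_argv(target), capture_output=True, text=True)
    return result.stdout


if __name__ == "__main__":
    # Constructed inputs: two legitimate targets and two injection attempts.
    for t in ("127.0.0.1", "example.com", "127.0.0.1;cat /proc/version", "-f"):
        print(repr(t), "->", build_ping_argv(t) if is_accepted(t) else "rejected")
```

The blacklist function is there to show the weakness the text warns about: a value like "127.0.0.1 -c 100000" contains none of the listed characters and passes, whereas the whitelist rejects it because it is neither an address nor a hostname.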
6、Knowledge Summary
The general process:
1) Bypass the filter
Check whether the regex uses the multiline modifier (/foo/m), whether the end anchor fails to account for a trailing newline (/^\d+$/ still matches "123\n"), whether whitespace (\s) is allowed, and whether the backslash is written incorrectly in the pattern (/\/).
Quote escaping (when the source wraps the input in quotes it cannot be executed as-is); the bypasses are roughly: close the quote and comment out the trailing quote, or use \ to neutralise the escaping.
2) Command injection
Choosing the command to inject: my friend is great at this (tql), thoroughly familiar with Linux.
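An added example (not from the original post) of the step-1 checks: the regex anchor and whitespace pitfalls are shown with Python's re standing in for PHP's PCRE (the $ behaviour shown is the same in PCRE unless the D modifier is used), and the quote bypasses with shlex standing in for the shell's word splitting. quoted_command() models a source line of the form ping -c 3 "<input>" and, with escape_quotes=True, an application that backslash-escapes double quotes the way addslashes() does; all function names and payloads are mine.

```python
import re
import shlex

# Added example: the regex and quoting pitfalls of step 1, with Python's re
# in place of PCRE and shlex in place of the shell's word splitting.


def passes_multiline_anchor(value):
    # /^\d+$/m: with the multiline modifier ^ and $ also match at embedded
    # newlines, so a second command after "\n" is accepted.
    return re.match(r"^\d+$", value, re.MULTILINE) is not None


def passes_trailing_newline(value):
    # /^\d+$/ without /m: $ still matches just before one final newline,
    # so the anchor does not prove the input ends with a digit.
    return re.match(r"^\d+$", value) is not None


def passes_whitespace_class(value):
    # A whitelist that admits \s admits \n as well, and \n separates commands.
    return re.fullmatch(r"[\w.\s]+", value) is not None


def passes_strict(value):
    # fullmatch has no trailing-newline allowance and the class has no whitespace.
    return re.fullmatch(r"\d+(\.\d+){3}", value) is not None


def shell_words(command):
    """Split a command line into words the way a POSIX shell does:
    ';' becomes its own token and everything after an unquoted '#' is dropped."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def quoted_command(target, escape_quotes=False):
    """Model a source line of the form  ping -c 3 "<input>".
    With escape_quotes=True the application first turns every " into \\",
    as PHP's addslashes() would."""
    if escape_quotes:
        target = target.replace('"', '\\"')
    return 'ping -c 3 "' + target + '"'


def safe_command(target):
    # shlex.quote() plays the role of PHP's escapeshellarg(): the whole
    # value becomes exactly one word, whatever it contains.
    return "ping -c 3 " + shlex.quote(target)


if __name__ == "__main__":
    # Constructed payloads: close the quote and comment out the rest, then the
    # same trick with a backslash to defeat an application that escapes quotes.
    print(shell_words(quoted_command('127.0.0.1"; id #')))
    print(shell_words(quoted_command('127.0.0.1"; id #', escape_quotes=True)))
    print(shell_words(quoted_command('127.0.0.1\\"; id #', escape_quotes=True)))
    print(shell_words(safe_command('127.0.0.1"; id #')))
```

The second print shows that backslash-escaping the quote does stop the plain close-and-comment payload, and the third shows why that is not enough: the attacker supplies \" so that after escaping the shell sees \\" (an escaped backslash followed by a real closing quote). Only the escapeshellarg()-style quoting in the last line keeps the whole value as a single argument.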
Reference links: