DVWA V1.9: Command Injection

Command Injection Introduction

The purpose of a command injection attack is to inject and execute commands chosen by the attacker in a vulnerable application. In this situation the application, which ends up executing unwanted system commands, behaves like a pseudo system shell, and the attacker can use it as any authorized system user would.

However, the injected commands run with the same privileges and environment as the web service.

Command injection attacks are possible in most cases because of a lack of proper validation of input data, which the attacker can manipulate (forms, cookies, HTTP headers, etc.).

The syntax and commands may differ between operating systems (OS) such as Linux and Windows, depending on the desired action.

This attack is also referred to as "Remote Command Execution (RCE)".

Low level

Core code

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>

Related functions

stristr(string, search, before_search)
Finds the first occurrence of search inside string (case-insensitively) and returns the remainder of the string from that point; if search is not found it returns FALSE.
Parameters: string is the string to be searched; search is the string to search for (if it is a number, the character with that ASCII value is searched for); before_search is an optional boolean, default false, and if set to true the function returns the part of string that precedes the first occurrence of search.

php_uname(mode)
Returns a description of the operating system PHP is running on. mode may be "a" (the default; all of the modes "snrvm" in sequence), "s" (operating system name), "n" (host name), "r" (release name), "v" (version information) or "m" (machine type).

The code determines the operating system and runs the matching ping command, but applies no filtering at all to the ip parameter, which results in a serious command injection vulnerability.

Official Tips

This allows direct input into one of the many PHP functions that will execute commands on the operating system. It is possible to escape out of the designed command and execute unintended actions.

This can be done by adding on to the request: "once the command has executed successfully, run this command".

Spoiler: to add a command, use "&&".
Example: 127.0.0.1 && dir.

Exploit

On both Windows and Linux, "&&" can be used to run several commands in one line:

43.247.91.228&&ifconfig

On Linux the shadow file can even be read, which shows how much harm this can do:

43.247.91.228&&cat /etc/shadow

Medium level

Core code

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Set blacklist
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>

Compared with the Low-level code, the server now does some filtering of the ip parameter: it deletes "&&" and ";". This is essentially a blacklist mechanism, so the security problem remains.

Official Tips

The developer has read up on command injection and placed various pattern patches to filter the input. However, this isn't enough.

Various other system syntax can be used to break out of the desired command.

Spoiler: e.g. background the ping command.

Exploit

Method one:
Because only "&&" and ";" are filtered, a single "&" is unaffected.

43.247.91.228&ifconfig

Note the difference between "&&" and "&":

Command 1&&Command 2
Runs Command 1 first; Command 2 runs only if Command 1 succeeded, otherwise it is not executed.
Command 1&Command 2
Runs Command 1 first, and Command 2 is executed regardless of whether Command 1 succeeded.

Method two:
Because str_replace replaces "&&" and ";" with the empty string, the filter can be bypassed like this:

43.247.91.228&;&ifconfig

This works because in "43.247.91.228&;&ifconfig" the ";" is replaced with the empty string, turning the input into "43.247.91.228&&ifconfig", which then executes successfully.

High level

Core code

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = trim($_REQUEST[ 'ip' ]);

    // Set blacklist
    $substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>

Compared with the Medium-level code, the High-level code extends the blacklist further, but because of the inherent limits of a blacklisting mechanism it can still be bypassed.

Official Tips

At the high level, the developer has gone back to the drawing board and put in more pattern matching. But even that isn't enough.

The developer has either made a typo with the filters or believes in a certain PHP command that will save them from this mistake.

Spoiler: trim() removes all leading & trailing spaces, right?

Exploit

The blacklist appears to filter every dangerous character, but on closer inspection the entry that is replaced with the empty string is "| " (a pipe followed by a space), not "|" on its own, so a bare "|" slips through the net:

43.247.91.228 |ifconfig

Command 1 | Command 2
"|" is the pipe operator: the output of Command 1 becomes the input of Command 2, and only the result of Command 2 is printed.
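To see why the Medium and High blacklists fail, here is an added example (not DVWA's own code) that re-implements both str_replace blacklists from the page as functions and runs the page's own inputs through them; still_injectable() is an assumed helper that only checks whether a shell control character survived the filter.

```php
<?php
// Added example, not DVWA's own code: re-implement the Medium and High
// blacklists from the page as functions and run the page's inputs through
// them, to show why stripping known-bad substrings is not a security control.

function medium_filter(string $target): string {
    $substitutions = ['&&' => '', ';' => ''];
    // str_replace applies each search term once, in array order, and never
    // re-scans the result, which is exactly why "&;&" collapses into "&&".
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

function high_filter(string $target): string {
    $target = trim($target);
    $substitutions = [
        '&' => '', ';' => '', '| ' => '', '-' => '', '$' => '',
        '(' => '', ')' => '', '`' => '', '||' => '',
    ];
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

// Assumed helper: does the filtered string still carry a shell control
// character that would let a second command follow the ping target?
function still_injectable(string $filtered): bool {
    return preg_match('/[&|;`$()\n]/', $filtered) === 1;
}

$cases = [
    // label, input taken from the page, filter to apply
    ['Medium: "&&" stripped',   '43.247.91.228&&ifconfig',  'medium_filter'],
    ['Medium: "&" untouched',   '43.247.91.228&ifconfig',   'medium_filter'],
    ['Medium: "&;&" collapses', '43.247.91.228&;&ifconfig', 'medium_filter'],
    ['High: "| " is not "|"',   '43.247.91.228 |ifconfig',  'high_filter'],
];

foreach ($cases as [$label, $input, $filter]) {
    $out = $filter($input);
    printf("%-26s %-26s -> %-24s %s\n", $label, $input, $out,
        still_injectable($out) ? 'still injectable' : 'clean');
}
```

Only the first case comes out clean; the other three leave "&", "&&" or "|" in the string that is handed to shell_exec(), which is the detection point a code reviewer should look for rather than the contents of the blacklist.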

Impossible Level

Core code

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $target = $_REQUEST[ 'ip' ];
    $target = stripslashes( $target );

    // Split the IP into 4 octects
    $octet = explode( ".", $target );

    // Check IF each octet is an integer
    if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
        // If all 4 octets are int's put the IP back together.
        $target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];

        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping  ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping  -c 4 ' . $target );
        }

        // Feedback for the end user
        echo "<pre>{$cmd}</pre>";
    }
    else {
        // Ops. Let the user name theres a mistake
        echo '<pre>ERROR: You have entered an invalid IP.</pre>';
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

Related functions

stripslashes(string)
Removes backslashes from string and returns the un-escaped string.

explode(separator, string, limit)
Splits a string into an array and returns the array of strings. separator specifies where to split the string, string is the string to split, and the optional limit specifies the maximum number of array elements to return.

is_numeric(string)
Checks whether the value is a number or a numeric string; returns TRUE if it is, otherwise FALSE.

The Impossible-level code adds an Anti-CSRF token and strictly restricts the ip parameter: only input of the form "number.number.number.number" is accepted and executed, so there is no command injection vulnerability.

Official Tips

In the impossible level, the challenge has been rewritten to only allow a very strict input.
If this doesn't match and doesn't produce a certain result, it will not be allowed to execute.
Rather than "black listing" filtering (allowing any input and removing unwanted parts), this uses "white listing" (only allowing certain values).
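As an added example of the whitelist approach (not DVWA's own code), the validator below checks the whole value with PHP's built-in IP filter instead of testing each octet with is_numeric(), which also accepts numeric forms such as "1e3" or "-1", and it still quotes the argument with escapeshellarg() before the value reaches the shell; the two "constructed" inputs are made up for this example.

```php
<?php
// Added example, not DVWA's own code: a whitelist validator for the ping
// target. is_numeric() accepts forms such as "1e3", " 1" or "-1", so the
// Impossible-level octet check lets through strings that are numeric but not
// addresses. FILTER_VALIDATE_IP accepts only a real dotted-quad IPv4 address.

function validate_ping_target(string $raw): ?string {
    $target = trim($raw);
    // Returns the string itself when it is an IPv4 address, otherwise false.
    $ip = filter_var($target, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

function build_ping_command(string $raw): ?string {
    $ip = validate_ping_target($raw);
    if ($ip === null) {
        return null;   // caller reports "invalid IP" and never calls shell_exec()
    }
    $base = stristr(php_uname('s'), 'Windows NT') ? 'ping ' : 'ping -c 4 ';
    // Defence in depth: even the validated value is passed to the shell as a
    // single quoted argument, so it can never be read as a second command.
    return $base . escapeshellarg($ip);
}

// The page's inputs, plus two constructed values that the octet check would
// accept, run through the validator.
$inputs = [
    '127.0.0.1',                  // valid address
    '43.247.91.228&&ifconfig',    // Low-level input from the page
    '43.247.91.228&;&ifconfig',   // Medium-level input from the page
    '43.247.91.228 |ifconfig',    // High-level input from the page
    '1e3.1.1.1',                  // constructed: every octet passes is_numeric()
    '-1.1.1.1',                   // constructed: numeric octets, not an address
];
foreach ($inputs as $in) {
    $cmd = build_ping_command($in);
    printf("%-28s -> %s\n", $in, $cmd ?? 'rejected');
}
```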

Lab address:
username admin, password password.
DVWA V1.9 online lab
Reference links:
Beginner's Guide: Full-level tutorial DVWA-1.9 Command Injection


Origin blog.csdn.net/qq_43233085/article/details/104074744