DVWA - Command Injection

Command injection:

The application takes user input at a point where it expects plain data, but the input also carries shell metacharacters that break out of the structure of the original command. When the application does not filter effectively, the attacker can run arbitrary commands, with results ranging from destroyed data and leaked information to full control of the target host. Command injection vulnerabilities have appeared in many CMS products.

Command connectors:

&&: run command a, then run command b only if a succeeded (exit status 0); if a fails, b is not run. This is the short-circuit AND operator.

&: run command a, then run command b regardless of whether a succeeded. (This is cmd.exe behaviour. In a POSIX shell a single "&" puts a in the background and then runs b; the "always run both" separator there is ";".)

||: run command a; if a succeeded, b is not run, and if a failed, b is run. This is the short-circuit OR operator.

|: a pipe. Command a runs and its standard output is fed to command b's standard input; b runs whether or not a succeeds, and a's own output is consumed by the pipe rather than shown.
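To see the connector semantics above with real exit statuses rather than a description, here is an added example (not part of the original post) that runs each form through /bin/sh and records what the right-hand command printed. It uses only `true`, `false`, `echo` and `tr`, so it runs offline; the single "&" case is demonstrated with ";" because in a POSIX shell "&" backgrounds the left command instead of chaining.

```python
import subprocess
from typing import Dict, Tuple

# Added example, not part of the original post: run each connector through
# /bin/sh and look at what the second command produced. `true` exits 0 and
# `false` exits 1, so whether "ran" appears tells us whether b executed.
# POSIX sh semantics: a single "&" backgrounds a instead of chaining, so the
# "always run both" case from cmd.exe is shown with ";" here.
CASES: Dict[str, str] = {
    "true && echo ran":        "&&: b runs only when a succeeded",
    "false && echo ran":       "&&: b is skipped when a failed",
    "true || echo ran":        "||: b is skipped when a succeeded",
    "false || echo ran":       "||: b runs when a failed",
    "false ; echo ran":        ";:  b runs regardless of a",
    "echo piped | tr a-z A-Z": "|:  a's stdout becomes b's stdin",
}


def run_sh(cmd: str) -> Tuple[str, int]:
    """Run cmd with /bin/sh -c; return (stripped stdout, exit status of the whole line)."""
    proc = subprocess.run(["/bin/sh", "-c", cmd], capture_output=True, text=True)
    return proc.stdout.strip(), proc.returncode


def connector_results() -> Dict[str, Tuple[str, int]]:
    """Map each connector case to what the shell actually printed and returned."""
    return {cmd: run_sh(cmd) for cmd in CASES}


if __name__ == "__main__":
    for cmd, (out, rc) in connector_results().items():
        print(f"{cmd:26} -> stdout={out!r:9} rc={rc}   # {CASES[cmd]}")
```

Read against the DVWA form: everything after the connector is what runs under the web server's account, and the `&&` rows show why a payload chained with `&&` only fires if ping itself succeeds, while `;` and `|` do not depend on it.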

 

Fixing garbled output:

When the command output comes back as garbled text (typically because a Chinese-locale Windows host prints ping/dir output in GBK while the DVWA page declares UTF-8), open dvwaPage.inc.php under DVWA-master\dvwa\includes, find "charset=utf-8" and change it to "charset=gb2312".

 

 

low level:

Source:

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?>

 Looking at the source, the ip parameter goes straight into shell_exec() without any filtering, so appending "&&", "&" or "|" plus a command to the IP field completes the injection. The examples below were run against a Windows host; 192.168.35.132 is the author's own address.

 1. Enter "192.168.35.132 && dir": the server runs ping 192.168.35.132 && dir, and the directory listing is appended to the ping output.

 2. Enter "192.168.35.132 & net user": the output of net user comes back in the same way.

 3. Enter "192.168.35.132 | dir" or "192.168.35.132 | net user": the injected command runs as well, but here ping's output is piped into it and is not shown; only the injected command's output is returned.

 Medium level:

Source:

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = $_REQUEST[ 'ip' ];

    // Set blacklist
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?> 

Reading the code, the medium level adds a small blacklist: "&&" and ";" are replaced with empty strings. That is not enough, so injection is still possible.

Entering "192.168.35.132 & dir" still works, which shows that "&" is not filtered.

"&&" and "&" do differ: "&&" is a short-circuit operator that runs the second command only if the first succeeded, while "&" runs both.

Entering "192.168.35.132&;& net view" also works: str_replace() applies each blacklist entry in order, one pass each, so removing ";" leaves "192.168.35.132&& net view" and nothing runs the "&&" rule a second time.

There are plenty of other separators not on the list, such as "|" and "||".

High level:

Source:

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Get input
    $target = trim($_REQUEST[ 'ip' ]);

    // Set blacklist
    $substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

    // Remove any of the charactars in the array (blacklist).
    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
        // Windows
        $cmd = shell_exec( 'ping  ' . $target );
    }
    else {
        // *nix
        $cmd = shell_exec( 'ping  -c 4 ' . $target );
    }

    // Feedback for the end user
    echo "<pre>{$cmd}</pre>";
}

?> 

This level looks closed, but it has a small bug: the blacklist entry is "| " with a trailing space inside the quotes, so a pipe written without that space, for example "192.168.35.132|net user", passes the filter untouched. Note also that "-" is stripped, so any flag in the injected command (the "-la" of "ls -la" on *nix) loses its dash, and "||" is removed only as a pair.
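To check the Low, Medium and High bypasses discussed above without a running DVWA, here is an added example (not DVWA's own code) that rebuilds the exact string each level hands to shell_exec() and reports which shell separator, if any, survives the blacklist. The blacklists and the "ping  " / "ping  -c 4 " prefixes are copied from the source shown on this page; the sequential single-pass behaviour of PHP's str_replace() is reproduced with str.replace().

```python
from typing import Dict, Optional

# Added example, not DVWA's own code: rebuild the string each DVWA level
# passes to shell_exec(). PHP's str_replace(array, array, subject) applies
# the pairs in order, each as one pass over the whole string, which is
# exactly what str.replace() does below.
BLACKLISTS: Dict[str, Dict[str, str]] = {
    "low":    {},
    "medium": {"&&": "", ";": ""},
    "high":   {"&": "", ";": "", "| ": "", "-": "", "$": "",
               "(": "", ")": "", "`": "", "||": ""},
}
SEPARATORS = ("&&", "||", "|", "&", ";")


def php_str_replace(subject: str, substitutions: Dict[str, str]) -> str:
    """Mimic str_replace(array_keys($s), $s, $subject): sequential, one pass per pair."""
    for search, replace in substitutions.items():
        subject = subject.replace(search, replace)
    return subject


def filtered_target(level: str, target: str) -> str:
    """What is left of the ip parameter after the level's blacklist ran."""
    if level == "high":
        target = target.strip()          # High also trim()s the input
    return php_str_replace(target, BLACKLISTS[level])


def build_command(level: str, target: str, windows: bool = False) -> str:
    """The string shell_exec() receives for this level (prefixes copied from the DVWA source)."""
    prefix = "ping  " if windows else "ping  -c 4 "
    return prefix + filtered_target(level, target)


def surviving_separator(level: str, target: str) -> Optional[str]:
    """First shell separator still present after filtering, or None if the payload was neutralised."""
    cleaned = filtered_target(level, target)
    hits = [(cleaned.find(s), s) for s in SEPARATORS if s in cleaned]
    if not hits:
        return None
    # "&&" and "&" start at the same index: prefer the longer token.
    return min(hits, key=lambda h: (h[0], -len(h[1])))[1]


if __name__ == "__main__":
    payloads = [
        ("low",    "192.168.35.132 && dir"),
        ("medium", "192.168.35.132 && dir"),
        ("medium", "192.168.35.132 & dir"),
        ("medium", "192.168.35.132&;& net view"),
        ("high",   "192.168.35.132 | net user"),
        ("high",   "192.168.35.132|net user"),
        ("high",   "127.0.0.1|ls -la"),
    ]
    for level, payload in payloads:
        print(f"{level:6} {payload!r:30} -> {build_command(level, payload)!r}"
              f"  sep={surviving_separator(level, payload)}")
```

The "&;&" row shows the Medium ordering bug (";" is deleted after the "&&" rule has already run), the "| net user" versus "|net user" rows show the High trailing-space bug, and the "ls -la" row shows the dash being stripped from the injected command's flags.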

 

 

Impossible level:

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $target = $_REQUEST[ 'ip' ];
    $target = stripslashes( $target );

    // Split the IP into 4 octects
    $octet = explode( ".", $target );

    // Check IF each octet is an integer
    if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
        // If all 4 octets are int's put the IP back together.
        $target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];

        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping  ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping  -c 4 ' . $target );
        }

        // Feedback for the end user
        echo "<pre>{$cmd}</pre>";
    }
    else {
        // Ops. Let the user name theres a mistake
        echo '<pre>ERROR: You have entered an invalid IP.</pre>';
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>

As you can see, the Impossible level adds an Anti-CSRF token and switches from a blacklist to a whitelist on the ip parameter: the input is split on "." and is only passed to ping if there are exactly four pieces and each one is numeric, so only input of the form "number.number.number.number" is executed and no separator can get through. One caveat: is_numeric() is looser than "digits only" (it also accepts values such as "1e3" or " 1"), so a few odd strings still reach ping; they contain no shell metacharacters, so there is no command injection, but a strict IP parser, or escapeshellarg() on the final value, would be cleaner.
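To make the whitelist argument concrete, here is an added example (not DVWA's own code) that re-creates the Impossible-level check in Python, shows which inputs it accepts, and sets it beside the stricter form a practitioner would ship: parse the value as an IPv4 address and run ping as an argument vector so no shell ever sees it. The php_is_numeric() helper is an approximation of PHP's is_numeric() written for this example.

```python
import ipaddress
import re
from typing import List, Optional

# Added example, not DVWA's own code. Re-creates the Impossible-level check
# (explode on "." + is_numeric on each piece + exactly four pieces), then
# shows the stricter alternative: parse as IPv4 and never invoke a shell.

# Approximation of PHP's is_numeric(): optional leading whitespace, optional
# sign, integer or decimal, optional exponent. Close enough to show that the
# DVWA check accepts more than plain dotted-decimal digits.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?$")


def php_is_numeric(value: str) -> bool:
    return bool(_PHP_NUMERIC.match(value))


def dvwa_impossible_target(target: str) -> Optional[str]:
    """Return the reassembled value DVWA would ping, or None when it reports an invalid IP."""
    octets = target.split(".")
    if len(octets) == 4 and all(php_is_numeric(o) for o in octets):
        return ".".join(octets)
    return None


def strict_ipv4(target: str) -> Optional[str]:
    """Accept only a well-formed dotted-decimal IPv4 address (each octet 0-255, no whitespace)."""
    try:
        return str(ipaddress.IPv4Address(target))
    except ValueError:
        return None


def ping_argv(target: str, windows: bool = False) -> List[str]:
    """Build ping as an argument vector; with subprocess.run(argv) there is no shell to inject into."""
    ip = strict_ipv4(target)
    if ip is None:
        raise ValueError("invalid IPv4 address")
    return ["ping", ip] if windows else ["ping", "-c", "4", ip]


if __name__ == "__main__":
    samples = ["192.168.35.132", "192.168.35.132 && dir", "127.0.0.1|id",
               "1e3.1.1.1", " 1.1.1.1", "1.2.3"]
    for t in samples:
        print(f"{t!r:26} dvwa={dvwa_impossible_target(t)!r:18} strict={strict_ipv4(t)!r}")
```

Both checks reject every payload from the earlier levels; the difference shows up on inputs like "1e3.1.1.1", which the is_numeric() version lets through to ping and the IPv4 parser refuses. Pairing the parser with an argv-style invocation removes the shell from the picture entirely, which is the fix that does not depend on getting a blacklist right.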

 

Origin www.cnblogs.com/qi-yuan/p/12401736.html