Getting started with rce
2022-07-05 13:54:00 【Cwxh0125】
Brief introduction
Command injection means breaking the structure of a command statement by submitting maliciously constructed parameters, so that malicious commands get executed. PHP command injection is one of the common scripting vulnerabilities in PHP applications.
When an application needs to call external programs to process content, it uses functions that execute system commands, such as system, exec and shell_exec in PHP. When the user can control the parameters passed to a command execution function, malicious system commands can be injected into the normal command, resulting in a command execution attack. ------------ Training documents
RCE is divided into remote command execution (ping) and remote code execution (eval).
The cause of the vulnerability: the input is not processed at the point where it is accepted.
It is commonly seen on the web management interfaces of devices such as routers, firewalls and intrusion detection systems.
Case study
Take the two RCE levels of the pikachu range as an example.
One. exec "ping"
Generally, the user is given a web interface for a ping operation. The user enters a target IP on the web interface; after submission, the back end runs a ping test against that IP address and returns the result. In effect, this is an interface that lets an attacker inject operating system commands or code directly into the back-end server and so control the back-end system. This is the RCE vulnerability. The specific back-end code is as follows:
$result.=shell_exec('ping '.$ip); // the variable is concatenated directly, with no processing
First, try pinging Baidu
Then try appending something after the address
Try to view the directory
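A hardened counterpart to the ping back end shown above, as an added example (not code from the original post or from pikachu): the input is accepted only if it is a literal IP address, and is then quoted before it reaches the shell. The function names build_ping_command and handle_ping are hypothetical, and the -c option assumes a Linux ping.

```php
<?php
declare(strict_types=1);

/**
 * Build the ping command for a user-supplied target, or return null when the
 * input is not a literal IPv4/IPv6 address. (Hypothetical helper name.)
 */
function build_ping_command(string $input): ?string
{
    $ip = trim($input);

    // Allow-list validation: only a syntactically valid IP address passes.
    // Input carrying anything extra (spaces, ; | & ` $ ...) is rejected.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }

    // Defence in depth: quote the value so the shell sees exactly one argument.
    // "-c 2" (assumed Linux ping) bounds how long the request can run.
    return 'ping -c 2 ' . escapeshellarg($ip);
}

/** Replacement for the direct concatenation in the vulnerable handler. */
function handle_ping(string $input): string
{
    $cmd = build_ping_command($input);
    if ($cmd === null) {
        return 'Invalid IP address';
    }
    return (string) shell_exec($cmd);
}

// Constructed sample inputs: print the decision without executing anything.
$samples = ['127.0.0.1', '::1', '127.0.0.1; echo injected', 'example.com', ''];
foreach ($samples as $s) {
    $cmd = build_ping_command($s);
    printf("%-28s => %s\n", var_export($s, true), $cmd ?? 'REJECTED');
}
```

Only the first two samples produce a command; the rest are rejected before any shell is involved, which is the processing step the vulnerable handler lacks.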
Two. exec "eval"
Back-end code:
if(@!eval($_POST['txt']))
Submit phpinfo(); directly