brief introduction

Command Injection, Command injection , It means to destroy the structure of command statement by submitting maliciously constructed parameters , So as to achieve the purpose of executing malicious commands .PHP The command injection exploit is PHP One of the common scripting vulnerabilities in applications .

When the application needs to call some external programs to process the content , It will use some functions to execute system commands . Such as PHP Medium system,exec,shell_exec etc. , When the user can control the parameters in the command execution function , Inject malicious system commands into normal commands , Cause command execution attacks .                                                         ------------ Training documents

Divided into remote command execution ping And remote code execution evel.
The reason for the vulnerability ： There is no input processing at the input port .
Our common router 、 A firewall 、 Intrusion detection and other devices web On the management interface

Case study

With pikachu Two lanes of the shooting range RCE As an example

One .exec"ping"

Generally, users will be provided with a ping Operation of the web Interface , User from web Input target on the interface IP, After submission , The backstage will be right for IP Address once ping test , And return the test results . In fact, this is an interface , It allows attackers to inject operating system commands or code directly into the background server , To control the background system , This is it. RCE Loophole . The specific back-end code is as follows ：

$result.=shell_exec('ping '.$ip);// Splice variables directly , I didn't deal with it

Try first ping Baidu

Try splicing at the back

Try to view the directory

Two .exec"evel"

Back end code ：

if(@!eval($_POST['txt']))

  Submit directly phpinfo（）;