Add to Favorites | Login | Register
Network Security Internet Technology Development Database Servers Mobile Phone Android Software Apple Software Computer Software News IT Information

In addition to Weibo, there is also WeChat

Please pay attention

WeChat public account

Shulou

About us Contact us

Web command execution vulnerability

2025-01-22 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >

Share

Shulou(Shulou.com)06/01 Report--

First, what is a command execution vulnerability:

Applications sometimes need to call some functions that execute system commands, such as system, exec, shell_exec, passthru, popen, proc_popen in PHP. When users can control the parameters in these functions, malicious system commands can be spliced into normal commands, resulting in command execution *, which is a command execution vulnerability.

Second, the conditions of utilization:

1. Apply the function that calls the command

2, concatenate user input as parameters of the system command into the command

3. User input is not filtered or not strictly filtered.

Third, the harm of vulnerabilities:

The person who uses the command can execute the command to get the information he wants.

(2) those who can take down the server can take down the server.

Fourth, examples:

Example 1:

Code:

Visit: http://127.0.0.1/mingling/simple1.php?cmd=ping%20127.0.0.1

That is, the "ping 127.0.0.1" command was executed.

Example 2:

Visit: http://192.168.25.107/simple2.php?cmd=127.0.0.1;pwd

The pwd command was executed

Example 3:

Visit: http://192.168.25.107/simple3.php?cmd=/home%22;ifconfig%22

The ifconfig command was executed

Example 4:

When visiting: http://192.168.25.107/simple4.php?code=phpinfo();

Pay attention to the semicolon after, of course, it can also be followed by a sentence *.

Example 5:

When visiting: http://192.168.25.107/simple5.php?fun=system&par=whoami

In fact, it is tantamount to execution:

System ("whoami")

Fifth: repair plan:

Minimize the use of functions that execute commands or disable them directly

Use quotation marks for parameter values as far as possible, including

Before using dynamic functions, make sure that the function you use is one of the specified functions

Filter parameters and escape sensitive characters before entering the function / method that executes the command

Such as:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.

Views: 0

*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.

Tag Search: Commands functions examples parameters vulnerabilities characters users systems inputs strings data applications in a word that is code users information semicolons dynamic that is vpn macOS Linux MariaDB MySQL Docker Shulou Information Shulou Technology Shulou Tech Info OPPO Reno Redmi Xiaomi NVidia Microsoft Huawei Apple Xiaomi Shulou Technology OPPO Reno Microsoft NVidia Redmi Shulou Tech Info MariaDB MySQL Docker Apple vpn macOS Shulou Information Linux Huawei Xiaomi Shulou Technology OPPO Reno Microsoft NVidia Redmi Shulou Tech Info MariaDB MySQL Docker Apple vpn macOS Shulou Information Linux Huawei

Share To

Related

Network Security

More Network Security >

Latest Network Security More Network Security >

Latest Internet Technology More Internet Technology >

Latest Development More Development >

Latest Database More Database >

Latest Servers More Servers >

Latest Mobile Phone More Mobile Phone >

Latest Android Software More Android Software >

Latest Apple Software More Apple Software >

Latest Computer Software News More Computer Software News >

Latest IT Information More IT Information >

Wechat

About us Contact us Product review car news thenatureplanet

© 2024 shulou.com SLNews company. All rights reserved.

12
Report