
DVWA Series 7 low level Command execution vulnerability

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

Let's start by analyzing the Command Execution vulnerability in DVWA.

First, set DVWA Security to Low, select Command Execution, enter an IP address in the text box, and click Submit to execute the ping command.

Click "View Source" to view the source code of the page.

As you can see, the data is submitted via POST and assigned to the variable $target.

Next comes an if statement whose condition is "stristr(php_uname('s'), 'Windows NT')". It determines whether the current system is Windows, because the ping command takes different parameters under Windows and Linux.

The return value of "shell_exec('ping ' . $target)" is then assigned to the variable $cmd, and the value of $cmd is output. In effect the page simply runs "shell_exec('ping ' . $target)", so the shell_exec() function is the core here.

The purpose of the shell_exec() function is to execute operating system commands from PHP. If the input entered by the user is not filtered, any system command can in theory be executed, which is equivalent to directly obtaining a system-level shell, so a command execution vulnerability is much more powerful than SQL injection.

For example, when we type "127.0.0.1 | net user" into the text box, the "net user" command is executed through the pipe character "|". Once we understand the principle, we can go on to execute the commands "127.0.0.1 | net user test 123 /add" and "127.0.0.1 | net localgroup administrators test /add" to take down the entire server.

The main symbols that allow multiple commands to be executed at the same time under DOS are as follows:

"|": the output of the previous command is used as the input of the following command

"||": the following command is executed only when the previous command fails

"&": the previous command is executed, followed by the following command

"&&": the following command is executed only after the previous command has executed successfully

On a Linux system, you can also use a semicolon (;) to execute multiple commands at the same time.

You can also use redirection (>) to generate files on the server, or use (
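The Low-level handler described above passes $target straight into shell_exec(). The following is an added example, not DVWA's source and not code from the original article: it accepts the input only if it is a single IPv4 literal, so every separator listed above is rejected before a shell is involved. The function names validate_target and build_ping_command, the probe counts and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not DVWA's own source. Function names are hypothetical.

// Return the address if $input is exactly one IPv4 literal, otherwise null.
function validate_target(string $input): ?string
{
    $ip = filter_var(trim($input), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// Build the ping command line for the current OS from a validated address.
function build_ping_command(string $ip): string
{
    // Same OS test the page describes; -n / -c limit the number of probes.
    $count = stristr(php_uname('s'), 'Windows NT') ? '-n 3' : '-c 3';
    // Defence in depth: the validated value has no shell metacharacters,
    // but it is still passed to the shell as one quoted argument.
    return 'ping ' . $count . ' ' . escapeshellarg($ip);
}

// Constructed inputs: one legitimate value, then one per separator from the
// list above, each followed by a harmless echo.
$samples = [
    '127.0.0.1',
    '127.0.0.1 | echo injected',
    '127.0.0.1 || echo injected',
    '127.0.0.1 & echo injected',
    '127.0.0.1 && echo injected',
    '127.0.0.1 ; echo injected',
];

foreach ($samples as $input) {
    $ip = validate_target($input);
    if ($ip === null) {
        // The Low-level code would have run "ping <input>" through the shell.
        printf("REJECT  %s\n", $input);
        continue;
    }
    // A real handler would now call shell_exec() on this string and
    // HTML-escape the output before printing it.
    printf("ACCEPT  %s  ->  %s\n", $input, build_ping_command($ip));
}
```

Run from the command line, only the first sample is accepted; the other five fail validation and never reach the command string.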
