Php Command injection function and dvwa Command injection practice

2025-04-15 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

Command injection vulnerability

Note: this post analyzes command injection vulnerabilities and the PHP functions that are prone to them.

Functions with command injection vulnerabilities: system(), exec(), passthru(), shell_exec(), and the backtick operator `` (equivalent to shell_exec()).

Command injection vulnerability (shell_exec) based on the DVWA environment

1. Function usage

string shell_exec(string $command)

$command: the command to be executed

2. Low level

Source code:

Source code analysis:

The function first checks which operating system the environment is running on and executes the first command if it is Windows. On Linux the command is given the -c option: without it, ping on Linux keeps running indefinitely, and it only stops when -c specifies the number of packets to send.

You can see that no processing is applied to the user's input at the point where it is received. It is not hard to see that this is a typical command injection vulnerability, and this level is the easiest.

Let's test it normally:

As you can see, the data returned normally is the output of ping.

Now let's test it for command execution:

Constructed payload: 10.39.1.4 | net user

Explanation: | (pipe) passes the output of the previous command as the input of the following command.

net user lists the users that exist on the current system.

Test:

You can see that there are three users on the current system. If it were used for × ×, a command could be used to create a user; that is not shown in the demonstration.

Vulnerability analysis: the function executes the command without any processing of the user's input.

Knowledge expansion:

; (semicolon): in the Linux shell, several commands can be run in sequence when they are separated by semicolons.

&: the previous command is executed, followed by the following command.

&&: the following command is executed only after the previous command has succeeded.

|: the output of the previous command becomes the input of the following command.

||: the following command is executed only if the previous command fails.

3. Medium level

Source code:

Source code analysis:

The str_replace() function replaces some characters in a string with other characters (case sensitive).

$target = str_replace(array_keys($substitutions), $substitutions, $target); replaces any && or ; in the user's input with an empty string.

The other parts are basically the same as the low level.

The source code here performs an initial filtering of the user's input, removing some of the symbols that can chain commands, but we know that there are more symbols with the same effect than && and ;, so command injection is still possible.

Command injection test:

Constructed payload: 10.39.1.4 & net user

&: the previous command is executed, followed by the following command.

Test:

The execution result is still obtained.

Vulnerability analysis: although the source code at this level filters the user's input, it does not filter out all of the special symbols. Setting up a blacklist is not enough: you do not know what the user will enter, and anyone interested can still take advantage of this loophole.

4. High level

Source code:

Source code analysis:

The source code at this level is not much different from the medium level, but more symbols are added to the blacklist.

Only by thinking through this many cases can it be defended effectively.

Test:

Enter 10.39.1.4 | net user

Those methods can no longer be used. I didn't find a suitable way to exploit it.

Vulnerability analysis: a blacklist is never fully safe. As long as the blacklist is incomplete it is not safe, and even if you think the list is complete, there may be things you do not know about that can still be used.

5. Impossible level

Source code:
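An added example, not DVWA's own source: it contrasts the medium-level style blacklist with an allowlist check that only lets a syntactically valid IP address reach shell_exec(), and still quotes it with escapeshellarg(). The function and variable names are assumptions of the example.

```php
<?php
// Added example (not DVWA's code): blacklist filtering versus an allowlist.
// Only the validation step runs here; nothing is executed unless the final
// lines are enabled.

// Medium-level style filter: strip a few separator tokens, keep everything else.
function blacklist_filter(string $target): string {
    $substitutions = ['&&' => '', ';' => ''];
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

// Allowlist check: accept only a syntactically valid IPv4/IPv6 address,
// otherwise return null. Separators such as & ; | never pass this check.
function validate_ip(string $target): ?string {
    $ip = filter_var(trim($target), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Build the ping command from a validated address. Even after validation the
// argument is quoted with escapeshellarg() so the shell never parses it.
function build_ping_command(string $ip): string {
    $countFlag = PHP_OS_FAMILY === 'Windows' ? '-n' : '-c';
    return 'ping ' . $countFlag . ' 4 ' . escapeshellarg($ip);
}

// Constructed inputs: the post's normal input and the payloads it tested.
$inputs = ['10.39.1.4', '10.39.1.4 & net user', '10.39.1.4 | net user', '10.39.1.4;id'];
foreach ($inputs as $in) {
    printf("%-24s blacklist => %-22s allowlist => %s\n",
        var_export($in, true),
        var_export(blacklist_filter($in), true),   // payloads with & or | survive
        var_export(validate_ip($in), true));       // only the bare IP survives
}

// How the handler should use it: refuse anything that is not an IP address.
// $ip = validate_ip($_REQUEST['ip'] ?? '');
// if ($ip === null) { die('Invalid IP address'); }
// echo '<pre>' . htmlspecialchars((string) shell_exec(build_ping_command($ip))) . '</pre>';
```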
