Common web attacks 2: Command Injection (Command Execution)

Source: Internet
Author: User

Previously, I introduced Brute Force, which is the most common type of web attack. Today I will introduce command injection attacks.


A so-called web command attack (command injection) occurs when data entered by a user is passed into a system command without strict validation or filtering, giving an attacker the chance to append commands of their own that then run with the web server's privileges.

I am not very familiar with web command attacks, so let me point to two links about them instead.

https://www.owasp.org/index.php/Testing_for_Command_Injection_(OWASP-DV-013)

Chinese: http://www.bkjia.com/Article/201208/146517.html

1. First, let's take a look at the very dangerous code.

[Image] Web command attack - insecure code

This code uses the submitted data directly, without any filtering, which is very dangerous. The value is concatenated into a command line and handed to the shell, so if the "IP address" the user enters is not a plain address but carries shell syntax after it (a second command separated by `;`, `&&` or `|`), the shell runs that second command as well.
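As an added example (my own code, not the page's missing listing), here is the insecure pattern in PHP: the submitted `ip` value is concatenated into a `ping` command line and passed to shell_exec(). The request values in the loop are constructed for the demo, and the loop prints the command line that would reach the shell instead of executing it, so it is safe to run anywhere.

```php
<?php
// Added example (not the original page's code): the insecure pattern.
// The user-supplied "ip" value is concatenated straight into a shell
// command line. Nothing stops the value from containing shell syntax.

declare(strict_types=1);

/** Build the command exactly as the insecure handler would (no validation). */
function buildPingCommandInsecure(string $target): string
{
    // Same OS switch the vulnerable handler uses: Windows ping has no -c flag.
    if (stristr(php_uname('s'), 'Windows NT')) {
        return 'ping ' . $target;
    }
    return 'ping -c 3 ' . $target;
}

/** The insecure handler: hands the unfiltered value to the shell. */
function handleInsecure(array $request): string
{
    if (!isset($request['ip'])) {
        return '';
    }
    $cmd = buildPingCommandInsecure($request['ip']);
    return (string) shell_exec($cmd);   // attacker controls the command line
}

// Constructed inputs (assumed, not from the page). Print what would reach the
// shell instead of executing it.
$inputs = [
    'benign'   => '127.0.0.1',
    'chained'  => '127.0.0.1; id',               // ';' ends ping, starts id
    'and'      => '127.0.0.1 && cat /etc/passwd', // runs if ping succeeds
    'pipe'     => '127.0.0.1 | whoami',           // runs regardless of ping
    'subshell' => '$(id)',                        // expanded before ping runs
];
foreach ($inputs as $label => $ip) {
    printf("%-9s %s\n", $label, buildPingCommandInsecure($ip));
}

// Uncomment on a Unix test host to see the real effect (runs the injected command!):
// echo handleInsecure(['ip' => '127.0.0.1; id']);
```

Every line the loop prints is a valid shell command line; only the first one is the command the developer intended.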

2. The following code adds a first layer of data filtering. Let's take a look.

[Image] Web command attack - medium-security code

We can see that this code uses the str_replace function to filter the IP address: strings on a blacklist are replaced with the empty string. But a blacklist only catches the separators it lists. An input that uses a separator the list does not cover still reaches the shell unchanged, so this is not a real fix.

str_replace function reference: https://www.php.net/manual/en/function.str-replace.php

3. Finally, let's look at the secure code below.

[Image] Web command attack - secure code

This code checks that the obtained IP address consists only of numbers (four dotted octets) and refuses to run the command for anything that is not a well-formed address. Of the three versions this is the safest, because it validates against what is allowed rather than stripping what is known to be bad. Two points still matter in practice: the numeric check must be strict (in PHP, is_numeric() accepts forms such as "1e3"; ctype_digit() per octet, or filter_var() with FILTER_VALIDATE_IP, is the direct test), and any value that does reach shell_exec() should additionally be wrapped in escapeshellarg().
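As an added example (my own code, not the page's listings), the blacklist-style "medium" filter is shown next to a strict whitelist check of the kind the secure version describes, using the same PHP functions the page lists (str_replace, stripslashes, explode, stristr, shell_exec). The contents of the blacklist and the sample inputs are assumptions for illustration; the page does not show which strings its str_replace removes.

```php
<?php
// Added example (not the original page's code): blacklist filtering versus
// strict validation. The blacklist contents are an assumption for the demo.

declare(strict_types=1);

/** Medium-style filter: delete known-bad strings, keep everything else. */
function filterBlacklist(string $target): string
{
    $blacklist = ['&&', ';'];              // assumed list; incomplete by design
    return str_replace($blacklist, '', $target);
}

/** Strict check: exactly four dotted octets, each a decimal integer 0..255. */
function isValidIpv4(string $target): bool
{
    $octets = explode('.', stripslashes($target));
    if (count($octets) !== 4) {
        return false;
    }
    foreach ($octets as $o) {
        // ctype_digit rejects '', signs, spaces and '1e3' (is_numeric would not).
        if ($o === '' || !ctype_digit($o) || (int) $o > 255) {
            return false;
        }
    }
    return true;
}

/** Secure handler: validate first, and still quote the argument. */
function buildPingCommandSafe(string $target): ?string
{
    if (!isValidIpv4($target)) {
        return null;                       // rejected: never reaches the shell
    }
    // escapeshellarg() is a second layer; it is a no-op risk for a clean address.
    $flag = stristr(php_uname('s'), 'Windows NT') ? '' : '-c 3 ';
    return 'ping ' . $flag . escapeshellarg($target);
}

// Constructed inputs (assumed, not from the page).
$inputs = [
    '127.0.0.1',
    '127.0.0.1; id',            // blacklist removes ';'  -> "127.0.0.1 id"
    '127.0.0.1 && id',          // blacklist removes '&&'
    '127.0.0.1 | id',           // NOT on the list: survives the blacklist intact
    '127.0.0.1 || id',          // likewise
    '1e3.0.0.1',                // is_numeric('1e3') is true; ctype_digit is not
];
foreach ($inputs as $ip) {
    printf("%-18s after blacklist: %-18s strict: %s\n",
        $ip, filterBlacklist($ip), buildPingCommandSafe($ip) ?? 'REJECTED');
}

// Only a value that passed isValidIpv4() is ever executed:
// $out = shell_exec(buildPingCommandSafe('127.0.0.1'));
```

The output makes the difference visible: the pipe variants pass straight through the blacklist, while the strict check rejects every input except the plain address.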

PHP function references for the code above:
stripslashes: https://www.php.net/manual/en/function.stripslashes.php
explode: https://www.php.net/manual/en/function.explode.php
stristr: https://www.php.net/manual/en/function.stristr.php
shell_exec: https://www.php.net/manual/en/function.shell-exec.php


The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.