"Notes" NetEase micro-professional-web security Engineer -04.web Security Combat-3. Command injection

command injection: means to destroy the structure of a command statement by committing a maliciously constructed parameter, thus achieving the purpose of executing a malicious command.

In the previous basic course, we mentioned that command injection requires three conditions:

1. Do you want to invoke the system command?

2. Is the function/parameter controllable?

3. Do you want to splice the input?

How to apply, we learn and experience in the actual combat in the next.

DVWA Combat:

1. Open Phpstudy or XAMPP, run Apach and MySQL;

2. The browser enters Dvwa main interface, in the left column Select Dvwa security level is low, then enter command injection;

3. After we enter an IP submission, we find that the result of pinging the IP is returned.

Note: If the return garbled, you can try the following methods:

Find the DVWA directory under the/dvwa/includes dvwaPage.inc.php file, the character set Utf-8 changed to gb2312, save a bit.

// Send Headers + main HTML code Header (' Cache-control:no-cache, Must-revalidate ');   // http/1.1//header (' content-type:text/html;charset=utf-8 ');     Todo-proper XHTML Headers ... Header (' content-type:text/html;charset=gb2312 ');     // todo-proper XHTML Headers ... Header (' Expires:tue, June 12:00:00 GMT ');    // Date in the past

Actually ping is the same as our own in Windows CMD. Therefore, we suspect that the backend is also called the System command, and the input parameters are spliced:

//Get Input    $target=$_request[' IP ' ]; //determine OS and execute the ping command.    if(Stristr(Php_uname(' s '), ' Windows NT ' ) ) {        //Windows        $cmd=shell_exec(' ping '.$target ); }    Else {        //*nix        $cmd=shell_exec(' Ping-c 4 '.$target ); }

Therefore, the commit operation on this side satisfies the three conditions of command injection, and there is a command injection vulnerability.

4. If we enter 123.125.114.144 && net user, we will get the following information:

A simple command injection vulnerability is exploited, requiring only common command connectors (&,&&,|,| |,; etc.) and system commands, which can be more damaging if the input commands are more menacing, such as entering 127.0.0.1 under Linux &&cat/etc/shadow can even read shadow files.

5. Next we transferred the security level to medium, and found an error: wrong parameter net. Let's take a look at the backstage code and find the "&&", ";" Filtering is essentially the way to blacklist.

// Set blacklist $substitutions Array (    ' && ' = ', '    ; '  ) = ",");

But the blacklist filter is limited, we can use & to exploit the vulnerability, enter 123.125.114.144 & net user, and since the key connector will be filtered, why not reverse the use, construct &;& connectors, so when; && has been effective.

6. Next we look at the high level of command injection, found that the above method is also invalid, view the background code, found that more command connectors are filtered.

// Set blacklist $substitutions Array (    ' & '  = ', '    ; '  ) = "',    ' | ' = = ',    '-' +  = ',    ' $ '  = = ',    ' ('  = ' = ',    ')  '    = ', ' '  = ",    ' | | ' = ",");

is still essentially a blacklist, so there are still limitations. For example, in the code ' | ' There is a space behind, so we can enter 123.125.114.144|net user directly.

Also, for non-echo scenarios, you can use the delay command to view the response speed (such as the ping 127.0.0.1-n 5 > nul or Sleep 5 under Linux under Windows) or to build the server to see if there is a request received (Ping under Windows, Telnet or Linux under the Wget,curl, etc.) method;

7. Finally we look at the impossible level of command injection, found that the above method is not feasible, and the error message also changed:Error:you has entered an invalid IP. View the background code, found that the parameter IP is strictly limited, only the "number. Number. Number" input will be received execution, effectively fixed the command injection vulnerability.

//Get Input$target=$_request[' IP ' ];$target=stripslashes($target );//Split the IP into 4 octects$octet=Explode( ".",$target );//Check IF Each octet are an integerif( (Is_numeric($octet[0])) && (Is_numeric($octet[1])) && (Is_numeric($octet[2])) && (Is_numeric($octet[3])) && (sizeof($octet) = = 4 ) ) {//If all 4 octets is int ' s put the IP back together.$target=$octet[0]. ‘.‘ .$octet[1]. ‘.‘ .$octet[2]. ‘.‘ .$octet[3];

Practical experience:

Use the whitelist to limit the user input commands, try not to use the blacklist, it is best to comply with all the input is not trusted principle, the input is strictly verified.

"Notes" NetEase micro-professional-web security Engineer -04.web Security Combat-3. Command injection