A command injection vulnerability lets a web application execute a command it does not normally expose, which may be an operating system command or a custom script. The book "Metasploit Penetration Test Devil Training Camp" analyzes a command injection vulnerability in the WordPress plug-in Zingiri, but its explanation of the root cause of the vulnerability is not especially clear.

I. The interaction process that triggers the vulnerability
While triggering the vulnerability, the traffic was captured with Wireshark, which showed that the trigger involves four files of the Zingiri plug-in: ajaxfilemanager.php, ajax_file_cut.php, ajax_create_folder.php and ajax_save_name.php.

II. Explanation of the key functions
(i) The SessionAction class
This class is defined in class.sessionAction.php; the two functions relevant to the vulnerability are defined as follows:
Here $selectedDocIndex is a variable defined by the class whose value is 'ajax_selected_doc'.
As you can see, the set() and get() functions of the SessionAction class are the accessor functions for the $_SESSION['ajax_selected_doc'] variable.
(ii) The displayArray function
The function is defined in function.base.php, as follows:
The function mainly prints out the $array array passed in to it.
(iii) The writeInfo function
The function is also defined in function.base.php, as follows:
The main job of this function is to write the contents of the $data argument passed in to the file data.php.
(iv) The mechanism of ob_start() and ob_get_clean()
ob_start() turns on output buffering, so anything echoed afterwards is held in a buffer instead of being sent to the client; ob_get_clean() returns the buffered contents as a string and discards the buffer, turning buffering off. The mechanism is illustrated by the code example below:
When the fourth line of the code is commented out, "Hello World" is not output; once the comment is removed, "Hello World" is output.

III. The location where the vulnerability is triggered
Following the interaction captured by Wireshark, the four files involved in the call were examined in turn. The key code that triggers the vulnerability is located in ajax_file_cut.php and ajax_save_name.php; the key code of these two files is as follows:
ajax_file_cut.php Key Code
ajax_save_name.php Key Code
Calling ajax_file_cut.php invokes the $sessionAction->set() function, which assigns $_POST['selectedDoc'] to $_SESSION['ajax_selected_doc'] without any restriction or validation of the POST variable.
Calling ajax_save_name.php reads $_SESSION['ajax_selected_doc'] back out at (1), and at (2) and (3) outputs $_SESSION['ajax_selected_doc'] into the data.php file.
Because $_POST['selectedDoc'] is never checked, an attacker can construct $_POST['selectedDoc'] as a webshell, which is then written into data.php, turning that file into a webshell.
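As an added illustration (not the plugin's own code), the following PHP models the data flow just described, $_POST['selectedDoc'] stored by set(), read back by get() and written out through output buffering, beside a hardened variant that validates the value and persists it as data rather than PHP source. selectedDoc is assumed to be an array of file names, and every function name below is hypothetical.

```php
<?php
// Added example, not the Zingiri plugin's own code: a condensed model of the
// ajax_file_cut.php -> ajax_save_name.php flow, beside a hardened variant.
// selectedDoc is modelled as an array of file names; all names are assumptions.
const SELECTED_DOC_INDEX = 'ajax_selected_doc';   // the SessionAction slot

// --- Vulnerable flow, as the post describes it ------------------------------
function vulnerableFileCut(array $post): void {
    // SessionAction::set(): the POST value is stored with no validation.
    $_SESSION[SELECTED_DOC_INDEX] = $post['selectedDoc'];
}
function vulnerableSaveName(string $dataFile): void {
    ob_start();                                 // capture echo output
    print_r($_SESSION[SELECTED_DOC_INDEX]);     // stands in for displayArray()
    $data = ob_get_clean();                     // buffered text, buffer closed
    file_put_contents($dataFile, $data);        // stands in for writeInfo() -> data.php
}

// --- Hardened flow -----------------------------------------------------------
// 1) Accept only entries that look like plain file names (no slashes, no tags).
function validateSelectedDoc($value): array {
    if (!is_array($value)) {
        throw new InvalidArgumentException('selectedDoc must be an array');
    }
    foreach ($value as $entry) {
        if (!is_string($entry) || !preg_match('/\A[A-Za-z0-9][A-Za-z0-9._-]{0,127}\z/', $entry)) {
            throw new InvalidArgumentException('selectedDoc entry rejected: ' . var_export($entry, true));
        }
    }
    return array_values($value);
}
function hardenedFileCut(array $post): void {
    $_SESSION[SELECTED_DOC_INDEX] = validateSelectedDoc($post['selectedDoc'] ?? null);
}
// 2) Persist the value as data, never as PHP source the server would execute.
function hardenedSaveName(string $dataFile): void {
    $json = json_encode($_SESSION[SELECTED_DOC_INDEX], JSON_THROW_ON_ERROR);
    file_put_contents($dataFile, $json, LOCK_EX);   // e.g. data.json, outside the web root
}

// Constructed demo input: a plain name passes, an entry carrying a PHP tag is refused.
if (session_status() !== PHP_SESSION_ACTIVE) { session_start(); }
hardenedFileCut(['selectedDoc' => ['report.pdf']]);
echo json_encode($_SESSION[SELECTED_DOC_INDEX]), "\n";   // prints the stored list as JSON
try {
    hardenedFileCut(['selectedDoc' => ['report.pdf', '<?php echo 1; ?>']]);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```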