Web security first-a fatal blow to the server: Code and command injection

Source: Internet
Author: User
Tags: phpinfo, nslookup

0. Preface

I have been concentrating on web security for a while now, but the further back I look, the more complicated it gets: increasingly complex middleware, low-level security, vulnerability research and so on. So here is a series on web security basics, with some handy payload tips, to keep for reference. I am no expert and the content of this blog is very basic; if a real expert happens to read it, please don't flame me. Corrections to my mistakes are welcome (my level is limited).

I. Basic principles:

1. The essence of code injection and command injection:

User input that has not been filtered is concatenated with the code the programmer wrote, and the resulting executable snippet is run by the server. A command is also code; the difference is that in command injection the input is concatenated into the arguments of a command-execution function or method.

2. Command injection example (Python, as a heavy Python user):

```python
# Example Flask view function (deliberately vulnerable): "cmd" is the input.
# Requesting http://127.0.0.1:5443/osinject?cmd=ping%20-c%205%20192.168.10.135|whoami
# makes the server execute whoami as well.
import os
from flask import Flask, request, jsonify

app = Flask(__name__)

@app.route("/osinject")
def osinject():
    command = request.args.get("cmd")       # untrusted user input
    response = os.popen(command).read()     # passed straight to a shell
    return jsonify({"result": response})
```
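The hardened counterpart of the handler above, as an added example (not code from the original post): the view accepts only a ping target, validates it against an allowlist grammar, and invokes ping with an argument list and no shell, so a trailing `|whoami` can never be interpreted as a command. The function names and the `target` parameter are assumptions for this example.

```python
"""Hardened counterpart of the /osinject handler: allowlist the target, never the command."""
import ipaddress
import re
import subprocess

# Hostname grammar (RFC 1123 labels): letters, digits and inner hyphens only, so
# shell metacharacters such as | & ; ` ' " and spaces can never get through.
_HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?:[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?\.)*"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$"
)

def validate_target(target):
    """Return the target if it is an IP literal or a hostname, else raise ValueError."""
    if not isinstance(target, str):
        raise ValueError("target must be a string")
    try:
        return str(ipaddress.ip_address(target))   # accepts IPv4/IPv6 literals only
    except ValueError:
        pass
    if _HOSTNAME_RE.match(target):
        return target
    raise ValueError("invalid target: %r" % target)

def is_valid_target(target):
    """Boolean wrapper around validate_target()."""
    try:
        validate_target(target)
        return True
    except ValueError:
        return False

def build_ping_argv(target, count=5):
    """Build the argv list: ping is invoked directly, the target is one argument, no shell."""
    if not 1 <= count <= 10:
        raise ValueError("count out of range")
    return ["ping", "-c", str(count), validate_target(target)]

def run_ping(target, count=5):
    """Run the validated ping with a timeout; there is no shell to interpret | or &&."""
    proc = subprocess.run(build_ping_argv(target, count), capture_output=True,
                          text=True, timeout=60)
    return proc.stdout + proc.stderr

# In the Flask view this replaces os.popen(command).read() (assumed wiring):
#     target = request.args.get("target", "")
#     try: return jsonify({"result": run_ping(target)})
#     except ValueError: return jsonify({"error": "invalid target"}), 400
```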

3. Code injection example:

```php
<?php
// www.local.com
/*
    /codeinject/code.php
    http://www.local.com/codeinject/code.php?code=phpinfo();
*/
    @eval($_GET["code"]);   // user input evaluated directly as PHP code
?>
```

4. Functions commonly used in PHP, Java and Python for command injection or code injection:

(1) PHP: I once wrote a small log of such functions myself; it can be found at: http://www.cnblogs.com/KevinGeorge/p/8127054.html

(2) Python:

- command: system, popen, subprocess.call, spawn

- code: map, filter, reduce, ...

```python
"""
A Python function name can be passed directly as a parameter of an ordinary function;
in theory, a function defined like this is dangerous.
"""
def myreduce(funcname, param):
    return funcname(param)   # whatever callable the caller supplies is invoked
```

(3) Java:

- command: java.lang.Runtime.getRuntime().exec(command)

- code: I don't know Java well and have had little contact with it, embarrassingly.

II. Vulnerability mining:

1. Where the injected input appears in the request:

(1) In POST and GET parameters

(2) In the URL file path or file name (pseudo-static URLs such as ThinkPHP's, or constructs like Python's url_for)

2. OS command injection in particular often appears in these business locations:

(1) System information configuration points in a web management interface: hostname, IP address, netmask, gateway, DNS server, email and so on.

(2) Function-type website tools: ping, tracert, nslookup, etc.

(3) File search or file operation functions: find, locate, etc.

(4) System information viewing functions: cpuinfo, meminfo, etc.

(5) Shutdown/restart operations: shutdown, ifconfig up, reboot, poweroff, etc.

III. Commonly used payload patterns:

1. |, &, &&, || and other operators

(1) & executes CMD1 first and then CMD2, regardless of whether CMD1 succeeded. Usage: CMD1 & CMD2

(2) && executes CMD1 first and runs CMD2 only if CMD1 succeeded; otherwise CMD2 is not run. Usage: CMD1 && CMD2

(3) || executes CMD1 first; if CMD1 succeeds, CMD2 is not executed, and if CMD1 fails, CMD2 is executed. Usage: CMD1 || CMD2

2. Payloads (&, /, ', ", spaces and other special symbols need to be URL-encoded)

(1) cmd=127.0.0.1|whoami

(2) cmd=127.0.0.1&whoami

(3) cmd=127.0.0.1&&whoami

(4) cmd=`whoami`

(5) cmd='/'|whoami (this uses the ' quote to close the preceding quote; the | then acts as "or")

3. Commonly used commands

(1) With echo: whoami, id (identification class)

(2) Without echo: nslookup, wget and similar outbound requests, checked with dnslog, httplog, etc.

(3) Getting a shell is a must; refer to my own post (http://www.cnblogs.com/KevinGeorge/p/8120226.html)

4. Code injection:

(1) PHP: detect with phpinfo(); the attack code is arbitrary.

(2) Python: detect with import time;time.sleep(20); the attack code is arbitrary.

(3) Java: I am embarrassingly weak here.

IV. Defense:

1. Disable the relevant functions

2. Filter input

3. Specify (whitelist) what content may be entered
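For the defender's side of the payload list above, here is an added example (not from the original post) that scans web access log lines for the payload shapes it describes: shell operators in query parameters, including double-URL-encoded ones, and code-injection probes such as phpinfo() or time.sleep(). The log lines, client addresses and the attacker.test domain are constructed samples.

```python
"""Detecting the payload shapes above in web access logs (added example).

Parses combined-format lines, URL-decodes every query parameter, and flags shell
operators (| & ; backtick $) or code-injection probes. Sample lines are constructed.
"""
import re
from urllib.parse import parse_qsl, unquote, urlsplit

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
CODE_PROBE_RE = re.compile(r'phpinfo\s*\(|\beval\s*\(|time\.sleep\s*\(|__import__', re.I)
SHELL_META_RE = re.compile(r'[|&;`$\n]')

SAMPLE_LOG = [  # constructed lines mirroring the examples in this post
    '10.0.0.5 - - [12/Jan/2018:10:00:01 +0800] "GET /osinject?cmd=127.0.0.1 HTTP/1.1" 200 64',
    '10.0.0.7 - - [12/Jan/2018:10:00:03 +0800] "GET /osinject?cmd=ping%20-c%205%20192.168.10.135%7Cwhoami HTTP/1.1" 200 120',
    '10.0.0.9 - - [12/Jan/2018:10:00:05 +0800] "GET /codeinject/code.php?code=phpinfo()%3B HTTP/1.1" 200 8800',
    '10.0.0.9 - - [12/Jan/2018:10:00:07 +0800] "GET /osinject?cmd=127.0.0.1%2526%2526nslookup%2520x.attacker.test HTTP/1.1" 200 10',
]

def inspect_value(value):
    """Return why a parameter value looks like injection, or None if it is clean."""
    decoded = unquote(value)  # parse_qsl decoded once; decode again for double-encoding
    if CODE_PROBE_RE.search(decoded):
        return "code injection probe"
    if SHELL_META_RE.search(decoded):
        return "shell metacharacter"
    return None

def scan_log(lines):
    """Return one finding per suspicious query parameter: ip, param, decoded value, reason."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line we understand; skip rather than crash
        query = urlsplit(m.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            reason = inspect_value(value)
            if reason:
                findings.append({"ip": m.group("ip"), "param": name,
                                 "value": unquote(value), "reason": reason})
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```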
