dvwa-command execution

command execution

After skimming a few blog posts: the key to command injection is bypassing the filter and being familiar with Linux commands; only with that familiarity is injection possible.

1、low

<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {

        $cmd = shell_exec( 'ping  ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    } else {

        $cmd = shell_exec( 'ping  -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    }

}
?>

Command separators include the newline (\n), the semicolon (;), logical AND (&&, &) and logical OR (||, |); in a Windows batch script %1A can also be used.

127.0.0.1;cat /proc/version

2、medium

<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Remove any of the characters in the array (blacklist).
    $substitutions = array(
        '&&' => '',
        ';'  => '',
    );

    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {

        $cmd = shell_exec( 'ping  ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    } else {

        $cmd = shell_exec( 'ping  -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';

    }
}

?>

Only && and ; are filtered, so logical OR (||, |) and the newline (\n) still work.

3、high

<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST["ip"];

    $target = stripslashes( $target );

    // Split the IP into 4 octets
    $octet = explode(".", $target);

    // Check IF each octet is an integer
    if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4)  ) {

        // If all 4 octets are ints put the IP back together.
        $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];

        // Determine OS and execute the ping command.
        if (stristr(php_uname('s'), 'Windows NT')) {

            $cmd = shell_exec( 'ping  ' . $target );
            echo '<pre>'.$cmd.'</pre>';

        } else {

            $cmd = shell_exec( 'ping  -c 3 ' . $target );
            echo '<pre>'.$cmd.'</pre>';

        }

    }

    else {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    }

}

?>

The entered IP address is split into 4 parts, and each part is checked to be numeric.

According to the Baidu search results, there is no command injection vulnerability here.

4、Using tools

The Commix tool can be used for command injection.

5、Defences

Parameter filtering

Whitelist protection

If the command's parameters have a recognisable pattern, it is recommended to protect the input parameters with a whitelist.

For example, allow only a limited set of characters such as [a-z][A-Z][0-9] _-

Blacklist protection

|;&$><`\! these characters can be filtered directly as a blacklist.

\t\n\r\f \u0000 these characters also need to be blacklisted, especially the null-byte truncation \u0000 (JVM 6 has no protection against this).
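As an added example (not DVWA's code and not from the original post), the whitelist and blacklist recommendations above applied in PHP to the ping target from the DVWA levels: `medium_filter` reproduces the medium-level blacklist, `contains_shell_metachar` checks for the page's blacklist characters, and `build_ping_command` is a hypothetical hardened handler that allowlists the target and quotes it with escapeshellarg (PHP_OS_FAMILY needs PHP 7.2+).

```php
<?php
// Added example (not DVWA's code): allowlist validation of the ping target,
// next to the medium-level blacklist, which only strips "&&" and ";".

// The medium level's blacklist, reproduced for comparison.
function medium_filter(string $target): string {
    return str_replace(['&&', ';'], '', $target);
}

// Blacklist from the page: | ; & $ > < ` \ ! plus \t \n \r \f and NUL.
function contains_shell_metachar(string $target): bool {
    return preg_match('/[|;&$><`\\\\!\t\n\r\f\x00]/', $target) === 1;
}

// Allowlist: a valid IP address, or a hostname built only from
// [A-Za-z0-9], "_", "-" and "." (the character set the page suggests).
function is_allowed_ping_target(string $target): bool {
    if (filter_var($target, FILTER_VALIDATE_IP) !== false) {
        return true;
    }
    // \A and \z, not ^ and $, so a trailing newline cannot slip past.
    return preg_match('/\A[A-Za-z0-9_\-]+(\.[A-Za-z0-9_\-]+)*\z/', $target) === 1;
}

// Hypothetical hardened version of the DVWA handler: reject on allowlist
// failure, and still quote the argument so the shell sees exactly one word.
function build_ping_command(string $target): ?string {
    if (!is_allowed_ping_target($target)) {
        return null;
    }
    $flag = (PHP_OS_FAMILY === 'Windows') ? '' : '-c 3 ';
    return 'ping ' . $flag . escapeshellarg($target);
}

// Constructed inputs: the page's low-level payload and the separators the
// page says survive the medium-level blacklist.
$samples = ["127.0.0.1", "127.0.0.1;cat /proc/version",
            "127.0.0.1||cat /proc/version", "127.0.0.1\ncat /proc/version"];
foreach ($samples as $s) {
    printf("%-32s medium keeps %-32s | metachar %-3s | command %s\n",
        json_encode($s, JSON_UNESCAPED_SLASHES),
        json_encode(medium_filter($s), JSON_UNESCAPED_SLASHES),
        contains_shell_metachar($s) ? 'yes' : 'no',
        build_ping_command($s) ?? 'rejected');
}
```

Only the first sample yields a command; the other three are reported as containing metacharacters and rejected by the allowlist even though the medium-level blacklist leaves the `||` and newline variants untouched.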

6、Knowledge summary

Rough exploitation process:

1) Bypassing the filter

Check whether the multiline modifier is used (/foo/m), whether the newline at the end of the matched subject is overlooked (/^\d+$/), whether whitespace characters (\s) are allowed, and whether the backslash pattern is mis-written (/\/).
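The regex pitfalls listed above, shown as an added example (not from the original post) with PHP's preg_match, which uses PCRE:

```php
<?php
// Added example (not from the original post): regex-validation pitfalls
// from the summary above, checked with PCRE via preg_match.

// Looks strict, but in PCRE "$" also matches just before a final "\n",
// so a trailing newline (a command separator) passes the check.
function matches_dollar(string $in): bool {
    return preg_match('/^\d+$/', $in) === 1;
}

// \z anchors at the very end of the subject (the D modifier does the
// same for $), so the trailing newline is rejected.
function matches_z(string $in): bool {
    return preg_match('/^\d+\z/', $in) === 1;
}

// With the m modifier, ^ and $ match at every line, so anything on a
// second line is never examined.
function matches_multiline(string $in): bool {
    return preg_match('/^\d+$/m', $in) === 1;
}

// Allowing \s admits tabs and newlines, which are separators as well.
function matches_with_whitespace(string $in): bool {
    return preg_match('/^[\d\s]+$/', $in) === 1;
}

// Constructed inputs: a clean value, a trailing newline, a second line
// carrying a command, and embedded whitespace.
$inputs = ["123", "123\n", "123\ncat /proc/version", "12 3"];
foreach ($inputs as $in) {
    printf("%-26s \$:%d  \\z:%d  /m:%d  \\s:%d\n",
        json_encode($in, JSON_UNESCAPED_SLASHES),
        matches_dollar($in), matches_z($in),
        matches_multiline($in), matches_with_whitespace($in));
}
```

Only the `\z` column rejects every input except the clean "123"; the `$` pattern accepts "123\n", the `/m` pattern accepts the two-line input, and the `\s` pattern accepts "12 3".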

Quote escaping (the source wraps the input in quotes so that it cannot be executed); the escape approaches are roughly: closing the quote, commenting out the trailing quote, or using the escaping effect of \ to break out.

2) Command injection

Command option injection; that author is really good at this, and you need to be familiar with Linux commands.

Reference links:

https://www.cnblogs.com/Antiver/p/10322619.html

https://www.cnblogs.com/aeolian/p/11051361.html

Original address: https://www.cnblogs.com/dx-yll/p/11963848.html

Time: 2024-11-19 09:28:15
