Command execution vulnerability

The command execution vulnerability in DVWA

low

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {

	// Get input

	$target = $_REQUEST[ 'ip' ];

	// Determine OS and execute the ping command.
  
	if( stristr( php_uname( 's' ), 'Windows NT' ) ) {

		// Windows

		$cmd = shell_exec( 'ping  ' . $target );

	}

	else {

		// *nix

		$cmd = shell_exec( 'ping  -c 4 ' . $target );

	}

	// Feedback for the end user

	$html .= "<pre>{$cmd}</pre>";

}

?>

As you can see, the parameter supplied by the client is not filtered at all (it is read from $_REQUEST, so it can arrive via GET, POST or cookie even though the handler only checks $_POST['Submit']), and it is concatenated straight into a shell_exec() string. Constructing any of the following

127.0.0.1 & ls

127.0.0.1 && ls

1 || ls

1 | ls

1;ls

lists the files in the current directory, and cat can then be used to read arbitrary files (subject to the permissions of the web server user).

medium

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {

	// Get input

	$target = $_REQUEST[ 'ip' ];

	// Set blacklist

	$substitutions = array(

		'&&' => '',

		';'  => '',

	);

	// Remove any of the charactars in the array (blacklist).

	$target = str_replace( array_keys( $substitutions ), $substitutions, $target );

	// Determine OS and execute the ping command.

	if( stristr( php_uname( 's' ), 'Windows NT' ) ) {

		// Windows

		$cmd = shell_exec( 'ping  ' . $target );

	}

	else {

		// *nix

		$cmd = shell_exec( 'ping  -c 4 ' . $target );

	}

	// Feedback for the end user

	$html .= "<pre>{$cmd}</pre>";

}

?>

Compared with low, medium adds a blacklist, but it only strips ; and &&, which is of little use: the single &, the pipe | and || are still allowed through.

str_replace( array_keys( $substitutions ), $substitutions, $target ): wherever $target contains one of the keys of $substitutions, it is replaced with the corresponding value, i.e. the empty string ''. The characters are deleted rather than escaped, and the pairs are applied one after another in the order they are listed.

high

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {

	// Get input

	$target = trim($_REQUEST[ 'ip' ]);

	// Set blacklist

	$substitutions = array(

		'&'  => '',

		';'  => '',

		'| ' => '',

		'-'  => '',

		'$'  => '',

		'('  => '',

		')'  => '',

		'`'  => '',

		'||' => '',

	);

	// Remove any of the charactars in the array (blacklist).

	$target = str_replace( array_keys( $substitutions ), $substitutions, $target );

	// Determine OS and execute the ping command.

	if( stristr( php_uname( 's' ), 'Windows NT' ) ) {

		// Windows

		$cmd = shell_exec( 'ping  ' . $target );

	}

	else {

		// *nix

		$cmd = shell_exec( 'ping  -c 4 ' . $target );

	}

	// Feedback for the end user

	$html .= "<pre>{$cmd}</pre>";

}

?>

Compared with medium, more separator characters are filtered, but notice that the entry for the pipe is '| ' with a trailing space, so only a pipe followed by a space is removed. Constructing

127.0.0.1 |ls (no space after the pipe) still executes arbitrary commands. Because the replacements are applied in the order listed, the '||' entry is also ineffective: 1 || ls first loses its '| ' and becomes 1 |ls, which still injects. The '-' entry does strip flags from the injected command (ls -la reaches the shell as ls la), but it does not stop the injection itself.
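To make the difference between the three blacklists concrete, here is an added example (not DVWA code and not from the original post) that re-implements the medium and high str_replace() filters in Python and checks which of the payloads above still reach the shell with a command separator intact. The ping command line is only built as a string, never executed. It also shows the consequence of the replacement order: because '| ' is stripped before '||', the payload 1 || ls becomes 1 |ls and still injects.

```python
"""
Model of the DVWA medium and high blacklists against the payloads from the post.
Added example, not DVWA code: the filters are re-implemented from the PHP
str_replace() calls above, and the resulting ping command line is only built as
a string, never executed.
"""


def php_str_replace(pairs, subject):
    # PHP str_replace() with array arguments applies each search/replace pair
    # in order, left to right, on the result of the previous pair.
    for search, replacement in pairs:
        subject = subject.replace(search, replacement)
    return subject


MEDIUM_BLACKLIST = [("&&", ""), (";", "")]
HIGH_BLACKLIST = [
    ("&", ""), (";", ""), ("| ", ""), ("-", ""), ("$", ""),
    ("(", ""), (")", ""), ("`", ""), ("||", ""),
]


def filter_low(target):
    return target  # low: no filtering at all


def filter_medium(target):
    return php_str_replace(MEDIUM_BLACKLIST, target)


def filter_high(target):
    return php_str_replace(HIGH_BLACKLIST, target.strip())  # high also trim()s


def build_command(target, windows=False):
    """The string DVWA hands to shell_exec() after filtering."""
    return ("ping  " if windows else "ping  -c 4 ") + target


# Sequences that make /bin/sh end the ping command and start another one.
SHELL_SEPARATORS = ("&", "|", ";", "`", "$(")


def escapes_ping(filtered):
    """True if the filtered input still carries a command separator."""
    return any(sep in filtered for sep in SHELL_SEPARATORS)


# Payloads from the post (first five) plus the high-level bypass (last one).
PAYLOADS = [
    "127.0.0.1 & ls", "127.0.0.1 && ls", "1 || ls", "1 | ls", "1;ls",
    "127.0.0.1 |ls",
]


def surviving(filter_fn, payloads=PAYLOADS):
    """Payloads that still reach the shell with a command separator intact."""
    return [p for p in payloads if escapes_ping(filter_fn(p))]


if __name__ == "__main__":
    levels = [("low", filter_low), ("medium", filter_medium), ("high", filter_high)]
    for name, fn in levels:
        print(f"[{name}]")
        for p in PAYLOADS:
            out = fn(p)
            print(f"  {p!r:20} -> {build_command(out)!r}  injects={escapes_ping(out)}")
```

Running it shows that low passes every payload, medium still passes the four built on & or |, and high passes only the two that use a pipe with no following space (one of them produced by the '||' ordering bug).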

impossible

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {

	// Check Anti-CSRF token

	checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

	// Get input

	$target = $_REQUEST[ 'ip' ];

	$target = stripslashes( $target );

	// Split the IP into 4 octects

	$octet = explode( ".", $target );

	// Check IF each octet is an integer

	if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {

		// If all 4 octets are int's put the IP back together.

		$target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];

		// Determine OS and execute the ping command.

		if( stristr( php_uname( 's' ), 'Windows NT' ) ) {

			// Windows

			$cmd = shell_exec( 'ping  ' . $target );

		}

		else {

			// *nix

			$cmd = shell_exec( 'ping  -c 4 ' . $target );

		}

		// Feedback for the end user

		$html .= "<pre>{$cmd}</pre>";

	}

	else {

		// Ops. Let the user name theres a mistake

		$html .= '<pre>ERROR: You have entered an invalid IP.</pre>';

	}

}

// Generate Anti-CSRF token

generateSessionToken();

?>

Compared with high, this adds a random anti-CSRF token, and uses explode() to split $target on '.' into an array and then checks each part. A normal IP address such as 127.0.0.1 splits into exactly 4 parts, all of them numeric, and that is exactly what the check enforces (sizeof($octet) == 4 and is_numeric() on every part), so nothing can be appended after the address. The string handed to shell_exec() is rebuilt from the four validated parts rather than taken from the request, which is the important difference from the blacklists: the input is validated against what a legitimate value looks like instead of having known-bad characters removed. Note that is_numeric() is looser than an integer check (it also accepts a sign, exponent notation such as 1e1, and leading whitespace), so this is not a strict IPv4 validator; but none of those characters is a shell metacharacter, so the ping command cannot be terminated or extended.
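The impossible level has the right shape (validate, then rebuild), and the added example below (not DVWA code and not from the original post) carries that idea into a hardened handler in Python. dvwa_impossible_check() mirrors the explode()/is_numeric()/sizeof() logic using an approximation of PHP 8 is_numeric() (the regex is an assumption, not PHP's parser); validate_ipv4() is the stricter check using the standard ipaddress module; and ping_argv() passes the address to ping as a single argv element with no shell involved at all, which removes the command-injection class instead of blacklisting characters.

```python
"""
Hardened replacement for the DVWA ping handler: strict IPv4 validation and
execution without a shell. Added example, not DVWA code.
"""
import ipaddress
import re
import subprocess
import sys

# Approximation of PHP 8 is_numeric(): optional surrounding whitespace, sign,
# decimal digits with optional fraction and exponent. Hex strings are not
# numeric since PHP 7. This regex is an assumption, not PHP's own parser.
_PHP_NUMERIC = re.compile(r"^\s*[+-]?(\d+(\.\d*)?|\.\d+)([eE][+-]?\d+)?\s*$")


def php_is_numeric(s):
    return _PHP_NUMERIC.match(s) is not None


def dvwa_impossible_check(target):
    """Mirror of the impossible level: split on '.', require exactly four
    numeric parts, and rebuild the target from those parts.
    Returns the rebuilt string, or None when the input is rejected."""
    octets = target.split(".")
    if len(octets) == 4 and all(php_is_numeric(o) for o in octets):
        return ".".join(octets)
    return None


def validate_ipv4(target):
    """Strict validation: the input must parse as a dotted-quad IPv4 address.
    Returns the canonical address string; raises ValueError otherwise
    (ipaddress.AddressValueError is a subclass of ValueError)."""
    return str(ipaddress.IPv4Address(target))


def is_valid_ipv4(target):
    try:
        validate_ipv4(target)
        return True
    except ValueError:
        return False


def ping_argv(target, windows=sys.platform.startswith("win")):
    """Build the ping command as an argv list. No shell is involved, so no
    metacharacter can split the command, and the validated address is always
    a single argument."""
    ip = validate_ipv4(target)
    return ["ping", "-n", "4", ip] if windows else ["ping", "-c", "4", ip]


def run_ping(target):
    """Execute the validated ping and return its combined output."""
    proc = subprocess.run(ping_argv(target), capture_output=True, text=True, timeout=30)
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    # Constructed inputs: a valid address, the high-level bypass from the post,
    # and a value that passes is_numeric() but is not an IPv4 address.
    for candidate in ["127.0.0.1", "127.0.0.1 |ls", "1e1.1.1.1"]:
        print(f"{candidate!r}: impossible-level check -> {dvwa_impossible_check(candidate)!r}")
        try:
            print(f"  strict argv -> {ping_argv(candidate, windows=False)}")
        except ValueError as exc:
            print(f"  strict check rejected it: {exc}")
```

The DVWA check and the strict check agree on the injection payloads (both reject them); they differ only on inputs such as 1e1.1.1.1, which DVWA forwards to ping as a meaningless hostname while validate_ipv4() rejects it outright. Building an argv list is what makes the handler safe even if a future change loosened the validation, because the target can never be parsed by a shell.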

Original article: https://www.cnblogs.com/NineOne/p/13733083.html