Introduction to web security vulnerabilities and their remediation (to be continued)

1. OS command injection
Description
Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. It may also be possible to use the server as a platform for attacks against other systems. The exact potential for exploitation depends upon the security context in which the command is executed, and the privileges that this context has regarding sensitive resources on the server.


Remediation

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform additional commands than the one intended.
If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:
• The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
• The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defense can mitigate the impact of an attack even in the event that an attacker circumvents the input validation defenses.
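Both layers of defense above, as an added Python example (not code from the original post): the first layer is a strict whitelist check that only admits short hostname-like tokens, and the second is building an argv list for a non-shell process API (Python's subprocess with shell=False, the counterpart of the Java Runtime.exec and ASP.NET Process.Start APIs named above). The hostname-lookup use case, the nslookup command and the regular expression are assumptions chosen for illustration.

```python
import re
import subprocess
from typing import List

# Layer 1: strict validation. Only a short token of letters, digits, '.' and '-'
# is accepted (a hostname-style whitelist, assumed for this example). Anything
# else, including whitespace and every shell metacharacter, is rejected outright
# rather than escaped.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,62}$")


def validate_hostname(value: str) -> str:
    """Return the value unchanged if it passes the whitelist, else raise."""
    if not HOSTNAME_RE.fullmatch(value):
        raise ValueError(f"rejected input: {value!r}")
    return value


def build_unsafe_command(host: str) -> str:
    """The pattern the text warns against: user data spliced into one string
    that a shell interpreter will later parse (never pass this to shell=True)."""
    return f"nslookup {host}"


def lookup_argv(host: str) -> List[str]:
    """Layer 2: build an argv list. Each element reaches the child process as a
    single argument; there is no interpreter to honour ';', '|', '&&' or '>'.
    Validation still runs first, so both layers apply."""
    return ["nslookup", validate_hostname(host)]


def run_without_shell(argv: List[str]) -> str:
    """Launch the program named in argv[0] directly (shell=False) and return
    its stdout. No command chaining or redirection is possible here."""
    completed = subprocess.run(argv, capture_output=True, text=True, check=False)
    return completed.stdout


def demonstrate_literal_argument() -> str:
    """Show layer 2 on its own with a harmless command (assumed to exist on a
    POSIX host): the metacharacters are delivered to echo as plain text."""
    return run_without_shell(["echo", "a; b && c"])


if __name__ == "__main__":
    print(lookup_argv("example.com"))          # ['nslookup', 'example.com']
    print(repr(demonstrate_literal_argument()))  # 'a; b && c\n'
    try:
        lookup_argv("example.com && ls")         # rejected by layer 1
    except ValueError as exc:
        print(exc)
```

In a real application the whitelist should be as narrow as the feature allows (an enumeration of accepted values where one exists), and the argv list approach should be the only way a command is ever launched; string concatenation plus shell=True, os.system or Runtime.exec with a single string that is later handed to "sh -c" all reintroduce the interpreter that layer 2 is meant to remove.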


Reposted from: https://blog.51cto.com/11156310/2358604
