Introduction to web security vulnerabilities and their solutions (to be continued)

1. OS command injection
Description
Operating system command injection vulnerabilities arise when an application incorporates user-controllable data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed, and inject arbitrary further commands that will be executed by the server.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. It may also be possible to use the server as a platform for attacks against other systems. The exact potential for exploitation depends upon the security context in which the command is executed, and the privileges that this context has regarding sensitive resources on the server.

Operating system command injection vulnerabilities arise when an application incorporates user-controlled data into a command that is processed by a shell command interpreter. If the user data is not strictly validated, an attacker can use shell metacharacters to modify the command that is executed and insert arbitrary further commands that the server will execute.
OS command injection vulnerabilities are usually very serious and may lead to compromise of the server hosting the application, or of the application's own data and functionality. The server may also be usable as a platform for attacks against other systems. The exact potential for exploitation depends on the security context in which the command is executed, and on the privileges that context has over sensitive resources on the server.

Solution

If possible, applications should avoid incorporating user-controllable data into operating system commands. In almost every situation, there are safer alternative methods of performing server-level tasks, which cannot be manipulated to perform commands other than the one intended.
If it is considered unavoidable to incorporate user-supplied data into operating system commands, the following two layers of defense should be used to prevent attacks:
• The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
• The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defense can mitigate the impact of an attack even in the event that an attacker circumvents the input validation defenses.

If possible, applications should avoid incorporating user-controlled data into operating system commands. In almost every situation there are safer alternative ways of performing server-level tasks, which cannot be manipulated into executing more commands than intended.
If incorporating user-supplied data into operating system commands is considered unavoidable, the following two layers of defense should be used to prevent attacks:

• The user data should be strictly validated. Ideally, a whitelist of specific accepted values should be used. Otherwise, only short alphanumeric strings should be accepted. Input containing any other data, including any conceivable shell metacharacter or whitespace, should be rejected.
• The application should use command APIs that launch a specific process via its name and command-line parameters, rather than passing a command string to a shell interpreter that supports command chaining and redirection. For example, the Java API Runtime.exec and the ASP.NET API Process.Start do not support shell metacharacters. This defense can reduce the impact of an attack even when an attacker bypasses the input-validation defenses.
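The two defensive layers above, shown together in Python as an added example (not code from the original post): a fixed allowlist or short-alphanumeric check first, then launching the child process from an argument list with `shell=False`, which is the Python counterpart of `Runtime.exec` / `Process.Start`. The service names in the allowlist are hypothetical and constructed for this example.

```python
import re
import subprocess
import sys

# Layer 1: strict input validation.
# Preferred form: a fixed allowlist of the exact values the feature needs.
# (Hypothetical service names, constructed for this example.)
ALLOWED_SERVICES = frozenset({"web", "db", "cache"})

# Fallback form: only short alphanumeric strings. Anything else, including
# whitespace and every shell metacharacter, is rejected outright.
SHORT_ALNUM = re.compile(r"[A-Za-z0-9]{1,32}")


def validate_service(value: str) -> str:
    """Accept only a value from the fixed allowlist; raise on anything else."""
    if value not in ALLOWED_SERVICES:
        raise ValueError("rejected: value is not in the allowlist")
    return value


def validate_short_alnum(value: str) -> str:
    """Accept only a short alphanumeric token (no whitespace, no metacharacters)."""
    if not SHORT_ALNUM.fullmatch(value):
        raise ValueError("rejected: only short alphanumeric strings are accepted")
    return value


# Layer 2: launch the program by name with an argument list, never via a shell.
# The pattern to avoid is subprocess.run("program " + user_value, shell=True),
# where the shell parses the string and honours chaining and redirection.
def run_without_shell(argv: list) -> str:
    """Run argv directly. Each list element reaches the program as one literal
    argument, so no shell ever interprets the user-derived value."""
    completed = subprocess.run(argv, capture_output=True, text=True, check=True)
    return completed.stdout.strip()


def echo_argument(user_value: str) -> str:
    """Both layers combined: validate, then run a child process that prints its
    first argument. The current interpreter is used so this runs on any OS."""
    safe = validate_short_alnum(user_value)
    argv = [sys.executable, "-c", "import sys; print(sys.argv[1])", safe]
    return run_without_shell(argv)
```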
