Command Injection(High)
代碼分析
<?php
if( isset( $_POST[ 'Submit' ] ) ) {
// Get input
$target = trim($_REQUEST[ 'ip' ]);
// Set blacklist
$substitutions = array(
'&' => '',
';' => '',
'| ' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
// Remove any of the charactars in the array (blacklist).
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
// Determine OS and execute the ping command.
if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
// Windows
$cmd = shell_exec( 'ping ' . $target );
}
else {
// *nix
$cmd = shell_exec( 'ping -c 4 ' . $target );
}
// Feedback for the end user
$html .= "<pre>{$cmd}</pre>";
}
?>
相比Medium級別的代碼,服務器端對ip參數做了更多的過濾
$substitutions = array(
'&' => '',
';' => '',
'| ' => '',
'-' => '',
'$' => '',
'(' => '',
')' => '',
'`' => '',
'||' => '',
);
$target = str_replace( array_keys( $substitutions ), $substitutions, $target );
漏洞利用
黑名單看似過濾了所有的非法字符,但仔細觀察到是把”| ”(注意這裏|後有一個空格)替換爲空字符,於是 ” |”成了“漏網之魚”。
127.0.0.1|net user
Command 1 | Command 2
“|”是管道符,表示將Command 1的輸出作爲Command 2的輸入,並且只打印Command 2執行的結果。