执行
<!DOCTYPE html>
<html>
<head>
<title>command-low</title>
</head>
<body>
<form action=‘impossible.php‘ method=‘POST‘>
<input type=‘text‘ name=‘ip‘>
<input type=‘submit‘ name=‘exec‘ value=‘exec‘>
</form>
</body>
</html>
low
<?php
if (isset($_POST[‘exec‘])){
$target = $_POST[‘ip‘];
if( stristr( php_uname( ‘s‘ ), ‘Windows NT‘ ) ) {
// Windows
$cmd = shell_exec( ‘ping ‘ . $target );
$cmd1 = system( ‘ping ‘ . $target );
$cmd2 = exec( ‘ping ‘ . $target );
}
else {
// *nix
$cmd = shell_exec( ‘ping -c 4 ‘ . $target );
$cmd1 = system( ‘ping -c 4 ‘ . $target );
$cmd2 = exec( ‘ping -c 4 ‘ . $target );
}
// echo "shell_exec:<br>";
// echo $cmd;
// echo "system:<br>";
// echo $cmd1;
// echo "exec:<br>";
// echo $cmd2;
// echo "<br>";
}
?>
medium
<?php
if (isset($_POST[‘exec‘])){
$target = $_REQUEST[‘ip‘];
$substitutions = array(‘&&‘ => ‘‘,‘;‘ => ‘‘,);
$target = str_replace(array_keys($substitutions),$substitutions,$target);
echo $target;
if( stristr( php_uname( ‘s‘ ), ‘Windows NT‘ ) ) {
// Windows
$cmd = shell_exec( ‘ping ‘ . $target );
// $cmd1 = system( ‘ping ‘ . $target );
// $cmd2 = exec( ‘ping ‘ . $target );
}
else {
// *nix
$cmd = shell_exec( ‘ping -c 4 ‘ . $target );
// $cmd1 = system( ‘ping -c 4 ‘ . $target );
// $cmd2 = exec( ‘ping -c 4 ‘ . $target );
}
echo "shell_exec:<br>";
echo $cmd;
// echo "system:<br>";
// echo $cmd1;
// echo "exec:<br>";
// echo $cmd2;
// echo "<br>";
}
?>
high
<?php
if (isset($_POST[‘exec‘])){
$target = trim($_REQUEST[‘ip‘]);
echo $target;
$substitutions = array(
‘&‘ => ‘‘,
‘;‘ => ‘‘,
‘| ‘ => ‘‘,
‘-‘ => ‘‘,
‘$‘ => ‘‘,
‘(‘ => ‘‘,
‘)‘ => ‘‘,
‘`‘ => ‘‘,
‘||‘ => ‘‘,
);
print_r($substitutions);
print_r(array_keys($substitutions));
$target = str_replace(array_keys($substitutions),$substitutions,$target);
echo $target;
if( stristr( php_uname( ‘s‘ ), ‘Windows NT‘ ) ) {
// Windows
$cmd = shell_exec( ‘ping ‘ . $target );
// $cmd1 = system( ‘ping ‘ . $target );
// $cmd2 = exec( ‘ping ‘ . $target );
}
else {
// *nix
$cmd = shell_exec( ‘ping -c 4 ‘ . $target );
// $cmd1 = system( ‘ping -c 4 ‘ . $target );
// $cmd2 = exec( ‘ping -c 4 ‘ . $target );
}
echo "shell_exec:<br>";
echo $cmd;
// echo "system:<br>";
// echo $cmd1;
// echo "exec:<br>";
// echo $cmd2;
// echo "<br>";
}
?>
impossible
<?php
if (isset($_POST[‘exec‘])){
$target = $_REQUEST[‘ip‘];
$octet = explode(".",$target);
if(is_numeric($octet[0]) && is_numeric($octet[1]) && is_numeric($octet[2]) && is_numeric($octet[3]) && sizeof($octet) == 4){
echo $target;
if( stristr( php_uname( ‘s‘ ), ‘Windows NT‘ ) ) {
// Windows
$cmd = shell_exec( ‘ping ‘ . $target );
// $cmd1 = system( ‘ping ‘ . $target );
// $cmd2 = exec( ‘ping ‘ . $target );
}
else {
// *nix
$cmd = shell_exec( ‘ping -c 4 ‘ . $target );
// $cmd1 = system( ‘ping -c 4 ‘ . $target );
// $cmd2 = exec( ‘ping -c 4 ‘ . $target );
}
echo "shell_exec:<br>";
echo $cmd;
// echo "system:<br>";
// echo $cmd1;
// echo "exec:<br>";
// echo $cmd2;
// echo "<br>";
}else{
die("IP填写的有误");
}
}
?>
PHP知识点
stristr查找 "world" 在 "Hello world!" 中的第一次出现,并返回字符串的剩余部分:
<?php
echo stristr("Hello world!","WORLD");
?>
system()
$last_line = system(‘ls‘, $return_var);
system() 会将输出内容直接印出, 所以若于网页, 会将所有回传内容都显示于页面上.
$last_line: 只能取得最后一行的内容
$return_var: 取得系统状态回传码
exec()
exec(‘ls‘, $output, $return_var);
$output: 回传内容都会存于此变数中(储存成阵列), 不会直接秀在页面上.
$return_var: 取得系统状态回传码
shell_exec()
$output = shell_exec(‘ls‘);
$output: 回传内容都会存于此变数中(储存成纯文字内容), 不会直接秀在页面上.
str_replace() 函数替代
array_keys() 函数返回包含数组中所有键名的一个新数组。
如果提供了第二个参数,则只返回键值为该值的键名。
如果 strict 参数指定为 true,则 PHP 会使用全等比较 (===) 来严格检查键值的数据类型。
Trim() 函数去除字符串头尾空格
Stripslashes()函数,删除反斜杠
Is_numeric()函数,监测变量是否数字
参考链接
代码审计——DVWA Command Injection(命令执行)
PHP代码审计-command injection-dvwa靶场