Preface
Will my Algorithm Design pass, will my Data Structures pass, will all of my finals pass?
Yes, definitely......
CommandInject
codeinject
Here is the source:
```java
import java.io.IOException;
import org.springframework.web.bind.annotation.GetMapping;

@GetMapping("/codeinject")
public String codeInject(String filepath) throws IOException {
    // filepath comes straight from the request and is concatenated into a shell command line
    String[] cmdList = new String[]{"sh", "-c", "ls -la " + filepath};
    ProcessBuilder builder = new ProcessBuilder(cmdList);
    builder.redirectErrorStream(true);
    Process process = builder.start();
    return WebUtils.convertStreamToString(process.getInputStream());
}
```
The vulnerable point is obvious at a glance: filepath is attacker-controlled and is concatenated into a string that `sh -c` parses, so a crafted value achieves arbitrary command execution.
Payload
It executed successfully. Uh, there doesn't feel like much to write about here.
host
Source
```java
import java.io.IOException;
import javax.servlet.http.HttpServletRequest;

public String codeInjectHost(HttpServletRequest request) throws IOException {
    // the Host header is fully attacker-controlled and is concatenated unfiltered into the command line
    String host = request.getHeader("host");
    logger.info(host);
    String[] cmdList = new String[]{"sh", "-c", "curl " + host};
    ProcessBuilder builder = new ProcessBuilder(cmdList);
    builder.redirectErrorStream(true);
    Process process = builder.start();
    return WebUtils.convertStreamToString(process.getInputStream());
}
```
Looking at the source, the vulnerable point is just as easy to spot: `curl ` is concatenated with the Host header, and the host value is not filtered at all, so all that is needed is to put the payload in the Host header of the request.
sec
A parameter-filtering method has been added. Click into cmdFilter to follow it further: it uses the static constant FILTER_PATTERN declared in the security utility class, a compiled regular expression whose pattern only matches upper- and lower-case letters, digits and a few other characters. Special characters never match, so when a command-injection payload contains one, cmdFilter returns null and the handler returns the failure message instead of running the command. Note that the command still goes through `sh -c`, so the safety of this handler rests entirely on that character allowlist.
```java
@GetMapping("/codeinject/sec")
public String codeInjectSec(String filepath) throws IOException {
    // reject any value containing characters outside the FILTER_PATTERN allowlist
    String filterFilePath = SecurityUtil.cmdFilter(filepath);
    if (null == filterFilePath) {
        return "Bad boy. I got u.";
    }
    String[] cmdList = new String[]{"sh", "-c", "ls -la " + filterFilePath};
    ProcessBuilder builder = new ProcessBuilder(cmdList);
    builder.redirectErrorStream(true);
    Process process = builder.start();
    return WebUtils.convertStreamToString(process.getInputStream());
}
```
That is, this one line does all the work:
```java
String filterFilePath = SecurityUtil.cmdFilter(filepath);
```
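To make the three handlers above concrete, here is an added example (not code from this page or from the project it describes) that reproduces the same `sh -c "ls -la " + filepath` concatenation with Python's subprocess, which passes argument arrays to the kernel exactly as ProcessBuilder does. It runs one constructed payload through the vulnerable shape, through a filtered shape, and through a no-shell shape that the page's sec handler does not use. The `FILTER_PATTERN` regex and `cmd_filter` here are an assumption modelled on the page's description of SecurityUtil.cmdFilter (letters, digits and a few path characters), not the project's exact constant. The canary `IN''JECTED` only collapses to `INJECTED` when a shell parses it, which is how the example tells "interpreted by a shell" apart from "passed as a literal filename".

```python
import re
import subprocess
import tempfile

# Assumption: an allowlist in the spirit of the page's FILTER_PATTERN
# (letters, digits, underscore, slash, dot, dash); not the project's exact regex.
FILTER_PATTERN = re.compile(r"^[a-zA-Z0-9_/.\-]+$")

# Constructed canary: the shell strips the empty single quotes, so "INJECTED"
# appears in the output only if a shell actually parsed the string.
CANARY_ARG = ";echo IN''JECTED"
CANARY_HIT = "INJECTED"


def cmd_filter(param):
    """Mirror of the described cmdFilter: return param if it is allowlisted, else None."""
    if param is None or not FILTER_PATTERN.match(param):
        return None
    return param


def list_dir_vulnerable(filepath):
    """Same shape as the page's codeInject(): the argument is parsed by sh -c."""
    proc = subprocess.run(["sh", "-c", "ls -la " + filepath],
                          capture_output=True, text=True)
    # redirectErrorStream(true) equivalent: merge stderr into the returned text
    return proc.stdout + proc.stderr


def list_dir_filtered(filepath):
    """Same shape as codeInjectSec(): allowlist first, then still run through sh -c."""
    filtered = cmd_filter(filepath)
    if filtered is None:
        return "Bad boy. I got u."
    return list_dir_vulnerable(filtered)


def list_dir_no_shell(filepath):
    """Hardened shape: no shell at all, the value reaches ls as one literal argument."""
    proc = subprocess.run(["ls", "-la", "--", filepath],
                          capture_output=True, text=True)
    return proc.stdout + proc.stderr


def demo():
    """Run the canary payload through all three shapes and report what happened."""
    with tempfile.TemporaryDirectory() as d:   # a real, allowlisted directory path
        payload = d + CANARY_ARG
        return {
            # True: sh split on ';' and ran the second command
            "vulnerable_executed": CANARY_HIT in list_dir_vulnerable(payload),
            # the ';' and quotes fail the allowlist, so the handler refuses
            "filtered_response": list_dir_filtered(payload),
            # False: ls just reports that no such file exists; the quotes survive
            "no_shell_executed": CANARY_HIT in list_dir_no_shell(payload),
            # a clean path still works through the filtered handler
            "clean_path_allowed": list_dir_filtered(d) != "Bad boy. I got u.",
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, "=>", v)
```

The Host-header handler has exactly the same shape as `list_dir_vulnerable` with `curl ` in place of `ls -la `, so the same canary in the Host header tells you whether the server shelled it out. The practical lesson of the last function is that dropping `sh -c` and passing the user value as its own array element removes the whole bug class, whereas the allowlist only narrows it.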