【 Remote vulnerability 】 Two or three things about the remote code execution vulnerability

Concept of remote command execution vulnerability

• Remote command execution vulnerability refers to the operation command submitted by the user through the browser.
• The malicious command is executed because the server does not filter the execution function

Remote code execution vulnerability concept

• A code execution vulnerability, also known as a code injection vulnerability, is when a user passes a browser
• Submit execute malicious script code, execute malicious construct script code

The difference between

• Command execution: generally refers to operating system commands
• Remote code execution: This generally refers to script code

Cause of

• The cause is that the Web server does not detect the security of user input commands.
• Cause malicious (operating system commands or script code) execution.

Command execution vulnerability

Classification of command execution vulnerabilities

Code layer: some commercial applications need to execute commands. Some core codes of commercial applications may be encapsulated in binary files and invoked by system functions in Web applications.

Third party component layer: typical wordpress, you can choose to use imageMagick, a commonly used image processing component, to process the image uploaded by the user, resulting in command execution, in addition to Java command execution vulnerability (struts2/Elasticsearch, etc.)

Hazards of command execution vulnerability

Arbitrary execution of system commands, malicious trojans are planted, hanging horses, fishing, sensitive information leakage…..

Example 1

Submitted to http://localhost/cmd.php? IP = 192.168.199.150 | | after ipconfig submit command pipeline operators will ping 192.168.199.150 | ipconfig command into shell_exec (' ping '. | ipconfig)Copy the code

How to prevent command execution vulnerability

There are many ways to fix this, for example: 1. Filter special characters or replace characters. 2

Option 2 Fix code: Execution effect

Remote code execution vulnerability

Example Tomcat Arbitrary file upload vulnerability CVE-2017-12615

This section describes the vulnerability of remote code execution caused by the Put method of HTTP enabled in the ApacheTomcat service component, which allows an attacker to upload JSP Trojan horses arbitrarily. Upload (PUT) and DELETE (DELETE) methods in HTTP requests are disabled by default.

Holes affect

Upload a file containing arbitrary code and execute it by the server. Impact platform loopholes in Windows/Linux version of Apache Tomcat < = 7.0.81 | Apache Tomcat < = 8.5.20 | Apache Tomcat < = 9.0.0. M26 repetition steps a prepared environment Java™ SE Runtime Environment (build 1.8.0_20-b26)

2, apache tomcat — 7.0.70

3. Configure the environment variable CATALINA_HOME

4. Modify the tomcat directory conf/web.xml

5. Enable HTTP PUT

Step 2 Download the tomcat environment (at the bottom of the article) Step 3 Start the Tomcat service

Step 4 Upload the Trojan tool directory using the PUT method

CMD goes to the utilization scripts directory

Upload the executable Trojan java-jar cVE-2017-12615-exploits.jar http://127.0.0.1:8080 /shell.jsp D:\aqcode\code\ cVE-2017-12615-master – Using script \cmd.jsp

Existence indicates that the upload is successful

Tool source code analysis

Code tag 1: read out the contents of D:\aqcode\code\ cVE-2017-12615-master-using the script \cmd.jsp

The contents of cmd.jsp are as follows

Code mark 2: the content of written to the file http://127.0.0.1:8080/shell.jsp/

Code tag 3: Requests are processed via JspServlet when the suffixes are.jsp and.jspx:

And other static files by org. Apache. Catalina. Servlets. DefaultServletDefaultServlet processing:

As you can see, “/shell.jsp/” (with a trailing backslash) does not match the JspServlet and is instead handled by DefaultServlet. When handling a PUT request:

Call resources.bind:

A dirContext FileDirContext:

Call rebind to create a file:

http://127.0.0.1:8080/shell.jsp/, more than a backslash, this key, because in the org. Apache. Catalina. Servlets. DefaultServlet code will remove the last/features, So put /shell.jsp/ will create successfully (while bypassing the JspServlet handling class)

Repetition step 5 executing Trojan program at http://127.0.0.1:8080/shell.jsp

Repair plan

1. Set readonly and VirtualDirContext to True or comment parameters, disable the PUT method, and restart Tomcat. Note: If the PUT method is disabled, applications that rely on the PUT method may fail.

2. Update the latest version based on the official patch

Bug summary

The prerequisite for exploiting this vulnerability is to manually enable the readOnly function to support upload operations. The vulnerability cannot be exploited successfully under the default configuration. According to the actual test, the vulnerability is not that harmful. However, if the user has enabled readOnly, the hacker can successfully exploit the vulnerability.

Duplicate environment and code tomcat7 source code

https://pan.baidu.com/s/1rcbxfRyRFujkmHJKCr9voQ

Using the tool

https://pan.baidu.com/s/10RJCGHUaU_Ifh1p2XCUfTw