ctf-pikachu-RCE
2022-07-18 18:25:00 【vigoroth 】
RCE (remote command/code execute: remote system command / code execution)
An RCE vulnerability allows an attacker to inject operating system commands or code directly into the back-end server and thereby control the back-end system.
Cause: the application is designed to give users an interface for running specified remote commands or remote code. If the designer does not apply strict security controls when building this feature, an attacker may be able to submit unexpected commands that the back end then executes, and so take control of the whole back-end server.
1.exec “ping”
Submit a normal IP address, such as 127.0.0.1

Submit an IP address followed by a query command:
127.0.0.1 & ipconfig
The server ran ping and, at the same time, also executed the ipconfig command, which returned the target's IP address.
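The ping form above passes the submitted value into a shell command line. As an added example (not pikachu's source or the author's code; the function names are hypothetical), here is the vulnerable pattern beside a handler that validates the address before building the command:

```php
<?php
// Added example, not pikachu's source. All function names are hypothetical.

// Vulnerable pattern: user input is concatenated into a shell command line,
// so "127.0.0.1 & ipconfig" makes the shell run ipconfig as well as ping.
function ping_vulnerable(string $ip): string
{
    return (string) shell_exec('ping ' . $ip);
}

// Hardened pattern: accept only a literal IPv4 address, then quote it
// so the shell sees exactly one argument.
function build_ping_command(string $input): ?string
{
    $ip = trim($input);
    // filter_var rejects anything that is not a syntactically valid IPv4
    // address, which excludes spaces and metacharacters such as & | ; ` $.
    if (filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) === false) {
        return null;
    }
    // The count flag differs by platform: -n on Windows, -c elsewhere.
    $countFlag = (PHP_OS_FAMILY === 'Windows') ? '-n' : '-c';
    // escapeshellarg is defence in depth on top of the validation.
    return 'ping ' . $countFlag . ' 4 ' . escapeshellarg($ip);
}

function ping_hardened(string $input): string
{
    $cmd = build_ping_command($input);
    if ($cmd === null) {
        return 'Invalid IP address';
    }
    $lines = [];                    // exec() appends, so start from empty
    exec($cmd, $lines, $status);    // $lines receives every output line
    return implode("\n", $lines);
}

// Constructed sample inputs: the two values submitted in the walkthrough.
// Only the command string is built here; nothing is executed.
foreach (['127.0.0.1', '127.0.0.1 & ipconfig'] as $sample) {
    $cmd = build_ping_command($sample);
    printf("%-24s => %s\n", $sample, $cmd ?? 'rejected');
}
```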
2.exec “eval”
Enter any string .

Try entering a piece of PHP code,
such as: phpinfo();

Summary
Some dangerous functions, quoted from "Remote command / code execution vulnerability (RCE) summary":
system():
string system ( string $command [, int &$return_var ] )
shell_exec():
shell_exec — executes a command through the shell environment (this means that this method can only be run in the shell environment of Linux or Mac OS) and returns the complete output as a string. If an error occurs during execution or the process produces no output, NULL is returned.
exec():
string exec ( string $command [, array &$output [, int &$return_var ]] )
exec executes the command $command, but it does not output all of the results; it returns only the last line of the result. To get all of the results, use the second parameter so that the output goes into an array. Each element of the array is one line of output, so if the output has 10 lines, the array has 10 elements. If you need to repeatedly output the results of calling different external commands, you had better clear this array when outputting the results of each external command, to avoid confusion. The third parameter receives the status code of the command execution; a successful execution usually returns 0.
passthru():
void passthru ( string $command [, int &$return_var ] )
Difference from exec: passthru outputs the result directly and returns nothing, so echo is not needed to view the result.