漏洞挖掘原则
所有变量所有头Cookie中的变量逐个变量删除
命令实行
运用程序开拓者直接调用操作系统的功能;&& | || &查看源码,过滤用户输入
对用户输入没有进行筛选区分:
这时我们看源代码可以看到没有任何过滤方法<?phpif( isset( $_POST[ 'submit' ] ) ) { $target = $_REQUEST[ 'ip' ]; // Determine OS and execute the ping command. if (stristr(php_uname('s'), 'Windows NT')) { $cmd = shell_exec( 'ping ' . $target ); echo '<pre>'.$cmd.'</pre>'; } else { $cmd = shell_exec( 'ping -c 3 ' . $target ); echo '<pre>'.$cmd.'</pre>'; } }?>
<?phpif( isset( $_POST[ 'submit'] ) ) { $target = $_REQUEST[ 'ip' ]; // Remove any of the charactars in the array (blacklist). $substitutions = array( '&&' => '', ';' => '', ); $target = str_replace( array_keys( $substitutions ), $substitutions, $target ); // Determine OS and execute the ping command. if (stristr(php_uname('s'), 'Windows NT')) { $cmd = shell_exec( 'ping ' . $target ); echo '<pre>'.$cmd.'</pre>'; } else { $cmd = shell_exec( 'ping -c 3 ' . $target ); echo '<pre>'.$cmd.'</pre>'; }}?>
如果改成高等别就很完善了
<?phpif( isset( $_POST[ 'submit' ] ) ) { $target = $_REQUEST["ip"]; $target = stripslashes( $target ); // Split the IP into 4 octects $octet = explode(".", $target); // Check IF each octet is an integer if ((is_numeric($octet[0])) && (is_numeric($octet[1])) && (is_numeric($octet[2])) && (is_numeric($octet[3])) && (sizeof($octet) == 4) ) { // If all 4 octets are int's put the IP back together. $target = $octet[0].'.'.$octet[1].'.'.$octet[2].'.'.$octet[3]; // Determine OS and execute the ping command. if (stristr(php_uname('s'), 'Windows NT')) { $cmd = shell_exec( 'ping ' . $target ); echo '<pre>'.$cmd.'</pre>'; } else { $cmd = shell_exec( 'ping -c 3 ' . $target ); echo '<pre>'.$cmd.'</pre>'; } } else { echo '<pre>ERROR: You have entered an invalid IP</pre>'; } }?>
上述代码既担保你输入切实其实定是数字,也担保你肯定是xxx.xxx.xxx.xxx格式的
