DVWA命令执行漏洞教学文档<\/h1>

一、命令执行漏洞概述<\/h2>
命令执行漏洞是指应用程序未对用户输入进行充分过滤，导致攻击者能够通过构造特殊输入在服务器上执行任意系统命令的安全漏洞。<\/p>

二、DVWA命令执行实验环境<\/h2>

DVWA(Damn Vulnerable Web Application)提供了四个安全等级的命令执行实验场景：<\/p>

Low级别<\/strong>：无任何过滤<\/li>
Medium级别<\/strong>：部分过滤<\/li>
High级别<\/strong>：严格过滤但有缺陷<\/li>

Impossible级别<\/strong>：完全防护<\/li> <\/ol>
三、各等级详细分析<\/h2>
Low级别<\/h3>
漏洞代码分析<\/h4>
if<\/span>(isset<\/span>($_POST['Submit'<\/span>])) { <\/span><\/span> $target =<\/span> $_REQUEST['ip'<\/span>]; <\/span><\/span> <\/span><\/span> if<\/span>(stristr<\/span>(php_uname<\/span>('s'<\/span>), 'Windows NT'<\/span>)) { <\/span><\/span> $cmd =<\/span> shell_exec<\/span>('ping '<\/span>.<\/span>$target); <\/span><\/span> } else<\/span> { <\/span><\/span> $cmd =<\/span> shell_exec<\/span>('ping -c 4 '<\/span>.<\/span>$target); <\/span><\/span> } <\/span><\/span> <\/span><\/span> echo<\/span> "<pre><\/span>{<\/span>$cmd}<\/span><\/pre>"<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>漏洞点<\/h4> 直接拼接用户输入$target<\/code>到系统命令中<\/li> 无任何过滤或验证<\/li> <\/ul> 利用方法<\/h4> 可以使用各种命令拼接符：<\/p> 127.0.0.1; ls 127.0.0.1 && cat \/etc\/passwd 127.0.0.1 | netstat -an <\/code><\/pre> 常用命令拼接符<\/h4> 符号<\/th> 说明<\/th> <\/tr> <\/thead> ;<\/code><\/td> 执行完前一个命令后执行后一个命令<\/td> <\/tr> &<\/code><\/td> 后台执行前一个命令，然后执行后一个命令<\/td> <\/tr> &&<\/code><\/td> 前一个命令成功才执行后一个命令<\/td> <\/tr> `<\/td> `<\/td> <\/tr> `<\/td> <\/td> <\/tr> <\/tbody> <\/table> Medium级别<\/h3> 漏洞代码分析<\/h4> $substitutions =<\/span> array<\/span>( <\/span><\/span> '&&'<\/span> =><\/span> ''<\/span>, <\/span><\/span> ';'<\/span> =><\/span> ''<\/span>, <\/span><\/span>); <\/span><\/span> <\/span><\/span>$target =<\/span> str_replace<\/span>(array_keys<\/span>($substitutions), $substitutions, $target); <\/span><\/span><\/code><\/pre>过滤措施<\/h4> 过滤了&&<\/code>和;<\/code>字符<\/li> <\/ul> 绕过方法<\/h4> 使用未被过滤的|<\/code>或&<\/code>符号：<\/li> <\/ul> 127.0.0.1 | whoami 127.0.0.1 & ipconfig <\/code><\/pre> High级别<\/h3> 漏洞代码分析<\/h4> $substitutions =<\/span> array<\/span>( <\/span><\/span> '&'<\/span> =><\/span> ''<\/span>, <\/span><\/span> ';'<\/span> =><\/span> ''<\/span>, <\/span><\/span> '| '<\/span> =><\/span> ''<\/span>, \/\/ 注意这里有空格 <\/span><\/span><\/span><\/span> '-'<\/span> =><\/span> ''<\/span>, <\/span><\/span> '$'<\/span> =><\/span> ''<\/span>, <\/span><\/span> '('<\/span> =><\/span> ''<\/span>, <\/span><\/span> ')'<\/span> =><\/span> ''<\/span>, <\/span><\/span> '`'<\/span> =><\/span> ''<\/span>, <\/span><\/span> '||'<\/span> =><\/span> ''<\/span>, <\/span><\/span>); <\/span><\/span> <\/span><\/span>$target =<\/span> str_replace<\/span>(array_keys<\/span>($substitutions), $substitutions, $target); <\/span><\/span><\/code><\/pre>过滤措施<\/h4> 过滤了多种特殊字符<\/li> 特别注意'| '<\/code>是带空格的管道符<\/li> <\/ul> 绕过方法<\/h4> 使用不带空格的|<\/code>：<\/li> <\/ul> 127.0.0.1|uname -a <\/code><\/pre> Impossible级别<\/h3> 防护代码分析<\/h4> $target =<\/span> stripslashes<\/span>($target); <\/span><\/span>$octet =<\/span> explode<\/span>("."<\/span>, $target); <\/span><\/span> <\/span><\/span>if<\/span>((is_numeric<\/span>($octet[0<\/span>])) &&<\/span> <\/span><\/span> (is_numeric<\/span>($octet[1<\/span>])) &&<\/span> <\/span><\/span> (is_numeric<\/span>($octet[2<\/span>])) &&<\/span> <\/span><\/span> (is_numeric<\/span>($octet[3<\/span>])) &&<\/span> <\/span><\/span> (sizeof<\/span>($octet) ==<\/span> 4<\/span>)) { <\/span><\/span> $target =<\/span> $octet[0<\/span>].<\/span>'.'<\/span>.<\/span>$octet[1<\/span>].<\/span>'.'<\/span>.<\/span>$octet[2<\/span>].<\/span>'.'<\/span>.<\/span>$octet[3<\/span>]; <\/span><\/span> \/\/ 执行ping <\/span><\/span><\/span><\/span>} else<\/span> { <\/span><\/span> echo<\/span> '<pre>ERROR: You have entered an invalid IP.<\/pre>'<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>防护措施<\/h4> 使用stripslashes()<\/code>去除反斜杠<\/li> 将输入按.<\/code>分割为四部分<\/li> 验证每部分是否为数字<\/li> 验证是否为合法的四段IP格式<\/li> 重新拼接IP地址<\/li> <\/ol> 四、相关PHP函数解析<\/h2> 1. shell_exec()<\/h3> 执行shell命令并返回完整输出字符串<\/li> 类似函数比较： system()<\/code>: 直接输出结果<\/li> exec()<\/code>: 返回最后一行或数组<\/li> passthru()<\/code>: 直接输出原始结果<\/li> 反引号`<\/code>: 与shell_exec()<\/code>功能相同<\/li> <\/ul> <\/li> <\/ul> 2. stristr()<\/h3> 查找字符串的首次出现<\/li> 语法：stristr(string $haystack, mixed $needle)<\/code><\/li> <\/ul> 3. php_uname()<\/h3> 获取运行PHP的操作系统信息<\/li> 参数： 's': 操作系统名称<\/li> 'n': 主机名<\/li> 'r': 版本信息<\/li> 'v': 版本详情<\/li> 'm': 机器类型<\/li> <\/ul> <\/li> <\/ul> 五、防御措施总结<\/h2> 输入验证<\/strong>：<\/p> 严格限制输入格式（如Impossible级别的IP验证）<\/li> 使用白名单而非黑名单<\/li> <\/ul> <\/li> 命令执行防护<\/strong>：<\/p> 避免直接拼接用户输入到系统命令<\/li> 使用安全的API替代系统命令<\/li> <\/ul> <\/li> 其他措施<\/strong>：<\/p> 使用escapeshellarg()<\/code>或escapeshellcmd()<\/code>函数<\/li> 设置Web服务器以最小权限运行<\/li> 实施CSRF防护（如Impossible级别中的token验证）<\/li> <\/ul> <\/li> <\/ol> 六、实验建议<\/h2> 依次尝试各个安全等级，观察防护措施的演进<\/li> 在Low级别尝试所有命令拼接符<\/li> 在Medium和High级别尝试绕过过滤<\/li> 分析Impossible级别的完整防护方案<\/li> 思考在实际开发中如何应用这些防护措施<\/li> <\/ol> 通过本实验，可以深入理解命令执行漏洞的原理、利用方式及防护方法，对提高Web应用安全性有重要意义。<\/p>

符号<\/th>	说明<\/th> <\/tr> <\/thead>
`;<\/code><\/td>`	执行完前一个命令后执行后一个命令<\/td> <\/tr>
`&<\/code><\/td>`	后台执行前一个命令，然后执行后一个命令<\/td> <\/tr>
`&&<\/code><\/td>`	前一个命令成功才执行后一个命令<\/td> <\/tr>
`<\/td>	`<\/td> <\/tr>
`<\/td>	<\/td> <\/tr> <\/tbody> <\/table> Medium级别<\/h3> 漏洞代码分析<\/h4> $substitutions =<\/span> array<\/span>( <\/span><\/span> '&&'<\/span> =><\/span> ''<\/span>, <\/span><\/span> ';'<\/span> =><\/span> ''<\/span>, <\/span><\/span>); <\/span><\/span> <\/span><\/span>$target =<\/span> str_replace<\/span>(array_keys<\/span>($substitutions), $substitutions, $target); <\/span><\/span><\/code><\/pre>过滤措施<\/h4> 过滤了&&<\/code>和;<\/code>字符<\/li> <\/ul> 绕过方法<\/h4> 使用未被过滤的\|<\/code>或&<\/code>符号：<\/li> <\/ul> 127.0.0.1 \| whoami 127.0.0.1 & ipconfig <\/code><\/pre> High级别<\/h3> 漏洞代码分析<\/h4> $substitutions =<\/span> array<\/span>( <\/span><\/span> '&'<\/span> =><\/span> ''<\/span>, <\/span><\/span> ';'<\/span> =><\/span> ''<\/span>, <\/span><\/span> '\| '<\/span> =><\/span> ''<\/span>, \/\/ 注意这里有空格 <\/span><\/span><\/span><\/span> '-'<\/span> =><\/span> ''<\/span>, <\/span><\/span> '$'<\/span> =><\/span> ''<\/span>, <\/span><\/span> '('<\/span> =><\/span> ''<\/span>, <\/span><\/span> ')'<\/span> =><\/span> ''<\/span>, <\/span><\/span> '`'<\/span> =><\/span> ''<\/span>, <\/span><\/span> '\|\|'<\/span> =><\/span> ''<\/span>, <\/span><\/span>); <\/span><\/span> <\/span><\/span>$target =<\/span> str_replace<\/span>(array_keys<\/span>($substitutions), $substitutions, $target); <\/span><\/span><\/code><\/pre>过滤措施<\/h4> 过滤了多种特殊字符<\/li> 特别注意'\| '<\/code>是带空格的管道符<\/li> <\/ul> 绕过方法<\/h4> 使用不带空格的\|<\/code>：<\/li> <\/ul> 127.0.0.1\|uname -a <\/code><\/pre> Impossible级别<\/h3> 防护代码分析<\/h4> $target =<\/span> stripslashes<\/span>($target); <\/span><\/span>$octet =<\/span> explode<\/span>("."<\/span>, $target); <\/span><\/span> <\/span><\/span>if<\/span>((is_numeric<\/span>($octet[0<\/span>])) &&<\/span> <\/span><\/span> (is_numeric<\/span>($octet[1<\/span>])) &&<\/span> <\/span><\/span> (is_numeric<\/span>($octet[2<\/span>])) &&<\/span> <\/span><\/span> (is_numeric<\/span>($octet[3<\/span>])) &&<\/span> <\/span><\/span> (sizeof<\/span>($octet) ==<\/span> 4<\/span>)) { <\/span><\/span> $target =<\/span> $octet[0<\/span>].<\/span>'.'<\/span>.<\/span>$octet[1<\/span>].<\/span>'.'<\/span>.<\/span>$octet[2<\/span>].<\/span>'.'<\/span>.<\/span>$octet[3<\/span>]; <\/span><\/span> \/\/ 执行ping <\/span><\/span><\/span><\/span>} else<\/span> { <\/span><\/span> echo<\/span> '<pre>ERROR: You have entered an invalid IP.<\/pre>'<\/span>; <\/span><\/span>} <\/span><\/span><\/code><\/pre>防护措施<\/h4> 使用stripslashes()<\/code>去除反斜杠<\/li> 将输入按.<\/code>分割为四部分<\/li> 验证每部分是否为数字<\/li> 验证是否为合法的四段IP格式<\/li> 重新拼接IP地址<\/li> <\/ol> 四、相关PHP函数解析<\/h2> 1. shell_exec()<\/h3> 执行shell命令并返回完整输出字符串<\/li> 类似函数比较： system()<\/code>: 直接输出结果<\/li> exec()<\/code>: 返回最后一行或数组<\/li> passthru()<\/code>: 直接输出原始结果<\/li> 反引号`<\/code>: 与shell_exec()<\/code>功能相同<\/li> <\/ul> <\/li> <\/ul> 2. stristr()<\/h3> 查找字符串的首次出现<\/li> 语法：stristr(string $haystack, mixed $needle)<\/code><\/li> <\/ul> 3. php_uname()<\/h3> 获取运行PHP的操作系统信息<\/li> 参数： 's': 操作系统名称<\/li> 'n': 主机名<\/li> 'r': 版本信息<\/li> 'v': 版本详情<\/li> 'm': 机器类型<\/li> <\/ul> <\/li> <\/ul> 五、防御措施总结<\/h2> 输入验证<\/strong>：<\/p> 严格限制输入格式（如Impossible级别的IP验证）<\/li> 使用白名单而非黑名单<\/li> <\/ul> <\/li> 命令执行防护<\/strong>：<\/p> 避免直接拼接用户输入到系统命令<\/li> 使用安全的API替代系统命令<\/li> <\/ul> <\/li> 其他措施<\/strong>：<\/p> 使用escapeshellarg()<\/code>或escapeshellcmd()<\/code>函数<\/li> 设置Web服务器以最小权限运行<\/li> 实施CSRF防护（如Impossible级别中的token验证）<\/li> <\/ul> <\/li> <\/ol> 六、实验建议<\/h2> 依次尝试各个安全等级，观察防护措施的演进<\/li> 在Low级别尝试所有命令拼接符<\/li> 在Medium和High级别尝试绕过过滤<\/li> 分析Impossible级别的完整防护方案<\/li> 思考在实际开发中如何应用这些防护措施<\/li> <\/ol> 通过本实验，可以深入理解命令执行漏洞的原理、利用方式及防护方法，对提高Web应用安全性有重要意义。<\/p>

DVWA命令执行漏洞教学文档<\/h1>

一、命令执行漏洞概述<\/h2> 命令执行漏洞是指应用程序未对用户输入进行充分过滤，导致攻击者能够通过构造特殊输入在服务器上执行任意系统命令的安全漏洞。<\/p>

三、各等级详细分析<\/h2>

Low级别<\/h3>

Medium级别<\/h3>

High级别<\/h3>

Impossible级别<\/h3>

四、相关PHP函数解析<\/h2>

一、命令执行漏洞概述<\/h2>
命令执行漏洞是指应用程序未对用户输入进行充分过滤，导致攻击者能够通过构造特殊输入在服务器上执行任意系统命令的安全漏洞。<\/p>