Scroll down and click the “View source” button to view the source code of the current level.
Vulnerability: The code takes user input from $_REQUEST['ip'] and concatenates it directly into the command string passed to shell_exec(), with no validation or sanitization at all. The application blindly trusts that the user will only enter an IP address. This allows an attacker to append any shell operator (|, &&, ;) followed by arbitrary OS commands, which the server executes with the web server's privileges.
Confirming Injection
Start by confirming code execution with the simplest payload:
;whoami
;cat /etc/passwd
When you submit ;whoami, the semicolon ; is a shell command separator that tells the shell to run whatever comes after it as a completely new, independent command. So the shell executes ping first, then executes whoami right after, regardless of whether ping succeeded or failed. Since there is no filtering on the input, the semicolon reaches the shell untouched and both commands run.
Scroll down and click the “View source” button to view the source code of the current level.
Vulnerability: The code attempts to fix the issue with a blacklist, stripping && and ; from the input. This is incomplete because it blocks only two of many operators. The pipe operator | is not addressed at all and works as-is.
Blacklists like this assume you know every possible attack vector in advance, which is never true.
Confirming Injection
The pipe operator | was never added to the blacklist. It passes through completely untouched:
| whoami
| cat /etc/passwd
| id
| uname -a
When you submit | whoami, the pipe | sends the output of the left-hand command to the right-hand command as its input. whoami, however, does not read any input; it ignores whatever is piped into it and runs anyway. What matters is that the pipe forces whoami to execute. Since the blacklist strips only && and ;, the pipe passes through untouched. The output of whoami is what shell_exec() captures and the page renders in the browser.
Scroll down and click the “View source” button to view the source code of the current level.
Vulnerability: The code blocks almost every common operator and even command substitution characters like backticks and $(). It looks thorough but has one critical mistake.
The blacklist strips the two-character sequence of a pipe followed by a space ("| "). It does not strip the pipe | on its own. This means a pipe with no space before the command bypasses the filter completely.
Confirming Injection
|whoami
|cat /etc/passwd
|id
The Linux shell does not require a space after the pipe to recognise it: |whoami and | whoami are treated identically by the shell. So whoami executes, and its output is rendered in the browser.
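As an added example (not code from this post or from DVWA itself), the following Python models the three levels' filters as the post describes them, tokenises the filtered input the way a POSIX shell would to show which payloads still carry an operator, and contrasts that with the allowlist fix: validate the value as an IP literal and pass it as an argv element with no shell involved. The full contents of the high-level blacklist are an assumption; the post only names &&, ;, the pipe-plus-space entry, backticks and $().

```python
import ipaddress
import shlex
from typing import List, Optional

# Blacklists modelled on the post's description of the medium and high levels.
# Only "&&", ";", the pipe-plus-space entry, backticks and "$(" are named in
# the post; the rest of HIGH_BLACKLIST is an assumption, not DVWA's source.
MEDIUM_BLACKLIST = ["&&", ";"]
HIGH_BLACKLIST = ["&&", ";", "| ", "`", "$(", ")", "||", "&"]
LEVELS = {"low": [], "medium": MEDIUM_BLACKLIST, "high": HIGH_BLACKLIST}


def apply_blacklist(user_input: str, blacklist: List[str]) -> str:
    """Strip each token in order, mirroring PHP's str_replace() with an array."""
    for token in blacklist:
        user_input = user_input.replace(token, "")
    return user_input


def still_injects(filtered: str) -> bool:
    """True if a command-separating operator survives, as a POSIX shell lexes it.
    With punctuation_chars=True, "|whoami" and "| whoami" both yield a "|" token,
    which is exactly why the high level's "| " entry does not help."""
    tokens = list(shlex.shlex(filtered, punctuation_chars=True))
    return any(t in ("|", "||", ";", "&", "&&") for t in tokens)


def survives(payload: str, level: str) -> bool:
    """Does the payload still carry a shell operator after the level's filter?"""
    return still_injects(apply_blacklist(payload, LEVELS[level]))


def validate_ip(user_input: str) -> Optional[str]:
    """Allowlist fix: accept only a syntactically valid IP literal, else None."""
    try:
        return str(ipaddress.ip_address(user_input.strip()))
    except ValueError:
        return None


def build_ping_argv(user_input: str) -> Optional[List[str]]:
    """Argv for subprocess.run(argv, shell=False): no shell ever parses the input."""
    ip = validate_ip(user_input)
    return None if ip is None else ["ping", "-c", "4", ip]


if __name__ == "__main__":
    for payload, level in ((";whoami", "low"), ("| whoami", "medium"), ("|whoami", "high")):
        print(f"{level:6} {payload!r:12} injects={survives(payload, level)} allowlist={validate_ip(payload)}")
```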