First, what is command execution?
1. Command execution
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009125855212-73819635.png)
2. Command execution vulnerability
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009125913042-829968962.png)
3. Conditions under which a command execution vulnerability arises
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009125938177-1871291144.png)
4. Common command execution functions
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009125954030-1381698813.png)
Second, exploiting command execution vulnerabilities
1. Privileges
The impact of a command injection vulnerability depends on the privileges the web middleware (Apache, nginx, etc.) runs with. Because the web application runs on the web middleware, it "inherits" the middleware's privileges. If a web application with a command injection vulnerability runs on middleware that runs as an administrator, then commands executed through the web application run with administrator privileges.
2. Common system commands and functions
A command can be used to echo a webshell into a specified file.
① Syntax for executing multiple commands at once on Windows
In effect, with a pipe symbol the two commands are both executed.
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009130022892-1207300399.png)
② Syntax for executing multiple commands at once on Linux
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009130038973-1275923001.png)
Third, command execution through deserialization
(Goal: be able to use an exp to exploit the vulnerability successfully, and understand what a deserialization vulnerability is and how it works.)
1. PHP serialization
① What is serialization?
PHP allows an object to be saved so that it can easily be reused later; this process is called serialization.
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009130100712-443120574.png)
② A serialization code example follows:
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009130114333-684452327.png)
2. PHP deserialization
① A deserialization code example follows:
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009130127636-2002538313.png)
② Constructors (called automatically when the corresponding operation is performed)
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009130142768-1151522608.png)
③ Constructor sample code follows:
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009130158290-887152142.png)
3. * What is a deserialization vulnerability?
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009130211523-1993519390.png)
4. Example PHP deserialization vulnerability
![](https://img2018.cnblogs.com/blog/1816388/201910/1816388-20191009130226396-2098197859.png)
* How it works: when the argument passed to unserialize() is a controllable variable, a carefully constructed serialized string can be passed in to control objects inside the program, and even functions.
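
The principle above, as an added example (not code from the original post): a constructed class and a constructed serialized string show a magic method firing when unserialize() receives caller-controlled input, then the same input handled with `allowed_classes` disabled and with JSON instead. The class `TempFile`, the function `decodePrefs` and all values are hypothetical.

```php
<?php
// Constructed demo class (hypothetical): its magic method stands in for a
// sensitive action that an attacker-controlled property could steer.
class TempFile
{
    public $path = '/tmp/app-cache.tmp';
    public static $log = [];

    public function __destruct()
    {
        // Harmless stand-in for something like unlink($this->path).
        self::$log[] = "destructor ran with path={$this->path}";
    }
}

// Constructed sample input: a serialized TempFile with a caller-chosen property.
$untrusted = 'O:8:"TempFile":1:{s:4:"path";s:15:"attacker-chosen";}';

// 1) Vulnerable pattern: the object is rebuilt from the string, and its
//    destructor later runs with the supplied property value.
$obj = unserialize($untrusted);
unset($obj);
echo "unsafe: ", json_encode(TempFile::$log), PHP_EOL;

// 2) Hardened: refuse to instantiate classes (PHP 7.0+). The result is a
//    __PHP_Incomplete_Class placeholder, so no TempFile method is invoked.
TempFile::$log = [];
$obj = unserialize($untrusted, ['allowed_classes' => false]);
echo "placeholder: ", var_export($obj instanceof __PHP_Incomplete_Class, true), PHP_EOL;
unset($obj);
echo "restricted: ", json_encode(TempFile::$log), PHP_EOL;

// 3) Preferred for untrusted data: a format that cannot carry objects,
//    followed by explicit validation of every field (PHP 7.3+ for the flag).
function decodePrefs(string $json): array
{
    $data = json_decode($json, true, 4, JSON_THROW_ON_ERROR);
    $theme = is_array($data) ? ($data['theme'] ?? 'light') : null;
    if (!in_array($theme, ['light', 'dark'], true)) {
        throw new InvalidArgumentException('invalid theme');
    }
    return ['theme' => $theme];
}

echo "json: ", json_encode(decodePrefs('{"theme":"dark"}')), PHP_EOL;
```

When reviewing code, treat every unserialize() call whose argument comes from a request, cookie, cache or database field as a finding unless it passes an `allowed_classes` allowlist or has been replaced with a data-only format.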