OS/Exec运行Shell CMD“ RSH”漏洞
$ GO版本
GO版本GO1.18 Windows/amd64
$ GO ENV
set GO111MODULE=on
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\Binglei.Hou\AppData\Local\go-build
set GOENV=C:\Users\Binglei.Hou\AppData\Roaming\go\env
set GOEXE=
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=D:\gocode\pkg\mod
set GONOPROXY=*.corp.example.com
set GONOSUMDB=*.corp.example.com
set GOOS=linux
set GOPATH=D:\gocode
set GOPRIVATE=*.corp.example.com
set GOPROXY=https://goproxy.cn,direct
set GOROOT=D:\go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=D:\go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.18
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=0
set GOMOD=D:\gocode\src\vg-monitor\go.mod
set GOWORK=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-fPIC -m64 -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\Binglei.Hou\AppData\Local\Temp\go-build564106301=/tmp/go-build -gno-record-gcc-switches
您做了什么?
我使用exec.command运行rsh cmd for:
for _, value := range this.Info {
cmd := exec.Command("rsh", "-l", "monitor", value[0], "sh", "tru", "grou")
var stdout bytes.Buffer
cmd.Stdout = &stdout
err := cmd.Run()
if err != nil {
fmt.Println("cmd start err is:", err)
}
fmt.Println(value[0], "---> start")
fmt.Println("stdout is :", stdout.String())
value [0]表示远程主机IP。
您期望看到什么?
我希望stdout.sting()的每个结果都有值,
您看到了什么?
一些stdout.sting()具有价值,有些则没有。 和远程主机IP ID在每个弹奏期间都不同。 例如,一个人可能是1.1.1.1没有结果,下一次1.1.1.1可能有结果,但是2.2.2.2.2.2.2可能没有值。
$ go version
go version go1.18 windows/amd64
$ go env
set GO111MODULE=on
set GOARCH=amd64
set GOBIN=
set GOCACHE=C:\Users\Binglei.Hou\AppData\Local\go-build
set GOENV=C:\Users\Binglei.Hou\AppData\Roaming\go\env
set GOEXE=
set GOEXPERIMENT=
set GOFLAGS=
set GOHOSTARCH=amd64
set GOHOSTOS=windows
set GOINSECURE=
set GOMODCACHE=D:\gocode\pkg\mod
set GONOPROXY=*.corp.example.com
set GONOSUMDB=*.corp.example.com
set GOOS=linux
set GOPATH=D:\gocode
set GOPRIVATE=*.corp.example.com
set GOPROXY=https://goproxy.cn,direct
set GOROOT=D:\go
set GOSUMDB=sum.golang.org
set GOTMPDIR=
set GOTOOLDIR=D:\go\pkg\tool\windows_amd64
set GOVCS=
set GOVERSION=go1.18
set GCCGO=gccgo
set GOAMD64=v1
set AR=ar
set CC=gcc
set CXX=g++
set CGO_ENABLED=0
set GOMOD=D:\gocode\src\vg-monitor\go.mod
set GOWORK=
set CGO_CFLAGS=-g -O2
set CGO_CPPFLAGS=
set CGO_CXXFLAGS=-g -O2
set CGO_FFLAGS=-g -O2
set CGO_LDFLAGS=-g -O2
set PKG_CONFIG=pkg-config
set GOGCCFLAGS=-fPIC -m64 -fno-caret-diagnostics -Qunused-arguments -fmessage-length=0 -fdebug-prefix-map=C:\Users\Binglei.Hou\AppData\Local\Temp\go-build564106301=/tmp/go-build -gno-record-gcc-switches
What did you do?
I used exec.Command to run rsh cmd in for:
for _, value := range this.Info {
cmd := exec.Command("rsh", "-l", "monitor", value[0], "sh", "tru", "grou")
var stdout bytes.Buffer
cmd.Stdout = &stdout
err := cmd.Run()
if err != nil {
fmt.Println("cmd start err is:", err)
}
fmt.Println(value[0], "---> start")
fmt.Println("stdout is :", stdout.String())
value[0] means remote host IP.
What did you expect to see?
i expect each result of stdout.Sting() has value
What did you see instead?
some stdout.Sting() has value, and some not.
and remote host IP id different during every for func.
for example one may be 1.1.1.1 has no result, and next time 1.1.1.1 may have result, but 2.2.2.2 may be has no value.
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论