Arbitrary code Command Execution Vulnerability

Code execution:

principle:	When an application when you call some of the code can be converted into a string function, it did not consider whether the user is able to control this string will result in a code injection vulnerability.
In php:	eval assert preg_replace(‘/*/e', '$ret = "\\1";',$data);
In the asp:	eval exevute executeglobal
In the jsp:	jsp not in php eval function, may be used reflection, the reflection-based expression engine, as 0GNL, SpEL, MVEL like.

Code execution vulnerability:

1, due to code execution vulnerability thinkphp, we can use the Google search syntax to such sites.

2, learning code audit, found himself some code execution vulnerability.

Simple code execution:

<?php     $data = $_GET[‘data’];     eval("\$ret = strtolower(\"$data\");");     echo $ret; ?>

Use:

• http://localhost/?data=${phpinfo();}

Code execution method of defense:

1, using the json save array, you do not need to use when reading the eval.

2, must be used for local eval, must strictly handle user data (whitelist, blacklist).

3, comprises a controllable single quotes string code, addslashes escape (addslashes, Sum quotes, htmlspecialchars, htmlentities, mysql_real_escape_string) prior to insertion.

4, to renounce the use of e preg_replace modifiers, using the preg_replace_callback () Replace (preg_replace_callback ()).

The object 5, must be used if the e preg_replace modifier, wrapped in single quotes certainly matched the regular (regular preg_replace +).