On the PHP command execution vulnerability

PHP command execution functions

PHP provides the following functions for executing external programs, for example: system(), shell_exec(), exec(), passthru()

system()

<?php
    // $argv[1] is taken from the command line and spliced into the shell
    // command unchecked: this is the command injection discussed below.
    $host = $argv[1];
    system("ping ".$host);
?>

Run on the server: php.exe index.php 192.168.2.1

Now run php.exe index.php "|net user" (here the "|" character cuts off the ping in the source code, so the shell executes the command that follows it instead)

passthru() - executes an external program and displays its raw output.
proc_open() - executes a command and opens file pointers for its input/output.
shell_exec() - runs a command through the shell environment and returns the complete output as a string.
popen() - opens a process file pointer: the command passed as the popen() argument is executed and its file handle is returned.

eval()

The PHP eval() function executes the string passed as its parameter as PHP code at run time; the input must be a valid PHP code string terminated with a semicolon.

<?php
    eval($_REQUEST['code']);
    // $_REQUEST: holds data from both GET and POST requests
?>

Appending ?code=phpinfo(); to the URL sends the string to the server with a GET request; when index.php processes the request, eval() executes the request string as PHP code.

Dynamic Invocation

<?php
    function T1() {
        echo "<script>alert('Hello,World!');</script>";
        return 0;
    }

    function T2() {
        echo "<script>alert('Error');</script>";
        return 0;
    }

    $fun = $_REQUEST['fun'];
    echo $fun();
    // when the value of fun is "phpinfo", the echo above becomes phpinfo()
?>

Of course, this is not limited to calling phpinfo(), T1() and so on; arguments can be passed as well:

<?php
    // both the function name and its argument come from the query string
    $fun = $_GET['fun'];
    $par = $_GET['par'];
    $fun($par);
?>
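The ping snippet and the dynamic-call snippets above, rewritten with the checks a defender would apply. This is an added example, not code from the original post; it assumes a CLI script named ping.php (hypothetical) and uses only standard PHP functions.

```php
<?php
// Added example, not from the original post: hardened counterparts of the
// page's system("ping ".$host) and $fun() snippets.

// 1. Command execution: never splice raw input into a shell string.
function safe_ping(string $host): string {
    // Accept only a syntactically valid IPv4/IPv6 address, so a value such
    // as "|net user" is rejected before any command is built.
    if (filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not an IP address: $host");
    }
    // escapeshellarg() quotes the value so shell metacharacters (| ; & ` $)
    // are passed to ping as data rather than interpreted by the shell.
    $count = PHP_OS_FAMILY === 'Windows' ? '-n 1' : '-c 1';
    $cmd = 'ping ' . $count . ' ' . escapeshellarg($host);
    return (string) shell_exec($cmd);
}

// 2. Dynamic invocation: resolve user input through an explicit allow-list
//    instead of calling $fun() with whatever name the request supplies.
const ALLOWED_FUNCS = ['t1' => 'T1', 't2' => 'T2'];

function T1(): int { echo "Hello,World!\n"; return 0; }
function T2(): int { echo "Error\n"; return 0; }

function call_allowed(string $name): int {
    $key = strtolower($name);
    if (!array_key_exists($key, ALLOWED_FUNCS)) {
        // phpinfo, system and similar names are not in the table,
        // so they can never be reached through this path.
        throw new InvalidArgumentException("function not allowed: $name");
    }
    return (ALLOWED_FUNCS[$key])();
}

// Usage (CLI): php ping.php 192.168.2.1 t1
try {
    echo safe_ping($argv[1] ?? '');
    call_allowed($argv[2] ?? '');
} catch (InvalidArgumentException $e) {
    fwrite(STDERR, "rejected: " . $e->getMessage() . "\n");
    exit(1);
}
```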

Other dangerous PHP functions

array_map()

<?php
    // the callback name comes straight from the query string
    $arr = $_GET['arr'];
    $array = array(1,2,3,4,5);
    $new_array = array_map($arr, $array);
?>

array_map() returns an array produced by applying the user-supplied callback to every element; here the callback name itself comes from user input.

assert()

bool assert(mixed $assertion [,string $description])

Checks whether an assertion is false; a string passed as the assertion is executed as PHP code.

preg_replace()

Performs a regular expression search and replace. It is listed here because of the deprecated /e (PREG_REPLACE_EVAL) pattern modifier, which evaluates the replacement as PHP code (removed in PHP 7).

mixed preg_replace ( mixed $pattern , mixed $replacement , mixed $subject [, int $limit = -1 [, int &$count ]] )

pattern: the regular expression pattern to search for

replacement: the replacement string or array

subject: the string or array to search and replace in

include

include $file

When the variable $file is under the user's control, we can include any file and thereby achieve getshell;

Depending on the environment and configuration, file inclusion is divided into local file inclusion and remote file inclusion.

File manipulation functions

copy: copies a file

file_get_contents: reads an entire file into a string

file_put_contents: writes a string to a file

file: reads an entire file into an array

fopen: opens a file or URL

move_uploaded_file: moves an uploaded file to a new location

readfile: outputs a file

rename: renames a file or directory

rmdir: removes a directory

unlink & delete: delete files

Special Functions

phpinfo(): outputs the PHP compile options, loaded extensions and their versions, server configuration, environment variables, operating system information, path variables and other highly sensitive configuration information.

Using a symbolic link to read file contents

symlink(): creates a symbolic link to a target; generally used on Linux servers. Reading the link file returns the contents of the linked target.

Environment Variables

getenv: gets the value of an environment variable

putenv($a): adds the variable $a to the server environment, but the variable lives only for the duration of the current request; when the request ends the environment is restored to its original state.

Recommended Reading: PHP code audit - common risk and special functions

Origin www.cnblogs.com/wangyuyang1016/p/11794817.html