PHP Code Execution Vulnerability reference summary

Source: Internet
Author: User

Heimian blog

1. Code execution functions
Functions that can execute code in PHP, such as eval(), assert(), the backtick operator (``), system(), exec(), shell_exec(), passthru(), escapeshellcmd(), pcntl_exec(), etc.
Demo code 1.1:

2. File inclusion code injection
Code injection through the file-inclusion functions under specific conditions, such as include(), include_once(), require() and require_once().
When allow_url_include = On and PHP version >= 5.2.0, code injection is possible.
Demo code 2.1:

Accessing http://127.0.0.1/include.php?a=data:text/plain,%3C?php%20phpinfo%28%29;?%3E
runs phpinfo().
3. Regular expression matching code injection
Code injection caused by the well-known preg_replace() function. When the /e pattern modifier is present in the pattern, code execution is possible. We discuss this in three cases.
3.1 preg_replace() pattern parameter injection
Code injection through the first parameter, pattern.
When magic_quotes_gpc = Off, the code is executed.
Demo code 3.1:

Accessing http://127.0.0.1/preg_replace1.php?reg=%3C/php%3E/e
runs phpinfo().
3.2 preg_replace() replacement parameter injection
Code injection through the second parameter, replacement, resulting in code execution.

Demo code 3.2:

When we submit http://127.0.0.1/preg_replace2.php?h=phpinfo()
it runs phpinfo().
3.3 preg_replace() subject parameter injection
We construct the third parameter, subject, to execute code. Submit http://127.0.0.1/preg_replace3.php?h=
phpinfo()

or http://127.0.0.1/preg_replace3.php?h=
${phpinfo%28%29}
to cause code execution.
Demo code 3.3:

4. Dynamic code execution
4.1 Dynamic variable code execution
Demo code 4.1:

Submitting http://127.0.0.1/dyn_func.php?dyn_func=system&argument=ipconfig executes the ipconfig command.
4.2 Dynamic function code execution
Demo code 4.2:

Submitting http://127.0.0.1/create_function.php?foobar=system%28dir%29 runs the dir command.
5. Others
5.1 Code execution through the ob_start() function
Demo code 5.1:

5.2 Code execution through the array_map() function
Demo code 5.2:

Submitting http://127.0.0.1/array_map.php?callback=phpinfo executes phpinfo().

5.3 unserialize() and eval()
unserialize() is a heavily used PHP function. Improper use of unserialize() may cause security risks.
(See Heige's challenge 2: http://hi.baidu.com/hi_heige/blog/item/505b2828da5b18f499250a9b.html)
Demo code 5.3:

Submitting http://127.0.0.1/unserialize.php?saved_code=O:7:%22Example%22:1:{s:3:%22var%22;s:10:%22phpinfo%28%29;%22;} executes phpinfo().
5.4 Functions that can easily cause security problems
There are many functions of the same type:
array_map()
usort(), uasort(), uksort()
array_filter()
array_reduce()
array_diff_uassoc(), array_diff_ukey()
array_udiff(), array_udiff_assoc(), array_udiff_uassoc()
array_intersect_assoc(), array_intersect_uassoc()
array_uintersect(), array_uintersect_assoc(), array_uintersect_uassoc()
array_walk(), array_walk_recursive()
xml_set_character_data_handler()
xml_set_default_handler()
xml_set_element_handler()
xml_set_end_namespace_decl_handler()
xml_set_external_entity_ref_handler()
xml_set_notation_decl_handler()
xml_set_processing_instruction_handler()
xml_set_start_namespace_decl_handler()
xml_set_unparsed_entity_decl_handler()
stream_filter_register()
set_error_handler()
register_shutdown_function()
register_tick_function()
Reference: http://php-security.org/2010/05/20/mops-submission-07-our-dynamic-php/index.html
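A defender-side check for the sinks listed in this section and the dynamic calls of section 4, added here as an example that is not part of the original post: a small token_get_all() scanner that reports calls where the code or callback argument is a variable, plus variable function calls. The sink table, the argument positions and the sample source are my own assumptions; it needs PHP 7+ and does not detect a literal /e modifier (section 3) or the include family (section 2).

```php
<?php
// Added example (not from the original post): token-based scanner for the sinks above. It flags
// (a) a call whose code/callback argument (index per SINKS, assumed) contains a variable and
// (b) a variable function call such as $_GET['f'](...) from section 4.1. Needs PHP 7+.
const SINKS = ['eval' => 0, 'assert' => 0, 'system' => 0, 'exec' => 0, 'shell_exec' => 0,
    'passthru' => 0, 'pcntl_exec' => 0, 'create_function' => 1, 'preg_replace' => 0,
    'unserialize' => 0, 'ob_start' => 0, 'array_map' => 0, 'array_filter' => 1, 'usort' => 1,
    'array_walk' => 1, 'set_error_handler' => 0, 'register_shutdown_function' => 0];
// Index of the nearest non-whitespace, non-comment token starting at $i, stepping by $dir (+1 or -1).
function sig(array $tok, int $i, int $dir = 1): int {
    for (; isset($tok[$i]) && is_array($tok[$i]) && in_array($tok[$i][0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true); $i += $dir);
    return $i;
}
// True if argument number $idx (0-based) of the call whose '(' sits at $open contains a variable.
function argIsDynamic(array $tok, int $open, int $idx): bool {
    for ($i = $open + 1, $d = 0, $n = count($tok); $i < $n; $i++) { $t = $tok[$i];
        if ($t === '(' || $t === '[') $d++;
        elseif (($t === ')' || $t === ']') && $d-- === 0) return false;   // call closed first
        elseif ($t === ',' && $d === 0) $idx--;                           // next top-level argument
        elseif ($idx === 0 && is_array($t) && $t[0] === T_VARIABLE) return true;
    }
    return false;
}
// Returns one "line: message" string per suspicious construct found in $src.
function scanPhp(string $src): array {
    $tok = token_get_all($src); $out = [];
    for ($i = 0, $n = count($tok); $i < $n; $i++) {
        $t = $tok[$i]; if (!is_array($t)) continue; $name = strtolower($t[1]);
        $p = sig($tok, $i - 1, -1); $j = sig($tok, $i + 1);   // neighbouring significant tokens
        // $obj->exec(), Foo::exec() and function exec() {} are not calls to the builtin
        $isMember = $p >= 0 && is_array($tok[$p]) && in_array($tok[$p][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true);
        if (in_array($t[0], [T_STRING, T_EVAL], true) && !$isMember && isset(SINKS[$name])) {
            if ($j < $n && $tok[$j] === '(' && argIsDynamic($tok, $j, SINKS[$name]))
                $out[] = "{$t[2]}: {$t[1]}() receives a variable in argument " . (SINKS[$name] + 1);
        } elseif ($t[0] === T_VARIABLE) {
            while ($j < $n && $tok[$j] === '[') {                // step over $_GET['x'] style subscripts
                for ($d = 0; $j < $n; $j++) { if ($tok[$j] === '[') $d++; elseif ($tok[$j] === ']' && --$d === 0) { $j++; break; } }
                $j = sig($tok, $j);
            }
            if ($j < $n && $tok[$j] === '(') $out[] = "{$t[2]}: variable function call through {$t[1]}";
        }
    }
    return $out;
}
// Constructed sample source mirroring the demo patterns of this page.
$sample = <<<'PHP'
<?php
$_GET['dyn_func']($_GET['argument']);    // section 4.1: variable function call
array_map($_GET['callback'], [1]);        // section 5.2: user-chosen callback
usort($rows, $_GET['cmp']);               // section 5.4: callback is the 2nd argument
$obj = unserialize($_GET['saved_code']);  // section 5.3: untrusted serialized data
array_map('strtoupper', ['a']);           // literal callback: not flagged
PHP;
foreach (scanPhp($sample) as $finding) echo $finding, "\n";
```

Run it with `php scan.php`; on the constructed sample it reports lines 2 to 5 and stays silent on the literal callback in line 6.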

