Command injection attack
The following 5 functions can be used in PHP to execute external applications or functions
System, exec, PassThru, Shell_exec, "(Same as shell_exec function)
Function prototypes
String System (String command, int &return_var)
Command to execute
Return_var the state value after the execution of the execution command is held
String exec (String command, array &output, int &return_var)
Command to execute
Output gets the string of each line that executes the command output
Return_var the status value after the execution of the command
void PassThru (String command, int &return_var)
Command to execute
Return_var the status value after the execution of the command
String shell_exec (String command)
Command to execute
Vulnerability instance
Example 1:
Command injection attack PHP can use the following 5 functions to execute external applications or functions system, exec, PassThru, Shell_exec, "(Same as shell_exec function) function prototype string system (string commands, int &return_var) command to execute the Return_var hold the execution of the command after the state value string exec (String command, array & output, int &return_var) command commands to execute output of each line of string return_var the execution command , the state value of void PassThru ( string command, int &return_var) commands to execute Return_var holds the state value after executing the command string shell_exec (string command) commands to execute an example of a vulnerability Example 1:
We submit http://www.sectop.com/ex1.php?dir=| cat/etc/passwd
After submission, the command becomes system ("Ls-al | CAT/ETC/PASSWD ");
Eval injection attack
The Eval function executes the input string parameter as a PHP program code.
Function Prototypes:
Mixed eval (string code_str)//eval injection typically occurs when an attacker can control the input string
When we submit http://www.sectop.com/ex2.php?arg=phpinfo (), the loophole arises;
Dynamic functions
Php
Func A ()
{
DoSomething ();
}
Func B ()
{
DoSomething ();
}
if (Isset ($_get["func"]))
{
$myfunc = $_get["Func"];
Echo $myfunc ();
}
?>
The programmer intended to dynamically invoke the A and B functions, and then we commit the http://www.sectop.com/ex.php?func=phpinfo vulnerability to produce
Precautionary approach
1. Try not to execute external commands
2. Use custom functions or libraries to replace the functions of external commands
3. Use the Escapeshellarg function to handle command parameters
4. Use Safe_mode_exec_dir to specify the path to the executable file
The Esacpeshellarg function will escape any character that causes the argument or command to end, single quote "'", replace with "\", double quote "" ", replace with" \ "", semicolon ";" Replace with "\;"
Using Safe_mode_exec_dir to specify the path to the executable file, you can put the command that will be used in this path
Safe_mode = On
Safe_mode_exec_dir =/usr/local/php/bin/
The above is the full solution of PHP Vulnerability (ii)-The content of the command injection attack, more relevant content please pay attention to topic.alibabacloud.com (www.php.cn)!