Arbitrary code Execution Vulnerability

Background Introduction :When applied to a function that calls some strings into code, no consideration is given to whether the user can control the string, resulting in a code injection vulnerability.
Correlation function:PHP eval (), assert () python exec () Java does not have a function similar to the previous two, but there are reflection mechanisms, and there are expression engines based on the reflection mechanism, such as 0GNL, Spel, Mvel, etc.

The main function that can cause code injection in--php--

①eval ()

<span style= "FONT-SIZE:14PX;" ><?php
$data = $_get[' data '];
Eval ($ret = $data);
echo $ret
?></span>

$data=phpinfo (), you can display the contents of the phpinfo.php file
②assert (), like the former, executes a string as code.
③preg_replace () +/e mode

<?php
$data = $_get[' data '];
Preg_replace ('/<data> (. *) <\/data>/e ', ' $ret = ' \\1 '; ', $data);
? >

Echo $reat

Make a data=<data>${phpinfo ()}</data>
Instance:
④unserialize () (deserialization function)
Repair plan:For the Eval () function, it is important to ensure that the user is not easily exposed to eval parameters, if the contact must use single quotes wrapped controllable code, and before inserting the addslashes

<?php
$data = addslashes ($data);
Eval ("$data = Deal (' $data ')");
? >

For the Preg_replace () function, you can discard the use of the/e modifier or use the Preg_replace_callback () function instead. If you must use this function, make sure that the second argument is wrapped in single quotes for the object that matches the regular match.