1. Code execution functions
PHP functions that can execute code, such as eval(), assert(), `` (backticks), system(), exec(), shell_exec(), passthru(), escapeshellcmd(), pcntl_exec(), etc.
Demo Code 1.1:
2. File inclusion code injection
File inclusion functions such as include(), include_once(), require() and require_once() lead to code injection under certain conditions.
When allow_url_include=On and the PHP version is >= 5.2.0, this leads to code injection.
Demo Code 2.1:
Visiting http://127.0.0.1/include.php?a=data:text/plain,%3C?php%20phpinfo%28%29;?%3E executes phpinfo().
3. Regular expression match code injection
The well-known preg_replace() function can result in code injection. Code is allowed to execute when the pattern carries the /e modifier. We discuss this in three different situations.
3.1 preg_replace() pattern parameter injection
Here the injection is through the first parameter, pattern.
When magic_quotes_gpc=Off, this results in code execution.
Demo Code 3.1:
Accessing http://127.0.0.1/preg_replace1.php?reg=%3c\/php%3e/e executes phpinfo().
3.2 preg_replace() replacement parameter injection
Here the injection is through the second parameter, replacement, and results in code execution.
Demo Code 3.2:
Submitting http://127.0.0.1/preg_replace2.php?h=phpinfo() executes phpinfo().
3.3 preg_replace() third parameter injection
We execute the code by constructing the subject parameter. Submitting http://127.0.0.1/preg_replace3.php?h=
phpinfo()
or http://127.0.0.1/preg_replace3.php?h=.
${phpinfo%28%29}
causes code execution.
Demo Code 3.3:
4. Dynamic code execution
4.1 Dynamic variable code execution
Demo Code 4.1:
Submitting http://127.0.0.1/dyn_func.php?dyn_func=system&argument=ipconfig executes the ipconfig command.
4.2 Dynamic function code execution
Demo Code 4.2:
Submitting http://127.0.0.1/create_function.php?foobar=system%28dir%29 executes the dir command.
5. Other
5.1 Code execution via the ob_start() function
Demo Code 5.1:
5.2 Code execution via the array_map() function
Demo Code 5.2:
Submitting http://127.0.0.1/array_map.php?callback=phpinfo executes phpinfo().
5.3 unserialize() with eval()
unserialize() is a very widely used function in PHP. Improper use of unserialize() is likely to lead to security risks.
Submitting http://127.0.0.1/unserialize.php?saved_code=o:7:%22example%22:1:{s:3:%22var%22;s:10:%22phpinfo%28%29;%22;} executes phpinfo().
5.4 Functions that easily cause security problems
There are many functions of the same type:
array_map()
usort(), uasort(), uksort()
array_filter()
array_reduce()
array_diff_uassoc(), array_diff_ukey()
array_udiff(), array_udiff_assoc(), array_udiff_uassoc()
array_intersect_assoc(), array_intersect_uassoc()
array_uintersect(), array_uintersect_assoc(), array_uintersect_uassoc()
array_walk(), array_walk_recursive()
xml_set_character_data_handler()
xml_set_default_handler()
xml_set_element_handler()
xml_set_end_namespace_decl_handler()
xml_set_external_entity_ref_handler()
xml_set_notation_decl_handler()
xml_set_processing_instruction_handler()
xml_set_start_namespace_decl_handler()
xml_set_unparsed_entity_decl_handler()
stream_filter_register()
set_error_handler()
register_shutdown_function()
register_tick_function()
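
For code review, the sinks catalogued in sections 1 to 5 can be searched for mechanically. The following is an added example, not code from the original article: a line-based audit heuristic in Python that reports a sink only when request data reaches the argument that gets executed. The sample PHP is constructed, and the sink table, category names and one-level taint rule are assumptions of this example.

```python
import re

# Added example. sink -> (category, index of the argument that is run as code)
SINKS = {"eval": ("code", 0), "assert": ("code", 0), "unserialize": ("unserialize", 0),
         "system": ("command", 0), "exec": ("command", 0), "shell_exec": ("command", 0),
         "passthru": ("command", 0), "include": ("include", 0), "require": ("include", 0),
         "include_once": ("include", 0), "require_once": ("include", 0),
         "preg_replace": ("regex", 0), "array_map": ("callback", 0),
         "ob_start": ("callback", 0), "usort": ("callback", 1),
         "array_filter": ("callback", 1), "array_walk": ("callback", 1)}
CALL = re.compile(r"(?<![\w$>])(%s)\b\s*\(?(.*)" % "|".join(SINKS))
SUPERGLOBAL = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=(?!=)(.*)")
E_MODIFIER = re.compile(r"""preg_replace\s*\(\s*['"](.)(?:\\.|(?!\1).)*\1[a-zA-Z]*e[a-zA-Z]*['"]""")

def scan(php_source):
    # Returns (line, category, sink) where request data reaches the code argument.
    tainted, findings = set(), []
    def dirty(expr):
        return bool(SUPERGLOBAL.search(expr)) or any(
            re.search(re.escape(v) + r"\b", expr) for v in tainted)
    for no, line in enumerate(php_source.splitlines(), 1):
        if E_MODIFIER.search(line):  # section 3: literal pattern with /e
            findings.append((no, "regex", "preg_replace /e"))
        for m in CALL.finditer(line):
            kind, idx = SINKS[m.group(1)]
            args = m.group(2).split(",")  # naive split: nested calls need manual review
            if any(dirty(a) for a in args[idx:idx + 1]):
                findings.append((no, kind, m.group(1)))
        for m in re.finditer(r"(\$\w+)\s*\(", line):  # section 4.1: $var(...)
            if dirty(m.group(1)):
                findings.append((no, "dynamic-call", m.group(1)))
        a = ASSIGN.match(line)
        if a and dirty(a.group(2)):  # one-level taint propagation
            tainted.add(a.group(1))
    return findings

# Constructed sample input, not code from the page.
SAMPLE = r'''<?php
$cb = $_GET['callback'];
$ids = array_map('intval', $_POST['ids']);
$out = array_map($cb, $ids);
include($_GET['a']);
$fn = $_REQUEST['dyn_func'];
$fn($_REQUEST['argument']);
echo preg_replace('/(\w+)/e', 'ucfirst("\\1")', $title);
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

Line 3 of the sample is not reported because the callback there is a fixed string; only the data argument comes from the request.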