In PHP, create_function() is used to create an anonymous function. If the parameters passed to it are not strictly filtered, an attacker can construct a special string, pass it to create_function(), and execute arbitrary commands. Take the following code as an example:

    <?php
    // how to exp this code
    $sort_by = $_GET['sort_by'];
    $sorter = 'strnatcasecmp';
    $databases = array('test', 'test');
    $sort_function = ' return 1 * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]);';
    usort($databases, create_function('$a, $b', $sort_function));
    ?>

In this code, $sort_by takes the $_GET value directly, without filtering. In create_function(), the function body $sort_function is just a simple string concatenation, so injection can write our code into it. First we test by injecting phpinfo(); into the $sort_function passed to create_function. Save the above code as func.php and request:

    func.php?sort_by="]);}phpinfo();/*

Execution result: the phpinfo() function is executed.

Before analyzing the details, let's talk about create_function(). create_function returns the function name as a string in the format "\000_lambda_" . count(anonymous_functions)++. The implementation steps of create_function are:

1. Get the parameters and the function body.
2. Piece together the string "function __lambda_func(parameters) { function body; }".
3. eval it.
4. Look up the function body produced by eval in the function table via __lambda_func; raise an error if it cannot be found.
5. Define a new function name: "\000_lambda_" . count(anonymous_functions)++.
6. Replace __lambda_func with the new function name.
7. Return the new function.

Actually, create_function is a ZEND_FUNCTION, defined in ./Zend/zend_builtin_functions.c:
    eval_code = (char *) emalloc(eval_code_length);
    sprintf(eval_code, "function " LAMBDA_TEMP_FUNCNAME "(%s){%s}", Z_STRVAL_PP(z_function_args), Z_STRVAL_PP(z_function_code));
    eval_name = zend_make_compiled_string_description("runtime-created function" TSRMLS_CC);
    retval = zend_eval_string(eval_code, NULL, eval_name TSRMLS_CC);

We can see that only zend_eval_string is used here to generate the anonymous function. In "function " LAMBDA_TEMP_FUNCNAME "(%s){%s}", we control the function body part, so we can close the preceding "{" and follow it with our phpinfo() call. Substituting the submitted parameter sort_by="]);}phpinfo();/* into the function, we can see that the "}" in the submitted sort_by parameter closes the "{" of the generated anonymous function, so the phpinfo() is executed by zend_eval_string. Run the following command to test command execution:
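As an added example (not part of the original article), here is the same sort hardened: the sort key is checked against a fixed whitelist and a closure replaces create_function(), so user input is data for the comparator and is never compiled as source. create_function() was deprecated in PHP 7.2 and removed in PHP 8.0; the closure form below uses PHP 7+ syntax. The column names and sample rows are constructed for the example.

```php
<?php
// Added example, not from the original article: the same sort, hardened.
// Assumption: rows are associative arrays and only these column names
// (constructed for the example) are legitimate sort keys.
const ALLOWED_SORT_KEYS = ['name', 'size', 'created'];

function safeSort(array $rows, string $sortBy): array
{
    // Exact-match whitelist: the user picks a key, never writes source code.
    if (!in_array($sortBy, ALLOWED_SORT_KEYS, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    // The closure captures $sortBy as a value; nothing is eval()'d, so
    // quotes, braces or comment markers in the input have no effect.
    usort($rows, function (array $a, array $b) use ($sortBy): int {
        return strnatcasecmp((string) $a[$sortBy], (string) $b[$sortBy]);
    });
    return $rows;
}

// Constructed sample rows.
$databases = [
    ['name' => 'test10', 'size' => 30],
    ['name' => 'test2',  'size' => 10],
];

print_r(safeSort($databases, 'name'));   // natural order: test2, test10

try {
    // The injection string from the article is rejected before it reaches
    // any code path that could compile it.
    safeSort($databases, '"]);}phpinfo();/*');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```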