PHP Eval Study Notes

Source: Internet
Author: User

PHP is really easy to use. Today, after learning from scratch, I feel that I can write something simple...

0. Background:

A PHP plug-in at our company needs frequent updates. Although a PHP update program already exists, the plug-in often cannot be updated in time because of restrictions on users' FTP write permissions and other reasons.

Therefore, consider the following process:

- Save the code in binary form in the MySQL database (not in a cache).

- Read the script code from the database every time it is loaded.

- Have index.php run the dynamically read code in a way similar to eval('code').

In this way, you only need to update the code in the MySQL database each time.

1. Possible technical problems:

Before I started my research, I had the following questions:

1. Can mixed PHP and HTML code run successfully?

http://stackoverflow.com/questions/2520344/php-eval-issue-with-php-html-code

2. Do PHP include and PHP require still work?

include_once also needs to be considered.

3. Which special characters need to be escaped?

4. Is there a problem with return?

5. Are the execution permissions different?

6. Can exceptions be handled correctly?

If I have missed any technical points, please let me know.

 

2. Examples

Based on the above questions, I made the following seven examples.

Testing shows that PHP eval can handle the following:

2.1 Run a plain string

For example, echo("aaa");

2.2 Run a string starting with <?php

For example, <?php echo("aaa");

2.3 Run a string that starts with <?php and ends with ?>

2.4 Run a string that mixes HTML and PHP

2.5 Read code from MySQL (as a string) and load it dynamically

2.6 Run code that contains include and require

2.7 Check whether an error occurred during execution

However, detailed exception information cannot be captured.

Attached test sample code:

Eval example

<?php
// Sample 1: simplest PHP code
$sample1 = "echo(\"sample 1\");echo(\"\n<br />\");";

// Sample 2: PHP code with <?php head
$sample2 = "<?php echo(\"sample 2\");echo(\"\n<br />\");?>";

// Sample 3: PHP code with <?php head and no closing tag
$sample3 = "<?php echo(\"sample 3\");echo(\"\n<br />\");";

// Sample 4: PHP code mixed with HTML
$sample4 = "<div>HTML Start<br /> <?php echo(\"sample 3\");echo(\"\n<br />\"); ?> HTMLEnd<br />";

// Sample 5: mimic reading PHP code from a MySQL database
$phpfiles1 = [
    "phpfile1" => "<?php echo(\"I'm php file 1\");echo(\"\n<br />\");?>",
    "folder1\\phpfile2" => "<?php echo(\"I'm php file 2\");echo(\"\n<br />\");?>",
];

// Sample 6: PHP code with include. The include statement is replaced by the
// included file's code before eval, so it has no terminating semicolon here.
$phpfiles2 = [
    "phpfile1" => "<?php include 'phpfile2' echo(\"I'm php file 1\");echo(\"\n<br />\"); ?>",
    "phpfile2" => "<?php echo(\"I'm php file 2\");echo(\"\n<br />\");?>",
];

// Sample 7: exception handling (deliberate syntax error: missing semicolon)
$sample7 = "<?php echo(\"sample 2\")echo(\"\n<br />\");?>";

/////////////////////////////////////////////////////////////////////////////

// Notes on escaping before the code is stored
echo("First of all, before codes are stored into databases, it requires replacing escape character<br />");
echo("replace \" with \\\"<br />");
echo("replace \\ with \\\\<br />");
echo("and other escape character<br />");
echo("<br />");

// eval sample 1: plain code needs no wrapper
echo("Sample 1: simplest php code<br />");
eval($sample1);
echo("<br />==================<br />");

// eval sample 2: leave PHP mode first, re-enter it after the closing tag
echo("Sample 2: PHP code with < ?php head");
echo("<br />");
eval('?> ' . $sample2 . ' <?php ');
echo("<br />==================<br />");

// eval sample 3: no closing tag, so nothing is appended
echo("Sample 3: PHP code with < ?php head and no ? >end");
echo("<br />");
eval('?> ' . $sample3);
echo("<br />==================<br />");

// eval sample 4
echo("Sample 4: PHP code combined massively with HTML");
eval('?> ' . $sample4 . ' <?php ');
echo("<br />==================<br />");

// eval sample 5: look the scripts up by name, as a database read would
echo("Sample 5: Mimic read PHP code from MySQL database");
echo("<br />");
$sample5_1 = $phpfiles1["phpfile1"];
eval('?> ' . $sample5_1 . ' <?php ');
$sample5_2 = $phpfiles1["folder1\\phpfile2"];
eval('?> ' . $sample5_2 . ' <?php ');
echo("<br />==================<br />");

// eval sample 6: resolve the include by hand before eval
echo("Sample 6: PHP Code with include");
echo("<br />");
$sample6 = $phpfiles2["phpfile1"];
$sample6_includefile = '';
if (strpos($sample6, "'") !== FALSE) {
    // The included file name sits between the first two single quotes.
    $sample6_include_1stquote_pos = strpos($sample6, "'");
    $sample6_include_2ndquote_pos = strpos($sample6, "'", $sample6_include_1stquote_pos + 1);
    $sample6_includefile = substr($sample6
            , $sample6_include_1stquote_pos + 1
            , $sample6_include_2ndquote_pos - $sample6_include_1stquote_pos - 1
    );
}
echo("Included file: " . $sample6_includefile . "<br />");
$sample6_2 = $phpfiles2[$sample6_includefile];
// Strip the opening tag (6 characters including the space) and the closing tag.
if (substr($sample6_2, 0, 2) == "<?") {
    $sample6_2 = substr($sample6_2, 6);
}
if (substr($sample6_2, strlen($sample6_2) - 2, 2) == "?>") {
    $sample6_2 = substr($sample6_2, 0, strlen($sample6_2) - 2);
}
// Inline the included code in place of the include statement.
$sample6 = \str_replace("include '" . $sample6_includefile . "' ", $sample6_2, $sample6);
eval('?> ' . $sample6 . ' <?php ');
echo("Should use some logic here, to judge if a include file is include or request more than once.<br />");
echo("If the php file included starts with < ?php and ends with ? >, < ?php and ? > should be removed.<br />");
echo("<br />==================<br />");

// eval sample 7: exception handling.
// On PHP 5, eval() returns false on a parse error; PHP 7 and later throw ParseError instead.
$evalresult = eval($sample7);
if ($evalresult !== null) {
    echo("Exception occurs");
}
echo("<br />");
echo("No further exception message can be captured.");

 

 

3. Notes

1. Security

http://php.net/manual/en/function.eval.php

If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

As the official PHP site warns, take care not to pass any user-provided code into eval before verifying that it is safe. Otherwise there is a risk that malicious code will be executed.
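The validation called for in the security note, applied to the database-backed loader described at the start, as an added example that is not part of the original notes: a stored script is evaluated only if its HMAC matches, and on PHP 7 and later the loader also reports the parse error that section 2.7 could not capture. The key constant, the row layout and the function names are assumptions, and the rows are constructed stand-ins for the MySQL result set.

```php
<?php
// Added example, not the original author's code. Names and row layout are assumptions.

// Assumption: the signing key lives outside the database (file or environment),
// so write access to MySQL alone cannot produce a valid signature.
const PLUGIN_SIGNING_KEY = 'constructed-demo-key-change-me';

// Run at publish time, on the machine that holds the key.
function sign_plugin_code(string $name, string $code): string
{
    // Bind the signature to the script name so rows cannot be swapped.
    return hash_hmac('sha256', $name . "\0" . $code, PLUGIN_SIGNING_KEY);
}

// Run on every load: verify first, evaluate only on a match.
function run_plugin_row(array $row): string
{
    $expected = sign_plugin_code($row['name'], $row['code']);
    if (!hash_equals($expected, $row['sig'])) {   // constant-time comparison
        return 'rejected: signature mismatch';
    }
    ob_start();
    try {
        // Closing-tag prefix as in the samples, so stored code may mix HTML and PHP.
        eval('?>' . $row['code']);
    } catch (ParseError $e) {
        // PHP 7 and later throw ParseError instead of returning false.
        ob_end_clean();
        return 'parse error on line ' . $e->getLine() . ': ' . $e->getMessage();
    }
    return 'ok: ' . ob_get_clean();
}

// Constructed rows standing in for the MySQL result set.
$good   = "<?php echo 'plugin v2'; ?>";
$broken = "<?php echo('a')echo('b'); ?>";   // missing semicolon, like sample 7
$rows = [
    ['name' => 'plugin', 'code' => $good, 'sig' => sign_plugin_code('plugin', $good)],
    // Code changed in the database without re-signing: must not reach eval.
    ['name' => 'plugin', 'code' => "<?php echo 'tampered'; ?>",
     'sig' => sign_plugin_code('plugin', $good)],
    // Correctly signed but syntactically broken: caught and reported.
    ['name' => 'broken', 'code' => $broken, 'sig' => sign_plugin_code('broken', $broken)],
];
foreach ($rows as $row) {
    echo run_plugin_row($row), "\n";
}
```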

 

2. End with a semicolon

Because the code may be missing a semicolon at the end, you may need to append a semicolon to it when executing it.

 
