This article mainly introduces the command attack in the common attack mode of PHP website. command injection, an order injection attack, is a means by which a hacker changes the dynamically generated content of a Web page by inputting HTML code into an input mechanism, such as a table field that lacks valid validation restrictions. Using system commands is a risky operation, especially if you are trying to use remote data to construct a command to execute. If the contaminated data is used, the command injection vulnerability is generated.
Command injection attack
The following 5 functions can be used in PHP to execute external applications or functions
System, exec, PassThru, Shell_exec, "(Same as shell_exec function)
Function prototypes
String System (String command, int &return_var)
Command to execute
Return_var the state value after the execution of the execution command is held
String exec (String command, array &output, int &return_var)
Command to execute
Output gets the string of each line that executes the command output
Return_var the status value after the execution of the command
void PassThru (String command, int &return_var)
Command to execute
Return_var the status value after the execution of the command
String shell_exec (String command)
Command to execute
Vulnerability instance
Example 1:
- ex1.php
- $dir = $_get["dir"];
- if (Isset ($dir))
- {
- echo "
";
- System ("Ls-al". $DIR);
- echo "
";
We submit http://www.sectop.com/ex1.php?dir=| cat/etc/passwd
After submission, the command becomes system ("Ls-al | CAT/ETC/PASSWD ");
Eval injection attack
The Eval function executes the input string parameter as a PHP program code.
Function Prototypes:
Mixed eval (string code_str)//eval injection typically occurs when an attacker can control the input string
- ex2.php
- $var = "var";
- if (Isset ($_get["Arg"]))
- {
- $arg = $_get["Arg"];
- eval ("\ $var = $arg;");
- echo "\ $var =". $var;
- }
- ?>
When we submit http://www.sectop.com/ex2.php?arg=phpinfo (), the loophole arises;
Dynamic functions
- Php
- Func A ()
- {
- DoSomething ();
- }
- Func B ()
- {
- DoSomething ();
- }
- if (Isset ($_get["func"]))
- {
- $MyFunc = $_get["func"];
- Echo $myfunc ();
- }
- ?>
The programmer intended to dynamically invoke the A and B functions, and then we commit the http://www.sectop.com/ex.php?func=phpinfo vulnerability to produce
Precautionary approach
1. Try not to execute external commands
2. Use custom functions or libraries to replace the functions of external commands
3. Use the Escapeshellarg function to handle command parameters
4. Use Safe_mode_exec_dir to specify the path to the executable file
The Esacpeshellarg function will escape any character that causes the argument or command to end, single quote "'", replace with "\", double quote "" ", replace with" \ "", semicolon ";" Replace with "\;"
Using Safe_mode_exec_dir to specify the path to the executable file, you can put the command that will be used in this path
Safe_mode = On
Safe_mode_exec_dir =/usr/local/php/bin/