Home > Developer > Web Develop

PHP Vulnerability Full Solution (ii)-Command injection attack

Source: Internet
Author: User
Tags php website phpinfo vars
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >

This article mainly introduces the command attack in the common attack mode of PHP website. command injection, an order injection attack, is a means by which a hacker changes the dynamically generated content of a Web page by inputting HTML code into an input mechanism, such as a table field that lacks valid validation restrictions. Using system commands is a risky operation, especially if you are trying to use remote data to construct a command to execute. If the contaminated data is used, the command injection vulnerability is generated.

Command injection attack

The following 5 functions can be used in PHP to execute external applications or functions

System, exec, PassThru, Shell_exec, "(Same as shell_exec function)

Function prototypes

String System (String command, int &return_var)

Command to execute

Return_var the state value after the execution of the execution command is held

String exec (String command, array &output, int &return_var)

Command to execute

Output gets the string of each line that executes the command output

Return_var the status value after the execution of the command

void PassThru (String command, int &return_var)

Command to execute

Return_var the status value after the execution of the command

String shell_exec (String command)

Command to execute

Vulnerability instance

Example 1:

    1. ex1.php
    3. $dir = $_get["dir"];
    4. if (Isset ($dir))
    5. {
    6. echo "
      ";
    7. System ("Ls-al".  $DIR);
    8. echo "

";

    • }
    • ?>

We submit http://www.sectop.com/ex1.php?dir=| cat/etc/passwd

After submission, the command becomes system ("Ls-al | CAT/ETC/PASSWD ");

Eval injection attack

The Eval function executes the input string parameter as a PHP program code.

Function Prototypes:

Mixed eval (string code_str)//eval injection typically occurs when an attacker can control the input string

    1. ex2.php
    3. $var = "var";
    4. if (Isset ($_get["Arg"]))
    5. {
    6. $arg = $_get["Arg"];
    7. eval ("\ $var = $arg;");
    8. echo "\ $var =".  $var;
    9. }
    10. ?>

When we submit http://www.sectop.com/ex2.php?arg=phpinfo (), the loophole arises;

Dynamic functions

    1. Php
    2. Func A ()
    3. {
    4. DoSomething ();
    5. }
    6. Func B ()
    7. {
    8. DoSomething ();
    9. }
    10. if (Isset ($_get["func"]))
    11. {
    12. $MyFunc = $_get["func"];
    13. Echo $myfunc ();
    14. }
    15. ?>

The programmer intended to dynamically invoke the A and B functions, and then we commit the http://www.sectop.com/ex.php?func=phpinfo vulnerability to produce

Precautionary approach

1. Try not to execute external commands

2. Use custom functions or libraries to replace the functions of external commands

3. Use the Escapeshellarg function to handle command parameters

4. Use Safe_mode_exec_dir to specify the path to the executable file

The Esacpeshellarg function will escape any character that causes the argument or command to end, single quote "'", replace with "\", double quote "" ", replace with" \ "", semicolon ";" Replace with "\;"

Using Safe_mode_exec_dir to specify the path to the executable file, you can put the command that will be used in this path

Safe_mode = On

Safe_mode_exec_dir =/usr/local/php/bin/

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
php injection attack example os command injection attack example sql injection attack example php sql injection solution what sql injection vulnerability php command injection sql injection vulnerability scanner

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More