This article covers command injection, one of the common attack methods against PHP websites. Command injection is an attack in which an attacker alters what a web application executes by supplying crafted input through an input mechanism (such as a form field) that lacks effective validation. Executing system commands is a dangerous operation, especially when remote data is used to build the command to be executed: if tainted data ends up in the command string, a command injection vulnerability arises.
Command injection attack
The following 5 functions can be used in PHP to execute an external application or command:
system, exec, passthru, shell_exec, and the backtick operator ` (which does the same thing as shell_exec)
Function prototypes:
string system(string command, int &return_var)
  command: the command to be executed
  return_var: receives the exit status of the command
string exec(string command, array &output, int &return_var)
  command: the command to be executed
  output: receives each line of output produced by the command
  return_var: receives the exit status of the command
void passthru(string command, int &return_var)
  command: the command to be executed
  return_var: receives the exit status of the command
string shell_exec(string command)
  command: the command to be executed
Vulnerability examples
Example 1:
<?php
// ex1.php: the directory name is taken from the request and concatenated
// straight into a shell command (deliberately vulnerable example)
if (isset($_GET["dir"])) {
    $dir = $_GET["dir"];
    echo "<pre>";
    system("ls -al " . $dir);
    echo "</pre>";
}
?>
We submit http://www.sectop.com/ex1.php?dir=| cat /etc/passwd
After submission, the command becomes system("ls -al | cat /etc/passwd");
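A hardened replacement for ex1.php, added here as an example (it is not code from the original article). It assumes a fixed base directory BASE_DIR and applies two independent layers: the request value must resolve to an existing directory under that base, and whatever is passed to the shell goes through escapeshellarg(), so that even the article's "| cat /etc/passwd" input would reach ls as a single quoted filename rather than as a pipeline. The command is printed instead of executed so the effect of each layer is visible.

```php
<?php
// Added example (not from the original article): hardened version of ex1.php.
// BASE_DIR is an assumed value for this example.
const BASE_DIR = '/var/www/public';

// Return the validated absolute directory, or null if the input is not acceptable.
function resolve_listing_dir(string $userInput, string $baseDir = BASE_DIR): ?string
{
    // Layer 1a: conservative character allowlist. No spaces, pipes, quotes,
    // semicolons or backticks ever reach the command builder.
    if (!preg_match('/^[A-Za-z0-9_\/.-]{1,128}$/', $userInput)) {
        return null;
    }
    // Layer 1b: the path must exist and stay inside BASE_DIR. realpath()
    // resolves "..", so a prefix comparison defeats directory traversal.
    $base = realpath($baseDir);
    $full = realpath($baseDir . '/' . $userInput);
    if ($base === false || $full === false || !is_dir($full)) {
        return null;
    }
    if ($full !== $base
        && strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Layer 2: build the command with the argument quoted for the shell.
// This function only returns the string; nothing is executed here.
function build_listing_command(string $dir): string
{
    return 'ls -al ' . escapeshellarg($dir);
}

// Constructed inputs: the article's attack string, a traversal attempt, a benign name.
$inputs = ['| cat /etc/passwd', '../../etc', 'uploads'];

foreach ($inputs as $in) {
    // What the shell would see if only escapeshellarg() were used: the whole
    // value becomes one literal argument, e.g. ls -al '| cat /etc/passwd'
    echo "escaped only : " . build_listing_command($in) . "\n";

    $dir = resolve_listing_dir($in);
    if ($dir === null) {
        echo "validated    : rejected " . var_export($in, true) . "\n";
        continue;
    }
    $cmd = build_listing_command($dir);
    echo "validated    : would run $cmd\n";
    // system($cmd); // only reached for a real directory under BASE_DIR
}
```

Run it from the command line with php; on a machine where BASE_DIR does not exist every input is rejected by the validation layer, and the "escaped only" lines still show that the pipe character never gets shell meaning once the argument is quoted.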
eval injection attack
The eval function executes its string argument as PHP code.
Function prototype:
mixed eval(string code_str) // eval injection generally occurs when an attacker can control the input string
<?php
// ex2.php: the request value is interpolated into a PHP statement and
// executed with eval (deliberately vulnerable example)
$var = "var";
if (isset($_GET["arg"])) {
    $arg = $_GET["arg"];
    eval("\$var = $arg;");
    echo "\$var = " . $var;
}
?>
When we submit http://www.sectop.com/ex2.php?arg=phpinfo(); the vulnerability is triggered.
Dynamic functions
<?php
// The request value is used directly as a function name (deliberately vulnerable example)
function dosomething() { echo "doing something\n"; } // placeholder body
function A() { dosomething(); }
function B() { dosomething(); }
if (isset($_GET["func"])) {
    $myfunc = $_GET["func"];
    echo $myfunc();
}
?>
The programmer's intention was to call function A or B dynamically, but if we submit http://www.sectop.com/ex.php?func=phpinfo the vulnerability is triggered.
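The following example, added here and not part of the original article, shows safe replacements for both ex2.php and the dynamic-function dispatcher above. For ex2.php the observation is that eval("\$var = $arg;") was only copying a request value into a variable, which a plain assignment does without ever parsing the value as code. For the dispatcher, the request value is checked against a fixed allowlist of the application's own function names before it is called, so a name like phpinfo or system cannot be reached. The request values in the loops are constructed for the demonstration.

```php
<?php
// Added example (not from the original article): eval-free assignment and
// allowlisted dynamic dispatch. All request values below are constructed.

// --- ex2.php without eval(): the value is data, not code ---------------------
function assign_without_eval(string $arg): string
{
    // eval("\$var = $arg;") only ever copied $arg into $var. A plain assignment
    // gives the same result and never hands the request value to the PHP parser.
    $var = $arg;
    return $var;
}

// --- dynamic dispatch through an allowlist -----------------------------------
function A(): string { return "A ran\n"; }
function B(): string { return "B ran\n"; }

// Only names listed here may be called; the list is fixed in code, not derived
// from the request.
const ALLOWED_FUNCS = ['A', 'B'];

function dispatch(string $name): string
{
    // Strict comparison so loosely-equal values (e.g. "0") cannot match an entry.
    if (!in_array($name, ALLOWED_FUNCS, true)) {
        throw new InvalidArgumentException("unknown action: $name");
    }
    // $name is now guaranteed to be one of our own functions.
    return $name();
}

// The article's eval payload is stored as an ordinary string, nothing runs.
foreach (['phpinfo();', '42'] as $arg) {
    echo "arg=" . var_export($arg, true)
        . " -> \$var = " . var_export(assign_without_eval($arg), true) . "\n";
}

// The article's func=phpinfo payload is rejected; A and B still work.
foreach (['A', 'B', 'phpinfo', 'system'] as $func) {
    try {
        echo dispatch($func);
    } catch (InvalidArgumentException $e) {
        echo "rejected: " . $e->getMessage() . "\n";
    }
}
```

If the real application needs user-chosen behaviour, a map from short action keys to closures works the same way as ALLOWED_FUNCS: the request selects an entry, it never supplies the callable itself.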
Prevention methods
1. Avoid executing external commands wherever possible
2. Use custom functions or function libraries to replace the functionality of external commands
3. Use the escapeshellarg function to process command arguments
4. Use safe_mode_exec_dir to specify the directory of executable files
The escapeshellarg function escapes any character that would terminate an argument or a command: a single quote ' is replaced with \', a double quote " is replaced with \", and a semicolon ; is replaced with \;
Use safe_mode_exec_dir to specify the directory of executable files, and place the commands you will need in that directory in advance:
safe_mode = On
safe_mode_exec_dir = /usr/local/php/bin/
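Two points a practitioner should know about the settings above: safe_mode and safe_mode_exec_dir were removed in PHP 5.4, so on current PHP the same effect has to be achieved in application code, and escapeshellarg() does its job by wrapping the whole value in single quotes (escaping any embedded single quote), whereas backslash-escaping of metacharacters such as ; | & in a complete command string is what escapeshellcmd() does. The example below, added here and not from the original article, is a userland stand-in for safe_mode_exec_dir: a tool may run only if it is found by bare name in a fixed directory (TOOL_DIR, an assumed value), and every argument is passed through escapeshellarg(). It also prints what escapeshellarg() produces for the characters the article lists.

```php
<?php
// Added example (not from the original article): userland replacement for
// safe_mode_exec_dir. TOOL_DIR is an assumed value.
const TOOL_DIR = '/usr/local/php/bin';

// Build the full command string; throws before anything could be executed.
function build_tool_command(string $tool, array $args, string $toolDir = TOOL_DIR): string
{
    // The tool name must be a bare filename: no slashes, no shell metacharacters,
    // so "../../bin/sh" or "ls;id" can never escape the tool directory.
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $tool)) {
        throw new InvalidArgumentException("bad tool name: $tool");
    }
    $path = $toolDir . '/' . $tool;
    if (!is_file($path) || !is_executable($path)) {
        throw new RuntimeException("tool not available in $toolDir: $tool");
    }
    // Absolute path to the binary plus each argument as one quoted word.
    $parts = [escapeshellarg($path)];
    foreach ($args as $a) {
        $parts[] = escapeshellarg((string) $a);
    }
    return implode(' ', $parts);
}

// Execute a validated tool and return its exit status and output lines.
function run_tool(string $tool, array $args, string $toolDir = TOOL_DIR): array
{
    $out = [];
    $status = 1;
    exec(build_tool_command($tool, $args, $toolDir), $out, $status);
    return ['status' => $status, 'output' => $out];
}

// What escapeshellarg() does with the characters discussed in the article
// (constructed sample values).
foreach (["it's", 'say "hi"', 'a;b', '| cat /etc/passwd'] as $raw) {
    printf("%-22s -> %s\n", var_export($raw, true), escapeshellarg($raw));
}

// Constructed calls. '/bin' is used here only so the example runs on a typical
// system; in a deployment TOOL_DIR would hold just the binaries you allow.
$calls = [
    ['ls',           ['-al', '/tmp']],
    ['../../bin/sh', ['-c', 'id']],
];
foreach ($calls as [$tool, $args]) {
    try {
        echo "would run: " . build_tool_command($tool, $args, '/bin') . "\n";
    } catch (Exception $e) {
        echo "rejected : " . $e->getMessage() . "\n";
    }
}
```

The first call is accepted because /bin/ls exists and every argument is quoted; the second is rejected by the filename check before the filesystem is even consulted. run_tool() is the function the application would call; the demonstration loop deliberately stops at building the string.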
The above is the detailed content of Detailed explanation of PHP website attack methods - command injection attack. For more information, please follow other related articles on the PHP Chinese website!