Detailed explanation of PHP website attack methods - command injection attack

This article mainly introduces command attacks among common attack methods on PHP websites. Command Injection refers to an attack method in which hackers change the dynamically generated content of a web page by entering HTML code into an input mechanism (such as a form field that lacks effective validation restrictions). Using system commands is a dangerous operation, especially if you are trying to use remote data to construct the command to be executed. If contaminated data is used, command injection vulnerabilities arise.

Command injection attack

The following 5 functions can be used in PHP to execute external Application or function

system, exec, passthru, shell_exec, "(same function as shell_exec)

Function prototype

string system(string command, int &return_var)

command The command to be executed

return_var stores the status value after the execution of the command

string exec ( string command, array &output, int &return_var)

command The command to be executed

output Gets each line of string output by executing the command

return_var stores the executed command The status value

void passthru (string command, int &return_var)

command The command to be executed

return_var stores the status value after executing the command

string shell_exec (string command)

command The command to be executed

漏洞实例

例1:

1. //ex1.php 
   $dir = $_GET["dir"]; 
   if (isset($dir)) 
   { 
   echo "";
   system("ls -al ".$dir); 
   echo ""; 
   } 
   ?>

我们提交http://www.sectop.com/ex1.php?dir=| cat /etc/passwd

提交以后，命令变成了 system("ls -al | cat /etc/passwd");

eval注入攻击

eval函数将输入的字符串参数当作PHP程序代码来执行

函数原型:

mixed eval(string code_str) //eval注入一般发生在攻击者能控制输入的字符串的时候

1. //ex2.php 
   $var = "var"; 
   if (isset($_GET["arg"])) 
   { 
   $arg = $_GET["arg"]; 
   eval("\$var = $arg;"); 
   echo "\$var =".$var; 
   } 
   ?>

当我们提交http://www.sectop.com/ex2.php?arg=phpinfo();漏洞就产生了；

动态函数

1. php 
   func A() 
   { 
   dosomething(); 
   } 
   func B() 
   { 
   dosomething(); 
   } 
   if (isset($_GET["func"])) 
   { 
   $myfunc = $_GET["func"]; 
   echo $myfunc(); 
   } 
   ?>

程序员原意是想动态调用A和B函数，那我们提交http://www.sectop.com/ex.php?func=phpinfo漏洞产生

防范方法

1、尽量不要执行外部命令

2、使用自定义函数或函数库来替代外部命令的功能

3、使用escapeshellarg函数来处理命令参数

4. Use safe_mode_exec_dir to specify the path of the executable file

The esacpeshellarg function will escape any characters that cause the end of parameters or commands, single quotes "'", and replace them with "\'", double quotes " "", replace it with "\"", replace the semicolon ";" with "\;"

Use safe_mode_exec_dir to specify the path of the executable file. You can put the commands you will use in this path in advance

safe_mode = On

safe_mode_exec_dir = /usr/local/php/bin/

The above is the detailed content of Detailed explanation of PHP website attack methods - command injection attack. For more information, please follow other related articles on the PHP Chinese website!