Summary of PHP code execution vulnerabilities

This article introduces a summary of PHP code execution vulnerabilities, which has certain reference value. Now I share it with everyone. Friends in need can refer to it

PHP code execution vulnerability summary

ref : http://blog.csdn.net/kuangmang/article/details/27170309
ref : http://blog.csdn.net/fuckcat_2333/article/details /52125951

1 Code execution function

The functions in php that can execute code are: eval(), assert(), ``, system(), exec(), shell_exec(), passthru(), pcntl_exec()
When the parameters (parts) in these functions are controllable, command injection vulnerabilities may occur. Escapeshellarg is usually used to process parameters, but there is a vulnerability in this function in the lower version of the PHP library function (reason: backslashes are not filtered on Windows), so you need to pay attention.

2 File Contains Code Injection

When input variables are included in file inclusion functions (include, include_once, require, require_once), code injection may occur.
Conditions: allow_url_include=On, PHP Version>=5.2.0
demo code:

Visit http://127.0.0.1/demo.php?a=data:text/plain, , phpinfo() is executed.

3 Regular expression code injection

preg_replace() function:
When the /e mode modifier exists in pattern and matches, the code in replacement is allowed to be executed.

3.1 第一个(pattern)参数注入

条件：magic_quotes_gpc=Off，pattern参数中注入/e选项；
demo code:

phpinfo()';
preg_replace("/(.*?)$regexp", '\\1', $var);?>

访问http://127.0.0.1/preg_replace1.php?reg=%3C/php%3E/e
即会执行phpinfo()

3.2 第二个人(replacement)参数注入

条件：pattern参数中带/e

提交 http://127.0.0.1/demo2.php?h=phpinfo()时， 即 执行phpinfo()。

3.3 第三个参数注射

4 动态代码执行

4.1 动态变量代码执行

当http://127.0.0.1/dyn_func.php?dyn_func=system&argument=ipconfig时，执行ipconfig命令

4.2 动态函数代码执行

关键函数：create_function
demo code：

当提交http://127.0.0.1/create_function.php?foobar=system%28dir%29时，执行dir命令

5 其他

array_map()函数
ob_start()函数？？？
函数处理函数：http://www.php.net/manual/zh/book.funchand.php

相关推荐：

PHP执行程序php.exe参数解析

The above is the detailed content of Summary of PHP code execution vulnerabilities. For more information, please follow other related articles on the PHP Chinese website!