Shulou(Shulou.com)05/31 Report--

This article Xiaobian introduces in detail for you "php command execution and code execution vulnerabilities how to solve", the content is detailed, the steps are clear, the details are handled properly, I hope this "php command execution and code execution vulnerabilities how to solve" article can help you solve doubts, following the editor's ideas slowly in-depth, together to learn new knowledge.

Note: this article is for reference only.

Command execution definition

When the application needs to call some external programs to process the content, it will use some functions to execute system commands. Such as system,exec,shell_exec in PHP, when the user can control the parameters in the command execution function, malicious system commands can be injected into normal commands, resulting in command execution attacks.

Cause of formation

The advantage of scripting language is concise and convenient, but it is also accompanied by some problems, such as slow speed, unable to remove the bottom of the system, if we develop applications that need some special functions to remove web, we need to call some external programs. There is a threat as well as convenience.

Vulnerability hazard

Inherit the permissions of the Web service program to execute system commands or read and write files

Rebound shell

Control the entire website or even the server

Further intranet penetration

The difference between code execution and command execution

Command execution vulnerability:

Call operating system commands directly (equivalent to typing commands under cmd)

The principle of command execution vulnerability: in the operating system, "&, |, | |" can be used as a command connector. The user submits the execution command through the browser, because the server does not filter the execution function. Causes the command to be executed without specifying an absolute path (such as adding a user named admin password admin to join the administrators group (giving administrator privileges))

Command1&command2 executes two commands simultaneously

Command1&&command2 only if the previous command is executed successfully, the latter command will continue to execute.

Command1;command2 regardless of whether the previous command is executed successfully or not, the subsequent command continues to execute

Command1 | | command2 executes multiple commands sequentially. Subsequent commands will not be executed when the correct command is executed.

Command executes common functions

1. The System:system function can be used to execute an external application and output the corresponding execution result. The function prototype is as follows:

String system (string command, int&return_var)

Where command is the command to be executed, and return_var stores the status value after the execution of the command.

2. The Exec:exec function can be used to execute an external application

String exec (string command, array&output, int & return_var)

Where command is the command to be executed, output is every line string that gets the output of the execution command, and return_var stores the status value after the execution of the command.

The 3.Passthru:passthru function can be used to execute a UNIX system command and display the original output. When the output of the UNIX system command is binary data and needs to return the value directly to the browser, you need to use the passthru function instead of the system and exec functions. The prototype of the Passthru function is as follows:

Void passthru (string command, int&return_var)

Where command is the command to be executed, and return_var stores the status value after the command is executed.

4. Shell_exec: execute the shell command and return the output string. The function prototype is as follows:

String shell_exec (string command)

Where command is the command to be executed.

Code execution vulnerabilities:

When an application calls functions that can convert a string into code, such as eval in PHP, it does not consider whether the user controls the string, which will result in a code execution vulnerability.

It is difficult to find vulnerabilities through black boxes, and most of them judge code execution vulnerabilities based on source code.

Code execution related functions:

PHP: eval, assert, preg_replace (), + / e mode (PHP version

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.