ToKeiChun

Dangerous PHP Function

Feb 6th, 2021
## Command Execution
```
exec - Returns last line of command's output
passthru - Passes command's output directly to the browser
system - Passes command's output directly to the browser and returns last line
shell_exec - Returns command's output
`` (backticks) - Same as shell_exec()
popen - Opens read or write pipe to process of a command
proc_open - Similar to popen() but greater degree of control
pcntl_exec - Executes a program
```

## PHP Code Execution
#### Apart from eval, there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.

```
eval()
assert() - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);
$func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());
```

## List of functions which accept callbacks
#### These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function, the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used.
```
Function => Position of callback arguments
'ob_start' => 0,
'array_diff_uassoc' => -1,
'array_diff_ukey' => -1,
'array_filter' => 1,
'array_intersect_uassoc' => -1,
'array_intersect_ukey' => -1,
'array_map' => 0,
'array_reduce' => 1,
'array_udiff_assoc' => -1,
'array_udiff_uassoc' => array(-1, -2),
'array_udiff' => -1,
'array_uintersect_assoc' => -1,
'array_uintersect_uassoc' => array(-1, -2),
'array_uintersect' => -1,
'array_walk_recursive' => 1,
'array_walk' => 1,
'assert_options' => 1,
'uasort' => 1,
'uksort' => 1,
'usort' => 1,
'preg_replace_callback' => 1,
'spl_autoload_register' => 0,
'iterator_apply' => 1,
'call_user_func' => 0,
'call_user_func_array' => 0,
'register_shutdown_function' => 0,
'register_tick_function' => 0,
'set_error_handler' => 0,
'set_exception_handler' => 0,
'session_set_save_handler' => array(0, 1, 2, 3, 4, 5),
'sqlite_create_aggregate' => array(2, 3),
'sqlite_create_function' => 2,
```
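
An added example (not part of the original paste or the answer it credits): a tokenizer-based audit pass that flags calls to the command-execution, code-execution and callback functions listed above, plus the `$_GET['func_name'](...)` pattern. `SINKS` is an illustrative subset and the sample source is constructed; it assumes PHP 7.4+ with the tokenizer extension.

```php
<?php
// Added example, not from the original paste. SINKS is an illustrative subset
// of the functions listed above; extend it from those lists for a real audit.
const SINKS = ['exec', 'passthru', 'system', 'shell_exec', 'popen', 'proc_open',
    'pcntl_exec', 'assert', 'create_function', 'call_user_func', 'array_map', 'extract'];

function audit_php_source(string $code): array
{
    // Keep only significant tokens so "previous" and "next" are meaningful.
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT];
    $tokens = array_values(array_filter(token_get_all($code),
        fn($t) => !is_array($t) || !in_array($t[0], $skip, true)));
    $findings = [];
    $line = 1;
    foreach ($tokens as $i => $tok) {
        $next = $tokens[$i + 1] ?? null;
        $prev = $tokens[$i - 1] ?? null;
        if (!is_array($tok)) {   // one-character token: carries no line number
            if ($tok === ']' && $next === '(') {
                $findings[] = [$line, 'call through an array element'];
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        $name = strtolower(ltrim($text, '\\'));
        $arg = $next === '(' ? ($tokens[$i + 2] ?? null) : $next;  // include($x) or include $x
        $isMember = is_array($prev) && in_array($prev[0],
            [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW], true);
        if ($id === T_EVAL) {
            $findings[] = [$line, 'eval()'];
        } elseif (in_array($id, [T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE], true)
            && is_array($arg) && $arg[0] === T_VARIABLE) {
            $findings[] = [$line, "$name with a variable path"];
        } elseif ($id === T_VARIABLE && $next === '(') {
            $findings[] = [$line, "dynamic call through $text"];
        } elseif (in_array(token_name($id), ['T_STRING', 'T_NAME_FULLY_QUALIFIED'], true)
            && $next === '(' && !$isMember && in_array($name, SINKS, true)) {
            $findings[] = [$line, "$name()"];
        }
    }
    return $findings;
}

// Constructed sample input, written for this example.
$sample = "<?php\n\$out = shell_exec('uptime');\n"
    . "\$_GET['func_name'](\$_GET['argument']);\n"
    . "include \$_GET['page'];\n\$obj->system('method, not a sink');\n";
foreach (audit_php_source($sample) as [$ln, $what]) {
    echo "line $ln: $what\n";
}
```

Working on tokens rather than with grep keeps comments, string contents and method calls such as `$obj->system()` out of the findings.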

## Information Disclosure
#### Most of these function calls are not sinks. Rather, it may be a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo(), it is definitely a vulnerability.
```
phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmod
getmygid
getmyinode
getmypid
getmyuid
```

## Other
```
extract - Opens the door for register_globals attacks (see Study in Scarlet).
parse_str - works like extract if only one argument is given.
putenv
ini_set
mail - has CRLF injection in the 3rd parameter, opens the door for spam.
header - on old systems CRLF injection could be used for XSS or other purposes; now it is still a problem if they do a header("location: ..."); and they do not die();. The script keeps executing after a call to header(), and will still print output normally. This is nasty if you are trying to protect an administrative area.
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
```

## Filesystem Functions
#### According to RATS, all filesystem functions in PHP are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance, if allow_url_fopen=On then a URL can be used as a file path, so a call to copy($_GET['s'], $_GET['d']); can be used to upload a PHP script anywhere on the system. Also, if a site is vulnerable to a request sent via GET, every one of those filesystem functions can be abused to channel an attack to another host through your server.

```
// open filesystem handler
fopen
tmpfile
bzopen
gzopen
SplFileObject->__construct
// write to filesystem (partially in combination with reading)
chgrp
chmod
chown
copy
file_put_contents
lchgrp
lchown
link
mkdir
move_uploaded_file
rename
rmdir
symlink
tempnam
touch
unlink
imagepng - 2nd parameter is a path.
imagewbmp - 2nd parameter is a path.
image2wbmp - 2nd parameter is a path.
imagejpeg - 2nd parameter is a path.
imagexbm - 2nd parameter is a path.
imagegif - 2nd parameter is a path.
imagegd - 2nd parameter is a path.
imagegd2 - 2nd parameter is a path.
iptcembed
ftp_get
ftp_nb_get
// read from filesystem
file_exists
file_get_contents
file
fileatime
filectime
filegroup
fileinode
filemtime
fileowner
fileperms
filesize
filetype
glob
is_dir
is_executable
is_file
is_link
is_readable
is_uploaded_file
is_writable
is_writeable
linkinfo
lstat
parse_ini_file
pathinfo
readfile
readlink
realpath
stat
gzfile
readgzfile
getimagesize
imagecreatefromgif
imagecreatefromjpeg
imagecreatefrompng
imagecreatefromwbmp
imagecreatefromxbm
imagecreatefromxpm
ftp_put
ftp_nb_put
exif_read_data
read_exif_data
exif_thumbnail
exif_imagetype
hash_file
hash_hmac_file
hash_update_file
md5_file
sha1_file
highlight_file
show_source
php_strip_whitespace
get_meta_tags
```
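
An added example (not from the original paste) of confining user-supplied names, such as the `copy($_GET['s'], $_GET['d'])` arguments above, to one directory and refusing URL-style paths and PHP-executable destinations. `confine()`, `safe_copy()` and the temporary directory are hypothetical names, and the demonstration data is constructed.

```php
<?php
// Added example, not from the original paste. confine(), safe_copy() and the
// temporary directory used below are hypothetical, for illustration only.

/** Resolve $name inside $baseDir; return null if it would leave that directory. */
function confine(string $baseDir, string $name): ?string
{
    $leaf = basename($name);
    // A scheme (http://, php://, data:, ...) selects a stream wrapper, not a local file.
    if (preg_match('#^[a-z][a-z0-9+.-]*:#i', $name) || strpos($name, "\0") !== false
        || in_array($leaf, ['', '.', '..'], true)) {
        return null;
    }
    $base = realpath($baseDir);
    // Resolve the parent directory, because a destination file does not exist yet.
    $parent = realpath($baseDir . '/' . dirname($name));
    if ($base === false || $parent === false
        || ($parent !== $base && strpos($parent, $base . DIRECTORY_SEPARATOR) !== 0)) {
        return null;                 // "../" or a symlinked directory left the base
    }
    $path = $parent . DIRECTORY_SEPARATOR . $leaf;
    return is_link($path) ? null : $path;   // a symlinked file could point anywhere
}

function safe_copy(string $baseDir, string $src, string $dst): bool
{
    $from = confine($baseDir, $src);
    $to   = confine($baseDir, $dst);
    // Never create a file the web server would run as PHP.
    if ($from === null || $to === null || !is_file($from)
        || preg_match('/\.(php\d?|phtml|phar)$/i', $to)) {
        return false;
    }
    return copy($from, $to);
}

// Constructed demonstration data in a throwaway directory.
$dir = sys_get_temp_dir() . '/confine_demo_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/avatar.png", 'constructed sample bytes');
$cases = [['avatar.png', 'copy.png'], ['avatar.png', 'shell.php'],
    ['http://example.invalid/x.txt', 'x.txt'], ['../../etc/passwd', 'p.txt']];
foreach ($cases as [$s, $d]) {
    echo str_pad("$s -> $d", 45), safe_copy($dir, $s, $d) ? "copied\n" : "refused\n";
}
```

The path check and the copy are separate steps, so the base directory should not be writable by other local users who could swap a component in between.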

Stolen from here: https://stackoverflow.com/a/3697776