Exploitable PHP functions


Question

I'm trying to build a list of functions that can be used for arbitrary code execution. The purpose isn't to list functions that should be blacklisted or otherwise disallowed. Rather, I'd like to have a grep-able list of red-flag keywords handy when searching a compromised server for back-doors.

The idea is that if you want to build a multi-purpose malicious PHP script -- such as a "web shell" script like c99 or r57 -- you're going to have to use one or more of a relatively small set of functions somewhere in the file in order to allow the user to execute arbitrary code. Searching for those functions helps you more quickly narrow down a haystack of tens of thousands of PHP files to a relatively small set of scripts that require closer examination.

Clearly, for example, any of the following would be considered malicious (or terrible coding):

<? eval($_GET['cmd']); ?>

<? system($_GET['cmd']); ?>

<? preg_replace('/.*/e',$_POST['code']); ?>

etc.

Searching through a compromised website the other day, I didn't notice a piece of malicious code because I didn't realize preg_replace could be made dangerous by the use of the /e flag (which, seriously? Why is that even there?). Are there any others that I missed?

Here's my list so far:

Shell Execution

  • system
  • exec
  • popen
  • backtick operator
  • pcntl_exec

PHP Execution

  • eval
  • preg_replace (with /e modifier)
  • create_function
  • include[_once] / require[_once] (see mario's answer for exploit details)

It might also be useful to have a list of functions that are capable of modifying files, but I imagine 99% of the time exploit code will contain at least one of the functions above. But if you have a list of all the functions capable of editing or outputting files, post it and I'll include it here. (And I'm not counting mysql_execute, since that's part of another class of exploit.)

Recommended Answer

To build this list I used 2 sources: A Study In Scarlet and RATS. I have also added some of my own to the mix, and people on this thread have helped out.

After posting this list I contacted the founder of RIPS, and as of now this tool searches PHP code for the use of every function in this list.

Most of these function calls are classified as Sinks. When a tainted variable (like $_REQUEST) is passed to a sink function, then you have a vulnerability. Programs like RATS and RIPS use grep-like functionality to identify all sinks in an application. This means that programmers should take extra care when using these functions, but if they were all banned then you wouldn't be able to get much done.

"With great power comes great responsibility."

--Stan Lee

Shell Execution

exec           - Returns last line of commands output
passthru       - Passes commands output directly to the browser
system         - Passes commands output directly to the browser and returns last line
shell_exec     - Returns commands output
`` (backticks) - Same as shell_exec()
popen          - Opens read or write pipe to process of a command
proc_open      - Similar to popen() but greater degree of control
pcntl_exec     - Executes a program

PHP Code Execution

Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.

eval()
assert()  - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);
$func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());

List of functions which accept callbacks

These functions accept a string parameter that could be used to call a function of the attacker's choice. Depending on the function, the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used.

Function                     => Position of callback arguments
'ob_start'                   =>  0,
'array_diff_uassoc'          => -1,
'array_diff_ukey'            => -1,
'array_filter'               =>  1,
'array_intersect_uassoc'     => -1,
'array_intersect_ukey'       => -1,
'array_map'                  =>  0,
'array_reduce'               =>  1,
'array_udiff_assoc'          => -1,
'array_udiff_uassoc'         => array(-1, -2),
'array_udiff'                => -1,
'array_uintersect_assoc'     => -1,
'array_uintersect_uassoc'    => array(-1, -2),
'array_uintersect'           => -1,
'array_walk_recursive'       =>  1,
'array_walk'                 =>  1,
'assert_options'             =>  1,
'uasort'                     =>  1,
'uksort'                     =>  1,
'usort'                      =>  1,
'preg_replace_callback'      =>  1,
'spl_autoload_register'      =>  0,
'iterator_apply'             =>  1,
'call_user_func'             =>  0,
'call_user_func_array'       =>  0,
'register_shutdown_function' =>  0,
'register_tick_function'     =>  0,
'set_error_handler'          =>  0,
'set_exception_handler'      =>  0,
'session_set_save_handler'   => array(0, 1, 2, 3, 4, 5),
'sqlite_create_aggregate'    => array(2, 3),
'sqlite_create_function'     =>  2,

Information Disclosure

Most of these function calls are not sinks. But rather it may be a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see phpinfo() it is definitely a vulnerability.

phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmod
getmygid
getmyinode
getmypid
getmyuid

Other

extract - Opens the door for register_globals attacks (see study in scarlet).
parse_str - works like extract if only one argument is given.
putenv
ini_set
mail - has CRLF injection in the 3rd parameter, opens the door for spam. 
header - on old systems CRLF injection could be used for xss or other purposes, now it is still a problem if they do a header("location: ..."); and they do not die();. The script keeps executing after a call to header(), and will still print output normally. This is nasty if you are trying to protect an administrative area. 
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid

Filesystem Functions

According to RATS all filesystem functions in php are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance if allow_url_fopen=On then a url can be used as a file path, so a call to copy($_GET['s'], $_GET['d']); can be used to upload a PHP script anywhere on the system. Also if a site is vulnerable to a request sent via GET, every one of those file system functions can be abused to channel an attack to another host through your server.

// open filesystem handler
fopen
tmpfile
bzopen
gzopen
SplFileObject->__construct
// write to filesystem (partially in combination with reading)
chgrp
chmod
chown
copy
file_put_contents
lchgrp
lchown
link
mkdir
move_uploaded_file
rename
rmdir
symlink
tempnam
touch
unlink
imagepng   - 2nd parameter is a path.
imagewbmp  - 2nd parameter is a path. 
image2wbmp - 2nd parameter is a path. 
imagejpeg  - 2nd parameter is a path.
imagexbm   - 2nd parameter is a path.
imagegif   - 2nd parameter is a path.
imagegd    - 2nd parameter is a path.
imagegd2   - 2nd parameter is a path.
iptcembed
ftp_get
ftp_nb_get
// read from filesystem
file_exists
file_get_contents
file
fileatime
filectime
filegroup
fileinode
filemtime
fileowner
fileperms
filesize
filetype
glob
is_dir
is_executable
is_file
is_link
is_readable
is_uploaded_file
is_writable
is_writeable
linkinfo
lstat
parse_ini_file
pathinfo
readfile
readlink
realpath
stat
gzfile
readgzfile
getimagesize
imagecreatefromgif
imagecreatefromjpeg
imagecreatefrompng
imagecreatefromwbmp
imagecreatefromxbm
imagecreatefromxpm
ftp_put
ftp_nb_put
exif_read_data
read_exif_data
exif_thumbnail
exif_imagetype
hash_file
hash_hmac_file
hash_update_file
md5_file
sha1_file
highlight_file
show_source
php_strip_whitespace
get_meta_tags
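A triage scanner in the spirit of the grep-able list the question asks for and the sink/callback tables in this answer, written as an added example (it is not code from the question, the answer, RATS or RIPS). It flags the shell and PHP execution sinks, the backtick operator, preg_replace with /e, variable function calls, ReflectionFunction and include/require; for the callback-taking functions it checks whether the argument at the table's callback position is a literal or a variable; and it sorts lines where a superglobal appears in the same statement to the top, which is the "tainted variable reaches a sink" case described above. The grouping, the regexes, the taint heuristic and the sample PHP are constructed assumptions for this example. It is line-oriented, not a parser, so names built at runtime by string concatenation or base64 still need a manual look.

```python
import re
from collections import namedtuple

# Sink names come from the answer above; grouping, regexes, taint heuristic and sample PHP are constructed.
def _call_re(names):
    # Bare call of one of `names`; the lookbehind skips $var(), ->method() and foo_exec().
    return re.compile(r"(?<![\w$>])(" + "|".join(map(re.escape, names)) + r")\s*\(")

SINK_RES = [(reason, _call_re(names)) for reason, names in {
    "command execution": ("exec", "passthru", "system", "shell_exec", "popen", "proc_open", "pcntl_exec"),
    "PHP code execution": ("eval", "assert", "create_function"),
    "filesystem write": ("file_put_contents", "copy", "move_uploaded_file", "rename", "unlink", "chmod"),
}.items()]
PATTERN_SINKS = [  # constructs that a plain function-name grep would miss
    ("include/require", "file include (LFI/RFI)", re.compile(r"(?<![\w$>])(?:include|require)(?:_once)?\b")),
    ("``", "backtick operator, same as shell_exec", re.compile(r"`[^`]*`")),
    ("$var()", "variable function call", re.compile(r"\$\w+(?:\[[^\]]*\])*\s*\(")),
    ("ReflectionFunction", "reflection-based call", re.compile(r"\bnew\s+ReflectionFunction\s*\(")),
]
PREG_RE = re.compile(r"""(?<![\w$>])preg_replace\s*\(\s*(['"])(.*?)\1""")
# Callback position per function, a subset of the answer's table (negative = counted from the end).
CALLBACK_POSITIONS = {
    "ob_start": (0,), "array_map": (0,), "call_user_func": (0,), "call_user_func_array": (0,),
    "register_shutdown_function": (0,), "set_error_handler": (0,), "array_filter": (1,), "usort": (1,),
    "uasort": (1,), "array_walk": (1,), "preg_replace_callback": (1,), "array_udiff_uassoc": (-1, -2),
}
CALLBACK_RE = _call_re(CALLBACK_POSITIONS)
TAINT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE|FILES|SERVER)\b|\$GLOBALS\b|php://input")
Finding = namedtuple("Finding", "line_no sink reason tainted text")  # tainted: user input on the same line

def preg_has_e_modifier(pattern: str) -> bool:
    # True for a PCRE string such as '/.*/e': the modifiers follow the closing delimiter.
    if not pattern: return False
    closer = {"(": ")", "{": "}", "[": "]", "<": ">"}.get(pattern[0], pattern[0])
    _, sep, mods = pattern[1:].rpartition(closer)
    return bool(sep) and "e" in mods

def call_args(line: str, start: int) -> list[str]:
    # Split the argument list of the call whose "(" is at `start` into top-level
    # arguments, respecting nested brackets and quoted strings.
    args, buf, depth, quote, i = [], [], 0, None, start + 1
    while i < len(line):
        c = line[i]
        if quote:                                   # inside a string literal
            if c == "\\" and i + 1 < len(line):     # keep the escaped char as-is
                buf.append(c); i += 1; c = line[i]
            elif c == quote:
                quote = None
        elif c in "'\"":
            quote = c
        elif c in "([{":
            depth += 1
        elif c in ")]}":
            if depth == 0:
                break                               # closing paren of this call
            depth -= 1
        elif c == "," and depth == 0:
            args.append("".join(buf).strip()); buf = []; i += 1
            continue
        buf.append(c); i += 1
    tail = "".join(buf).strip()
    return args + [tail] if (tail or args) else []

def scan_php(source: str) -> list[Finding]:
    # Sink findings for one PHP file, ordered so lines fed by user input come first.
    findings = []
    for n, raw in enumerate(source.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(("//", "#", "/*", "*")):
            continue                                # comment-only line: not executed
        tainted = bool(TAINT.search(line))
        hits = [(m.group(1), reason) for reason, rx in SINK_RES for m in rx.finditer(line)]
        hits += [(sink, reason) for sink, reason, rx in PATTERN_SINKS if rx.search(line)]
        hits += [("preg_replace", "/e modifier evaluates the replacement")
                 for m in PREG_RE.finditer(line) if preg_has_e_modifier(m.group(2))]
        findings += [Finding(n, sink, reason, tainted, line) for sink, reason in hits]
        for m in CALLBACK_RE.finditer(line):        # is the callback argument a literal?
            args = call_args(line, m.end() - 1)
            for pos in CALLBACK_POSITIONS[m.group(1)]:
                idx = pos if pos >= 0 else len(args) + pos
                if 0 <= idx < len(args) and "$" in args[idx]:
                    findings.append(Finding(n, m.group(1), f"callback argument {pos} is not a literal",
                                            bool(TAINT.search(args[idx])), line))
    findings.sort(key=lambda f: (not f.tainted, f.line_no))
    return findings

SAMPLE = r"""<?php
usort($data, 'strcmp');                    // literal callback: not flagged
system($_GET['cmd']);                      // shell sink fed by user input
eval(base64_decode($_POST['p']));          // obfuscated backdoor
preg_replace('/.*/e', $_POST['code'], ''); // /e evaluates the replacement
$out = `ls -la`;                           // backtick operator
$_GET['func_name']($_GET['argument']);     // variable function call
include $_REQUEST['page'] . '.php';        // file include from user input
array_map($_POST['f'], $rows);             // callback in position 0
file_put_contents('cache.txt', $content);  // write, no user input on this line
// system($_GET['x']);  commented out, so skipped
"""
```

Calling scan_php on the constructed SAMPLE returns eight findings, the six with a superglobal on the same line first (system, eval, preg_replace, the variable call, include and array_map) and the backtick and file_put_contents lines after them; the literal 'strcmp' callback and the commented-out line produce nothing. On a real box, run it per file over the document root and sort files by their count of tainted findings; that turns the haystack of tens of thousands of files into a short list, which is exactly the grep-able-keywords idea from the question, with the callback table from this answer layered on top.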
