Presentation is loading. Please wait.

Presentation is loading. Please wait.

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.1 – Command Injection Justin C. Klein Keane

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "©2009 Justin C. Klein Keane PHP Code Auditing Session 4.1 – Command Injection Justin C. Klein Keane"— Presentation transcript:

1 ©2009 Justin C. Klein Keane PHP Code Auditing Session 4.1 – Command Injection Justin C. Klein Keane jukeane@sas.upenn.edu

2 ©2009 Justin C. Klein Keane What is Command Injection Also known as arbitrary code execution Attacker injects malicious input that is then passed to functions that execute shell commands based on the input

3 ©2009 Justin C. Klein Keane Typical Example <?php if (isset($_GET['file']) { system('rm '. $_GET['file'] '.php'); } ?> Developer hopes to delete a specific PHP file, but the intent of the command is easily bypassed

4 ©2009 Justin C. Klein Keane Injection Strategies Shell commands are delimited by a semi-colon, so multiple commands can be chained together The pound or hash (#) symbol denotes the beginning of a comment on the shell, any text following it will be ignored Strategies similar to SQL injection can be utilized

5 ©2009 Justin C. Klein Keane Functions to Watch Luckily, the list of commands which execute via a shell is somewhat limited:  system() Executes the command and returns output  exec() Executes command, can populate PHP variables with output and return values  passthru() Executes command but only returns return status

6 ©2009 Justin C. Klein Keane Other Dangerous Functions There are other, less common functions to watch out for  Backtick operators $retval = `ls -lh *.php`;  shell_exec() Same as backtick

7 ©2009 Justin C. Klein Keane Pipe Operations PHP has commands that can open a pipe to a process, so input and output can be directed to the process  popen() and pclose() $proc = popen(“/bin/ls”, “r”);  proc_open() Offers more command control

8 ©2009 Justin C. Klein Keane Command Sanitization PHP has two commands that can be used to scrub input before passing it to a command  escapeshellarg() Adds quotes around string and escapes any internal quotes  escapeshellcmd() Escapes all special characters that could be used to interrupt or override execution flow Note that you should still strive to sanitize to “known good” commands

9 ©2009 Justin C. Klein Keane Other Nefarious Outliers preg_replace with the /e flag allows for command execution <?php print preg_replace('/(.*)/e', 'strtoupper("\\1")', '{${phpinfo()}}'); ?> This is certainly not the first place you would look to find command execution!

10 ©2009 Justin C. Klein Keane Executing PHP Commands Using the eval() command Because of PHP's dynamic nature, variables can actually be interpreted as commands: <?php $x = “echo exec('cat /etc/passwd');”; eval($x); ?>

11 ©2009 Justin C. Klein Keane Mitigation PHP's php.ini contains a rarely used directive: ; This directive allows you to disable certain functions for security reasons. ; It receives a comma-delimited list of function names. This directive is ; *NOT* affected by whether Safe Mode is turned On or Off. disable_functions = exec, system, passthru, eval Probably won't completely cut off avenues of attack but can limit the programmers power to introduce vulnerabilities

Download ppt "©2009 Justin C. Klein Keane PHP Code Auditing Session 4.1 – Command Injection Justin C. Klein Keane"

Similar presentations

Web Security Never, ever, trust user inputs Supankar.

Web Security Never, ever, trust user inputs Supankar.
©Copyright Justin C. Klein Keane PHP Vulnerability Potpourri File Include, Command Injection & Authentication Bypass Vulnerabilities.

©Copyright Justin C. Klein Keane PHP Vulnerability Potpourri File Include, Command Injection & Authentication Bypass Vulnerabilities.
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.2 – File Include Vulnerabilities Justin C. Klien Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.2 – File Include Vulnerabilities Justin C. Klien Keane
Introduction to JavaScript

Introduction to JavaScript
Introduction to PHP MIS 3501, Fall 2014 Jeremy Shafer

Introduction to PHP MIS 3501, Fall 2014 Jeremy Shafer
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 4.3 – Information Disclosure & Authentication Bypass Justin C. Klein Keane
Software Security Lecture 4 Fang Yu Dept. of MIS, National Chengchi University Spring 2011.

Software Security Lecture 4 Fang Yu Dept. of MIS, National Chengchi University Spring 2011.
CIS 118 – Intro to UNIX Shells 1. 2 What is a shell? Bourne shell – Developed by Steve Bourne at AT&T Korn shell – Developed by David Korn at AT&T C-shell.

CIS 118 – Intro to UNIX Shells 1. 2 What is a shell? Bourne shell – Developed by Steve Bourne at AT&T Korn shell – Developed by David Korn at AT&T C-shell.
EMT 2390L Lecture 4 Dr. Reyes Reference: The Linux Command Line, W.E. Shotts.

EMT 2390L Lecture 4 Dr. Reyes Reference: The Linux Command Line, W.E. Shotts.
By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.

By Brian Vees.  SQL Injection  Username Enumeration  Cross Site Scripting (XSS)  Remote Code Execution  String Formatting Vulnerabilities.
CS 311 - Lecture 03 Outline Sed and awk from previous lecture Writing simple bash script Assignment 1 discussion 1CS 311 Operating SystemsLecture 03.

CS Lecture 03 Outline Sed and awk from previous lecture Writing simple bash script Assignment 1 discussion 1CS 311 Operating SystemsLecture 03.
Shell Basics CS465 - Unix. Shell Basics Shells provide: –Command interpretation –Multiple commands on a single line –Expansion of wildcard filenames –Redirection.

Shell Basics CS465 - Unix. Shell Basics Shells provide: –Command interpretation –Multiple commands on a single line –Expansion of wildcard filenames –Redirection.
©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 7 Sessions and Cookies Justin C. Klein Keane
©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 6 Auditing Strategies & Demonstration Justin C. Klein Keane
Copyright 2009 Justin C. Klein Keane PHP Code Auditing Session 1 – PHP Foundations Justin C. Klein Keane

Copyright 2009 Justin C. Klein Keane PHP Code Auditing Session 1 – PHP Foundations Justin C. Klein Keane
The UNIX Shells 1. What is a Unix shell? 2. A few common shells in the Unix & Linux. A. Bourne shell B. Korn shell C. C shell D. Bash-the default shell.

The UNIX Shells 1. What is a Unix shell? 2. A few common shells in the Unix & Linux. A. Bourne shell B. Korn shell C. C shell D. Bash-the default shell.
SQL Injection and Buffer overflow

SQL Injection and Buffer overflow
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio)

PHP Security CS-422 (from The Linux Journal Oct 2002 author: Nuno Lourereio)

Similar presentations

Ads by Google