1
©2009 Justin C. Klein Keane
PHP Code Auditing
Session 4.1 – Command Injection
Justin C. Klein Keane, jukeane@sas.upenn.edu
2
What is Command Injection
- Also known as arbitrary code execution
- Attacker injects malicious input that is then passed to functions that execute shell commands based on the input
3
Typical Example
<?php
if (isset($_GET['file'])) {
    system('rm ' . $_GET['file'] . '.php');
}
?>
Developer hopes to delete a specific PHP file, but the intent of the command is easily bypassed
4
Injection Strategies
- Shell commands are delimited by a semi-colon, so multiple commands can be chained together
- The pound or hash (#) symbol denotes the beginning of a comment on the shell; any text following it will be ignored
- Strategies similar to SQL injection can be utilized
5
Functions to Watch
Luckily, the list of commands which execute via a shell is somewhat limited:
- system(): Executes the command and returns output
- exec(): Executes command, can populate PHP variables with output and return values
- passthru(): Executes command but only returns return status
6
Other Dangerous Functions
There are other, less common functions to watch out for
- Backtick operators: $retval = `ls -lh *.php`;
- shell_exec(): Same as backtick
7
Pipe Operations
PHP has commands that can open a pipe to a process, so input and output can be directed to the process
- popen() and pclose(): $proc = popen("/bin/ls", "r");
- proc_open(): Offers more command control
8
Command Sanitization
PHP has two commands that can be used to scrub input before passing it to a command
- escapeshellarg(): Adds quotes around string and escapes any internal quotes
- escapeshellcmd(): Escapes all special characters that could be used to interrupt or override execution flow
Note that you should still strive to sanitize to "known good" commands
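As an added example that is not code from the slides: the delete handler from the Typical Example slide, returning the command string instead of running it so the effect of each input is visible, next to two hardened forms that apply the "known good" rule from this slide. The function names, the constructed inputs and the /var/www/uploads directory are assumptions for this demo.

```php
<?php
// Added example, not code from the slides. The vulnerable handler mirrors the
// "Typical Example" slide but returns the command string instead of running it,
// so the effect of each input can be inspected without touching the filesystem.
// Function names and the /var/www/uploads directory are assumptions for this demo.

// Vulnerable: user input is concatenated straight into the shell command line.
function delete_php_file_vulnerable(string $file): string
{
    return 'rm ' . $file . '.php';
}

// Shared allowlist: a bare name with no path separators or shell metacharacters.
function assert_known_good_name(string $file): void
{
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $file)) {
        throw new InvalidArgumentException("name '$file' rejected by allowlist");
    }
}

// Hardened shell form: allowlist the name, pin the directory, then quote the argument.
function delete_php_file_safe(string $file, string $baseDir): string
{
    assert_known_good_name($file);
    $path = $baseDir . '/' . $file . '.php';
    return 'rm ' . escapeshellarg($path);   // one quoted argument, whatever $path contains
}

// Preferred form: avoid the shell entirely when a native function does the job.
function delete_php_file_native(string $file, string $baseDir): bool
{
    assert_known_good_name($file);
    $path = $baseDir . '/' . $file . '.php';
    return is_file($path) && unlink($path);
}

// Constructed inputs: one benign name, two carrying the metacharacters the
// "Injection Strategies" slide describes (command separator and shell comment).
$inputs = ['old_page', 'x; echo injected', 'x #'];
foreach ($inputs as $in) {
    printf("input %s\n  vulnerable builds: %s\n", var_export($in, true), delete_php_file_vulnerable($in));
    try {
        printf("  hardened builds:   %s\n", delete_php_file_safe($in, '/var/www/uploads'));
    } catch (InvalidArgumentException $e) {
        printf("  hardened:          rejected (%s)\n", $e->getMessage());
    }
}
```

escapeshellarg() quotes exactly one argument; escapeshellcmd() escapes a whole command string but does not stop extra arguments from being appended to it, which is why the hardened form validates against a known-good pattern first and only then escapes. The native form is the one to prefer where it exists: no shell, no metacharacters to worry about.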
9
Other Nefarious Outliers
preg_replace with the /e flag allows for command execution
<?php
print preg_replace('/(.*)/e', 'strtoupper("\\1")', '{${phpinfo()}}');
?>
This is certainly not the first place you would look to find command execution!
10
Executing PHP Commands
Using the eval() command
Because of PHP's dynamic nature, variables can actually be interpreted as commands:
<?php
$x = "echo exec('cat /etc/passwd');";
eval($x);
?>
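The slides on Functions to Watch, Other Dangerous Functions, Pipe Operations, Other Nefarious Outliers and Executing PHP Commands together give an auditor a list of sinks. As an added example that is not part of the presentation, here is a small scanner built on PHP's own tokenizer that reports those sinks with line numbers: system, exec, passthru, shell_exec, popen, proc_open, the backtick operator, eval and preg_replace when a literal pattern carries the /e modifier. The function names and the sample source at the bottom are constructed for this demo.

```php
<?php
// Added example, not from the slides: a token-based scanner for the sinks the
// slides list. Function names and the sample source are constructed for this demo.

const SHELL_SINKS = ['system', 'exec', 'passthru', 'shell_exec', 'popen', 'proc_open'];

// Return the text of the next token that is not whitespace or a comment.
function next_significant(array $tokens, int $i): ?string
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        $t = $tokens[$j];
        if (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true)) {
            continue;
        }
        return is_array($t) ? $t[1] : $t;
    }
    return null;
}

// True when the first argument of the call at $i is a string literal whose
// regex modifiers include 'e'. Non-literal patterns cannot be decided statically.
function first_arg_has_e_modifier(array $tokens, int $i): bool
{
    for ($j = $i + 1, $n = count($tokens); $j < $n; $j++) {
        $t = $tokens[$j];
        if ($t === '(' || (is_array($t) && $t[0] === T_WHITESPACE)) {
            continue;
        }
        if (!is_array($t) || $t[0] !== T_CONSTANT_ENCAPSED_STRING) {
            return false;
        }
        $lit = substr($t[1], 1, -1);                 // strip the surrounding quotes
        $pairs = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
        $open = substr($lit, 0, 1);
        $close = $pairs[$open] ?? $open;
        $end = strrpos($lit, $close);                // last delimiter; modifiers follow it
        if ($end === false || $end === 0) {
            return false;
        }
        return strpos(substr($lit, $end + 1), 'e') !== false;
    }
    return false;
}

// Scan PHP source text and return one finding per dangerous sink.
function audit_php_source(string $src): array
{
    $findings = [];
    $tokens = token_get_all($src);
    $line = 1;
    $inBacktick = false;
    foreach ($tokens as $i => $t) {
        if ($t === '`') {                            // backtick operator: report the opening one
            if (!$inBacktick) {
                $findings[] = ['line' => $line, 'sink' => 'backtick', 'note' => 'shell via backtick operator'];
            }
            $inBacktick = !$inBacktick;
            continue;
        }
        if (!is_array($t)) {
            continue;
        }
        [$id, $text, $line] = $t;
        if ($id === T_EVAL) {
            $findings[] = ['line' => $line, 'sink' => 'eval', 'note' => 'dynamic PHP execution'];
            continue;
        }
        if ($id !== T_STRING || next_significant($tokens, $i) !== '(') {
            continue;                                // not a plain function call
        }
        $prev = $tokens[$i - 1] ?? null;             // skip $obj->system() and Cls::system()
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON], true)) {
            continue;
        }
        $name = strtolower($text);
        if (in_array($name, SHELL_SINKS, true)) {
            $findings[] = ['line' => $line, 'sink' => $name, 'note' => 'shell command execution'];
        } elseif ($name === 'preg_replace' && first_arg_has_e_modifier($tokens, $i)) {
            $findings[] = ['line' => $line, 'sink' => 'preg_replace /e', 'note' => 'replacement evaluated as PHP'];
        }
    }
    return $findings;
}

// Constructed sample source to scan (a nowdoc, so nothing in it is executed).
$sample = <<<'PHP'
<?php
$out = `ls -lh *.php`;
system('rm ' . $_GET['file'] . '.php');
$h = popen('/bin/ls', 'r');
print preg_replace('/(.*)/e', 'strtoupper("\\1")', $input);
eval($x);
$safe = preg_replace('/a/', 'b', $input);
PHP;

foreach (audit_php_source($sample) as $f) {
    printf("line %d: %s (%s)\n", $f['line'], $f['sink'], $f['note']);
}
```

The last line of the sample, a preg_replace with an ordinary pattern, is there to show that the /e check only fires on the modifier, not on every call. The scanner is a triage aid, not proof of safety: a sink reached through a variable function name or call_user_func() is not a T_STRING followed by "(" and will not be reported, so findings still need the manual review the rest of the session describes.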
11
Mitigation
PHP's php.ini contains a rarely used directive:
; This directive allows you to disable certain functions for security reasons.
; It receives a comma-delimited list of function names. This directive is
; *NOT* affected by whether Safe Mode is turned On or Off.
disable_functions = exec, system, passthru, eval
Probably won't completely cut off avenues of attack, but can limit the programmer's power to introduce vulnerabilities
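As an added example that is not part of the presentation, a deployment check that parses the disable_functions value and reports which of the shell sinks from the earlier slides are still callable. One caveat worth building into such a check: eval (like include and require) is a language construct rather than a function, so listing it in disable_functions has no effect, and the check flags such entries. The function names and the required-sink list are assumptions for this demo; the second value checked is the one shown on the slide.

```php
<?php
// Added example, not from the slides: parse disable_functions and report gaps.
// Function names and the REQUIRED_DISABLED list are assumptions for this demo.

const REQUIRED_DISABLED = ['exec', 'system', 'passthru', 'shell_exec', 'popen', 'proc_open'];

// Language constructs that disable_functions cannot disable.
const NOT_FUNCTIONS = ['eval', 'include', 'include_once', 'require', 'require_once'];

// Parse the comma-delimited directive value into a normalized list of names.
function parse_disable_functions(string $value): array
{
    $names = array_map('trim', explode(',', $value));
    $names = array_filter($names, function ($n) { return $n !== ''; });
    return array_values(array_map('strtolower', $names));
}

// Return the required sinks that the directive does not cover.
function missing_disabled_functions(string $value, array $required = REQUIRED_DISABLED): array
{
    return array_values(array_diff($required, parse_disable_functions($value)));
}

// Return listed entries that are constructs, so the directive silently ignores them.
function ineffective_entries(string $value): array
{
    return array_values(array_intersect(parse_disable_functions($value), NOT_FUNCTIONS));
}

$checks = [
    'running php.ini'      => (string) ini_get('disable_functions'),
    'value from the slide' => 'exec, system, passthru, eval',
];
foreach ($checks as $label => $v) {
    printf("%s: %s\n", $label, $v === '' ? '(empty)' : $v);
    printf("  still callable: %s\n", implode(', ', missing_disabled_functions($v)) ?: 'none');
    printf("  no effect:      %s\n", implode(', ', ineffective_entries($v)) ?: 'none');
}
```

Run it under the same SAPI and php.ini as the application, since the CLI often loads a different configuration file from the web server; the "running php.ini" line is only meaningful for the configuration the script actually started with.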