<h1>Exploitable PHP functions</h1>
<p>I'm trying to build a list of functions that can be used for arbitrary code execution. The purpose isn't to list functions that should be blacklisted or otherwise disallowed. Rather, I'd like to have a <code>grep</code>-able list of <em>red-flag</em> keywords handy when searching a compromised server for back-doors.</p>

<p>The idea is that if you want to build a multi-purpose malicious PHP script -- such as a "web shell" script like c99 or r57 -- you're going to have to use one or more of a relatively small set of functions somewhere in the file in order to allow the user to execute arbitrary code. Searching for those functions helps you more quickly narrow down a haystack of tens-of-thousands of PHP files to a relatively small set of scripts that require closer examination.</p>

<p>Clearly, for example, any of the following would be considered malicious (or terrible coding):</p>

<pre><code>&lt;? eval($_GET['cmd']); ?&gt;
&lt;? system($_GET['cmd']); ?&gt;
&lt;? preg_replace('/.*/e',$_POST['code']); ?&gt;
</code></pre>

<p>and so forth.</p>

<p>Searching through a compromised website the other day, I didn't notice a piece of malicious code because I didn't realize <code>preg_replace</code> could be made dangerous by the use of the <code>/e</code> flag (<em>which, seriously? Why is that even there</em>?). Are there any others that I missed?</p>

<p>Here's my list so far:</p>

<p><strong>Shell Execute</strong></p>
<ul>
  <li><code>system</code></li>
  <li><code>exec</code></li>
  <li><code>popen</code></li>
  <li><em><code>backtick operator</code></em></li>
  <li><code>pcntl_exec</code></li>
</ul>

<p><strong>PHP Execute</strong></p>
<ul>
  <li><code>eval</code></li>
  <li><code>preg_replace</code> (with <code>/e</code> modifier)</li>
  <li><code>create_function</code></li>
  <li><code>include</code>[<code>_once</code>] / <code>require</code>[<code>_once</code>] (<em>see mario's answer</em> for exploit details)</li>
</ul>

<p>It might also be useful to have a list of functions that are capable of modifying files, but I imagine 99% of the time exploit code will contain at least one of the functions above. But if you have a list of all the functions capable of editing or outputting files, post it and I'll include it here. (And I'm not counting <code>mysql_execute</code>, since that's part of another class of exploit.)</p>
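<p>As an added example (not code from the question or from any answer), here is a small Python scanner that turns the list above into a <code>grep</code>-style report with line numbers; it flags <code>preg_replace</code> only when its pattern literal carries the <code>/e</code> modifier and counts the backtick operator as a keyword too. The <code>scan_php</code> name and the <code>SAMPLE_PHP</code> input are this example's own constructions.</p>

```python
# Added example (not from the original post): a line-numbered scanner for the
# red-flag keywords listed above. SAMPLE_PHP is constructed; scan_php is ours.
import re
from typing import List, Tuple

CALLS = ("system", "exec", "popen", "pcntl_exec", "eval", "create_function")
INCLUDES = ("include_once", "require_once", "include", "require")

# Listed functions must be followed by "(" so prose such as "the system is"
# in a comment is not flagged; include/require take no parentheses.
CALL_RE = re.compile(r"\b(" + "|".join(CALLS) + r")\s*\(")
INCLUDE_RE = re.compile(r"\b(" + "|".join(INCLUDES) + r")\b")
# preg_replace whose first argument is a quoted pattern literal carrying an
# "e" among its trailing modifiers, e.g. preg_replace('/.*/e', ...).
# A pattern held in a variable or array escapes this check.
PREG_E_RE = re.compile(
    r"""\bpreg_replace\s*\(\s*(['"])([^\w\s\\])(?:(?!\1).)*\2[A-Za-z]*e[A-Za-z]*\1"""
)
# Backtick (shell execute) operator; single-line heuristic.
BACKTICK_RE = re.compile(r"`[^`]+`")


def scan_php(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, keyword) for every red-flag hit, in file order."""
    hits: List[Tuple[int, str]] = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hits += [(lineno, m.group(1)) for m in CALL_RE.finditer(line)]
        hits += [(lineno, m.group(1)) for m in INCLUDE_RE.finditer(line)]
        if PREG_E_RE.search(line):
            hits.append((lineno, "preg_replace /e"))
        if BACKTICK_RE.search(line):
            hits.append((lineno, "backtick operator"))
    return hits


# Constructed sample resembling a web shell; line 5 is a benign preg_replace.
SAMPLE_PHP = r"""<?php
$cmd = $_GET['cmd'];
echo system($cmd);
preg_replace('/.*/e', $_POST['code'], '');
preg_replace('/foo/i', 'bar', $subject);  // /i only: not flagged
$out = `ls -la`;
include_once $_GET['page'];
eval($_POST['code']);
"""

if __name__ == "__main__":
    for lineno, keyword in scan_php(SAMPLE_PHP):
        print(f"sample.php:{lineno}: {keyword}")
```

<p>On a real host, feed each <code>.php</code> file's contents to <code>scan_php</code>; the hits are the candidates to read by hand, not a verdict.</p>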
 
