<p>To build this list I used 2 sources. <a href="http://seclists.org/bugtraq/2001/Jul/att-26/studyinscarlet.txt" rel="noreferrer">A Study In Scarlet</a> and <a href="https://www.fortify.com/ssa-elements/threat-intelligence/rats.html" rel="noreferrer">RATS</a>. I have also added some of my own to the mix and people on this thread have helped out.</p>
<p><strong>Edit:</strong> After posting this list I contacted the founder of <a href="https://sourceforge.net/projects/rips-scanner/" rel="noreferrer">RIPS</a> and as of now this tool searches PHP code for the use of every function in this list.</p>
<p>Most of these function calls are classified as Sinks. When a tainted variable (like $_REQUEST) is passed to a sink function, then you have a vulnerability. Programs like <a href="https://www.fortify.com/ssa-elements/threat-intelligence/rats.html" rel="noreferrer">RATS</a> and <a href="https://sourceforge.net/projects/rips-scanner/" rel="noreferrer">RIPS</a> use grep-like functionality to identify all sinks in an application. This means that programmers should take extra care when using these functions, but if they were all banned then you wouldn't be able to get much done.</p>
<p><strong>"<em>With great power comes great responsibility.</em>"</strong></p>
<p>--Stan Lee</p>
<h3>Command Execution</h3>
<pre class="lang-none prettyprint-override"><code>exec           - Returns last line of command's output
passthru       - Passes command's output directly to the browser
system         - Passes command's output directly to the browser and returns last line
shell_exec     - Returns command's output
`` (backticks) - Same as shell_exec()
popen          - Opens read or write pipe to process of a command
proc_open      - Similar to popen() but greater degree of control
pcntl_exec     - Executes a program
</code></pre>
<h3>PHP Code Execution</h3>
<p>Apart from <code>eval</code> there are other ways to execute PHP code: <code>include</code>/<code>require</code> can be used for remote code execution in the form of <a href="http://www.exploit-db.com/exploits/12510/" rel="noreferrer">Local File Include</a> and <a href="http://en.wikipedia.org/wiki/Remote_File_Inclusion" rel="noreferrer">Remote File Include</a> vulnerabilities.</p>
<pre><code>eval()
assert()                   - identical to eval()
preg_replace('/.*/e',...)  - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);
$func = new ReflectionFunction($_GET['func_name']); $func-&gt;invoke(); or $func-&gt;invokeArgs(array());
</code></pre>
<h3>List of functions which accept callbacks</h3>
<p>These functions accept a string parameter which could be used to call a function of the attacker's choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an <code>Information Disclosure</code> function like <code>phpinfo()</code> could be used.</p>
<pre><code>Function                     =&gt; Position of callback arguments
'ob_start'                   =&gt;  0,
'array_diff_uassoc'          =&gt; -1,
'array_diff_ukey'            =&gt; -1,
'array_filter'               =&gt;  1,
'array_intersect_uassoc'     =&gt; -1,
'array_intersect_ukey'       =&gt; -1,
'array_map'                  =&gt;  0,
'array_reduce'               =&gt;  1,
'array_udiff_assoc'          =&gt; -1,
'array_udiff_uassoc'         =&gt; array(-1, -2),
'array_udiff'                =&gt; -1,
'array_uintersect_assoc'     =&gt; -1,
'array_uintersect_uassoc'    =&gt; array(-1, -2),
'array_uintersect'           =&gt; -1,
'array_walk_recursive'       =&gt;  1,
'array_walk'                 =&gt;  1,
'assert_options'             =&gt;  1,
'uasort'                     =&gt;  1,
'uksort'                     =&gt;  1,
'usort'                      =&gt;  1,
'preg_replace_callback'      =&gt;  1,
'spl_autoload_register'      =&gt;  0,
'iterator_apply'             =&gt;  1,
'call_user_func'             =&gt;  0,
'call_user_func_array'       =&gt;  0,
'register_shutdown_function' =&gt;  0,
'register_tick_function'     =&gt;  0,
'set_error_handler'          =&gt;  0,
'set_exception_handler'      =&gt;  0,
'session_set_save_handler'   =&gt; array(0, 1, 2, 3, 4, 5),
'sqlite_create_aggregate'    =&gt; array(2, 3),
'sqlite_create_function'     =&gt;  2,
</code></pre>
<h3>Information Disclosure</h3>
<p>Most of these function calls are not sinks. But rather it may be a vulnerability if any of the data returned is viewable to an attacker. If an attacker can see <code>phpinfo()</code> it is definitely a vulnerability.</p>
<pre><code>phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmod
getmygid
getmyinode
getmypid
getmyuid
</code></pre>
<h3>Other</h3>
<pre><code>extract   - Opens the door for register_globals attacks (see study in scarlet).
parse_str - works like extract if only one argument is given.
putenv
ini_set
mail      - has CRLF injection in the 3rd parameter, opens the door for spam.
header    - on old systems CRLF injection could be used for xss or other purposes,
            now it is still a problem if they do a header("location: ..."); and
            they do not die();. The script keeps executing after a call to
            header(), and will still print output normally. This is nasty if you
            are trying to protect an administrative area.
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
</code></pre>
<h3>Filesystem Functions</h3>
<p>According to RATS all <a href="http://us.php.net/manual/en/ref.filesystem.php" rel="noreferrer">filesystem functions</a> in PHP are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance if <code>allow_url_fopen=On</code> then a url can be used as a file path, so a call to <code>copy($_GET['s'], $_GET['d']);</code> can be used to upload a PHP script anywhere on the system. Also if a site is vulnerable to a request sent via GET, every one of those file system functions can be abused to channel an attack to another host through your server.</p>
<pre><code>// open filesystem handler
fopen
tmpfile
bzopen
gzopen
SplFileObject-&gt;__construct

// write to filesystem (partially in combination with reading)
chgrp
chmod
chown
copy
file_put_contents
lchgrp
lchown
link
mkdir
move_uploaded_file
rename
rmdir
symlink
tempnam
touch
unlink
imagepng   - 2nd parameter is a path.
imagewbmp  - 2nd parameter is a path.
image2wbmp - 2nd parameter is a path.
imagejpeg  - 2nd parameter is a path.
imagexbm   - 2nd parameter is a path.
imagegif   - 2nd parameter is a path.
imagegd    - 2nd parameter is a path.
imagegd2   - 2nd parameter is a path.
iptcembed
ftp_get
ftp_nb_get

// read from filesystem
file_exists
file_get_contents
file
fileatime
filectime
filegroup
fileinode
filemtime
fileowner
fileperms
filesize
filetype
glob
is_dir
is_executable
is_file
is_link
is_readable
is_uploaded_file
is_writable
is_writeable
linkinfo
lstat
parse_ini_file
pathinfo
readfile
readlink
realpath
stat
gzfile
readgzfile
getimagesize
imagecreatefromgif
imagecreatefromjpeg
imagecreatefrompng
imagecreatefromwbmp
imagecreatefromxbm
imagecreatefromxpm
ftp_put
ftp_nb_put
exif_read_data
read_exif_data
exif_thumbnail
exif_imagetype
hash_file
hash_hmac_file
hash_update_file
md5_file
sha1_file
highlight_file
show_source
php_strip_whitespace
get_meta_tags
</code></pre>
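The grep-like sink identification the answer attributes to RATS and RIPS, as an added Python example that is not part of the original answer or of either tool: it scans PHP source for calls to a constructed subset of the sinks listed above, using the callback table's argument-position convention (0-based, negative counts from the last argument), and reports where a request superglobal reaches the dangerous argument. The names `find_tainted_sinks`, `split_args`, `SINKS` and `SAMPLE` are this example's own.

```python
import re
# Taint sources: the request superglobals the answer names ($_REQUEST etc.).
TAINT_RE = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")
# Sink => dangerous argument position(s), in the callback table's convention
# (0-based, negative from the end). Constructed subset; extend from the lists.
SINKS = {"system": [0], "shell_exec": [0], "eval": [0], "copy": [0, 1],
         "header": [0], "array_map": [0], "usort": [1], "call_user_func": [0],
         "array_udiff_uassoc": [-1, -2]}

def split_args(src, i):
    """Top-level arguments of the call whose '(' is at src[i]; commas and
    parens inside quoted strings are ignored (string escapes not handled)."""
    depth, args, cur, quote = 1, [], "", None
    for ch in src[i + 1:]:
        if quote:
            quote = None if ch == quote else quote
        elif ch in "'\"":
            quote = ch
        elif ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                return args + [cur.strip()] if cur.strip() else args
        elif ch == "," and depth == 1:
            args, cur = args + [cur.strip()], ""
            continue
        cur += ch
    return args  # unterminated call: best effort

def find_tainted_sinks(php_src):
    """(line, sink, arg_index) for each known sink whose dangerous argument holds
    a request superglobal. Grep-like, as RATS/RIPS: candidates for review only."""
    hits = []
    for m in CALL_RE.finditer(php_src):
        name = m.group(1).lower()
        if name in SINKS:
            args = split_args(php_src, m.end() - 1)
            line = php_src.count("\n", 0, m.start()) + 1
            for pos in SINKS[name]:
                if -len(args) <= pos < len(args) and TAINT_RE.search(args[pos]):
                    hits.append((line, name, pos % len(args)))
    return hits

SAMPLE = """<?php
$out = shell_exec("ls " . $_GET['dir']);   // flagged: command from request
usort($rows, $_POST['cmp']);               // flagged: callback from request
array_map('trim', $_GET['items']);         // literal callback: not flagged
copy($_GET['s'], $_GET['d']);              // flagged twice: source and dest
"""  # constructed sample PHP source
```

The example only flags candidates: a value wrapped in escapeshellarg() is still reported and an include written without parentheses is missed, so its output is a review list for the programmer, not a verdict.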