Exploitable PHP functions

Question:

Locked. This question and its answers are locked because the question is off-topic but has historical significance. It is not currently accepting new answers or interactions.

I'm trying to build a list of functions that can be used for arbitrary code execution. The purpose isn't to list functions that should be blacklisted or otherwise disallowed. Rather, I'd like to have a grep-able list of red-flag keywords handy when searching a compromised server for back-doors.

The idea is that if you want to build a multi-purpose malicious PHP script -- such as a "web shell" script like c99 or r57 -- you're going to have to use one or more of a relatively small set of functions somewhere in the file in order to allow the user to execute arbitrary code. Searching for those functions helps you more quickly narrow down a haystack of tens-of-thousands of PHP files to a relatively small set of scripts that require closer examination.

Clearly, for example, any of the following would be considered malicious (or terrible coding):

<? eval($_GET['cmd']); ?>

<? system($_GET['cmd']); ?>

<? preg_replace('/.*/e',$_POST['code']); ?>

and so forth.

Searching through a compromised website the other day, I didn't notice a piece of malicious code because I didn't realize preg_replace could be made dangerous by the use of the /e flag (which, seriously? Why is that even there?). Are there any others that I missed?

Here's my list so far:

Shell Execute

  • system
  • exec
  • popen
  • backtick operator
  • pcntl_exec

PHP Execute

  • eval
  • preg_replace (with /e modifier)
  • create_function
  • include[_once] / require[_once] (see mario's answer for exploit details)

It might also be useful to have a list of functions that are capable of modifying files, but I imagine 99% of the time exploit code will contain at least one of the functions above. But if you have a list of all the functions capable of editing or outputting files, post it and I'll include it here. (And I'm not counting mysql_execute, since that's part of another class of exploit.)
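The triage search described in the question, as an added Python example that is not part of the original post: it reports, per line, which of the listed red-flag functions appear in PHP source. The rule names, the file suffixes and the variable-based heuristics for backticks and include/require are assumptions made here, and the sample input is constructed.

```python
import re
from pathlib import Path

# Function names come from the question's list; the regexes are heuristics added here.
CALL = r"(?<![\w$>:])(?:%s)\s*\("  # bare call, not curl_exec( or $db->exec(
RULES = [
    ("shell-exec", re.compile(CALL % "system|exec|popen|pcntl_exec", re.I)),
    ("php-exec", re.compile(CALL % "eval|create_function", re.I)),
    # Backtick operator and include/require: flagged only with a variable (assumption).
    ("backtick", re.compile(r"`[^`\n]*\$\w[^`\n]*`")),
    ("dynamic-include",
     re.compile(r"(?<![\w$>:])(?:include|require)(?:_once)?\b[^;\n]*\$\w", re.I)),
]
# preg_replace with a literal pattern: quote, delimiter, body, delimiter, modifiers, quote.
PREG = re.compile(r"(?<![\w$>:])preg_replace\s*\(\s*(['\"])(.).*?\2([a-zA-Z]*)\1", re.I)

def scan_text(text):
    """Return sorted (line_number, rule_name) pairs for one PHP source string."""
    hits = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        hits.update((lineno, name) for name, rx in RULES if rx.search(line))
        if any("e" in m.group(3) for m in PREG.finditer(line)):
            hits.add((lineno, "preg_replace-/e"))
    return sorted(hits)

def scan_tree(root, suffixes=(".php", ".phtml", ".inc")):
    """Map every PHP-like file under root that has hits to its hit list."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in suffixes:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path)] = hits
    return report

# Constructed sample: the question's three one-liners plus benign look-alikes.
SAMPLE = r"""<? eval($_GET['cmd']); ?>
<? system($_GET['cmd']); ?>
<? preg_replace('/.*/e',$_POST['code']); ?>
<?php $r = curl_exec($ch); $n = $db->exec($sql);
$s = preg_replace('/\s+/', ' ', $s);
$q = "SELECT `id` FROM `users`";
$out = `ls $dir`;
include($_GET['page'] . '.php');
"""

if __name__ == "__main__":
    for lineno, rule in scan_text(SAMPLE):
        print(f"line {lineno}: {rule}")
```

The /e check only sees patterns written as string literals with a single-character delimiter, so a pattern held in a variable or using bracket delimiters still needs a manual look.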

