Dangerous PHP functions

Command Execution

exec           - Returns the last line of the command's output
passthru       - Passes the command's output directly to the browser
system         - Passes the command's output directly to the browser and returns the last line
shell_exec     - Returns the command's output
`` (backticks) - Same as shell_exec()
popen          - Opens a read or write pipe to the process of a command
proc_open      - Similar to popen() but with a greater degree of control
pcntl_exec     - Executes a program
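As an added example (not part of the original list), here is the same "ping a host" feature written once as an injectable sink and twice in hardened form, so the difference between the functions above being dangerous and being misused is visible. The function names and the `$_GET['host']` parameter are assumptions for the example; proc_open() with an argv array needs PHP 7.4 or later.

```php
<?php
// Added example: command-injection sink next to its hardened forms.
// ping_unsafe/ping_safe/ping_no_shell are hypothetical names for this example.

// VULNERABLE: the request parameter is concatenated into the shell command
// string, so shell metacharacters in it become additional commands. Every
// function in the list above behaves the same way when fed this string.
function ping_unsafe(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host);
}

// HARDENED: (1) validate against a strict pattern so only a syntactically
// valid host name passes, (2) quote with escapeshellarg() so the shell sees
// exactly one argument, (3) collect the full output and the exit status.
function ping_safe(string $host): string
{
    if (!preg_match('/\A[A-Za-z0-9.-]{1,253}\z/', $host)) {
        throw new InvalidArgumentException('invalid host name');
    }
    $cmd    = 'ping -c 1 ' . escapeshellarg($host);
    $output = [];
    $status = 0;
    exec($cmd, $output, $status);   // $output receives every line, not only the last
    if ($status !== 0) {
        throw new RuntimeException('ping failed with exit status ' . $status);
    }
    return implode("\n", $output);
}

// BETTER: avoid the shell entirely. proc_open() accepts an argv array, so
// there is no command line for metacharacters to break out of; the value
// is still validated because ping itself must receive a sane argument.
function ping_no_shell(string $host): string
{
    if (!preg_match('/\A[A-Za-z0-9.-]{1,253}\z/', $host)) {
        throw new InvalidArgumentException('invalid host name');
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return (string) $out;
}

// Usage: the host comes from the request; 'localhost' is a constructed default.
$host = $_GET['host'] ?? 'localhost';
header('Content-Type: text/plain');
echo ping_no_shell($host);
```

The validation step is not redundant with escapeshellarg(): quoting stops the shell from interpreting the value, but the allow-pattern also keeps argument-like values (for instance a leading `-`) from being parsed as options by the program itself.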

PHP Code Execution

Apart from eval() there are other ways to execute PHP code: include/require can lead to remote code execution in the form of Local File Include (LFI) and Remote File Include (RFI) vulnerabilities.

eval()
assert()  - identical to eval()
preg_replace('/.*/e',...) - /e does an eval() on the match
create_function()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);
$func = new ReflectionFunction($_GET['func_name']); $func->invoke(); or $func->invokeArgs(array());

List of functions which accept callbacks

These functions accept a string parameter which could be used to call a function of the attacker’s choice. Depending on the function the attacker may or may not have the ability to pass a parameter. In that case an Information Disclosure function like phpinfo() could be used.

Function                     => Position of callback arguments (0 = first argument; negative values count back from the last argument)
'ob_start'                   =>  0,
'array_diff_uassoc'          => -1,
'array_diff_ukey'            => -1,
'array_filter'               =>  1,
'array_intersect_uassoc'     => -1,
'array_intersect_ukey'       => -1,
'array_map'                  =>  0,
'array_reduce'               =>  1,
'array_udiff_assoc'          => -1,
'array_udiff_uassoc'         => array(-1, -2),
'array_udiff'                => -1,
'array_uintersect_assoc'     => -1,
'array_uintersect_uassoc'    => array(-1, -2),
'array_uintersect'           => -1,
'array_walk_recursive'       =>  1,
'array_walk'                 =>  1,
'assert_options'             =>  1,
'uasort'                     =>  1,
'uksort'                     =>  1,
'usort'                      =>  1,
'preg_replace_callback'      =>  1,
'spl_autoload_register'      =>  0,
'iterator_apply'             =>  1,
'call_user_func'             =>  0,
'call_user_func_array'       =>  0,
'register_shutdown_function' =>  0,
'register_tick_function'     =>  0,
'set_error_handler'          =>  0,
'set_exception_handler'      =>  0,
'session_set_save_handler'   => array(0, 1, 2, 3, 4, 5),
'sqlite_create_aggregate'    => array(2, 3),
'sqlite_create_function'     =>  2,
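The following added example (not from the original page) covers both the variable-function form `$_GET['func_name']($_GET['argument'])` from the previous section and the callback table above: in both cases the fix is that the client chooses a key from a developer-defined allowlist, never a function name. It also shows why is_callable() is not a defence. The function names and the `op`/`v` request parameters are assumptions for the example.

```php
<?php
// Added example: user-chosen callbacks are code-execution sinks; an allowlist
// keyed by a short public name is the fix. Names here are hypothetical.

// VULNERABLE: whatever function name the client sends gets called, including
// 'system' or 'passthru'. is_callable() does not help: it returns true for
// exactly those functions, so the check only rejects misspelt names.
function transform_unsafe(array $values, string $callback): array
{
    if (!is_callable($callback)) {
        throw new InvalidArgumentException('not callable');
    }
    return array_map($callback, $values);   // array_map: callback at position 0
}

// HARDENED: the client picks a key; the map holds fixed, developer-chosen
// function names, so the set of reachable code is closed no matter what
// arrives in the request.
const TRANSFORMS = [
    'upper' => 'strtoupper',
    'lower' => 'strtolower',
    'trim'  => 'trim',
];

function resolve_transform(string $key): callable
{
    if (!array_key_exists($key, TRANSFORMS)) {
        throw new InvalidArgumentException('unknown transform: ' . $key);
    }
    return TRANSFORMS[$key];
}

function transform_safe(array $values, string $key): array
{
    return array_map(resolve_transform($key), $values);
}

// The same resolver covers the variable-function form: resolve first, then call.
function apply_one(string $key, string $argument): string
{
    $fn = resolve_transform($key);
    return $fn($argument);
}

// Usage with request data; the defaults are constructed so this runs from the CLI.
$key    = $_GET['op'] ?? 'upper';
$values = (array) ($_GET['v'] ?? ['alpha', 'beta']);
var_dump(transform_safe($values, $key));   // ['ALPHA', 'BETA'] for the default key
var_dump(apply_one($key, ' padded '));     // ' PADDED ' for the default key
```

The same pattern applies to usort(), preg_replace_callback() and every other entry in the table: the callback argument must be a value the developer wrote, and request data may at most select among such values.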

Information Disclosure

Most of these functions are not sinks in themselves; they become a vulnerability when the data they return is viewable to an attacker. If an attacker can see the output of phpinfo(), that is definitely a vulnerability.

phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmod
getmygid
getmyinode
getmypid
getmyuid

PHP PHAR exploitation

include('phar://test.phar');
file_get_contents('phar://test.phar');
file_put_contents('phar://test.phar', '');
copy('phar://test.phar', '');
file_exists('phar://test.phar');
is_executable('phar://test.phar');
is_file('phar://test.phar');
is_dir('phar://test.phar');
is_link('phar://test.phar');
is_writable('phar://test.phar');
fileperms('phar://test.phar');
fileinode('phar://test.phar');
filesize('phar://test.phar');
fileowner('phar://test.phar');
filegroup('phar://test.phar');
fileatime('phar://test.phar');
filemtime('phar://test.phar');
filectime('phar://test.phar');
filetype('phar://test.phar');
getimagesize('phar://test.phar');
exif_read_data('phar://test.phar');
stat('phar://test.phar');
lstat('phar://test.phar');
touch('phar://test.phar');
md5_file('phar://test.phar');

Other

extract - Opens the door for register_globals attacks (see [study in scarlet - seclist](http://seclists.org/bugtraq/2001/Jul/att-26/studyinscarlet.txt)).
parse_str - works like extract if only one argument is given.
putenv
ini_set
mail - has CRLF injection in the 3rd parameter, opens the door for spam.
header - on old systems CRLF injection could be used for XSS or other purposes. It is still a problem if the code does header("Location: ..."); without die(): the script keeps executing after a call to header() and still prints its output normally. This is nasty if you are trying to protect an administrative area.
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid
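As an added example (not part of the original list) for the header() and mail() entries above: the redirect-without-exit bug and its fix, and a CR/LF check in front of the mail() fields an attacker can influence. Function names, the `/login.php` target and the message text are assumptions for the example.

```php
<?php
// Added example: header() keeps executing; mail() header fields take CR/LF.
// require_admin_*, notify_* and no_crlf are hypothetical names.

// VULNERABLE: header() only queues a response header. Execution continues,
// so the whole admin page is still generated and sent along with the
// redirect; a client that ignores the Location header simply reads it.
function require_admin_unsafe(bool $is_admin): void
{
    if (!$is_admin) {
        header('Location: /login.php');
    }
    // ... admin page continues to be emitted here ...
}

// HARDENED: stop the script immediately after the redirect. The redirect is
// a convenience for browsers; the exit is the access control.
function require_admin_safe(bool $is_admin): void
{
    if (!$is_admin) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

// VULNERABLE: a CR/LF inside a user-supplied value ends the header it sits in
// and starts a new one (extra recipients, Bcc:, a second body), which is how
// the injection turns the form into a spam relay.
function notify_unsafe(string $to, string $subject, string $from): bool
{
    return mail($to, $subject, 'Thanks for signing up.', 'From: ' . $from);
}

// HARDENED: refuse any value containing \r or \n before it reaches a header
// position, and validate addresses (FILTER_VALIDATE_EMAIL rejects newlines too).
function no_crlf(string $value, string $field): string
{
    if (preg_match('/[\r\n]/', $value)) {
        throw new InvalidArgumentException("CR/LF not allowed in $field");
    }
    return $value;
}

function notify_safe(string $to, string $subject, string $from): bool
{
    if (filter_var($to, FILTER_VALIDATE_EMAIL) === false
        || filter_var($from, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid address');
    }
    return mail(
        $to,
        no_crlf($subject, 'subject'),
        'Thanks for signing up.',
        'From: ' . $from
    );
}
```

The exit after header() matters even when the page also checks the session later: anything echoed between the header() call and that later check has already left the server.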

Filesystem Functions

According to RATS all filesystem functions in PHP are nasty. Some of these don't seem very useful to the attacker. Others are more useful than you might think. For instance, if allow_url_fopen=On then a URL can be used as a file path, so a call to copy($_GET['s'], $_GET['d']); can be used to upload a PHP script anywhere on the system. Also, if a site is vulnerable to a request sent via GET, every one of those filesystem functions can be abused to channel an attack to another host through your server.

// open filesystem handler

fopen
tmpfile
bzopen
gzopen
SplFileObject->__construct

// write to filesystem (partially in combination with reading)

chgrp
chmod
chown
copy
file_put_contents
lchgrp
lchown
link
mkdir
move_uploaded_file
rename
rmdir
symlink
tempnam
touch
unlink
imagepng   - 2nd parameter is a path.
imagewbmp  - 2nd parameter is a path.
image2wbmp - 2nd parameter is a path.
imagejpeg  - 2nd parameter is a path.
imagexbm   - 2nd parameter is a path.
imagegif   - 2nd parameter is a path.
imagegd    - 2nd parameter is a path.
imagegd2   - 2nd parameter is a path.
iptcembed
ftp_get
ftp_nb_get

// read from filesystem

file_exists
file_get_contents
file
fileatime
filectime
filegroup
fileinode
filemtime
fileowner
fileperms
filesize
filetype
glob
is_dir
is_executable
is_file
is_link
is_readable
is_uploaded_file
is_writable
is_writeable
linkinfo
lstat
parse_ini_file
pathinfo
readfile
readlink
realpath
stat
gzfile
readgzfile
getimagesize
imagecreatefromgif
imagecreatefromjpeg
imagecreatefrompng
imagecreatefromwbmp
imagecreatefromxbm
imagecreatefromxpm
ftp_put
ftp_nb_put
exif_read_data
read_exif_data
exif_thumbnail
exif_imagetype
hash_file
hash_hmac_file
hash_update_file
md5_file
sha1_file
highlight_file
show_source
php_strip_whitespace
get_meta_tags
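This added example (not from the original page) serves both the PHAR section and the copy($_GET['s'], $_GET['d']) case above. Every file function in these lists honours PHP stream wrappers, so a user-supplied path has to be reduced to a plain local path inside one directory before any of them sees it; the same helper then protects reads and writes alike. Function names and the `/var/app/uploads` base directory are assumptions for the example; str_contains()/str_starts_with() need PHP 8.0 or later, and the path rules are written for Unix separators.

```php
<?php
// Added example: confine user-supplied paths before they reach copy(),
// file_get_contents() and friends. safe_path/copy_*/read_upload are
// hypothetical names; UPLOAD_BASE is a constructed directory.

const UPLOAD_BASE = '/var/app/uploads';

// VULNERABLE: with allow_url_fopen=On the source may be http://..., and a
// phar:// source makes copy() (like file_exists(), filesize(), stat(), ...)
// parse the archive, whatever the file extension says; older PHP versions
// also deserialise the archive's metadata automatically while doing so.
function copy_unsafe(string $src, string $dst): bool
{
    return copy($src, $dst);
}

// Reduce a user-supplied name to a canonical path under UPLOAD_BASE.
function safe_path(string $userPath, bool $mustExist): string
{
    // 1. No stream wrapper of any kind: anything shaped like "scheme://" is
    //    rejected before phar://, http://, ftp://, data: etc. can be parsed.
    if (preg_match('#^[a-z0-9.+-]+:#i', $userPath)) {
        throw new InvalidArgumentException('stream wrappers are not allowed');
    }
    // 2. No NUL bytes (they truncate the path in C-level APIs), no absolute
    //    paths, and no empty or parent-directory segments.
    if (str_contains($userPath, "\0") || str_starts_with($userPath, '/')) {
        throw new InvalidArgumentException('invalid path');
    }
    foreach (explode('/', $userPath) as $segment) {
        if ($segment === '' || $segment === '..') {
            throw new InvalidArgumentException('invalid path segment');
        }
    }
    $candidate = UPLOAD_BASE . '/' . $userPath;

    if ($mustExist) {
        // 3. realpath() resolves symlinks; the result must still lie inside
        //    the base directory, since a symlink could point anywhere.
        $real = realpath($candidate);
        if ($real === false || !str_starts_with($real, UPLOAD_BASE . '/')) {
            throw new InvalidArgumentException('path escapes base directory');
        }
        return $real;
    }

    // A destination may not exist yet, so resolve and check its directory.
    $dirReal = realpath(dirname($candidate));
    if ($dirReal === false
        || ($dirReal !== UPLOAD_BASE && !str_starts_with($dirReal, UPLOAD_BASE . '/'))) {
        throw new InvalidArgumentException('destination directory escapes base');
    }
    return $dirReal . '/' . basename($candidate);
}

function copy_safe(string $src, string $dst): bool
{
    return copy(safe_path($src, true), safe_path($dst, false));
}

// Reads get the same treatment: file_get_contents('phar://...') is refused at
// step 1 before any phar code runs.
function read_upload(string $name): string
{
    $data = file_get_contents(safe_path($name, true));
    if ($data === false) {
        throw new RuntimeException('read failed');
    }
    return $data;
}
```

Rejecting everything that looks like a scheme (step 1) is deliberately broader than blocking the phar:// prefix: wrapper names are matched case-insensitively by PHP, and new wrappers can be registered at runtime, so an allowlist of path shapes is safer than a denylist of wrapper names.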
