Exploitable PHP functions

Question

I m trying to build a list of functions that can be used for arbitrary code execution  The purpose isn t to list functions that should be blacklisted or otherwise disallowed  Rather  I d like to have a grep-able list of red-flag keywords handy when searching a compromised server for back-doors   The idea is that if you want to build a multi-purpose malicious PHP script -- such as a  web shell  script like c99 or r57 -- you re going to have to use one or more of a relatively small set of functions somewhere in the file in order to allow the user to execute arbitrary code  Searching for those those functions helps you more quickly narrow down a haystack of tens-of-thousands of PHP files to a relatively small set of scripts that require closer examination   Clearly  for example  any of the following would be considered malicious  or terrible coding     lt   eval   GET  cmd       gt    lt   system   GET  cmd       gt    lt   preg replace      e    POST  code       gt    and so forth    Searching through a compromised website the other day  I didn t notice a piece of malicious code because I didn t realize preg replace could be made dangerous by the use of the  e flag  which  seriously  Why is that even there    Are there any others that I missed   Here s my list so far   Shell Execute     system exec popen backtick operator pcntl exec   PHP Execute   eval preg replace  with  e modifier  create function include  once    require  once   see mario s answer for exploit details    It might also be useful to have a list of functions that are capable of modifying files  but I imagine 99  of the time exploit code will contain at least one of the functions above  But if you have a list of all the functions capable of editing or outputting files  post it and I ll include it here   And I m not counting mysql execute  since that s part of another class of exploit

User · Answer

Backtick Operator Backtick on php manual

User · Answer

You can find a continuously updated list of sensitive sinks  exploitable php functions  and their parameters in RIPS  config sinks php  a static source code analyser for vulnerabilities in PHP applications that also detects PHP backdoors

User · Answer

One source of interesting exploits has not been mentioned  PHP allows strings to have 0x00 bytes in them  Underlying  libc  functions treat this as the end of a string   This allows for situations where  poorly implemented  sanity-checking in PHP can be fooled  e g  in a situation like       note  proof of principle code  don t use  include     GET  file    if   preg match      php     include    include  include     This might include any file - not just those ending in  php - by calling script php file somefile 00 php  So any function that will not obey PHP s string length may lead to some vulnerability

User · Answer

You d have to scan for include  tmp  and require HTTP REFERER  and   once as well  If an exploit script can write to a temporary file  it could just include that later  Basically  a two-step eval     And it s even possible to hide remote code with workarounds like    include  data text plain base64   GET code       Also  if your webserver has already been compromised you will not always see unencoded evil  Often the exploit shell is gzip-encoded  Think of include  zlib script2 png gz    No eval here  still same effect

User · Answer

Most of attacks in the code use multiple access sources  or multiple steps to execute themselves  I would search not only for a code  or method having malicious code  but all methods  function executing or calling it  The best security would also include encoding and validating form data as it comes in and out   Watch also out from defining system variables  they can afterwards be called from any function or method in the code

User · Answer

Here is a list of functions my provider disables for security purposes    exec dl show source apache note apache setenv closelog debugger off debugger on define syslog variables escapeshellarg escapeshellcmd ini restore openlog passthru pclose pcntl exec popen proc close proc get status proc nice proc open proc terminate shell exec syslog system url exec

User · Answer

There was some discussion of this on security stackexchange com recently     functions that can be used for arbitrary code execution   Well that reduces the scope a little - but since  print  can be used to inject javascript  and therefore steal sessions etc  its still somewhat arbitrary      isn t to list functions that should be blacklisted or otherwise disallowed  Rather  I d like to have a grep-able list   That s a sensible approach   Do consider writing your own parser though - very soon you re going to find a grep based approach getting out of control  awk would be a bit better   Pretty soon you re also going to start wishing you d implemented a whitelist too   In addition to the obvious ones  I d recommend flagging up anything which does an include with an argument of anything other than a string literal  Watch out for   autoload   too

User · Answer

Several buffer overflows were discovered using 4bit  characters functions that interpret text   htmlentities   htmlspecialchars    were at the top  a good defence is to use mb convert encoding   to convert to single encoding prior to interpretation

User · Answer

i d particularly want to add unserialize   to this list  It has had a long history of various vulnerabilities including arbitrary code execution  denial of service and memory information leakage  It should never be called on user-supplied data  Many of these vuls have been fixed in releases over the last dew years  but it still retains a couple of nasty vuls at the current time of writing   For other information about dodgy php functions usage look around the Hardened PHP Project and its advisories  Also the recent Month of PHP Security and 2007 s Month of PHP Bugs projects   Also note that  by design  unserializing an object will cause the constructor and destructor functions to execute  another reason not to call it on user-supplied data

User · Answer

There are loads of PHP exploits which can be disabled by settings in the PHP ini file  Obvious example is register globals  but depending on settings it may also be possible to include or open files from remote machines via HTTP  which can be exploited if a program uses variable filenames for any of its include   or file handling functions   PHP also allows variable function calling by adding    to the end of a variable name -- eg  myvariable    will call the function name specified by the variable  This is exploitable  eg if an attacker can get the variable to contain the word  eval   and can control the parameter  then he can do anything he wants  even though the program doesn t actually contain the eval   function

User · Answer

Plattform-specific  but also theoretical exec vectors    dotnet load   new COM  WScript Shell   new Java  java lang Runtime   event new   - very eventually   And there are many more disguising methods    proc open is an alias for popen call user func array  exE  chr 99   array   usr bin damage    --all     file put contents   cgi-bin nextinvocation cgi    amp  amp  chmod      PharData  setDefaultStub - some more work to examine code in  phar files runkit function rename  exec    innocent name   or APD rename function

User · Answer

This is not an answer per se  but here s something interesting    y   str replace  z    e    zxzc     y  malicious code      In the same spirit  call user func array   can be used to execute obfuscated functions

User · Answer

I fear my answer might be a bit too negative  but     IMHO  every single function and method out there can be used for nefarious purposes   Think of it as a trickle-down effect of nefariousness  a variable gets assigned to a user or remote input  the variable is used in a function  the function return value used in a class property  the class property used in a file function  and so forth   Remember  a forged IP address or a man-in-the-middle attack can exploit your entire website   Your best bet is to trace from beginning to end any possible user or remote input  starting with   SERVER    GET    POST    FILE    COOKIE  include some remote file   if allow url fopen is on   all other functions classes dealing with remote files  etc   You programatically build a stack-trace profile of each user- or remote-supplied value   This can be done programatically by getting all repeat instances of the assigned variable and functions or methods it s used in  then recursively compiling a list of all occurrences of those functions methods  and so on   Examine it to ensure it first goes through the proper filtering and validating functions relative to all other functions it touches   This is of course a manual examination  otherwise you ll have a total number of case switches equal to the number of functions and methods in PHP  including user defined    Alternatively for handling only user input  have a static controller class initialized at the beginning of all scripts which 1  validates and stores all user-supplied input values against a white-list of allowed purposes  2  wipes that input source  ie   SERVER   null    You can see where this gets a little Naziesque

User · Answer

My VPS is set to disable the following functions   root vps      grep disable functions  usr local lib php ini disable functions   dl  exec  shell exec  system  passthru  popen  pclose  proc open  proc nice  proc terminate  proc get status  proc close  pfsockopen  leak  apache child terminate  posix kill  posix mkfifo  posix setpgid  posix setsid  posix setuid   PHP has enough potentially destructible functions that your list might be too big to grep for  For example  PHP has chmod and chown  which could be used to simply deactivate a website   EDIT  Perhaps you may want to build a bash script that searches for a file for an array of functions grouped by danger  functions that are bad  functions that are worse  functions that should never be used   and then calculate the relativity of danger that the file imposes into a percentage  Then output this to a tree of the directory with the percentages tagged next to each file  if greater than a threshold of say  30  danger

User · Answer

Also be aware of the class of  interruption vulnerabilities  that allow arbitrary memory locations to be read and written    These affect functions such as trim    rtrim    ltrim    explode    strchr    strstr    substr    chunk split    strtok    addcslashes    str repeat   and more  This is largely  but not exclusively  due to the call-time pass-by-reference feature of the language that has been deprecated for 10 years but not disabled   Fore more info  see Stefan Esser   s talk about interruption vulnerabilities and other lower-level PHP issues at BlackHat USA 2009 Slides Paper  This paper presentation also shows how dl   can be used to execute arbitrary system code

User · Answer

These functions can also have some nasty effects    str repeat   unserialize   register tick function   register shutdown function     The first two can exhaust all the available memory and the latter keep the exhaustion going

User · Answer

I guess you won t be able to really find all possible exploits by parsing your source files    also if there are really great lists provided in here  you can miss a function which can be exploitet there still could be  hidden  evil code like this       myEvilRegex   base64 decode  Ly4qL2U          preg replace  myEvilRegex    POST  code        you could now say  i simply extend my script to also match this but then you will have that mayn  possibly evil code  which additionally is out of it s context so to be  pseudo- secure  you should really write good code and read all existing code yourself

User · Answer

I know move uploaded file has been mentioned  but file uploading in general is very dangerous  Just the presence of   FILES should raise some concern   It s quite possible to embed PHP code into any type of file  Images can be especially vulnerable with text comments  The problem is particularly troublesome if the code accepts the extension found within the   FILES data as-is   For example  a user could upload a valid PNG file with embedded PHP code as  foo php   If the script is particularly naive  it may actually copy the file as   uploads foo php   If the server is configured to allow script execution in user upload directories  often the case  and a terrible oversight   then you instantly can run any arbitrary PHP code   Even if the image is saved as  png  it might be possible to get the code to execute via other security flaws    A  non-exhaustive  list of things to check on uploads    Make sure to analyze the contents to make sure the upload is the type it claims to be Save the file with a known  safe file extension that will not ever be executed Make sure PHP  and any other code execution  is disabled in user upload directories

User · Answer

I m surprised no one has mentioned echo and print as points of security exploitation   Cross-Site Scripting  XSS  is a serious security exploit  because it s even more common than server-side code execution exploits

User · Answer

Let s add pcntl signal and pcntl alarm to the list   With the help of those functions you can work around any set time limit restriction created int the php ini or in the script   This script for example will run for 10 seconds despite of set time limit 1     Credit goes to Sebastian Bergmanns tweet and gist     lt  php declare ticks   1    set time limit 1    function foo         for            class Invoker TimeoutException extends RuntimeException     class Invoker       public function invoke  callable   timeout                pcntl signal SIGALRM  function     throw new Invoker TimeoutException     TRUE           pcntl alarm  timeout           call user func  callable            try        invoker   new Invoker       invoker- gt invoke  foo   1     catch  Exception  e        sleep 10       echo  Still running despite of the timelimit

User · Answer

What about dangerous syntactic elements   The  variable variable     var  will find a variable in the current scope by the name of  var  If used wrong  the remote user can modify or read any variable in the current scope  Basically a weaker eval   Ex  you write some code   uservar   1   then the remote user sets  uservar to  admin   causing  admin to be set to 1 in the current scope

User · Answer

Apart from the eval language construct there is another function which allows arbitrary code execution  assert  assert  ex     ec  kill --bill

User · Answer

To build this list I used 2 sources   A Study In Scarlet and RATS    I have also added some of my own to the mix and people on this thread have helped out   Edit  After posting this list I contacted the founder of RIPS and as of now this tools searches PHP code for the use of every function in this list   Most of these function calls are classified as Sinks  When a tainted variable  like   REQUEST  is passed to a sink function  then you have a vulnerability   Programs like RATS and RIPS use grep like functionality to identify all sinks in an application   This means that programmers should take extra care when using these functions   but if they where all banned then you wouldn t be able to get much done      With great power comes great responsibility    --Stan Lee   Command Execution  exec           - Returns last line of commands output passthru       - Passes commands output directly to the browser system         - Passes commands output directly to the browser and returns last line shell exec     - Returns commands output     backticks  - Same as shell exec   popen          - Opens read or write pipe to process of a command proc open      - Similar to popen   but greater degree of control pcntl exec     - Executes a program   PHP Code Execution  Apart from eval there are other ways to execute PHP code  include require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities   eval   assert    - identical to eval   preg replace      e       -  e does an eval   on the match create function   include   include once   require   require once     GET  func name     GET  argument      func   new ReflectionFunction   GET  func name      func- gt invoke    or  func- gt invokeArgs array       List of functions which accept callbacks  These functions accept a string parameter which could be used to call a function of the attacker s choice   Depending on the function the attacker may or may not have the ability to pass a parameter   In that case an Information Disclosure function like phpinfo   could be used   Function                       gt  Position of callback arguments  ob start                      gt   0   array diff uassoc             gt  -1   array diff ukey               gt  -1   array filter                  gt   1   array intersect uassoc        gt  -1   array intersect ukey          gt  -1   array map                     gt   0   array reduce                  gt   1   array udiff assoc             gt  -1   array udiff uassoc            gt  array -1  -2    array udiff                   gt  -1   array uintersect assoc        gt  -1   array uintersect uassoc       gt  array -1  -2    array uintersect              gt  -1   array walk recursive          gt   1   array walk                    gt   1   assert options                gt   1   uasort                        gt   1   uksort                        gt   1   usort                         gt   1   preg replace callback         gt   1   spl autoload register         gt   0   iterator apply                gt   1   call user func                gt   0   call user func array          gt   0   register shutdown function    gt   0   register tick function        gt   0   set error handler             gt   0   set exception handler         gt   0   session set save handler      gt  array 0  1  2  3  4  5    sqlite create aggregate       gt  array 2  3    sqlite create function        gt   2    Information Disclosure  Most of these function calls are not sinks    But rather it maybe a vulnerability if any of the data returned is viewable to an attacker   If an attacker can see phpinfo   it is definitely a vulnerability    phpinfo posix mkfifo posix getlogin posix ttyname getenv get current user proc get status get cfg var disk free space disk total space diskfreespace getcwd getlastmo getmygid getmyinode getmypid getmyuid   Other  extract - Opens the door for register globals attacks  see study in scarlet   parse str -  works like extract if only one argument is given    putenv ini set mail - has CRLF injection in the 3rd parameter  opens the door for spam   header - on old systems CRLF injection could be used for xss or other purposes  now it is still a problem if they do a header  location         and they do not die     The script keeps executing after a call to header    and will still print output normally  This is nasty if you are trying to protect an administrative area   proc nice proc terminate proc close pfsockopen fsockopen apache child terminate posix kill posix mkfifo posix setpgid posix setsid posix setuid   Filesystem Functions  According to RATS all filesystem functions in php are nasty  Some of these don t seem very useful to the attacker  Others are more useful than you might think  For instance if allow url fopen On then a url can be used as a file path  so a call to copy   GET  s      GET  d     can be used to upload a PHP script anywhere on the system   Also if a site is vulnerable to a request send via GET everyone of those file system functions can be abused to channel and attack to another host through your server      open filesystem handler fopen tmpfile bzopen gzopen SplFileObject- gt   construct    write to filesystem  partially in combination with reading  chgrp chmod chown copy file put contents lchgrp lchown link mkdir move uploaded file rename rmdir symlink tempnam touch unlink imagepng   - 2nd parameter is a path  imagewbmp  - 2nd parameter is a path   image2wbmp - 2nd parameter is a path   imagejpeg  - 2nd parameter is a path  imagexbm   - 2nd parameter is a path  imagegif   - 2nd parameter is a path  imagegd    - 2nd parameter is a path  imagegd2   - 2nd parameter is a path  iptcembed ftp get ftp nb get    read from filesystem file exists file get contents file fileatime filectime filegroup fileinode filemtime fileowner fileperms filesize filetype glob is dir is executable is file is link is readable is uploaded file is writable is writeable linkinfo lstat parse ini file pathinfo readfile readlink realpath stat gzfile readgzfile getimagesize imagecreatefromgif imagecreatefromjpeg imagecreatefrompng imagecreatefromwbmp imagecreatefromxbm imagecreatefromxpm ftp put ftp nb put exif read data read exif data exif thumbnail exif imagetype hash file hash hmac file hash update file md5 file sha1 file highlight file show source php strip whitespace get meta tags

[php] Exploitable PHP functions

Examples related to php

Examples related to security

Examples related to grep