restku.blogg.se

Imagegif php










write to filesystem (partially in combination with reading)

For instance, if allow_url_fopen=On then a URL can be used as a file path, so a call to copy($_GET, $_GET) can be used to upload a PHP script anywhere on the system.

Also, if a site is vulnerable to a request sent via GET, every one of those file system functions can be abused to channel an attack to another host through your server.

Others are more useful than you might think. Some of these don't seem very useful to the attacker.

This is nasty if you are trying to protect an administrative area.

According to RATS all filesystem functions in PHP are nasty.

The script keeps executing after a call to header(), and will still print output normally.

header - on old systems CRLF injection could be used for XSS or other purposes, now it is still a problem if they do a header("location.

mail - has CRLF injection in the 3rd parameter, opens the door for spam.

parse_str - works like extract if only one argument is given.

Other

extract - Opens the door for register_globals attacks (see study in scarlet).

If an attacker can see phpinfo() it is definitely a vulnerability. But rather it may be a vulnerability if any of the data returned is viewable to an attacker. Most of these function calls are not sinks.

'sqlite_create_aggregate' => array(2, 3),


Function => Position of callback arguments

In that case an Information Disclosure function like phpinfo() could be used. Depending on the function the attacker may or may not have the ability to pass a parameter. These functions accept a string parameter which could be used to call a function of the attacker's choice.

$func = new ReflectionFunction($_GET); $func->invoke(); or $func->invokeArgs(array());


preg_replace('/.*/e', ...) - /e does an eval() on the match


proc_open - Similar to popen() but greater degree of control

Apart from eval there are other ways to execute PHP code: include/require can be used for remote code execution in the form of Local File Include and Remote File Include vulnerabilities.

popen - Opens read or write pipe to process of a command


system - Passes commands output directly to the browser and returns last line

passthru - Passes commands output directly to the browser

Stan Lee

Command Execution

exec - Returns last line of commands output

"With great power comes great responsibility."

This means that programmers should take extra care when using these functions, but if they were all banned then you wouldn't be able to get much done.

Programs like RATS and RIPS use grep-like functionality to identify all sinks in an application. When a tainted variable (like $_REQUEST) is passed to a sink function, then you have a vulnerability. Most of these function calls are classified as sinks.

I have also added some of my own to the mix and people on this thread have helped out.

Edit: After posting this list I contacted the founder of RIPS and as of now this tool searches PHP code for the use of every function in this list.









