Is it possible to make a “php injection”?
Question
I'm building a web application and I'm concern with security.
Is it a way to make a "php injection", in the same way it is possible to make "SQL injection" ? That means client can send some php code which will be executed on the server.
Until we don't use the "eval" function, I would like to say "no" because when we get a value by $_GET and $_POST, all the data are treated as simple string... But maybe I don't see an obvious attack.
3 answers
solution1
2 ACCPTED 2014-04-06 14:29:04
In general, not unless you evaluate it with something that might parse and execute PHP. You already mentioned eval, but there are other functions that have eval-like properties (eg preg_replace , if the attacker manages to inject the /e modifier) or can otherwise allow unwanted levels of access (eg system() ).
Also, if an attacker can upload a file and get it interpreted as PHP, he can run PHP code. nginx can be easily misconfigured in a way that allows attackers to execute PHP code in image files. The same goes for getting your web site to include() his code - possibly by overwriting your files with his uploads, or changing the include() arguments to point to a remote site (if that is not disabled in php.ini).
solution2
1 2014-04-06 14:23:18
There are a number of ways in which you could, potentially, have a "PHP injection". eval is one of them. shell_exec and related functions are a risk too (always use escapeshellarg !) But the common theme is putting user input somewhere it can be executed. This is the case with SQL injections, where the query is a string that contains user input and is then executed on the MySQL server.
One slightly more obscure example is file uploads. If you allow uploading of files to your server, do NOT allow unfettered access to them! Someone could upload a PHP file, then access it and get full control of your site, so... yeah, be careful with uploads!
solution3
0 2014-04-06 18:35:14
You would call it PHP injection if the PHP script ”constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment” [1] .
So for PHP as the processor, any function, whose parameter are being interpreted as PHP, directly or indirectly, may be prone to PHP injection. This includes obviously the eval function , but also functions like create_function , and preg_replace with PREG_REPLACE_EVAL modifier .
Furthermore, this also includes routines that generate PHP code for being written to file like configuration files during an application setup. Or routines that execute PHP via php -r … , even when escaped via escapeshellarg .
Have a look at the observed examples for CWE-94: Improper Control of Generation of Code ('Code Injection') .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.