Question 1: What is Command Injection Attack?

Question 2: Which functions of PHP may cause Command Injection Attack?

Question 3: How to prevent Command Injection Attack?

1. What is Command Injection Attack

2. Functions of PHP related to Command Injection Attack

3. Examples of Command Injection Attack

4. How to prevent Command Injection Attack

Command Injection Attack refer to that, because web applications don't do enough filters to submitted data, so attackers may form special characters, post them to PHP program, then execute external applications or internal commands. By thus, the attackers may get data or network resource illegal, or even execute other attacks. The Command Injection Attach is a common vulnerability of PHP, and many famous open source PHP applications are found with this vulnerability.

Function 'system' may be used to execute an external program and return the executed result

The usage of the function is:

string system(string command, int &return_var)

Parameter 'command' is the command to be executed, parameter 'return_val' stores the executed status

Function 'exec' may be used to execute an external program

The usage of the function is:

string exec (string command, array &output, int &return_var)

Parameter 'command' is the command to be executed, parameter 'output' is every line of the executed result, and parameter 'return_val' stores the executed status

Function 'passthru' may be use to execute a system command and return the original executed results, expecially binary outputs

The usage of the function is:

void passthru (string command, int &return_var)

Parameter 'command' is the system command to be executed, parameter 'return_val' stores the executed status

Function 'shell_exec' may be use to execute shell commands and return the executed results in string format

The usage of the function is:

string shell_exec (string command)

Parameter 'command' is the shell command to be executed

`` is the same as 'shell_exec', execute shell commands and return the executed results in string format

The usage of the operator is:

``

Parameter 'command' is the shell command to be executed

Function 'eval' will use parameter as PHP code to execute. User may save PHP code in string format, then execute it by pass to 'eval'

The usage of the function is:

mixed eval(string $code_str)

Parameter 'code_str' is PHP code which will be executed, in string format

Function 'preg_replace' execute a regural expression find and replace

The usage of the function is:

mixed preg_replace ( mixed , mixed , mixed )

Parameter 'pattern' is the search mode, mode 'e' may cause command injection attack

Function 'str_replace' may be use to replace strings

The usage of the function is:

mixed str_replace ( mixed $search , mixed $replace , mixed $subject)

Parameter 'search' is the string to be searched, parameter 'replace' is the string to be replaced, and parameter 'subject' is the string to be execute the replace

Function 'call_user_func' use the first parameter as a function to execute, the rest parameters are treated as the parameters of the executed function

The usage of the function is:

mixed call_user_func ( callable $callback [, mixed $parameter [, mixed $... ]] )

Parameter 'callback' is the function to be executed

The parameters of such functions are all have a 'command'. The 'command' can execute system command directly. So the attacks of these functions are simily.

For example:

User pass in a directory name, then list files in the directory:

<?php

$dir = $_GET[“dir”]; //the directory name user passed in

system(“dir ” . $dir);

?>

When $dir is passed by user is: '|cat /etc/passwd', the actual executed command is as following:

system(“dir |cat /etc/passwd”), Thus the should be kept secret '/etc/passwd' is let out to the attacker

Such function are all can execute PHP statements and functions directly, so the attacks of these functions are simily.

For example:

Execute a statement input by the user:

<?php

$cmd = $_GET[“cmd”]; //the statement the user input

eval($cmd);

?>

When user input $cmd as phpinfo(), the actual executed statement is:

eval(phpinfo()), so many important informations of phpinfo are let out to the cracker

Another example, this is one line in a famous open source CMS:

@eval(file_get_contents('php://input'));

php://input is an inpu stream, user can use POST to get the original data. So the content of the execute may be controller by POST, then when we POST phpinfo() to it, it will execute phpinfo() directly. Thus the attack is executed successfully.

1. Do not execute external commands and applications as far as possible. When in need, use builtin PHP functions instead. For example, don't use 'shell("rm 1.txt") to remove a file, use 'unlink("1.txt") instead.

2. If you must to use an external commands or applications, make sure you know what's the passed in parameters actually means. Don't use $_GET, $_POST directly without any check, don't give the attacker any opportunity to attack your system.

For example:

<?php

$cmd = $_GET[“cmd”]; //the command the user passed in

eval($cmd);

?>

For this example, we can check where the cmd is in our allowed list before we execute 'eval($cmd)'. Only when the check is passed can we execute it.

<?php

$cmd = $_GET[“cmd”]; //the command the user passwe in

$allow_cmds = array(“getdate”); //command lists that are allowed to execute

if(in_array($cmd, $allow_cmds)){ //only in the command lists can we execute it

    eval($cmd);

}

?>

3. If you must execute any thing passed by the user using $_GET or $_POST, you should use function 'escapeshellarg' to handle with the parameters. Function 'escapeshellarg' will add a single quote to the command, and will escape any existing single quotes. So the result may be passed to function 'shell' safely. For example:

<?php

$dir = $_GET[“dir”]; //the directory name user passed in

system(escapeshellarg(“dir ” . $dir));

?>

When passed by user is '|cat /etc/passwd', the actual command is:

system(escapeshellarg(“dir |cat /etc/passwd”)), thus, the PHP handler may deal with it correctly, and it won't let out the /etc/passwd file.

4. Use 'safe_mode_exec_dir' to set safe execute directory. Firstly, set 'safe_mode' in php.ini to On, then put all command files you want to execute into a directory, then set 'safe_mode_exec_dir' point to that directory. When execute external commands within PHP code, all external files must within the 'safe_mode_exec_dir' directory, or the execute will fail.