I'm trying to build a list of functions that can be used for arbitrary code execution. The purpose isn't to list functions that should be blacklisted or otherwise disallowed. Rather, I'd like to have a grep-able list of red-flag keywords handy when searching a compromised server for back-doors.

The idea is that if you want to build a multi-purpose malicious PHP script -- such as a "web shell" script like c99 or r57 -- you're going to have to use one or more of a relatively small set of functions somewhere in the file in order to allow the user to execute arbitrary code. Searching for those functions helps you more quickly narrow down a haystack of tens of thousands of PHP files to a relatively small set of scripts that require closer examination.
Clearly, for example, any of the following would be considered malicious (or terrible coding):
<? eval($_GET['cmd']); ?>
<? system($_GET['cmd']); ?>
<? preg_replace('/.*/e',$_POST['code']); ?>
and so forth.
Searching through a compromised website the other day, I didn't notice a piece of malicious code because I didn't realize preg_replace could be made dangerous by the use of the /e flag (which, seriously? Why is that even there?). Are there any others that I missed?
Here's my list so far:

Shell Execute
- system
- exec
- popen
- backtick operator
- pcntl_exec

PHP Execute
- eval
- preg_replace (with /e modifier)
- create_function
- include[_once] / require[_once] (see mario's answer for exploit details)
It might also be useful to have a list of functions that are capable of modifying files, but I imagine 99% of the time exploit code will contain at least one of the functions above. But if you have a list of all the functions capable of editing or outputting files, post it and I'll include it here. (And I'm not counting mysql_execute, since that's part of another class of exploit.)
Source: Tips4all