Exploitable PHP Functions: Analysis of Code Execution Risks

Keywords: PHP security | code execution | vulnerability detection

Abstract: This article provides an in-depth analysis of PHP functions that can be exploited for arbitrary code execution, based on security research and practical cases. It systematically categorizes risky functions into command execution, PHP code execution, callback functions, information disclosure, and more, offering insights for security auditing and vulnerability detection to help identify backdoors and malicious code.

Exploitable PHP Functions: Analysis of Code Execution Risks

In PHP development, certain functions, if misused, can be exploited by attackers to execute arbitrary code, leading to severe security vulnerabilities. This article systematically reviews these high-risk functions based on security research such as A Study In Scarlet and the RATS tool, aiming to assist security auditors in quickly identifying potential threats. These functions are often termed "sinks"; when tainted variables (e.g., $_REQUEST) are passed to them, vulnerabilities may arise. Security tools like RIPS use grep-like functionality to scan for these sinks, but developers should note that not all functions should be banned—they require careful usage.

Command Execution Functions

Command execution functions allow running system commands on the server. If user input is passed directly without sanitization, remote code execution can occur. For example, system($_GET['cmd']) executes the command from the GET parameter. Key functions include:

exec: Returns the last line of command output.
passthru: Passes command output directly to the browser.
system: Similar to passthru but returns the last line.
shell_exec and backticks: Return command output.
popen and proc_open: Open process pipes for more control.
pcntl_exec: Executes a program.

Attackers often use these functions to build web shells, such as c99 or r57 scripts. In code audits, searching for these functions can quickly narrow down suspicious files.

PHP Code Execution Functions

Beyond eval, other functions can execute PHP code, including file inclusion vulnerabilities. For instance, the /e modifier in preg_replace evals matched content, as in preg_replace('/.*/e',$_POST['code']). The list includes:

eval() and assert(): Directly execute strings as code.
create_function(): Creates anonymous functions, potentially abused.
include, include_once, require, require_once: Execute code via local or remote file inclusion.
Dynamic function calls: e.g., $_GET['func_name']($_GET['argument']).
ReflectionFunction: e.g., $func = new ReflectionFunction($_GET['func_name']); $func->invoke();.

Supplementary cases show attackers may hide code using encoding or compression, such as include("data:text/plain;base64,$_GET[code]") or include("zlib:script2.png.gz"), bypassing simple detection.

Callback Functions

Many PHP functions accept callback parameters; if attackers control these, arbitrary functions may be executed. For example, array_map($_GET['callback'], $array) can lead to code execution. Key functions include:

call_user_func and call_user_func_array: Directly invoke functions.
preg_replace_callback: Executes a callback on matches.
Array functions like array_filter, array_map.
Others such as register_shutdown_function, set_error_handler.

Attackers might obfuscate function names with string operations, e.g., $y = str_replace('z', 'e', 'zxzc'); $y("malicious code");, increasing detection difficulty.

Information Disclosure Functions

These functions may expose sensitive information; if output is accessible to attackers, it constitutes a vulnerability. For example, phpinfo() displays server configuration and is a common target. The list includes:

phpinfo: Shows detailed PHP configuration.
getenv and get_cfg_var: Retrieve environment variables and configuration values.
Process and system functions like proc_get_status, getmypid.
File system information such as disk_free_space.

Information disclosure may not directly execute code but can provide data for subsequent attacks, such as identifying vulnerabilities or bypassing defenses.

Other Risky Functions

Other functions may also introduce security risks, for example:

extract and parse_str: Simulate register_globals, potentially causing variable injection.
putenv and ini_set: Modify environment or configuration, affecting system behavior.
mail and header: CRLF injection can be used for XSS or other attacks.
File system functions: If allow_url_fopen=On, they can be exploited for file operation attacks, e.g., copy($_GET['s'], $_GET['d']) to upload malicious scripts.

The RATS tool notes that all file system functions can be abused, including read/write operations like fopen, file_put_contents, file_get_contents, etc.

Security Recommendations and Conclusion

Identifying these high-risk functions is the first step in security auditing. Developers should:

Validate and sanitize all user input to avoid direct passing to sink functions.
Use security tools like RIPS for automated scanning.
Restrict function usage, e.g., disable eval or set allow_url_fopen=Off.
Monitor server logs to detect anomalous behavior.

In summary, PHP's powerful features come with responsibility; developers must balance functionality with security. By understanding these exploitable functions, one can better defend against attacks and protect applications from threats.

Copyright Notice: All rights in this article are reserved by the operators of DevGex. Reasonable sharing and citation are welcome; any reproduction, excerpting, or re-publication without prior permission is prohibited.