Exploitable PHP functions

Answer 1

Backtick Operator Backtick on php manual

Answer 2

I know move_uploaded_file has been mentioned, but file uploading in general is very dangerous. Just the presence of $_FILES should raise some concern.

It's quite possible to embed PHP code into any type of file. Images can be especially vulnerable with text comments. The problem is particularly troublesome if the code accepts the extension found within the $_FILES data as-is.

For example, a user could upload a valid PNG file with embedded PHP code as "foo.php". If the script is particularly naive, it may actually copy the file as "/uploads/foo.php". If the server is configured to allow script execution in user upload directories (often the case, and a terrible oversight), then you instantly can run any arbitrary PHP code. (Even if the image is saved as .png, it might be possible to get the code to execute via other security flaws.)

A (non-exhaustive) list of things to check on uploads:

• Make sure to analyze the contents to make sure the upload is the type it claims to be
• Save the file with a known, safe file extension that will not ever be executed
• Make sure PHP (and any other code execution) is disabled in user upload directories

Answer 3

I'm surprised no one has mentioned echo and print as points of security exploitation.

Cross-Site Scripting (XSS) is a serious security exploit, because it's even more common than server-side code execution exploits.

Answer 4

Also be aware of the class of "interruption vulnerabilities" that allow arbitrary memory locations to be read and written!

These affect functions such as trim(), rtrim(), ltrim(), explode(), strchr(), strstr(), substr(), chunk_split(), strtok(), addcslashes(), str_repeat() and more. This is largely, but not exclusively, due to the call-time pass-by-reference feature of the language that has been deprecated for 10 years but not disabled.

Fore more info, see Stefan Esser’s talk about interruption vulnerabilities and other lower-level PHP issues at BlackHat USA 2009 Slides Paper

This paper/presentation also shows how dl() can be used to execute arbitrary system code.

Answer 5

What about dangerous syntactic elements?

The "variable variable" ($$var) will find a variable in the current scope by the name of $var. If used wrong, the remote user can modify or read any variable in the current scope. Basically a weaker eval.

Ex: you write some code $$uservar = 1;, then the remote user sets $uservar to "admin", causing $admin to be set to 1 in the current scope.

Answer 6

These functions can also have some nasty effects.

• str_repeat()
• unserialize()
• register_tick_function()
• register_shutdown_function()

The first two can exhaust all the available memory and the latter keep the exhaustion going...