I’m trying to build a list of functions that can be used for arbitrary code execution. The purpose isn’t to list functions that should be blacklisted or otherwise disallowed. Rather, I’d like to have a grep-able list of red-flag keywords handy when searching a compromised server for back-doors.
The idea is that if you want to build a multi-purpose malicious PHP script — such as a “web shell” script like c99 or r57 — you’re going to have to use one or more of a relatively small set of functions somewhere in the file in order to allow the user to execute arbitrary code. Searching for those functions helps you more quickly narrow down a haystack of tens-of-thousands of PHP files to a relatively small set of scripts that require closer examination.
Clearly, for example, any of the following would be considered malicious (or terrible coding):
<? eval($_GET['cmd']); ?>
<? system($_GET['cmd']); ?>
<? preg_replace('/.*/e', $_POST['code'], ''); ?>
and so forth.
Searching through a compromised website the other day, I didn’t notice a piece of malicious code because I didn’t realize preg_replace could be made dangerous by the use of the /e flag (which, seriously? Why is that even there?). Are there any others that I missed?
Here’s my list so far:
Shell Execute
system
exec
popen
backtick operator
pcntl_exec
PHP Execute
eval
preg_replace (with /e modifier)
create_function
include[_once] / require[_once] (see mario’s answer for exploit details)
It might also be useful to have a list of functions that are capable of modifying files, but I imagine 99% of the time exploit code will contain at least one of the functions above. But if you have a list of all the functions capable of editing or outputting files, post it and I’ll include it here. (And I’m not counting mysql_execute, since that’s part of another class of exploit.)