php disable_functions

disable_functions example

Disable running external programs/scripts

disable_functions = exec,passthru,shell_exec,system,proc_open,popen

* Only internal functions can be disabled. (User-defined functions are unaffected)

* This directive must be set in php.ini. (You cannot set this in httpd.conf)

In addition, the following settings make PHP code run more safely

allow_url_fopen=Off
allow_url_include=Off

Prevent switching identity (uid/gid)

posix_setuid,posix_setgid
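The settings above only help if the running SAPI really loaded them (the CLI and mod_php/php-fpm often read different php.ini files). The script below is an added example, not code from the original page: it takes the function and setting names from the page's lists and reports at runtime which of them are still active. It assumes nothing beyond a standard PHP install.

```php
<?php
// Added example: runtime audit of the hardening settings recommended on this page.
// Function and setting names are the page's own; nothing else is assumed.

function php_hardening_audit(): array
{
    $mustBeDisabled = [
        'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
        'posix_setuid', 'posix_setgid',
    ];
    $mustBeOff = ['allow_url_fopen', 'allow_url_include'];

    $findings = [];

    foreach ($mustBeDisabled as $fn) {
        // function_exists() returns false for functions removed through
        // disable_functions (and for posix_* when the extension is absent),
        // so it reflects what is actually callable, not just what the ini says.
        if (function_exists($fn)) {
            $findings[] = "$fn is still callable";
        }
    }

    foreach ($mustBeOff as $setting) {
        // ini_get() returns "1" for On and "0" or "" for Off
        if (filter_var(ini_get($setting), FILTER_VALIDATE_BOOLEAN)) {
            $findings[] = "$setting is On";
        }
    }

    return $findings;
}

$findings = php_hardening_audit();
if ($findings === []) {
    echo "OK: all checked functions are disabled and URL wrappers are off\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo "FAIL: $finding\n";
}
exit(1);
```

Run it through the web server (place it in a vhost and request it once) rather than only with `php` on the command line, since the CLI ignores per-SAPI ini files; remove the script again afterwards so it does not advertise the server's configuration.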

Test Code

<?php
 system("whoami");
 shell_exec("whoami");
 exec("whoami");
 passthru("whoami");
?>

error.log

... PHP Warning:  system() has been disabled for security reasons in /path/to/my.php on line 2
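Each blocked call leaves a line like the one above in error.log, which makes the log a cheap detection source: a burst of these warnings from one script is a sign that something is trying to run commands. The parser below is an added example, not part of the original page; the sample log lines are constructed to match the page's error.log format.

```php
<?php
// Added example: summarise "has been disabled for security reasons" warnings
// per script and per function. The log text is constructed for the example.

const SAMPLE_LOG = <<<'LOG'
[Mon Jan 01 10:00:01 2024] [error] [client 192.0.2.10] PHP Warning:  system() has been disabled for security reasons in /path/to/my.php on line 2
[Mon Jan 01 10:00:01 2024] [error] [client 192.0.2.10] PHP Warning:  shell_exec() has been disabled for security reasons in /path/to/my.php on line 3
[Mon Jan 01 10:00:05 2024] [error] [client 192.0.2.10] PHP Notice:  Undefined variable: x in /path/to/other.php on line 7
[Mon Jan 01 10:00:09 2024] [error] [client 192.0.2.11] PHP Warning:  exec() has been disabled for security reasons in /var/www/upload/cache.php on line 12
LOG;

/**
 * Returns [file => [function => count]] for every blocked call in the log.
 */
function disabled_function_calls(string $log): array
{
    $pattern = '/PHP Warning:\s+(\w+)\(\) has been disabled for security reasons in (\S+) on line (\d+)/';
    $summary = [];
    foreach (preg_split('/\R/', $log) as $line) {
        if (preg_match($pattern, $line, $m)) {
            [, $function, $file] = $m;
            $summary[$file][$function] = ($summary[$file][$function] ?? 0) + 1;
        }
    }
    return $summary;
}

$log = $argc > 1 ? (string) file_get_contents($argv[1]) : SAMPLE_LOG;
foreach (disabled_function_calls($log) as $file => $functions) {
    foreach ($functions as $function => $count) {
        printf("%-30s %-12s %d\n", $file, $function, $count);
    }
}
```

Pass a real log path as the first argument to run it against your own error.log. Scripts outside the document root's normal code (an upload or cache directory, as in the constructed last line) deserve the first look. Note that PHP 8 removes disabled functions entirely and logs the attempt as a "Call to undefined function" fatal error instead, so the pattern has to be widened on those versions.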

How to disable functions for an individual vhost

Because disable_functions can only be set in php.ini, suhosin.executor.func.blacklist has to be used instead

suhosin:

php_admin_value suhosin.executor.func.blacklist "show_source, , , ..."

DOC

http://www.php.net/manual/en/ini.sect.safe-mode.php#ini.disable-functions

Function List

process

exec

Execute an external program

string exec ( string $command [, array &$output [, int &$return_var ]] )

passthru

Execute an external program and display raw output

* Useful for binary data which needs to be passed directly back to the browser.

shell_exec

string shell_exec ( string $cmd )

Execute command via shell and return the complete output as a string

system

Execute an external program and display the output

pcntl_exec

Executes specified program in current process space

Process Control support in PHP is not enabled by default.

You have to compile the CGI or CLI version of PHP with "--enable-pcntl" configuration option

Preventing PHP reverse shells

popen — Opens process file pointer

resource popen ( string $command , string $mode )

Opens a pipe to a process executed by forking the command given by command.

proc_open — Execute a command and open file pointers for input/output

proc_open() is similar to popen() but provides a much greater degree of control over the program execution.

curl

curl_exec

curl_exec — Perform a cURL session

This function should be called after initializing a cURL session and all the options for the session are set.

curl_multi_exec

curl_multi_exec — Run the sub-connections of the current cURL handle

int curl_multi_exec ( resource $mh , int &$still_running )

show_source - Alias of highlight_file()

<?php
    /* some code here */
    show_source(__FILE__);   
?>

parse_ini_file - Parse a configuration file

array parse_ini_file ( string $filename [, bool $process_sections = false [, int $scanner_mode = INI_SCANNER_NORMAL ]] )

Loads in the ini file specified in filename, and returns the settings in it in an associative array.
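The same parser is handy on the defending side: checked against a php.ini before it is deployed, it confirms that the disable_functions list and the URL-wrapper settings from the top of this page are present. The script below is an added example, not code from the original page; it uses parse_ini_string(), the string variant of parse_ini_file(), on a constructed and deliberately weak ini fragment.

```php
<?php
// Added example: offline check of a php.ini fragment against the settings
// recommended on this page. The ini text is constructed for the example.

const SAMPLE_INI = <<<'INI'
; constructed php.ini fragment with gaps on purpose
disable_functions = exec,passthru,shell_exec,system
allow_url_fopen = On
allow_url_include = Off
INI;

function check_php_ini(string $iniText): array
{
    $required = [
        'exec', 'passthru', 'shell_exec', 'system', 'proc_open', 'popen',
        'posix_setuid', 'posix_setgid',
    ];

    // INI_SCANNER_TYPED maps On/Off, yes/no and true/false to PHP booleans
    $ini = parse_ini_string($iniText, false, INI_SCANNER_TYPED);
    if ($ini === false) {
        return ['php.ini fragment could not be parsed'];
    }

    $findings = [];

    $disabled = array_map('trim', explode(',', (string) ($ini['disable_functions'] ?? '')));
    foreach (array_diff($required, $disabled) as $fn) {
        $findings[] = "disable_functions is missing $fn";
    }

    foreach (['allow_url_fopen', 'allow_url_include'] as $key) {
        // A missing key means PHP's built-in default, which is On for
        // allow_url_fopen and Off for allow_url_include.
        $value = $ini[$key] ?? ($key === 'allow_url_fopen');
        if ($value === true) {
            $findings[] = "$key should be Off";
        }
    }

    return $findings;
}

$iniText = $argc > 1 ? (string) file_get_contents($argv[1]) : SAMPLE_INI;
$findings = check_php_ini($iniText);
if ($findings === []) {
    echo "OK\n";
    exit(0);
}
foreach ($findings as $finding) {
    echo "FAIL: $finding\n";
}
exit(1);
```

For the constructed fragment this reports the four missing functions and allow_url_fopen; give it the path of a real php.ini as the first argument to check that instead. It checks the file only, so an ini_set() or per-directory override elsewhere is still something to verify at runtime.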

Socket

fsockopen - Open Internet or Unix domain socket connection

resource fsockopen ( string $hostname [, int $port = -1 [, int &$errno [, string &$errstr [, float $timeout = ini_get("default_socket_timeout") ]]]] )

If OpenSSL support is compiled in, ssl:// and tls:// prefixes are also accepted in hostname.

Example:

<?php
  $fp = fsockopen("localhost", 80, $errno, $errstr, 6);
  if (!$fp) {
      echo "Fail: $errno ($errstr)";
  } else {
      echo "Success";
      fclose($fp);
  }
?>

pfsockopen - Open persistent Internet or Unix domain socket connection

This function behaves exactly like fsockopen(), with the difference that the connection is not closed after the script finishes.

One caveat: when the connection is broken by a physical network failure, pfsockopen() still returns a handle as if the connection were working. The subsequent fwrite() call returns false, so that is where the error becomes visible.

stream_socket_client - Open Internet or Unix domain socket connection

Initiates a stream or datagram connection to the destination specified by remote_socket.

The socket will by default be opened in blocking mode.

Disable Socket - php.ini

disable_functions = fsocket,fsockopen,pfsockopen

; Whether to allow the treatment of URLs (like http:// or ftp://) as files.
allow_url_fopen = On
