Dynamic Function Injection in PHP

In PHP we can pass arguments to a function dynamically at runtime. For example, have a look at this code.


I have used call_user_func_array() to pass the arguments to the function. The syntax is:

call_user_func_array(function, param_arr)

Since I have used $_GET, we can pass the function name and its arguments at runtime.


When we request a URL like that, the actual call that results looks like the following.

call_user_func_array("user", ['Osanda', 'secret', 'abc@abc.com']);

Don't you see the loophole? 😉 We can call any PHP function this way. The first thing that comes to my mind is phpinfo()



What about code execution? Yes, it is possible. For example we can call passthru() and pass the arguments in the same way.

http://localhost/?func=passthru&args[]=systeminfo | findstr /C:"OS"


The simplest way to mitigate this kind of arbitrary function calling is to add a prefix to your functions. You can of course think of better solutions than this depending on your situation. But in this case, for example, instead of:

function User($user, $pass, $email)

you can add something like

function secure_User($user, $pass, $email)

Also make sure you concatenate the prefix to the GET parameter in call_user_func_array():

call_user_func_array("secure_".$_GET['func'], $_GET['args']);


Now if you try to request any arbitrary function, PHP will throw an error since we have concatenated the “secure_” prefix to the name of the function being called.
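As an added example (not the post's own code), the following dispatcher keeps the "secure_" prefix from the post and adds an identifier check and an explicit allowlist, shown beside the unprotected dispatcher; the secure_User body and the two requests are constructed stand-ins.

```php
<?php
// Added example, not the original post's code. It keeps the post's "secure_"
// prefix and adds two checks the post does not show: the requested name must
// be a plain identifier, and it must appear in an explicit allowlist, so a
// built-in such as passthru() or any other secure_* helper cannot be reached.

// The dispatcher as described in the post: any function named in ?func= is called.
function dispatch_unsafe(array $get) {
    return call_user_func_array($get['func'], $get['args']);
}

// The only application function the dispatcher may reach (constructed stand-in).
function secure_User($user, $pass, $email) {
    return "user={$user} email={$email}";
}

// Names permitted after the "secure_" prefix; extend this list deliberately.
const ALLOWED_FUNCS = ['User'];

function dispatch_safe(array $get) {
    $name = $get['func'] ?? '';
    $args = $get['args'] ?? [];
    // Only a bare identifier: rejects "Class::method", "\\ns\\fn", spaces, arrays.
    if (!is_string($name) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $name)) {
        throw new InvalidArgumentException('invalid function name');
    }
    if (!in_array($name, ALLOWED_FUNCS, true)) {
        throw new InvalidArgumentException('function not permitted');
    }
    if (!is_array($args)) {
        throw new InvalidArgumentException('args must be an array');
    }
    // array_values() keeps the call positional: on PHP 8 string keys in args[]
    // would otherwise be passed as named arguments.
    return call_user_func_array('secure_' . $name, array_values($args));
}

// Constructed request: ?func=User&args[]=Osanda&args[]=secret&args[]=abc@abc.com
$ok = ['func' => 'User', 'args' => ['Osanda', 'secret', 'abc@abc.com']];
echo dispatch_safe($ok), PHP_EOL;

// Constructed request: ?func=passthru&args[]=id
$bad = ['func' => 'passthru', 'args' => ['id']];
try {
    dispatch_safe($bad);
} catch (InvalidArgumentException $e) {
    echo 'blocked: ', $e->getMessage(), PHP_EOL;
}
```

The prefix alone still exposes every secure_* function in the application, so the allowlist is what limits the reachable set.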


Thanks for reading!

5 thoughts on “Dynamic Function Injection in PHP”

  1. Really nice article. This is improving my programming skill and increasing my knowledge about it. I know about the dynamic function from the PHP Development course, and some doubts are cleared up through this article; this is very useful for me.
