Dynamic Function Injection in PHP

In PHP we can choose the function to call, and the arguments to pass it, dynamically at runtime. Have a look at the following example.

I have used call_user_func_array() to call the function with the arguments. The syntax is:

call_user_func_array(function, param_arr)

Since both values come from $_GET, the function name and its arguments can be supplied in the request at runtime.

http://localhost/?func=user&args%5B%5D=Osanda&args%5B%5D=secret&args%5B%5D=abc@abc.com


With that URL, the actual call PHP makes is the following.

call_user_func_array("user", ['Osanda', 'secret', 'abc@abc.com']);
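The original example code is not reproduced on this page, so here is an added reconstruction (not the post's own code) of the kind of dispatcher it describes. The user() function body, and the names $func and $args, are assumptions; the point is that neither the function name nor the arguments are checked before call_user_func_array() runs them.

```php
<?php
// Added example (not the original post's code): a minimal reconstruction of
// the vulnerable dispatcher. The function name and its arguments both come
// straight from the query string.

function user($user, $pass, $email) {
    // Hypothetical application function taking the three arguments seen in
    // the post's example URL.
    return "Registered $user <$email> with a " . strlen($pass) . "-character password";
}

// e.g. /?func=user&args[]=Osanda&args[]=secret&args[]=abc@abc.com
$func = $_GET['func'] ?? '';
$args = $_GET['args'] ?? [];

// Nothing restricts $func here: any function defined at this point, built-in
// or user-defined, can be called with attacker-chosen arguments, e.g.
// ?func=phpinfo or ?func=passthru&args[]=id
$result = call_user_func_array($func, $args);

if (is_string($result)) {
    echo htmlspecialchars($result, ENT_QUOTES, 'UTF-8');
}
```

Note that $_GET['args'] is also attacker-controlled in shape, not just in content: ?args=x makes it a string rather than an array, which call_user_func_array() rejects (a TypeError in PHP 8, a warning in PHP 7), and on PHP 8 string keys such as ?args[email]=x are passed as named arguments.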

Don’t you see the loophole? 😉 Nothing restricts the function name, so we can call any PHP function. The first thing that comes to my mind is phpinfo()

http://localhost/?func=phpinfo&args%5B%5D=-3

What about code execution? Yes, it is possible: we can call passthru() and hand it a shell command as the argument. The example below targets a Windows host.

http://localhost/?func=passthru&args[]=systeminfo | findstr /C:"OS"

The simplest way to mitigate this kind of arbitrary function call is to add a prefix to the functions you intend to expose. You can of course think of better solutions depending on your situation, but in this case, for example, instead of:

function User($user, $pass, $email)

you can add something like

function secure_User($user, $pass, $email)

Also make sure you concatenate the prefix to the function name taken from the GET request inside call_user_func_array():

call_user_func_array("secure_".$_GET['func'], $_GET['args']);


Now if you request an arbitrary function, PHP will throw an error, because the “secure_” prefix is concatenated to the name and no function called secure_system exists. Keep in mind that the prefix only rules out functions that lack it: every function in your code base that starts with “secure_” stays reachable, so an explicit allowlist of the names you mean to expose is the safer choice.

http://localhost/?func=system&args%5B%5D=dir
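As an added example (not the post's own code), this is how I would combine the prefix trick above with an explicit allowlist and an argument check. The function names secure_User and secure_Profile, the DISPATCH_TABLE constant and the dispatch() helper are assumptions made for the illustration.

```php
<?php
// Added example (not the original post's code): the "secure_" prefix from the
// post, plus an allowlist and argument validation on top of it.

function secure_User($user, $pass, $email) {
    return "Registered $user <$email>";
}

function secure_Profile($user) {
    return "Profile for $user";
}

// Only these names may be dispatched. Key: the un-prefixed name the client
// sends; value: the number of positional arguments the target accepts.
const DISPATCH_TABLE = [
    'User'    => 3,
    'Profile' => 1,
];

function dispatch(string $func, $args) {
    // 1. Reject anything that is not in the allowlist before building a callable,
    //    so ?func=system or ?func=phpinfo never reach call_user_func_array().
    if (!array_key_exists($func, DISPATCH_TABLE)) {
        http_response_code(400);
        return 'unknown function';
    }
    // 2. $_GET['args'] is attacker-controlled in shape as well as content: it may
    //    be absent, or a string (?args=x) instead of an array. Check the count
    //    too, so the target cannot be called with missing or extra arguments.
    if (!is_array($args) || count($args) !== DISPATCH_TABLE[$func]) {
        http_response_code(400);
        return 'bad arguments';
    }
    // 3. Only now build the prefixed callable, exactly as the post suggests.
    $callable = 'secure_' . $func;
    if (!is_callable($callable)) {
        http_response_code(500);
        return 'handler missing';
    }
    // array_values() drops string keys: on PHP 8, ?args[email]=x would otherwise
    // be passed as a named argument.
    return call_user_func_array($callable, array_values($args));
}

$output = dispatch((string) ($_GET['func'] ?? ''), $_GET['args'] ?? []);
echo htmlspecialchars((string) $output, ENT_QUOTES, 'UTF-8');
```

With this in place, ?func=system&args[]=dir fails at step 1 with a 400 rather than an undefined-function error, and ?func=User&args[]=Osanda fails at step 2 because the argument count is wrong.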


Thanks for reading!


5 thoughts on “Dynamic Function Injection in PHP”

  1. Really nice article. This is improving my programming skill and increasing my knowledge about it. I learned about dynamic functions in the PHP Development course, and some doubts are cleared up through this article, so it is very useful for me.
