There is an extensive collection of PHP functions that backdoors can be built from. Knowing what these functions are helps guide developers to the areas of a file that might be doing something they shouldn't. To help you understand what they are and what they do, we've broken them down by category.
Filesystem Functions
There are two sets of filesystem functions an attacker might use to build a backdoor. The first set opens and manipulates files. When the path comes from request data, these functions let the attacker read or write files they shouldn't have access to.
● fopen: Opens a file for reading or writing.
● tmpfile: Creates a temporary file with a unique name.
● bzopen: Opens a bzip2-compressed file for reading or writing.
● gzopen: Opens a gzip-compressed file for reading or writing.
● SplFileObject->__construct: Constructs a new file object for a file (new SplFileObject(...)).
The second set of functions changes file permissions and ownership, or creates, moves and deletes files. These can grant access to people who shouldn't have it, or remove access from those who should.
● chgrp: Changes the group ownership of a file.
● chmod: Changes the file mode (permissions).
● chown: Changes the owner of a file.
● copy: Copies a file to a new location.
● file_put_contents: Writes data to a file, creating it if it doesn't exist.
● lchgrp: Changes the group ownership of a symlink.
● lchown: Changes the owner of a symlink.
● link: Creates a hard link to a file.
● mkdir: Creates a directory.
● move_uploaded_file: Moves an uploaded file to a new location after checking that it really was uploaded via HTTP POST.
● rename: Renames or moves a file or directory.
● rmdir: Removes a directory.
● symlink: Creates a symbolic link to a file.
● tempnam: Creates a file with a unique name in a specified directory.
● touch: Sets the access and modification time of a file, creating it if it doesn't exist.
● unlink: Deletes a file.
Command Execution Functions
PHP code sometimes needs to run shell commands, which lets it run any program on the system that the web server user has permission to run. In the wrong hands, the functions that allow this give an attacker near-complete control over the server.
● exec: Executes a command and returns the last line of its output.
● passthru: Executes a command and passes its raw output straight to the browser.
● system: Executes a command, outputs the result and returns the last line of output.
● shell_exec: Executes a command and returns the full output as a string.
● popen: Opens a pipe to a process for reading or writing.
● proc_open: Executes a command and returns file pointers for its input and output.
● pcntl_exec: Replaces the current PHP process with the given program.
PHP Code Execution
In addition to running shell commands, there are functions that execute other PHP files or PHP code held in a string. eval is the riskiest, as it directly runs any string argument as PHP code. The include family is dangerous for a different reason: with an attacker-controlled path it will load and run any file on the server, and if allow_url_include is enabled, a remote URL as well.
● require: Includes and evaluates a specified file, raising a fatal error if the file doesn't exist.
● include: Includes and evaluates a specified file, emitting a warning if the file doesn't exist.
● require_once: Same as require, but only evaluates the file once.
● include_once: Same as include, but only evaluates the file once.
● create_function: Creates a lambda-style function from a string of code (deprecated in PHP 7.2.0, removed in PHP 8.0.0).
● eval: Executes a string as PHP code.
● assert: Checks whether a given condition is true, raising a warning or error if it isn't. Before PHP 8.0 a string argument was evaluated as PHP code, which made assert an alias for eval and is why it appears here.
Callback Functions
A callback function runs in response to an event. If an attacker can control the callback argument, they can make PHP run a function the developers never intended, including any of the command or code execution functions above.
● register_shutdown_function: Registers a callback to run when script execution ends or exit() is called.
● set_error_handler: Registers a callback to run when an error occurs.
● set_exception_handler: Registers a callback to run when an uncaught exception occurs.
● call_user_func_array: Calls the callback given as its first argument with an array of parameters; the callback may be any function, built-in ones included.
Information Disclosure
This section includes only one function, phpinfo. This function is a goldmine for attackers. It reports the PHP version and build, loaded extensions, configuration directives and environment variables, as well as details about the server itself, giving an attacker insights that can help them compromise the site.