PHP Command Injection in Exec Functions
Description
Detects potential command injection vulnerabilities in PHP applications where dangerous system command execution functions (exec, shell_exec, system, passthru, popen) are used. These functions can allow attackers to execute arbitrary system commands if they receive unsanitized input.
Detection Strategy
• Identifies usage of dangerous PHP functions: exec, shell_exec, system, passthru, or popen
• Analyzes the function arguments and data flow to determine if untrusted/unsanitized data reaches these functions
• Reports a vulnerability when any of these dangerous functions are called with potentially tainted input that could be controlled by an attacker
Vulnerable code example
<?php
// User input directly used in shell command - VULNERABLE
$user_input = $_GET['cmd'];
// Dangerous: Unsanitized user input passed to exec()
exec($user_input);
// Dangerous: Command injection via string concatenation...

✅ Secure code example
<?php
// Get user input but sanitize before use
$user_input = $_GET['cmd'];
// Safe: Sanitize command using escapeshellcmd() to prevent injection
exec(escapeshellcmd($user_input));
// Safe: Use escapeshellarg() to safely handle path parameter ...
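A hardened variant of the same scenario, added here as an example and not taken from the page or from Fluid Attacks' own code: the program is chosen from a fixed allowlist and every user-supplied value is wrapped with escapeshellarg(), so the shell never parses user data. The function name run_allowed, the constant ALLOWED_COMMANDS and the request values are assumptions; the closing comment records the documented limit of escapeshellcmd() when it is applied to a whole user-controlled string.

```php
<?php
// Added example, not code from the original page: an exec() wrapper that
// restricts the command to a fixed allowlist and passes every user-supplied
// value through escapeshellarg(). Function and constant names are hypothetical.
declare(strict_types=1);

// The user picks a key; the binary itself is never taken from user input.
const ALLOWED_COMMANDS = [
    'list'   => '/bin/ls',
    'disk'   => '/bin/df',
    'uptime' => '/usr/bin/uptime',
];

/**
 * Run an allowlisted command. Each argument is wrapped by escapeshellarg(),
 * so metacharacters such as ; | & $( ) and backticks reach the program as
 * literal characters inside one quoted argument instead of being parsed
 * by the shell.
 */
function run_allowed(string $name, array $args): array
{
    if (!array_key_exists($name, ALLOWED_COMMANDS)) {
        throw new InvalidArgumentException("command not allowed: $name");
    }
    $cmd = ALLOWED_COMMANDS[$name];
    foreach ($args as $arg) {
        $cmd .= ' ' . escapeshellarg((string) $arg);
    }
    exec($cmd, $output, $status);
    return ['command' => $cmd, 'status' => $status, 'output' => $output];
}

// Constructed request values standing in for $_GET; 'path' carries the kind
// of metacharacter payload the detector described above flags.
$request = ['cmd' => 'list', 'path' => '/tmp; id'];

$result = run_allowed($request['cmd'], [$request['path']]);
// The shell sees:  /bin/ls '/tmp; id'
// ls receives ONE argument (a non-existent directory) and exits non-zero;
// no second command is ever started.
echo $result['command'], "\n";
echo 'exit status: ', $result['status'], "\n";

// Caveat: escapeshellcmd() only neutralises shell metacharacters. Applied to a
// whole user-controlled string it still lets the user choose the program:
// 'id -u' contains no metacharacters, passes through unchanged, and runs.
```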