Vulnerable sample code -OS command injection-


OS command injection

- Example of vulnerable code

  The form posts the address to mail.php:

  <form name="mailForm" action="mail.php" method="POST">
    Email address: <input type="text" name="email" size="40"><br>
    <input type="submit" value="send">
  </form>

  mail.php passes the raw value straight into a shell command line:

  <?php
  $email = $_POST['email'];
  // Vulnerable: $email is concatenated into the command string unescaped,
  // so shell metacharacters in the input are interpreted by /bin/sh.
  system("echo 'hello' | sendmail " . $email);
  print "Email address: " . $email;

- Input: ;cat /etc/passwd

  The semicolon terminates the sendmail command, so the shell then runs cat /etc/passwd and system() writes its output into the page.

- Countermeasures
- Escape the value with escapeshellarg() so the shell treats it as a single argument:

  system("echo 'hello' | sendmail " . escapeshellarg($email));

- Do not use APIs that execute OS commands (such as system()) in the first place.
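Both countermeasures applied to mail.php, as an added example that is not part of the original post. It assumes the same POST field `email` as the form above and a working local MTA for mail().

```php
<?php
// Added example: a hardened version of mail.php (not the original post's code).
// Assumes the same POST field "email" as the form in the vulnerable sample.

// Countermeasure 1: validate, then escape before the value reaches the shell.
function buildSendmailCommand(string $email): ?string
{
    // filter_var() rejects the page's payload ';cat /etc/passwd' outright
    // (no '@', no domain). Validation is defence in depth; escaping is the
    // actual barrier between user input and shell parsing.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    // escapeshellarg() single-quotes the value and escapes embedded single
    // quotes, so the shell hands sendmail exactly one argument. For example:
    //   escapeshellarg(";cat /etc/passwd") === "';cat /etc/passwd'"
    return "echo 'hello' | sendmail " . escapeshellarg($email);
}

// Countermeasure 2 (preferred): do not call a shell-spawning API at all.
function sendHelloWithoutShell(string $email): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;
    }
    // mail() hands the recipient to the MTA directly; /bin/sh never sees it.
    return mail($email, 'hello', 'hello');
}

$email = $_POST['email'] ?? '';

// If system() must stay, use the escaped command instead of concatenation:
//   $cmd = buildSendmailCommand($email);
//   if ($cmd !== null) { system($cmd); }
// Here the shell-free path is used.
if (!sendHelloWithoutShell($email)) {
    http_response_code(400);
    exit('Invalid email address or mail delivery failed');
}

// Echo the value back HTML-escaped; reflecting it raw is a separate (XSS) issue.
print 'Email address: ' . htmlspecialchars($email, ENT_QUOTES, 'UTF-8');
```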


About this Entry

This page contains a single entry by gamzatti published on April 23, 2017 12:05 AM.
