Summary of several ways to execute commands in PHP

Command execution is one of the common techniques in web attacks. In PHP, command execution can be achieved by calling the following functions:

1. exec()

The exec function is rarely used, mainly because by default it returns only the last line of the execution result rather than the full result. To print the full result, you have to iterate over the output array and print each element.

1.1 function prototype

string exec ( string command, array &output, int &return_var)

//The command parameter is the command to execute
//The output array holds the output lines
//return_var is an integer used to save the status code after the command is executed. 0 represents execution success and 1 represents execution failure

1.2 example usage

<?php
    $command = 'ls /';
    // $output receives every line of output, $status the exit code
    $ret = exec($command, $output, $status);

    // exec() itself returns only the last line of the result
    echo "Last line of result: " . $ret, PHP_EOL, PHP_EOL;

    // Print the execution status code
    echo "Status: ", $status, PHP_EOL, PHP_EOL;

    // Walk the output array to print the full result
    foreach ($output as $line) {
        echo $line, PHP_EOL;
    }
?>


2. shell_exec()

shell_exec returns the complete output as a single string. It is easy to use and commonly seen.

2.1 function prototype

shell_exec(string $cmd): string
// cmd: the command to execute
// Returns the output as a string

2.2 example usage

<?php
    $cmd = "ls /";
    // shell_exec() returns the complete output as one string
    $output = shell_exec($cmd);
    echo $output, PHP_EOL;
?>


3. system()

Similar to exec, system returns the last line of the execution result, and it also echoes the full execution result to standard output.

3.1 function prototype

system(string command , int & return_var)
//The command parameter is the command to be executed
//The return_var parameter stores the returned status; this parameter can be omitted

3.2 example usage  

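<?php
    $cmd = 'ls /';
    // system() echoes the command output itself and returns the last line
    $output = system($cmd, $resCode);
    echo $resCode == 0 ? 'Successful execution!' : 'Execution failed', PHP_EOL, PHP_EOL;

    // Prints the last line of the output once more
    echo $output;
?>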


4. `$command`

4.1 function prototype

This is the PHP execution operator, that is, the backquote key in front of the number key 1; see the official PHP documentation. PHP supports one execution operator: the backquote (``). Note that this is not a single quote! PHP will try to execute the contents of the backquotes as a shell command and return its output (that is, the output can be assigned to a variable rather than simply dumped to standard output). Using the backquote operator has the same effect as calling shell_exec().

4.2 example usage

<?php
	$cmd = "ls /";
	echo `$cmd`,PHP_EOL;
?>

5. passthru()

Like exec(), passthru() is used to execute external commands. When the Unix command being executed outputs binary data that must be sent directly to the browser, use this function instead of exec() or system(). It is commonly used to run commands such as pbmplus, which can output an image stream directly. By setting the content type to image/gif and then calling the pbmplus program to output a GIF file, you can send the image from the PHP script straight to the browser.

5.1 function prototype

passthru(string $command, int &$return_var = ?): void
// command: the command to execute
// return_var: receives the status code

5.2 example usage

Usage is similar to system() and exec(); the output is passed directly to standard output.

6. popen()

6.1 function prototype

popen ( string command, string mode )
//Opens a pipe to a process created by forking the given command.
//Returns a file pointer like the one returned by fopen(), except that it is one-way (read only or write only)
//and must be closed with pclose(). This pointer can be used with fgets(), fgetss(), and fwrite().

6.2 example usage

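<?php
  $command = 'ls /';
  // Open a read-only pipe to the command's standard output
  $fd = popen($command, 'r');
  if ($fd === false) {
    die('popen failed');
  }
  while (($s = fgets($fd)) !== false) {
    print_r($s);
  }
  // A popen() handle must be closed with pclose()
  pclose($fd);
?>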

7. proc_open()

proc_open — Execute a command and open file pointers for input/output. It is similar to popen(), but proc_open() provides much more control over program execution.

7.1 function prototype

proc_open(
    mixed $cmd,
    array $descriptorspec,
    array &$pipes,
    string $cwd = null,
    array $env = null,
    array $other_options = null
): resource

7.2 example usage

Using proc_open is slightly complicated. Generally, this function can be considered when the other functions are filtered.

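<?php
    $command = 'ls /';
    // Descriptors for the child: 0 = stdin, 1 = stdout, 2 = stderr
    $descriptorspec = array(
        0 => array('pipe', 'r'),
        1 => array('pipe', 'w'),
        2 => array('pipe', 'w')
    );
    $handle = proc_open($command, $descriptorspec, $pipes, NULL);
    if (!is_resource($handle)) {
        die('proc_open failed');
    }
    // Nothing is written to the child, so close its stdin first
    fclose($pipes[0]);
    // Read the child's stdout, then its stderr
    while (($s = fgets($pipes[1])) !== false) {
        print_r($s);
    }
    while (($s = fgets($pipes[2])) !== false) {
        print_r($s);
    }
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($handle);
?>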
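
For code review, the six functions and the backquote operator summarized above are the call sites to locate and audit. The following is an added example, not code from the original post: it uses PHP's built-in tokenizer (token_get_all) so that names inside comments, strings and method calls are not reported. The names SINKS, neighbour and find_exec_sinks and the sample source are assumptions made for this illustration.

```php
<?php
// Added example: static check for the command-execution sinks listed above.
const SINKS = ['exec', 'shell_exec', 'system', 'passthru', 'popen', 'proc_open'];
// Nearest non-whitespace, non-comment token before (-1) or after (+1) index $i (hypothetical helper).
function neighbour(array $tokens, int $i, int $step)
{
    do {
        $i += $step;
        $t = $tokens[$i] ?? null;
    } while (is_array($t) && in_array($t[0], [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT], true));
    return $t;
}

function find_exec_sinks(string $source): array
{
    $findings = [];
    $line = 1;
    $open = false; // true while inside a backtick span
    $tokens = token_get_all($source);
    foreach ($tokens as $i => $tok) {
        if ($tok === '`' && ($open = !$open)) { // report the opening backtick only
            $findings[] = ['line' => $line, 'sink' => 'backtick operator'];
        }
        if (!is_array($tok)) {
            continue;
        }
        $line = $tok[2] + substr_count($tok[1], "\n"); // line on which the next token starts
        $prev = neighbour($tokens, $i, -1);
        $name = strtolower(ltrim($tok[1], '\\'));
        // A direct call: a bare or fully qualified name followed by "(", not a method or declaration
        $isCall = ($tok[0] === T_STRING || token_name($tok[0]) === 'T_NAME_FULLY_QUALIFIED')
            && neighbour($tokens, $i, 1) === '('
            && !in_array($prev[0] ?? null, [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION, T_NEW], true);
        if ($isCall && in_array($name, SINKS, true)) {
            $findings[] = ['line' => $tok[2], 'sink' => $name . '()'];
        }
    }
    return $findings;
}

// Constructed sample input (not from the original post).
$sample = <<<'PHP'
<?php
$out = shell_exec('ls /');
$runner->exec('a method call, not the built-in');
echo `uptime`;
// system('inside a comment');
PHP;
print_r(find_exec_sinks($sample));
```

The check reports direct calls by name only; the disable_functions directive in php.ini remains the runtime control for these functions.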

Tags: PHP Back-end Information Security

Posted on Sat, 06 Nov 2021 23:35:51 -0400 by kester