How do I attack through a session file?
PHP 4 or later provides support for sessions, whose main purpose is to store state information between pages and pages in a PHP program. For example, when a user logs on to the site, the fact that he landed and the information about who landed on the site will be saved in the session, and all PHP code can obtain these status information when he is browsing around the site.
In fact, when a session is started (which is actually set in the configuration file to start automatically on the first request), a random "session ID" is generated, if the remote browser always submits the "session ID" when sending the request, The session will always be maintained. This can be done easily through cookies, or by submitting a form variable (containing "session ID") on each page. The PHP program can register a special variable with the session, and its value will be in the session file at the end of each PHP script, and will be loaded into the variable before each PHP script starts. The following is a simple example:
Session_destroy (); Kill any data currently in the session
$session _auth = "Shaun";
Session_register ("Session_auth"); Register $session _auth as a session variable
? > |
The new version of PHP will automatically set the "$session _auth" value to "Shaun", if they are modified, the future script will automatically accept the modified value, which is a very good tool for the stateless web, but we should also be careful.
One obvious problem is to make sure that the variable really comes from the session, for example, given the code above, if the following script is:
if (!empty ($session _auth))
Grant access to Site here
? > |
The above code assumes that if "$session _auth" is assigned, it is assigned from the session rather than the user input, and if the attacker assigns a value through form input, he can gain access to the site. Note that an attacker must use this attack method before the session registers the variable, and once the variable is placed in the session, it will overwrite any form input.
Session data is generally stored in the file (location is configurable, usually "/tmp"), the file name is generally similar to "sess_<session id>" form, this file contains the variable name, variable type, variable value and some other data. In a multi-host system, because the file is stored as the user who runs the Web server (typically nobody), a malicious site owner can create a session file to gain access to other sites and even check for sensitive information in the session file.
The session mechanism also provides another convenience for attackers to save their input to files in the remote system. For the above example, an attacker would need to place a file containing PHP code in the remote system, and if not, he would usually use the session to assign a value to a variable at his own will, then guess the location of the session file, and he knew the filename was " Php<session id> ", so just guess the directory, and the directory is usually"/tmp ".
Alternatively, an attacker could arbitrarily specify the session ID (for example, "Hello") and then create a session file (such as "/tmp/sess_hello") with this session ID, but the session ID can only be a combination of letters and numbers.
How do I attack with a data type?
PHP has loosely typed data types, and the types of variables depend on the context in which they are located. For example: "$hello" begins as a string variable with a value of "", but when evaluated, it becomes the shaping variable "0", which can sometimes lead to unexpected results. If the value of "$hello" is different for "000" or "0", the result returned by empty () will not be true.
An array in PHP is an associative array, that is, the index of an array is of a string type. This means that "$hello [" 000 "]" and "$hello [0]" are also different.
The development of the program should carefully consider the above problem, for example, we should not be in one place to test whether a variable is "0", and in another place using empty () to verify.
How do I attack with an error-prone function? The following is a more detailed list of error-prone functions:
<php Code Execution >
Require (): reads the contents of the specified file and interprets it as PHP code
Include (): Ibid.
Eval (): Executes the given string as PHP code
Preg_replace (): When used with the "/E" switch, the replacement string is interpreted as PHP code
Order execution
EXEC (): Executes the specified command, returning the last line of the execution result
PassThru (): Executes the specified command, returning all results to the client browser
": Executes the specified command, returning all results to an array
System (): Same as PassThru (), but does not process binary data
Popen (): Executes the specified command to connect the input or output to the PHP file descriptor
Disclosure of documents
fopen (): Open the file and correspond to a PHP file descriptor
ReadFile (): reads the contents of the file and then outputs it to the customer's browser
File (): reads the entire contents into an array
How to enhance the security of PHP?
All of the attacks we've described above are well-implemented for the PHP4 of the default installation, but the PHP configuration is very flexible, and by configuring some PHP options, we can completely resist some of these attacks. Below we classify some configurations according to the difficulty of implementation:
* Low Difficulty
* * Medium and low difficulty
Medium to High difficulty
High Difficulty
If you use all of the options provided by PHP, then your PHP will be very safe, even for third-party code, because many of these features are no longer available.
Set "Register_globals" to "off"
This option prevents PHP from creating global variables for user input, meaning that if the user submits the form variable "Hello", PHP will not create "$ hello" and will only create "http_get/post_vars[' Hello '". This is an extremely important option in PHP, and turning off this option can cause great inconvenience to programming.
Set "Safe_mode" to "on"
Turning this option on will add the following restrictions:
1. Restrict which command can be executed
2. Restrict which function can be used
3. File access restrictions based on script ownership and target file ownership
4. Disable File Upload feature
This is a "great" option for ISPs, and it can greatly improve the security of PHP.
* * Set "Open_basedir"
This option disables file operations outside of the specified directory, effectively eliminating local files or remote files being used by include (), but still requires attention to file uploads and session file attacks.
* * Set "display_errors" to "off" and set "Log_errors" to "on"
This option prevents the error message from being displayed in the Web page, but is recorded in a log file, which effectively resists the attacker's ability to detect functions in the target script.
* Set "Allow_url_fopen" to "off"
This option prevents remote file functionality.
http://www.bkjia.com/PHPjc/629796.html www.bkjia.com true http://www.bkjia.com/PHPjc/629796.html techarticle How do I attack through a session file? PHP 4 or later provides support for sessions, whose main purpose is to store state information between pages and pages in a PHP program. For example, when ...
