PHP extension taint: how to find potential security vulnerabilities on your website

Source: Internet
Author: User
Tags: pear, php, website, taint, tainted, zts, import, database, using, git
This article is about how the PHP extension taint can be used to find potential security vulnerabilities in a website. It has some reference value; readers who need it can refer to it, and I hope it is of some help.

I. Background

Ever since I first started working with computers I have been interested in network security, and after moving into PHP development I have paid particular attention to web security. In 2016 I happened to come across the taint extension and found it quite useful, but when I looked for related material I found that few people paid attention to it. Recently I changed computers and had to install the extension again, and found that still few people use it, so I am recording the installation process and test results here, both for my own later use and so that more developers get to know taint.

II. Summary of operations

    1. Source code Download and compilation

    2. Extended Configuration and Installation

    3. Functional Inspection and testing

III. Source code download and compilation

PHP does not ship with the taint extension, so on Linux or Mac I need to download the source code and compile and install it myself.

3.1 Source Download

My development environment is macOS, so I need to download the source code from the PHP PECL extension site; the taint package address is:

https://pecl.php.net/package/taint

At the bottom of the extension page you can see a row of download addresses.

I need to choose a suitable version. My development environment uses PHP 7.1, so I select the latest version; the corresponding download address is as follows:

https://pecl.php.net/get/taint-2.0.4.tgz

Use wget to download the source code, the Reference command is as follows:

wget https://pecl.php.net/get/taint-2.0.4.tgz

After downloading, the archive needs to be unpacked; the reference command is as follows:

tar -zxvf taint-2.0.4.tgz

After unpacking, enter the directory; the reference command is as follows:

cd taint-2.0.4

3.2 Source code compilation

Now I need to compile the source code. Before compiling, phpize is used to prepare the build for the installed PHP; the reference command is as follows:

phpize

The returned result is as follows:

Configuring for:
PHP Api Version:         20160303
Zend Module Api No:      20160303
Zend Extension Api No:   320160303

Build the Makefile to prepare for the compilation that follows:

./configure

The last lines of the output are as follows:

checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
creating libtool
appending configuration tag "CXX" to libtool
configure: creating ./config.status
config.status: creating config.h

Start compiling, then install:

make && make install

The output is as follows:

(cd .libs && rm -f taint.la && ln -s ../taint.la taint.la)
/bin/sh /Users/song/taint-2.0.4/libtool --mode=install cp ./taint.la /Users/song/taint-2.0.4/modules
cp ./.libs/taint.so /Users/song/taint-2.0.4/modules/taint.so
cp ./.libs/taint.lai /Users/song/taint-2.0.4/modules/taint.la
----------------------------------------------------------------------
Libraries have been installed in:
   /Users/song/taint-2.0.4/modules

If you ever happen to want to link against installed libraries
in a given directory, LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the '-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the 'DYLD_LIBRARY_PATH' environment variable
     during execution

See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----------------------------------------------------------------------
Build complete.
Don't forget to run 'make test'.

Installing shared extensions:     /usr/local/Cellar/php71/7.1.14_25/lib/php/extensions/no-debug-non-zts-20160303/

IV. Configuration and installation

After compiling the extension, I also need to put taint in the designated location and modify the configuration file so that it takes effect.

4.1 Configuring taint

I first need to find out where the PHP configuration file is, then read the extension path from it so that the .so file can be placed in the corresponding directory. The command to view the configuration file location is as follows:

php --ini

The returned result is as follows:

Configuration File (php.ini) Path: /usr/local/etc/php/7.1
Loaded Configuration File:         /usr/local/etc/php/7.1/php.ini
Scan for additional .ini files in: /usr/local/etc/php/7.1/conf.d
Additional .ini files parsed:      /usr/local/etc/php/7.1/conf.d/ext-opcache.ini

I can see that php.ini is located at /usr/local/etc/php/7.1/php.ini.

Knowing the configuration file, I next need to find the extension folder location; the reference command is as follows:

cat /usr/local/etc/php/7.1/php.ini | grep extension_dir

The command output is as follows; I can see that the extension folder is /usr/local/lib/php/pecl/20160303:

extension_dir = "/usr/local/lib/php/pecl/20160303"
; extension_dir = "ext"
; Be sure to appropriately set the extension_dir directive.
; sqlite3.extension_dir =

4.2 Installing the extension

Now I need to copy the extension file into PHP's extension directory; the reference command is as follows:

cp /usr/local/Cellar/php71/7.1.14_25/lib/php/extensions/no-debug-non-zts-20160303/taint.so /usr/local/lib/php/pecl/20160303/

After the copy is complete, I need to edit the configuration file and add the taint configuration items:

vim /usr/local/etc/php/7.1/php.ini

Add the taint configuration items to the php.ini file; refer to the following configuration:

[taint]
extension=taint.so
taint.enable=1
taint.error_level=E_WARNING

4.3 Installation result verification

After saving the configuration file and exiting, the installation is complete; PHP needs to be restarted for it to take effect, and the reference command is as follows:

brew services restart php@7.1

After the restart, you can check with the following command whether the currently loaded PHP extensions include taint:

php -i | grep taint

If output like the following appears, the installation has basically succeeded:

taint
taint support => enabled
taint.enable => On => On
taint.error_level => 2 => 2

V. Functional inspection and testing

With the two steps above complete, the installation phase is done. Now I need to use taint to test the effect. The test is divided into three parts: first testing with the demo code from taint's author, then testing with the penetration test system permeate, and finally testing code I normally develop.

5.1 Demo file test

The purpose of testing with the demo file is to verify that the taint I installed is really in effect; otherwise the later testing with taint would be meaningless.

5.1.1 Copy the demo code

The taint author's GitHub has the following demo code; I copied it into the web directory at the following location:

/Users/song/mycode/safe/permeate

The demo code is as follows and can be copied when the reader experiments. It is deliberately unsafe: each sink (echo, print, include, mysql_query) receives the unfiltered request parameter so that taint's warnings are triggered:

<?php
$a = trim($_GET['a']);

$file_name = '/tmp' . $a;
$output    = "Welcome, {$a}!!!";
$var       = "output";
$sql       = "SELECT * FROM " . $a;
$sql      .= "ooxx";

echo $output;

print $$var;

include($file_name);

mysql_query($sql);

5.1.2 Configuring a virtual host

When the code file is saved, I need to add a virtual host to the nginx configuration so that the browser can access this file; the reference configuration is as follows (the listen port was not preserved in the original):

server {
    listen       ;
    server_name  test.localhost;
    root         /Users/song/mycode/safe/permeate;
    location / {
        index index.html index.htm index.php;
    }
    location ~ \.php$ {
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME  $document_root$fastcgi_script_name;
        include        fastcgi_params;
    }
}

5.1.3 Browser access

Then I access the code file through the browser; the URL is as follows:

http://test.localhost/taintdemo.php?a=1

After the browser loads the page, I can see some warning messages on it, with the following content:

Warning: main() [echo]: Attempt to echo a string that might be tainted in /Users/song/mycode/work/test/taintdemo.php on line 10
Welcome, 1!!!
Warning: main() [print]: Attempt to print a string that might be tainted in /Users/song/mycode/work/test/taintdemo.php on line 12
Welcome, 1!!!
Warning: main() [include]: File path contains data that might be tainted in /Users/song/mycode/work/test/taintdemo.php on line 14
Warning: include(/tmp1): failed to open stream: No such file or directory in /Users/song/mycode/work/test/taintdemo.php on line 14
Warning: include(): Failed opening '/tmp1' for inclusion (include_path='.:/usr/local/Cellar/php@7.1/7.1.19/share/php@7.1/pear') in /Users/song/mycode/work/test/taintdemo.php on line 14
Fatal error: Uncaught Error: Call to undefined function mysql_query() in /Users/song/mycode/work/test/taintdemo.php:16
Stack trace:
#0 {main}
  thrown in /Users/song/mycode/work/test/taintdemo.php on line 16

From the warning messages it can be seen that my taint is in effect: it gave many warnings indicating that the parameters may be contaminated, because the parameters were not filtered.

5.1.4 Parameter filtering test

If you do not want taint to give a warning, you can change the second line of the demo code, or add a filter rule after it; the reference code is as follows:

$a = htmlspecialchars($_GET['a']);

Go back to the browser and refresh the current page; you can see that the returned information has changed, with the following content:

Welcome, 1!!!
Welcome, 1!!!
Warning: include(/tmp1): failed to open stream: No such file or directory in /Users/song/mycode/work/test/taintdemo.php on line 15
Warning: include(): Failed opening '/tmp1' for inclusion (include_path='.:/usr/local/Cellar/php@7.1/7.1.19/share/php@7.1/pear') in /Users/song/mycode/work/test/taintdemo.php on line 15
Fatal error: Uncaught Error: Call to undefined function mysql_query() in /Users/song/mycode/work/test/taintdemo.php:17
Stack trace:
#0 {main}
  thrown in /Users/song/mycode/work/test/taintdemo.php on line 17

Because I added parameter escaping to the code, taint no longer gives warning reminders when the browser is refreshed.

5.2 Penetration test system verification

Having used the demo to verify that the taint extension is in effect, I will now run an experiment with a penetration test system that itself contains many security problems, and use taint to find them. The penetration test system used is permeate; its address is as follows:

https://git.oschina.net/songboy/permeate

5.2.1 Download permeate

I download the source code through git; the reference command is as follows:

git clone https://gitee.com/songboy/permeate.git

After downloading, also create a virtual host; you can refer to the nginx configuration above.

5.2.2 Importing databases

Because this system uses a database, I need to create a new database for permeate to use.

After creating the database, I need to import the table structures and initial data into it. In the directory downloaded with git there is a doc folder; opening it, I can see a SQL file.

Open the file, copy its contents into the Navicat Premium database manager, and execute the SQL statements.

5.2.3 Modifying a configuration file

After the database import completes, I modify the database configuration file so that permeate connects to this database. The configuration file is conf/dbconfig.php in the root directory, and its configuration code is shown below; fill in the address, account, password and database name to match your own:

<?php
!defined('DB_HOST')    && define('DB_HOST', '127.0.0.1');
!defined('DB_USER')    && define('DB_USER', 'root');
!defined('DB_PASS')    && define('DB_PASS', 'root');
!defined('DB_NAME')    && define('DB_NAME', 'permeate');
!defined('DB_CHARSET') && define('DB_CHARSET', 'UTF8');
$sex    = array('secrecy', 'male', 'female');
$edu    = array('confidentiality', 'primary', 'junior', 'high school/secondary', 'college', 'undergraduate', 'graduate', 'PhD', 'postdoctoral');
$admins = array('normal user', 'admin');

5.2.4 Verifying the installation result

After setting up the database, the permeate installation is complete. Opening the home page at this point, the interface should look like the screenshot in the original post.

If you do not see the board and section information on the home page, it is likely that the database connection did not succeed or the data was not imported correctly.

5.2.5 Mining vulnerabilities

Now the test starts. I click on the first board, "SQL injection", and then click the "Next page" button in the list; the page at this point is shown in the original screenshot.

I do not see any problem on this board list page, but in fact taint has already given me warning reminders.

I can see these problems by looking at the page source: taint reports that in the code file /Users/song/mycode/safe/permeate/core/common.php, at line 50, a parameter is contaminated.

5.2.6 Vulnerability analysis

I located the corresponding code and found the following:

function includeAction($model, $action)
{
    // determine whether the controller exists
    $filePath = "./action/$model.php";
    if (is_readable($filePath)) {
        require_once $filePath;
        $class = new $model;
        if (is_callable(array($class, $action))) {
            $class->$action();
            return true;
        }
    }
}

In this code I see that require_once loads a file whose path is built from the variable $model, and $action is then invoked as a method. Tracing where these two variables come from, I found in the code file /Users/song/mycode/safe/permeate/home/router.php that the two parameters really are not filtered, as shown in the following code:

<?php
require_once "/core/common.php";
$model  = !empty($_GET['m']) ? $_GET['m'] : 'index';
$action = !empty($_GET['a']) ? $_GET['a'] : 'index';
includeAction("$model", "$action");
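As an added example (my own code, not from the taint README or the permeate project), here is the same router and includeAction flow with the fix that the warnings in 5.1.4 and 5.2.6 point at: the controller and action names are resolved through a fixed allow-list rather than passed through from $_GET, so the strings that reach require_once are the application's own literals and taint has nothing to flag. Note that the htmlspecialchars() change in 5.1.4 silences taint for every sink because the extension treats its output as clean, yet the include still ran with /tmp1; an HTML escape is not path validation. The allow-list contents and controller files below are hypothetical.

```php
<?php
// Added example: the router/includeAction flow from above with allow-listed
// route parameters. Controller and action names are hypothetical (constructed).

const ALLOWED_ACTIONS = [
    'index' => ['index', 'list'],
    'user'  => ['index', 'login', 'logout'],
];

// Returns strings taken from the allow-list itself, never from $_GET, so with
// taint.enable=1 they are clean and no warning fires at require_once.
function resolveRoute(array $get): array
{
    $model  = isset($get['m']) ? (string) $get['m'] : 'index';
    $action = isset($get['a']) ? (string) $get['a'] : 'index';
    foreach (ALLOWED_ACTIONS as $m => $actions) {
        if ($m !== $model) {
            continue;
        }
        foreach ($actions as $a) {
            if ($a === $action) {
                return [$m, $a];   // literals from the table, not the request
            }
        }
    }
    return ['index', 'index'];     // unknown route: fixed fallback, nothing echoed
}

function includeActionSafe(string $model, string $action): bool
{
    // Defensive check via the extension's own API; resolveRoute() keeps it from tripping.
    if (function_exists('is_tainted') && (is_tainted($model) || is_tainted($action))) {
        trigger_error('tainted route parameter rejected', E_USER_WARNING);
        return false;
    }
    $filePath = "./action/$model.php";
    if (!is_readable($filePath)) {
        return false;
    }
    require_once $filePath;
    $class = new $model;
    if (!is_callable([$class, $action])) {
        return false;
    }
    $class->$action();
    return true;
}

[$model, $action] = resolveRoute($_GET);
includeActionSafe($model, $action);
```

With taint loaded, requesting ?m=../../etc/passwd%00&a=index now yields the fixed fallback route and no warning, because no request string is ever concatenated into the include path.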

Finally, a reminder to everyone: install taint only in the development environment, not in production, otherwise the site's security problems may be exposed directly to attackers.
