PHP vulnerability full solution (details)

Source: Internet
Author: User
There are several common attack methods against PHP websites. This article introduces the following ones; keep them in mind when writing PHP code.

PHP websites are vulnerable to the following attacks:
1. Command Injection
2. eval Injection
3. Script Insertion
4. Cross-Site Scripting (XSS)
5. SQL Injection
6. Cross-Site Request Forgery (CSRF)
7. Session Hijacking
8. Session Fixation
9. HTTP Response Splitting
10. File Upload Attack
11. Directory Traversal
12. Remote File Inclusion
13. Dynamic Variable Evaluation (dynamic function injection)
14. URL Attack
15. Spoofed Form Submissions
16. Spoofed HTTP Requests

Command Injection Attacks
PHP can execute external programs through the following five functions: system, exec, passthru, shell_exec and the backtick operator ` (equivalent to shell_exec).
Function prototypes:
string system(string $command, int &$return_var)
    command: the command to execute
    return_var: receives the exit status of the command
string exec(string $command, array &$output, int &$return_var)
    command: the command to execute
    output: receives each line of the command's output as an array element
    return_var: receives the exit status of the command
void passthru(string $command, int &$return_var)
    command: the command to execute
    return_var: receives the exit status of the command
string shell_exec(string $command)
    command: the command to execute

Vulnerability instance

Example 1:
// ex1.php
<?php
if (isset($_GET["dir"]))
{
    $dir = $_GET["dir"];
    echo "<pre>";
    // the untrusted value is concatenated straight into the shell command
    system("ls -al " . $dir);
    echo "</pre>";
}
?>
If we submit http://www.sectop.com/ex1.php?dir=| cat /etc/passwd
the executed command becomes system("ls -al | cat /etc/passwd");

Eval injection attack
The eval function executes its string argument as PHP code.
Function prototype:
mixed eval(string $code_str) // eval injection generally occurs when the attacker can control the input string.
// ex2.php
<?php
$var = "var";
if (isset($_GET["arg"]))
{
    $arg = $_GET["arg"];
    // the request parameter is pasted into PHP source code and executed
    eval("\$var = $arg;");
    echo "\$var = " . $var;
}
?>
If we submit http://www.sectop.com/ex2.php?arg=phpinfo(); the evaluated code becomes $var = phpinfo(); and phpinfo() runs on the server.

Dynamic functions
<?php
function A()
{
    dosomething();
}
function B()
{
    dosomething();
}
if (isset($_GET["func"]))
{
    $myfunc = $_GET["func"];
    // a variable function call: the name of the function comes from the request
    echo $myfunc();
}
?>
The programmer wants to call A or B dynamically, but if we submit http://www.sectop.com/ex.php?func=phpinfo the script calls phpinfo instead; this is where the vulnerability arises.
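The way to keep the dynamic dispatch the programmer wanted (and the assignment ex2.php wanted) without letting the request choose arbitrary code is a fixed lookup table. The following is an added example, not code from the original article; the table name DISPATCH, the helper names and the bodies of A and B are assumptions made for the illustration.

```php
<?php
// Added example (not from the original article): dispatch to A or B without
// eval() and without calling a user-supplied name as a variable function.
declare(strict_types=1);

function A(): string { return "A ran"; }   // stand-ins for the article's A and B
function B(): string { return "B ran"; }

// The request may only select a key of this table; anything else is rejected.
// "phpinfo" is not a key, so ?func=phpinfo can no longer reach phpinfo().
const DISPATCH = ['a' => 'A', 'b' => 'B'];

function dispatch(string $name): string
{
    if (!array_key_exists($name, DISPATCH)) {
        http_response_code(400);
        return 'unknown function';
    }
    $fn = DISPATCH[$name];
    return $fn();
}

// For ex2.php: the value only needs to be stored, so store it. Building PHP
// source from the input is never required, and "?arg=phpinfo();" stays a string.
function set_var(string $arg): string
{
    $var = $arg;
    return '$var = ' . htmlspecialchars($var, ENT_QUOTES, 'UTF-8');
}

if (isset($_GET['func'])) {
    echo dispatch((string) $_GET['func']);
}
if (isset($_GET['arg'])) {
    echo set_var((string) $_GET['arg']);
}
```

The point of the table is that the set of callable targets is decided when the code is written, so auditing it is a matter of reading one array rather than reasoning about every string that could reach eval() or a variable function.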

Defense methods
1. Avoid executing external commands wherever possible.
2. Use user-defined functions or a function library instead of external commands.
3. Process command parameters with the escapeshellarg function.
4. Use safe_mode_exec_dir to specify the directory of the executable files.
The escapeshellarg function escapes any character that would end the parameter or the command: the single quotation mark (') is replaced with \', the double quotation mark (") with \", and the semicolon (;) with \;.
Use safe_mode_exec_dir to specify the path of the executable files; the commands to be run are placed in this directory in advance:
safe_mode = On
safe_mode_exec_dir = /usr/local/php/bin/
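The following is an added example, not code from the original article, showing defences 2 and 3 applied to ex1.php. Two facts worth knowing when reading it: escapeshellarg() actually works by wrapping the whole value in single quotes and escaping any embedded single quote, which is what makes shell metacharacters inert (the per-character replacements described above are closer to escapeshellcmd()), and safe_mode together with safe_mode_exec_dir was removed in PHP 5.4, so it cannot be relied on in current installations. BASE_DIR and the helper names are assumptions for the illustration.

```php
<?php
// Added example (not from the original article): a hardened ex1.php.
declare(strict_types=1);

const BASE_DIR = '/var/www/public';   // assumed root below which listing is permitted

// Resolve the requested directory and refuse anything that escapes BASE_DIR
// (realpath() collapses "../" and follows symlinks before the comparison).
function resolve_dir(string $requested): ?string
{
    $base = realpath(BASE_DIR);
    $real = realpath(BASE_DIR . '/' . $requested);
    if ($base === false || $real === false) {
        return null;
    }
    if ($real !== $base && strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Defence 2: no external command at all; PHP's own scandir() does the job.
function list_dir_native(string $requested): array
{
    $dir = resolve_dir($requested);
    if ($dir === null) {
        return [];
    }
    return array_values(array_diff(scandir($dir), ['.', '..']));
}

// Defence 3: if a shell really is needed, pass the value as ONE quoted argument.
// escapeshellarg() wraps it in single quotes and escapes embedded single quotes,
// so | ; & and backticks reach the shell as ordinary characters.
function list_dir_shell(string $requested): string
{
    $dir = resolve_dir($requested);
    if ($dir === null) {
        return '';
    }
    return (string) shell_exec('ls -al ' . escapeshellarg($dir));
}

// The article's payload "| cat /etc/passwd" is rejected by resolve_dir(); even
// without that check, escapeshellarg() would turn it into '| cat /etc/passwd',
// a single literal argument rather than a pipe.
if (isset($_GET['dir'])) {
    $listing = implode("\n", list_dir_native((string) $_GET['dir']));
    echo '<pre>', htmlspecialchars($listing, ENT_QUOTES, 'UTF-8'), '</pre>';
}
```

Note that the path check and the quoting are independent layers: realpath() confines which directory can be listed, escapeshellarg() guarantees that whatever string survives cannot change the command's structure.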

Client-side script insertion

Script Insertion means inserting executable scripts into objects such as forms, images, animations or hyperlink text. When a user opens these objects, the script implanted by the attacker is executed, and the attack begins.
HTML tags that can embed scripts generally include:
1. The <script> tag, for page scripts such as JavaScript and VBScript. The program code can be written inside the tag, or the URL of a script file can be given in the src attribute.
2. The <object> tag. These objects are Java applets, multimedia files, ActiveX controls and so on. The URL of the object is generally given in the data attribute.
3. The <embed> tag. These objects are multimedia files such as swf files. The URL of the object is generally given in the src attribute.
4. The <applet> tag, for Java applets. The URL of the object is generally given in the codebase attribute.
5.
The value of the $_SERVER["PHP_SELF"] variable is the name of the current page.
Example:
http://www.sectop.com/get.php
get.php contains a form that uses $_SERVER["PHP_SELF"] as its action.
Then we submit
http://www.sectop.com/get.php/"><script>alert(document.cookie);</script>
Because the path after get.php is part of PHP_SELF, the injected quote closes the action attribute and the script tag is rendered into the form.
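To make the PHP_SELF problem concrete, the following added example (not code from the original article) renders the form twice: once the way the article describes it, and once with the value passed through htmlspecialchars(). The form fields and the function names are assumptions; the PHP_SELF value is constructed from the request shown above.

```php
<?php
// Added example (not from the original article): get.php's form with and
// without escaping of $_SERVER['PHP_SELF'].
declare(strict_types=1);

// Vulnerable: the request path is written into the attribute unescaped.
function form_vulnerable(string $phpSelf): string
{
    return '<form action="' . $phpSelf . '" method="get">'
         . '<input type="text" name="q"><input type="submit"></form>';
}

// Hardened: htmlspecialchars() turns " < and > into entities, so the injected
// "><script> can neither close the attribute nor open a new tag.
function form_safe(string $phpSelf): string
{
    $action = htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
    return '<form action="' . $action . '" method="get">'
         . '<input type="text" name="q"><input type="submit"></form>';
}

// Constructed $_SERVER['PHP_SELF'] for the request in the article.
$phpSelf = '/get.php/"><script>alert(document.cookie);</script>';

echo form_vulnerable($phpSelf), "\n";
// action="/get.php/" is closed early and a <script> element follows it
echo form_safe($phpSelf), "\n";
// action="/get.php/&quot;&gt;&lt;script&gt;alert(document.cookie);&lt;/script&gt;"
```

Where the form always posts back to the same script, a literal action (or $_SERVER['SCRIPT_NAME'], which does not carry the extra path segment) avoids echoing request data into the page at all; escaping remains the general rule for any value that does get echoed.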


Save it as attack.html and paste it on your website.

Defense methods
Preventing CSRF is harder than preventing other attacks, because although the HTTP request is forged by the attacker, it is sent by the target user. The common preventive methods are:
1. Check the source of the web page (the Referer header).
2. Check a built-in hidden variable (a token in the form).
3. Use POST instead of GET.
Check the web page source
Add the following code to the top of pass.php to verify where the submitted data comes from.

<?php
if (!empty($_GET["act"]))
{
    if (isset($_SERVER["HTTP_REFERER"]))
    {
        $serverhost = $_SERVER["SERVER_NAME"];
        // strip the scheme and take everything up to the first slash as the host
        $strurl = str_replace("http://", "", $_SERVER["HTTP_REFERER"]);
        $strdomain = explode("/", $strurl);
        $sourcehost = $strdomain[0];
        // non-zero means the Referer host does not start with our server name
        if (strncmp($sourcehost, $serverhost, strlen($serverhost)))
        {
            unset($_POST);
            // the original listing breaks off inside an echo here; stop processing
            exit;
        }
    }
}
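Two things stand out in the listing above: the check only runs when a Referer header is present, so a request that omits it is not rejected, and strncmp with the length of the server name is a prefix match, so any Referer host that merely begins with the server name passes. The following added example (not code from the original article) implements defence 2, a hidden per-session token, and redoes the Referer comparison as an exact host match with parse_url(). The function and field names are assumptions.

```php
<?php
// Added example (not from the original article): CSRF token plus exact Referer host check.
declare(strict_types=1);

session_start();

// One unpredictable token per session, stored server-side.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field to embed in every form that performs an action.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// A forged cross-site request cannot read the victim's token, so it cannot include it.
function csrf_valid(array $post): bool
{
    if (empty($_SESSION['csrf_token']) || !isset($post['csrf_token'])) {
        return false;
    }
    return hash_equals($_SESSION['csrf_token'], (string) $post['csrf_token']); // constant-time compare
}

// Referer check done properly: a missing header fails, and the host must match exactly.
function referer_matches(?string $referer, string $serverName): bool
{
    if ($referer === null || $referer === '') {
        return false;
    }
    $host = parse_url($referer, PHP_URL_HOST);
    return is_string($host) && strcasecmp($host, $serverName) === 0;
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST)
        || !referer_matches($_SERVER['HTTP_REFERER'] ?? null, $_SERVER['SERVER_NAME'])) {
        http_response_code(403);
        exit('request rejected');
    }
    // handle the trusted form submission here
}
```

The token is the primary control: browsers and privacy tools sometimes strip the Referer header, so treating its absence as a failure can block legitimate users, whereas the token check has no such dependency and is the one to keep if only one of the two is used.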