Security details in php programs

Source: Internet
Author: User

The topic of script security seems to be endless. If you often visit the various foreign bugtraq lists, you will find that more than half of the reports are related to scripts: SQL injection, XSS, path disclosure, remote command execution... Are these just terms for catching bots? For anyone who wants to do web security, it is best to learn them. But what we want is not the fish, it is how to fish. In China, all kinds of PHP programs at version 1.0 and 2.0 have sprung up like mushrooms, yet everyone's attention goes to a few well-known CMS, forum and blog programs; few people do security checks on lesser-known programs. For the growing number of PHP programmers and webmasters, apart from relying on server hardening, you must understand the security of the PHP program itself.

Some people say that PHP security is nothing more than injection and cross-site scripting. That is a big mistake. If it were so, magic_quotes_gpc or a few security settings on the server would finish us off completely :(. What I want to talk about today is not injection and not cross-site scripting, but some security details in PHP programs. OK! On to the topic.

Focus on filtering some functions

Some functions are used frequently in programs, such as include(), require(), fopen(), fwrite(), readfile(), unlink(), eval() and their variants. These functions are very practical, but that does not mean you can stop worrying about them; you have to pay extra attention to them. :)

1. include(), require(), fopen(), include_once() and require_once() can all call files remotely. If you search for these functions you will be very clear about the harm they can cause: if the variable used in the include is not filtered, any file can be included and executed. For example, let's look at print.php.

```php
...
if (empty($bn)) {                           // check whether the variable $bn is empty
    include("$cmd_dir/site_{$site}.php");   // include site_{$site}.php from the $cmd_dir path
}
...
```

Regardless of whether the directory exists, because the $site variable is never checked you can use it as you like. You can point $site at a remote file or at a local one; write PHP statements into that file, and the include will execute them. Just like this:

(Screenshot: listing of the file directory)

It can even be extended to including administrator files in order to raise privileges, typically like the vulnerabilities in phpwind and bo-blog. Besides relying on setting allow_url_fopen to off in php.ini to prohibit the remote use of files, and open_basedir to prohibit access to files outside the directory, you have to declare in advance which files may be included at all; I will not go into that here.

2. fopen(), file(), readfile(), openfile() and so on also deserve special attention. The function itself is harmless; its job is to open a file. However, if the variable is not thoroughly filtered, source code will be leaked. Text-file forums are full of such functions.

```php
...
$articlearray = openfile("$dbpath/$fid/$tid.php");   // open the $tid.php file in the $dbpath/$fid path
$topic_detail = explode("|", $articlearray[0]);      // split the post content on the | delimiter
...
```

Familiar? This is read.php from ofstar. $fid and $tid are not filtered. If $tid is submitted pointing at another file, its source code is leaked. Just like this:

http://explame.com/ofstar/read.php?fid=123&tid=../index

$tid gets the .php suffix appended, so you can write index directly. This is just an example; let's move on.

3. fwrite() and its variants. If the characters submitted by the user are not filtered, writing a PHP backdoor is not impossible.

4. The unlink() function. Some time ago this function was used to delete arbitrary files in phpwind. The variable that decides which file to delete was not filtered, so it could be pointed at any file, and of course any file could then be deleted.

5. eval() and preg_replace() (with the /e modifier) execute PHP code. If the string they receive is not filtered, what will happen? I often see CMS code using them; think about it: isn't a PHP Trojan built on exactly the eval() principle?

6. For system(), you will say that disabling the system functions in php.ini (disable_functions) is also a good way. But since some programs need it, isn't filtering still necessary? Just like the beautiful PHP photo album I saw last time. In addition, you have to pay special attention to the popen(), proc_open() and proc_close() functions; even though they produce no direct output after executing a command, do you think that makes them useless to hackers? Here PHP provides two functions, escapeshellarg() and escapeshellcmd(), to defend against attacks through the system-call functions, that is, filtering.

To see the hazard, let's take a look at a forum's prod.php.

```php
$doubleApp = isset($argv[1]);          // initialise the variable $doubleApp
...
if ($doubleApp)                        // if statement
{
    $appDir = $argv[1];                // initialise $appDir
    system("mkdir $prodDir/$appDir");  // use system() to create the directory $prodDir/$appDir
}
```

It was originally meant to create the $prodDir/$appDir directory. But the program only checks whether $argv[1] exists and does not filter $argv[1] at all, so you can do

/prod.php?argv[1]=|ls -la   or   /prod.php?argv[1]=|cat /etc/passwd

(The | here is the UNIX pipe; with it you can execute multiple commands.)
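A hardened version of the same directory creation, written here as an added example (it is not the forum's prod.php): the untrusted name is allow-listed before it can reach a shell, and a shell-free alternative is shown beside it. The function names and the demo input are constructed for this illustration.

```php
<?php
// Only accept directory names that are plain identifiers: no shell metacharacters
// ('|', ';', '`', '$'), no path separators and no '..'.
function valid_app_dir(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name);
}

// Variant 1: still shelling out, but the argument is allow-listed and then quoted.
function mkdir_via_shell(string $prodDir, string $appDir): bool
{
    if (!valid_app_dir($appDir)) {
        return false;                  // '|ls -la' style input is rejected before any command runs
    }
    // escapeshellarg() wraps the value in single quotes so the shell sees one word, never a pipe.
    $cmd = 'mkdir ' . escapeshellarg($prodDir . '/' . $appDir);
    system($cmd, $status);
    return $status === 0;
}

// Variant 2: no shell at all. PHP's own mkdir() treats the path as data, not as a command line.
function mkdir_native(string $prodDir, string $appDir): bool
{
    if (!valid_app_dir($appDir)) {
        return false;
    }
    return mkdir($prodDir . '/' . $appDir, 0750, true);
}

// Constructed demo mirroring the page: the second value is the malicious one.
$prodDir = sys_get_temp_dir() . '/prod_demo';
foreach (['myapp', '|ls -la'] as $appDir) {
    $ok = mkdir_native($prodDir, $appDir);
    printf("%-12s -> %s\n", var_export($appDir, true), $ok ? 'created' : 'rejected');
}
```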

By now you should know the common vulnerability types.

Special attention to special characters

For special characters there is a saying, "All input is evil", which is very common in foreign articles: all input is harmful, and you should never trust what users enter. To deal with these dangers, programmers are kept busy filtering out large numbers of characters for fear of missing something. And some programmers? They seem never to have paid attention to these issues and keep leaving the door open to vulnerabilities. Let's take a look at the following things.

1. In fact, the most critical component of a program's vulnerability is the variable, the thing with the $ symbol, which developers find most reassuring. For someone looking for a vulnerability, getting hold of a variable is everything. Take the directory traversal bug: it exists in many mail programs even though developers thought they had handled it well, and some even added a network hard disk feature.

http://mail.com/file.php?id=1&put=list&tid=1&file=./

What if we change the file variable to ../ or climb even higher? The directory is traversed.

2. Cross-site scripting you already know about: search boxes, articles and comments, such as the cross-site bug in the phpwind attachment feature some time ago. Of course, for cross-site problems you need to filter far more than angle brackets. You are afraid of missing something when you filter, but you must not forget to filter.

3. Slashes and backslashes: do you remember the source code leak at the attachment download location of the Magic forum, related to the filtering of / and \?

attachment.php?bytes

As for filtering ../ problems: on a Windows host you need to filter not only ../ but also ..\, because the Windows host parses \ as /. What is the difference between these details and SQL injection?
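One helper that addresses the include of site_{$site}.php (section 1 above), the text-forum read of $dbpath/$fid/$tid.php (section 2), the file=../ listing and the ../ versus ..\ point just made: a user-supplied name is confined to one directory and one extension before any file function sees it. This is an added example, not code from ofstar, phpwind or any other program named in this article; confined_path(), include_site() and read_topic() are names chosen for the illustration.

```php
<?php
// Resolve $base/$name$ext and return the real path only if it stays under $base.
// $base must already exist; $name is the raw user value.
function confined_path(string $base, string $name, string $ext = ''): ?string
{
    // Normalise separators first: a Windows host treats '..\' like '../'.
    $name = str_replace('\\', '/', $name);
    // Accept one plain path component only: no '/', no dots (so no '..'), no NUL, not empty.
    if (!preg_match('/\A[A-Za-z0-9_-]+\z/', $name)) {
        return null;
    }
    $root = realpath($base);
    $path = realpath($base . '/' . $name . $ext);
    // realpath() fails for a missing file and resolves symlinks, so the prefix check
    // below is what enforces the directory boundary even if the regex were loosened.
    if ($root === false || $path === false
        || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// 1. include: $site may only select an existing site_<name>.php inside $cmd_dir.
function include_site(string $cmd_dir, string $site): bool
{
    $file = confined_path($cmd_dir, 'site_' . $site, '.php');
    if ($file === null) {
        return false;            // remote URLs and '../../etc/passwd' never reach include()
    }
    include $file;
    return true;
}

// 2. text-forum read: $fid and $tid are each checked as a single path component.
function read_topic(string $dbpath, string $fid, string $tid): ?array
{
    $dir = confined_path($dbpath, $fid);
    if ($dir === null) {
        return null;
    }
    $file = confined_path($dir, $tid, '.php');
    $lines = $file === null ? false : file($file, FILE_IGNORE_NEW_LINES);
    return $lines === false ? null : $lines;
}

// Constructed check mirroring the page's payload: tid=../index is rejected.
var_dump(confined_path(sys_get_temp_dir(), '../index', '.php'));   // NULL
var_dump(confined_path(sys_get_temp_dir(), '..\\index', '.php'));  // NULL
```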

4. Backquotes (``). Backquotes are very powerful in PHP: they execute system commands just like the system functions, and if a user's malicious statement is executed through them the server is compromised. Besides configuring the server well, I think you should filter these statements thoroughly.

5. Line breaks and NULL characters, such as \x0B, ...
