During some recent log analysis, we found thousands of log entries for bom.php. False positives like this are generally ignored outright (relative to the billions of baseline entries), but taking a rigorous attitude I still checked this file, and found something interesting: this is an automated scan.
The bom.php file exposes the local file directory and is being used for scanning:
(Partial scan logs)
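As an added example, not part of the original post, here is the kind of check that turns "thousands of bom.php log entries" into a finding: it parses access-log lines in Apache combined format, counts requests to bom.php per source address and status, and flags `dir` values that point outside the web root (absolute paths or `..` segments). The log lines and IP addresses below are constructed samples, not the author's logs.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample lines in Apache combined log format (not taken from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2012:03:14:01 +0800] "GET /bom.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2012:03:14:02 +0800] "GET /bom.php?dir=../../ HTTP/1.1" 200 20480 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2012:03:14:03 +0800] "GET /bom.php?dir=%2Fetc HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2012:03:15:10 +0800] "GET /index.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Jun/2012:03:15:11 +0800] "GET /bom.php HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status, size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Split one log line into fields; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query, keep_blank_values=True)
    return rec


def classify_dir(value):
    """'absolute' for paths starting at /, 'traversal' if any segment is '..', else 'relative'."""
    v = unquote(value)
    if v.startswith("/"):
        return "absolute"
    if ".." in v.replace("\\", "/").split("/"):
        return "traversal"
    return "relative"


def analyse(log_text):
    """Summarise bom.php activity: hits, hits answered 200, per-source counts, flagged dir values."""
    summary = {"hits": 0, "served": 0, "sources": {}, "dir_classes": {}, "flagged": []}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].endswith("/bom.php"):
            continue
        summary["hits"] += 1
        summary["sources"][rec["ip"]] = summary["sources"].get(rec["ip"], 0) + 1
        if rec["status"] == 200:
            # a 200 means the scanner actually received the directory listing
            summary["served"] += 1
        for value in rec["query"].get("dir", []):
            kind = classify_dir(value)
            if kind != "relative":
                summary["dir_classes"][kind] = summary["dir_classes"].get(kind, 0) + 1
                summary["flagged"].append((rec["ip"], value, kind))
    return summary


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    print(f"bom.php hits: {result['hits']} (served: {result['served']})")
    for ip, value, kind in result["flagged"]:
        print(f"  {ip} requested dir={value!r} ({kind})")
```

Run against a real access log by reading the file into `analyse()`; a non-zero `served` count for a host that is not supposed to ship bom.php is the thing worth an alert, since it means the listing was actually returned.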
What is bom.php?
When BOM is mentioned you may immediately think of the UTF-7 BOM XSS, but what we talk about today is unrelated to XSS.
The following text is taken from the Internet:
The Unicode specification has the concept of a BOM. BOM, Byte Order Mark, is a mark of the byte order. Here we can find a description of the BOM: there is a character named ZERO WIDTH NO-BREAK SPACE in the UCS encoding, and its encoding is FEFF. FFFE does not exist in UCS, so it should not appear in actual transmission. We recommend that you ....
Currently, many text editors include a BOM by default when saving files:
Software such as Windows Notepad, when saving a file in UTF-8 encoding, inserts three invisible characters (0xEF 0xBB 0xBF, the BOM) at the beginning of the file. This hidden string lets the Notepad editor recognise that the file is UTF-8 encoded. For ordinary files this causes no trouble; for PHP, however, the BOM is a big headache.
Because the BOM is a small but recurring problem for developers, bom.php was created.
bom.php clears BOM characters from files in batch. Currently this version is widely used on the Internet:
Http://www.bkjia.com/kf/201205/132869.html
Its function is very simple: read the first three characters of each file, and if they are the BOM character, rewrite the file without them.
However, this popular bom.php outputs all of its scan information by default, which leaks sensitive information.
Directory traversal also exists, leading to more serious problems.
After reading the code carefully, I found that what gets written to the file cannot be controlled by the requester; the problem with this file is therefore limited to the leakage of sensitive information.
The code is as follows:
<?php
/* Check and clear BOM */
if (isset($_GET['dir'])) {          // the directory to scan comes straight from the query string
    $basedir = $_GET['dir'];
} else {
    $basedir = '.';
}
$auto = 1;                          // 1 = remove the BOM, anything else = only report it
checkdir($basedir);

function checkdir($basedir) {
    if ($dh = opendir($basedir)) {
        while (($file = readdir($dh)) !== false) {
            if ($file != '.' && $file != '..') {
                if (!is_dir($basedir . "/" . $file)) {
                    // every file path found is echoed back to whoever requested the page
                    echo "filename: $basedir/$file " . checkBOM("$basedir/$file") . "<br>";
                } else {
                    $dirname = $basedir . "/" . $file;
                    checkdir($dirname);     // recurse into subdirectories
                }
            }
        } // end while
        closedir($dh);
    } // end if ($dh)
} // end function

function checkBOM($filename) {
    global $auto;
    $contents = file_get_contents($filename);
    $charset[1] = substr($contents, 0, 1);
    $charset[2] = substr($contents, 1, 1);
    $charset[3] = substr($contents, 2, 1);
    // 239 187 191 is 0xEF 0xBB 0xBF, the UTF-8 BOM
    if (ord($charset[1]) == 239 && ord($charset[2]) == 187 && ord($charset[3]) == 191) {
        if ($auto == 1) {
            $rest = substr($contents, 3);
            rewrite($filename, $rest);
            return "<font color=red>BOM found, automatically removed.</font>";
        } else {
            return "<font color=red>BOM found.</font>";
        }
    }
    else return "BOM Not Found.";
} // end function

function rewrite($filename, $data) {
    $filenum = fopen($filename, "w");   // "w" truncates the file before the new content is written
    flock($filenum, LOCK_EX);
    fwrite($filenum, $data);
    fclose($filenum);
} // end function
?>
Execution result:
This brings certain security risks: for example, it can be used to scan for database files, backup archives and hidden files. Its actual impact depends on the specific scenario.
Conclusion:
1. Any small application may attract attackers' attention once it becomes popular.
2. Security risks often come from inconspicuous places; attacks succeed in unexpected ways.
3. Even cold vulnerabilities can produce results when backed by a large number of scans.
BTW: the third conclusion cannot be proved directly. However, recent statistics show that the PHP CGI vulnerability that has been so popular recently affects very few hosts; yet we still found the vulnerability on hundreds of websites out of hundreds of thousands. The proportion is about 100,000, which is not low.
The author is surging