Advanced PHP application vulnerability Review Technology

= Ph4nt0m Security Team =

Issue 0x03, Phile #0x06 of 0x07


| = --------------------------------------------------------------------------- = |
| = ------------------- = [Advanced PHP application vulnerability Review Technology] = --------------------- = |
| = --------------------------------------------------------------------------- = |
| = --------------------------------------------------------------------------- = |
| = ---------------------- = [By www.80vul.com] = ------------------------ = |
| = ------------------------ = [<Www.80vul.com>] = -------------------------- = |
| = --------------------------------------------------------------------------- = |


[Directory]

1. Preface
2. Traditional code auditing technology
3. PHP version and application code Audit
4. Other factors and application code Audit
5. Expand our dictionary
5.1 key of the variable itself
5.2 variable Overwrite
5.2.1 traverse initialization Variables
5.2.2 parse_str () variable Overwrite Vulnerability
5.2.3 import_request_variables () variable Overwrite Vulnerability
5.2.4 PHP5 Globals
5.3 magic_quotes_gpc and code security
5.3.1 what is magic_quotes_gpc
5.3.2 no protection of magic quotes
5.3.3 variable encoding and decoding
5.3.4 secondary attack
5.3.5 new security problems caused by magic quotes
5.3.6 variable key and magic quotation marks
5.4 code injection
5.4.1 functions in PHP that may cause code injection
5.4.2 Variable Functions and double quotation marks
5.5 PHP function vulnerabilities and Defects
5.5.1 PHP function Overflow Vulnerability
5.5.2 other PHP function Vulnerabilities
5.5.3 session_destroy () File Deletion Vulnerability
5.5.4 Random Functions
Special Character 5.6
5.6.1 Truncation
5.6.1.1 include Truncation
5.6.1.2 data Truncation
5.6.1.3 special characters in file operations
6. How to further find a new dictionary
7. DEMO
8. Later
9. Appendix


I. Preface

PHP is a widely used scripting language, especially suitable for web development. Cross-platform, easy to learn, and powerful functions
According to statistics, over 34% of the world's websites have php applications, including Yahoo, sina, 163, sohu, and other large
Portal website. In addition, many named web application systems (including bbs, blog, wiki, and cms) are developed using php,
Discuz, phpwind, phpbb, vbb, wordpress, and boblog. With the hot upgrade of web security, php should
The code security problems of applications are gradually flourishing. More and more security personnel are investing in this field, and more applications
Vulnerabilities in program code are disclosed. To address this situation, many official applications have set up security departments or employ
As a result, many automated and Commercial Code auditing tools have emerged. That's the form.
The trend has led to a situation where the product security factor of large companies is greatly improved, and the obvious vulnerabilities are basically extinct.
All of you know that the auditing technology is useless. We face a lot of tools and the code that Daniel has scanned n times.
Many security personnel are a bit pessimistic, and some official security personnel are also very reassured about their own code, but do not forget "No
There is absolute security. "We should find new ways to mine new vulnerabilities. This article introduces some non-traditional technologies.
Share your experience with you.

In addition, it is particularly noted that many of the vulnerabilities in this article come from the sharing of cattle and friends on the Internet.
Thanks to them ,:)


Ii. Traditional code auditing technology

WEB application vulnerability search mainly involves two elements: variables and functions. That is to say, the exploitation of a vulnerability
The malicious code you submitted must be passed through variable conversion n times and finally passed to the target function for execution. Remember
Is MS a classic saying? "All input is harmful ". This statement only emphasizes the input of variables.
It is interpreted as gpc [$ _ GET, $ _ POST, $ _ COOKIE], but the variable produces n changes during the transfer process. Cause
Many filters are just "paper tigers "! In other words, we will describe code security: "It is harmful for all variables entering the function ".

PHP code auditing is currently the most widely used method: static analysis, which is easily caused by searching
Dangerous functions of security vulnerabilities, commonly used search tools such as grep and findstr. Many automated tools also use regular expressions to search for vulnerabilities.
These functions. The following lists some common functions, that is, the dictionary described below (for the moment ). However, the existing
Dictionary is difficult to find, so we need to expand our dictionary, which is also discussed in this article.

Other methods include modifying the PHP source code to analyze the variable flow or hook dangerous functions to implement the application.
The review of the program code depends on the dictionary we mentioned above.


Iii. PHP version and application code Audit

Up to now, PHP has three major versions: php4, php5, and php6. The usage ratio is roughly as follows:

Php4 68%
2000-2007, No security fixes after 2008/08, and the final version is php4.4.9

Php5 32%
2004-present, Now at version 5.2.6 (PHP 5.3 alpha1 released !)

Php6
At present, many changes have been made in the testing phase, removing many security options such as magic_quotes_gpc.
(This is not the scope of today's discussion)

Due to the lack of automatic upgrade mechanism of php, the current PHP version coexist, and many vulnerabilities are not fixed.
These loophole functions are also the key objects for us to audit WEB application code, and are also an important source of our dictionary.


4. Other factors and application code Audit

Many code auditors can see that security is a whole, and there are many other factors in code security.
Related: for example, the PHP version we mentioned above, the most important is the operating system type (mainly the two camps ).
Win/* nix), WEB server software (mainly iis/apache) and other factors. This is because different systems are different.
Web server has different security features or features, which will be covered in some sections below.

Therefore, when auditing a company's WEB application code, we should understand the systems and WEB server software they use,
PHP version and other information.


5. Expand our dictionary

The following describes some non-traditional PHP application code audit vulnerability types and exploitation techniques in detail.

5.1 key of the variable itself

When it comes to variable submission, many people only see the value of the variable submitted such as GET/POST/COOKIE, but forget some
The program extracts the key of the variable itself into the function for processing.

-- Code -------------------------------------------------------------------------
<? Php
// Key. php? Aaaaaaa = 1 & bbb = 2
// Print_R ($ _ GET );
Foreach ($ _ get as $ key => $ value)
{
Print $ key ."";
}
?>
-------------------------------------------------------------------------------

The above code extracts the key of the variable itself for display. For the above Code, if we submit the URL:

-- Code -------------------------------------------------------------------------
Key. php? <Script> alert (1); </script> = 1 & bbb = 2
-------------------------------------------------------------------------------

This leads to an xss vulnerability. If this key is submitted to functions such as include () or SQL queries
What about it? :)

++
Vulnerability Audit Policy
-------------------------
PHP version requirements: None
System Requirements: None
Audit Policy: read-through code
++


5.2 variable-overwrite)

Many vulnerability lookups know that the extract () function specifies the EXTR_OVERWRITE parameter or
Fixed functions can overwrite variables, but there are many other cases that cause variable overwrite, such:

5.2.1 traverse initialization Variables

See the following code:

-- Code -------------------------------------------------------------------------
<? Php
// Var. php? A = fuck
$ A = hi;
Foreach ($ _ GET as $ key => $ value ){
$ Key = $ value;
}
Print $;
?>
-------------------------------------------------------------------------------

Many WEB applications use the preceding method (note that the loop is not necessarily foreach), such as Discuz! WAP part of 4.1
Code:

-- Code -------------------------------------------------------------------------
$ Chs =;
If ($ _ POST & $ charset! = UTF-8 ){
$ Chs = new Chinese (UTF-8, $ charset );
Foreach ($ _ POST as $ key => $ value ){
$ Key = $ chs-> Convert ($ value );
}
Unset ($ chs );
-------------------------------------------------------------------------------

++
Vulnerability Audit Policy
-------------------------
PHP version requirements: None
System Requirements: None
Audit Policy: read-through code
++


5.2.2 parse_str () variable Overwrite Vulnerability (CVE-2007-3205), mb_parse_str ()

-- Code ------------