This article gives a detailed introduction to the causes of common PHP program vulnerabilities and the methods for preventing them. Readers who need it can use it as a reference; I hope it helps you.
Misuse of include

1. Vulnerability cause: include is the most commonly used function when writing PHP websites, and it supports relative paths. Many PHP scripts take an input variable directly as the include parameter, which leads to arbitrary script inclusion, absolute path disclosure and other vulnerabilities. Look at the following code:

```php
...
$includepage = $_GET["includepage"];
include($includepage);
...
```

Obviously, we only need to submit a different includepage variable to get the page we want. If we submit a nonexistent page, the PHP script errors out and reveals its real absolute path (the solution to that problem is described later in this article).

2. Vulnerability resolution: The fix is simple: check whether the page exists before including it. Or, more strictly, use an array to specify the files that may be included. Look at the following code:

```php
// The files that are allowed to be included are listed here
$pagelist = array("test1.php", "test2.php", "test3.php");
if (isset($_GET["includepage"])) {          // Check whether $includepage was supplied
    $includepage = $_GET["includepage"];
    $checkfind = false;                     // Initialised so the check below is never undefined
    foreach ($pagelist as $prepage) {
        if ($includepage == $prepage) {     // Check whether the file is in the allow list
            include($prepage);
            $checkfind = true;
            break;
        }
    }
    if ($checkfind == true) {
        unset($checkfind);
    } else {
        die("Invalid reference page!");
    }
}
```

This solves the problem nicely. Tip: the functions with the same problem are require(), require_once(), include_once(), readfile() and so on; pay attention to them as well when writing code.

Unfiltered input variables

1. Vulnerability cause: This vulnerability appeared in ASP first, where it caused countless injection holes. But since PHP was less influential at the time, not many people paid attention. For PHP, this vulnerability has a greater impact than in ASP, because many more PHP scripts use text databases.
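Returning to the include allow-list fix above: the following is an added example, not the article's code. It goes beyond the article's list in two ways a practitioner would want: the URL carries an opaque key rather than a file name, and the resolved path is confined to one directory with realpath(), so "../", absolute paths and symlinks cannot escape it even if the list is edited carelessly later. The pages/ directory, the key names and the resolve_page() helper are assumptions made for this example.

```php
<?php
// Added example (not the article's code): confine includes to an allow-list
// AND to one fixed directory.
// Assumed layout (hypothetical): includable pages live under ./pages/
define('PAGE_DIR', __DIR__ . '/pages');

// Map a short, opaque key to a file name so the URL never carries a path.
$pagelist = array(
    'home'  => 'test1.php',
    'about' => 'test2.php',
    'faq'   => 'test3.php',
);

/**
 * Resolve a user-supplied key to a safe absolute path, or return null.
 * Returns null for non-string input (e.g. ?includepage[]=x), unknown keys,
 * missing files, and anything that resolves outside PAGE_DIR (symlinks
 * included, because realpath() follows them).
 */
function resolve_page(array $pagelist, $key)
{
    if (!is_string($key) || !isset($pagelist[$key])) {
        return null;                               // not in the allow list
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . $pagelist[$key]);
    if ($base === false || $path === false) {
        return null;                               // directory or file missing
    }
    // realpath() has already removed "..", so a result that does not start
    // with $base plus a separator has left the page directory.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$key  = isset($_GET['includepage']) ? $_GET['includepage'] : 'home';
$page = resolve_page($pagelist, $key);
if ($page === null) {
    http_response_code(404);          // same answer for "unknown" and "missing":
    die('Invalid reference page!');   // no hint about what exists on disk
}
include $page;
```

Because the response is identical for a key that is not in the list and for a listed file that is absent, a wrong includepage value reveals neither the directory layout nor a PHP error message with the real path.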
Of course, there is also the injection problem with SQL statements. A classic example for a database:

```php
$id = $_GET["id"];
$query = "SELECT * FROM my_table WHERE id='" . $id . "'";   // A classic SQL injection vulnerability
$result = mysql_query($query);
```

It is clear that we can use injection to get the rest of the database. It is not described in detail here; it is the same as ASP injection, see the earlier Black Defense article. Now let's look at the problem with the text database:

```php
$text1 = $_POST["text1"];
$text2 = $_POST["text2"];
$text3 = $_POST["text3"];
$fd = fopen("test.php", "a");
fwrite($fd, "\r\n$text1|$text2|$text3");
fclose($fd);
```

The text-database vulnerability can be said to be even more serious. If we submit a variable that inserts a little PHP code, we turn the text database test.php into a PHP back door. We could even insert upload code so that we can upload a complete PHP back door, then elevate privileges, and the server is yours.

2. Vulnerability resolution: The solution is simply to filter all submitted variables strictly and replace some sensitive characters. We can use the htmlspecialchars() function provided by PHP to replace HTML content. Here is an example:

```php
// Build a filter function
function flt_tags($text)
{
    $badwords = array("Exercise", "fuck");   // Word filter list
    $text = rtrim($text);
    foreach ($badwords as $badword) {        // Word filtering
        if (stristr($text, $badword) !== false) {
            die("Error: the content you submitted contains sensitive words, please do not submit sensitive content.");
        }
    }
    $text = htmlspecialchars($text);         // HTML replacement
    // These two lines remove carriage returns and line feeds
    $text = str_replace("\r", "", $text);
    $text = str_replace("\n", "", $text);
    $text = str_replace("|", "│", $text);    // Replace the text-database separator "|" with the full-width "│"
    $text = preg_replace("/\s{2}/", "", $text);   // Collapse double spaces
    $text = preg_replace("/\t/", "", $text);      // Remove tabs
    // If magic_quotes is on, remove the slashes it added
    // (the function no longer exists in PHP 8, hence the function_exists() guard)
    if (function_exists("get_magic_quotes_gpc") && get_magic_quotes_gpc()) {
        $text = stripslashes($text);
    }
    return $text;
}

$text1 = $_POST["text1"];
$text2 = $_POST["text2"];
$text3 = $_POST["text3"];
// Filter all input
$text1 = flt_tags($text1);
$text2 = flt_tags($text2);
$text3 = flt_tags($text3);
$fd = fopen("test.php", "a");
fwrite($fd, "\r\n$text1|$text2|$text3");
fclose($fd);
```

After replacing and filtering, the data can be written safely to the text file or database.

Incomplete administrator judgement

1. Vulnerability cause: When we write scripts in PHP, administrator permissions are usually involved. Some scripts only make the "yes" judgement on administrator rights, but often ignore the "no" judgement. When register_globals is on in the PHP configuration file (it is off by default since version 4.2.0, but many people turn it on for convenience, which is extremely dangerous behaviour), a submitted variable can impersonate the administrator. Let's look at the example code:

```php
$cookiesign = "admincookiesign";                                   // The cookie value that identifies the admin
$adminsign = isset($_COOKIE["sign"]) ? $_COOKIE["sign"] : "";    // Get the user's cookie variable
if ($adminsign == $cookiesign) {
    $admin = true;
}
if ($admin) {
    echo "You are now in administrator state.";
}
```

This looks safe, hehe. Now let's assume register_globals is on in the PHP configuration file, and we submit an address such as "test.php?admin=true". What is the result?
We do not have the correct cookie, but because register_globals is on, the admin variable we submitted is automatically registered as true. And since the script lacks the "no" judgement, admin=true successfully gets us administrator permissions. This problem exists in most websites and forums.

2. Vulnerability resolution: To solve this problem, we only need to add the administrator "no" judgement to the script. We still assume register_globals is on in the PHP configuration file. Look at the code:

```php
$cookiesign = "admincookiesign";                                   // The cookie value that identifies the admin
$adminsign = isset($_COOKIE["sign"]) ? $_COOKIE["sign"] : "";    // Get the user's cookie variable
if ($adminsign == $cookiesign) {
    $admin = true;
} else {
    $admin = false;
}
if ($admin) {
    echo "You are now in administrator state.";
}
```

In this way, even if an attacker submits an admin=true variable without the correct cookie, the script sets $admin to false for the later judgement. This solves part of the problem. However, since $admin is a variable, a later reference in the script that assigns a value to $admin may create a new crisis. Therefore, we should use a constant to hold the administrator permission decision. Use the define() statement to define an admin constant that records the administrator permission; if it is assigned again later, PHP reports an error, which serves as protection. Look at the following code:

```php
$cookiesign = "admincookiesign";                                   // The cookie value that identifies the admin
$adminsign = isset($_COOKIE["sign"]) ? $_COOKIE["sign"] : "";    // Get the user's cookie variable
if ($adminsign == $cookiesign) {
    define("admin", true);
} else {
    define("admin", false);
}
if (admin) {
    echo "You are now in administrator state.";
}
```

It is worth noting that because we used define(), the admin constant is referenced without the variable symbol $: write admin and !admin.

Text database exposure

1. Vulnerability cause: As said before, the text database has great flexibility and needs no external support; plus, PHP has very strong file handling ability, so text databases are widely used in PHP scripts. Even a few good forum programs use a text database. But there is a cost: the security of a text database is lower than that of other databases.

2. Vulnerability resolution: As an ordinary file, a text database can be downloaded, just like an MDB file. So we need to protect the text database the same way we protect an MDB: change the suffix of the text database to .php, and insert as the first line of the database the PHP code that stops execution. The text database is then treated as a PHP file and exits execution on its first line, which returns an empty page and protects the text database.

Error path disclosure

1. Vulnerability cause: When PHP encounters an error, it gives the location, line number and cause of the error in the script, for example:

Notice: Use of undefined constant test - assumed 'test' in d:\interpub\bigfly\test.php on line 3

Many people say this is no big deal. But the consequences of revealing the real path are unimaginable; for some intruders this information is very important, and in fact many servers have this problem right now. Some network administrators simply set display_errors to off in the PHP configuration file to solve it, but I think this method is too passive. There are times when we really need PHP to return error information for debugging. And when an error occurs, you may need to give the user an explanation, or even redirect to another page.

2. Vulnerability resolution: Since 4.1.0 PHP has provided the custom error-handling function set_error_handler(), but very few script writers know about it. Among the many PHP forums, I have only seen a handful handle this situation.
The usage of set_error_handler is as follows:

string set_error_handler(callback error_handler [, int error_types])

Now we use custom error handling to filter out the real path. The code is as follows:

```php
// admin is the administrator identity; true means administrator
// (the constant define()d in the previous section).
// A custom error-handling function must take these 4 input variables
// $errno, $errstr, $errfile, $errline, otherwise it is invalid.
function my_error_handler($errno, $errstr, $errfile, $errline)
{
    // If not admin, filter the real path
    if (!admin) {
        $errfile = str_replace(getcwd(), "", $errfile);
        $errstr = str_replace(getcwd(), "", $errstr);
    }
    switch ($errno) {
        case E_ERROR:
            echo "ERROR: [ID $errno] $errstr (line: $errline of $errfile)\n";
            echo "The program has stopped running, please contact the administrator.";
            // Exit the script when an error-level error is encountered
            exit;
            break;
        case E_WARNING:
            echo "WARNING: [ID $errno] $errstr (line: $errline of $errfile)\n";
            break;
        default:
            // Do not show notice-level errors
            break;
    }
}
// Set the error handler to the my_error_handler function
set_error_handler("my_error_handler");
...
```

This resolves the contradiction between security and convenient debugging nicely. You can also spend some thought on making the error message prettier, to match the website's style. But note two points: (1) E_ERROR, E_PARSE, E_CORE_ERROR, E_CORE_WARNING, E_COMPILE_ERROR and E_COMPILE_WARNING are not handled by this handler and are displayed in the most primitive way. However, these errors are compile failures or PHP kernel failures, which normally do not occur. (2) After set_error_handler() is used, error_reporting() becomes ineffective. That is, all errors (except those mentioned above) are handed to the custom function for processing. For other information about set_error_handler(), refer to the official PHP manual.

Post vulnerabilities

1. Vulnerability cause: As said before, relying on register_globals to register variables is a bad habit.
In some guestbook and forum programs, you must also strictly check how the page was obtained and the interval between submissions, to prevent flood-posting and external submissions. Let's look at the code of the following guestbook program:

```php
...
$text1 = flt_tags($text1);
$text2 = flt_tags($text2);
$text3 = flt_tags($text3);
$fd = fopen("data.php", "a");
fwrite($fd, "\r\n$text1|$text2|$text3");
fclose($fd);
```

Obviously, if we submit the URL "post.php?text1=testhaha&text2=testhaha&text3=testhaha", the data is written to the file normally. This program does not check where the variables came from or how the browser obtained the page. If we request this page over and over, we get a flood effect. Some software now uses this loophole to post advertisements in forums or guestbooks, which is shameful behaviour (a friend's guestbook was filled with more than 10 pages in one week, and he could do nothing about it).

2. Vulnerability resolution: Before processing and saving the data, first determine how the browser obtained the page. Use the $_SERVER["REQUEST_METHOD"] variable to get the method the browser used, and check whether it is "POST". Use the session in the script to record whether the user submitted the data through the normal path (that is, the page where the submission is filled in). Or use $_SERVER["HTTP_REFERER"] to detect it, but this is not recommended, because some browsers do not set the referer, and some firewalls also block the referer. In addition, we also need to check the submitted content to see whether duplicate content already exists in the database.
Take the guestbook as an example, using the session to decide. At the very top of the page where the content is filled in, we add:

```php
session_start();
$_SESSION["allowgbookpost"] = time();   // Register the time the form page was shown
```

In the page that receives and saves the message data, we also check the session before processing, as follows:

```php
session_start();
// Placeholder value: the minimum fill-in time is not given in the text
define("MIN_FILL_SECONDS", 5);

// Check whether the page was obtained with POST
if (strtoupper($_SERVER["REQUEST_METHOD"]) != "POST") {
    die("Error: do not submit externally.");
}
// Check the time taken to fill in the message
if (!isset($_SESSION["allowgbookpost"]) or (time() - $_SESSION["allowgbookpost"] < MIN_FILL_SECONDS)) {
    die("Error: do not submit externally.");
}
// Check the interval between messages
if (isset($_SESSION["gbookposttime"]) and (time() - $_SESSION["gbookposttime"] < 120)) {
    die("Error: the interval between two submissions must not be less than 2 minutes.");
}
unset($_SESSION["allowgbookpost"]);    // Unregister allowgbookpost, so one visit to the form page allows only one submission
$_SESSION["gbookposttime"] = time();   // Register the posting time, to prevent flooding or malicious attacks
...                                    // data processing and saving
```
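As an added example that is not part of the original article, here is one complete save handler that combines the checks this section describes (POST method, session-recorded form view, minimum fill time, 2-minute interval, duplicate check) with the text-database protection from the "Text database exposure" section. The file name data.php, the helper names, the 5-second minimum fill time and the `<?php exit; ?>` header line are assumptions of this example; the form page is assumed to set `$_SESSION['allowgbookpost'] = time();` as shown above.

```php
<?php
// Added example (not the article's code): a complete guestbook save handler.
session_start();

define('GBOOK_FILE', __DIR__ . '/data.php');     // assumed data file name
define('GBOOK_HEADER', "<?php exit; ?>\n");      // assumed first line: PHP stops here if the file is requested directly
define('MIN_FILL_SECONDS', 5);                   // example value: a bot posts faster than a person types
define('MIN_INTERVAL_SECONDS', 120);             // "no less than 2 minutes between two submissions"

// Returns an error message, or null when the request may proceed.
// $session is passed by reference so the checks also update the session.
function gbook_check_request(array $server, array &$session, $now)
{
    if (strtoupper($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return 'Error: do not submit externally.';
    }
    if (!isset($session['allowgbookpost']) || $now - $session['allowgbookpost'] < MIN_FILL_SECONDS) {
        return 'Error: do not submit externally.';
    }
    if (isset($session['gbookposttime']) && $now - $session['gbookposttime'] < MIN_INTERVAL_SECONDS) {
        return 'Error: the interval between two submissions must not be less than 2 minutes.';
    }
    unset($session['allowgbookpost']);   // one form view, one submission
    $session['gbookposttime'] = $now;
    return null;
}

// Make one field safe to store on one line of the "|"-separated file.
function gbook_clean($text)
{
    $text = trim((string) $text);
    $text = str_replace(array("\r", "\n"), '', $text);    // one record per line
    $text = str_replace('|', '│', $text);                 // keep the separator unambiguous
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');  // "<?php" becomes "&lt;?php": never executable
}

function gbook_is_duplicate($file, $record)
{
    if (!is_file($file)) {
        return false;
    }
    foreach (file($file, FILE_IGNORE_NEW_LINES) as $line) {
        if ($line === $record) {
            return true;
        }
    }
    return false;
}

function gbook_append($file, $record)
{
    $fd = fopen($file, 'a');
    if ($fd === false) {
        return false;
    }
    flock($fd, LOCK_EX);                 // concurrent posts must not interleave
    $stat = fstat($fd);
    if ($stat['size'] === 0) {           // brand-new file: write the protective header first
        fwrite($fd, GBOOK_HEADER);
    }
    fwrite($fd, $record . "\n");
    flock($fd, LOCK_UN);
    fclose($fd);
    return true;
}

$error = gbook_check_request($_SERVER, $_SESSION, time());
if ($error !== null) {
    die($error);
}
$record = implode('|', array(
    gbook_clean($_POST['text1'] ?? ''),
    gbook_clean($_POST['text2'] ?? ''),
    gbook_clean($_POST['text3'] ?? ''),
));
if (gbook_is_duplicate(GBOOK_FILE, $record)) {
    die('Error: this message has already been posted.');
}
if (!gbook_append(GBOOK_FILE, $record)) {
    die('Error: could not save the message.');
}
echo 'Message saved.';
```

The order of the checks matters: the request is rejected before any input is touched, and the session counters are only updated for requests that passed, so a flood of rejected requests cannot lock out a legitimate visitor. Storing the fields through htmlspecialchars() is what closes the "text database becomes a back door" case from the earlier section, and the header line covers the case where someone requests data.php directly.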