I saw this post on another forum and it feels very good, so I will share it and discuss it with you.
Author: jing0102. Original article: Are you worried about how to learn and audit PHP code?
0x01 Code auditing
Code auditing is a source code analysis technique for detecting program errors, security vulnerabilities and violations of coding standards. Typical targets include Java, C, C#, ASP, PHP, JSP and .NET code on both Windows and Linux systems, and the practice is not limited to those languages. PHP code auditing is especially popular today, because PHP is one of the mainstream languages for web development and therefore for web security.
0x02 How to learn PHP code auditing
Now that we know what code auditing is, we also know that to find vulnerabilities, defects and errors in PHP source code we must first learn the language itself (PHP). The steps:
① Understand PHP syntax
② Be able to read PHP code
③ Know the dangerous PHP functions (for example system(), exec())
④ Have a tool that can locate, trace back and search code (recommended: TommSearch and the Seay PHP source code audit tool)
⑤ Read other people's analysis write-ups
⑥ Do real-world digging yourself
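As an added example (not from the original post, and not how TommSearch or the Seay tool work internally), the following PHP script shows the idea behind steps ③ and ④ above and behind the "locate the relevant file" step of the audit procedure: tokenize a PHP file with PHP's own tokenizer, mark variables assigned from request superglobals as tainted, and report dangerous calls that a tainted value reaches. The source it scans is constructed inline and modelled on the guestbook code discussed later in this post; the sink lists and the scan_php_source() helper are this example's own, not a standard API.

```php
<?php
// Added example: a minimal source-to-sink scanner built on PHP's tokenizer.
// It is not TommSearch or the Seay tool; it only demonstrates the idea of
// locating dangerous calls and tracing request data back to them.

// Request superglobals are the taint sources.
const SUPERGLOBALS = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_FILES', '$_SERVER'];

// Function-style sinks (a name followed by '('). A starting point, not exhaustive.
const SINK_FUNCTIONS = [
    'system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open', 'assert',
    'mysql_query', 'mysqli_query', 'pg_query',
    'file_get_contents', 'file_put_contents', 'fopen', 'unlink', 'unserialize',
];

// Language constructs that are sinks too; matched by token name.
const SINK_CONSTRUCTS = ['T_EVAL', 'T_INCLUDE', 'T_INCLUDE_ONCE', 'T_REQUIRE',
    'T_REQUIRE_ONCE', 'T_ECHO', 'T_PRINT'];

// Analyse one statement: propagate taint through "$var = ..." and flag sinks.
function analyze_statement(array $stmt, array &$tainted, array &$findings): void
{
    $skip = [T_WHITESPACE, T_COMMENT, T_DOC_COMMENT, T_OPEN_TAG, T_CLOSE_TAG];
    $toks = array_values(array_filter($stmt, function ($t) use ($skip) {
        return !(is_array($t) && in_array($t[0], $skip, true));
    }));
    if ($toks === []) {
        return;
    }

    // Is this "$lhs = <expr>;"? Then only the right-hand side decides taint.
    $isAssign = is_array($toks[0]) && $toks[0][0] === T_VARIABLE
        && isset($toks[1]) && $toks[1] === '=';
    $from = $isAssign ? 2 : 0;

    // Tainted names this statement touches (superglobals or tainted variables).
    $touched = [];
    for ($i = $from; $i < count($toks); $i++) {
        $t = $toks[$i];
        if (is_array($t) && $t[0] === T_VARIABLE
            && (in_array($t[1], SUPERGLOBALS, true) || isset($tainted[$t[1]]))) {
            $touched[$t[1]] = true;
        }
    }
    if ($isAssign) {
        if ($touched !== []) {
            $tainted[$toks[0][1]] = true;   // taint flows into $lhs
        } else {
            unset($tainted[$toks[0][1]]);   // reassigned from clean data
        }
    }

    // Report every sink in the statement that can see tainted data.
    foreach ($toks as $i => $t) {
        if (!is_array($t)) {
            continue;
        }
        $sink = null;
        if ($t[0] === T_STRING && isset($toks[$i + 1]) && $toks[$i + 1] === '('
            && in_array(strtolower($t[1]), SINK_FUNCTIONS, true)) {
            $sink = strtolower($t[1]) . '()';
        } elseif (in_array(token_name($t[0]), SINK_CONSTRUCTS, true)) {
            $sink = strtolower($t[1]);
        }
        if ($sink !== null && $touched !== []) {
            $findings[] = sprintf('line %d: %s reached by %s',
                $t[2], $sink, implode(', ', array_keys($touched)));
        }
    }
}

// Split the token stream into statements and analyse each one in order.
function scan_php_source(string $src): array
{
    $tainted = [];
    $findings = [];
    $stmt = [];
    foreach (token_get_all($src) as $tok) {
        $stmt[] = $tok;
        if ($tok === ';' || $tok === '{' || $tok === '}') {
            analyze_statement($stmt, $tainted, $findings);
            $stmt = [];
        }
    }
    analyze_statement($stmt, $tainted, $findings);
    return $findings;
}

// Constructed sample input, modelled on the guestbook code discussed in this post.
$sample = <<<'PHP'
<?php
$username = $_POST["username"];
$qq = $_POST["qq"];
$time = date('Y-m-d H:i:s');
$sql = "insert into leavewords (username, qq, leave_time) values ('$username', $qq, '$time')";
mysql_query($sql);
$cmd = "ping " . $_GET['host'];
system($cmd);
echo "Hello " . $_COOKIE['name'];
PHP;

foreach (scan_php_source($sample) as $finding) {
    echo $finding, "\n";
}
```

Run with `php scanner.php`; for the sample it reports mysql_query() on line 6 (reached through $sql), system() on line 8 (through $cmd) and echo on line 9 (directly from $_COOKIE). The analysis is deliberately shallow: it is flow-insensitive, does not follow function calls, and treats no function as a sanitizer, so a value passed through mysql_real_escape_string() or htmlspecialchars() still shows up. For an audit that is the right default: the hits are where to start reading, not a verdict.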
0x03 How to audit PHP code
① First run a penetration test against a local install. Once a problem is found, use TommSearch to locate the relevant files. (If the application is built on a framework, locating the file is much more tedious; for framework positioning see the article: http://darkm01lym0on.blog.163.com/blog/static/2567990922016019105947508/. If it is not a framework, you can locate the file directly from the URL.)
② Trace the code
③ Take notes as you test
④ End of the audit

Next, let me test the source of a program downloaded from Chinaz (站长之家): http://down.chinaz.com/soft/33915.htm
E.g.: I downloaded a PHP guestbook (message board) system and took a quick look. We can see that it has a file fk1.php; check the source code of this file:
    <?php
    $username = $_POST["username"]; // value of the username parameter from the POST request; the variables below work the same way
    $qq       = $_POST["qq"];
    $email    = $_POST["email"];
    $homepage = $_POST["homepage"];
    $face     = $_POST["face"];
    $title    = $_POST["title"];
    $content  = $_POST["content"];
    $time     = date('Y-m-d H:i:s');
    $ip       = $_SERVER['REMOTE_ADDR']; // record the visitor's IP address
    $sql = "insert into leavewords (username, qq, email, homepage, face, leave_title, leave_contents, leave_time, ip) values ('$username', $qq, '$email', '$homepage', '$face', '$title', '$content', '$time', '$ip')"; // insert the message fields with an INSERT
    mysql_query($sql); // execute the statement
We can see that the submitted message content is inserted into the database by executing a MySQL statement without any processing. The code also shows that messages must be reviewed (moderated) before they appear, so we can conclude that the review happens in the backend (admin panel). I submitted a message from the front end with the payload <script>alert(1)</script>:
Submitted successfully. Log in to the backend and go to message management: a pop-up box appears, so the script has executed. With this stored XSS, the backend administrator's cookie can be stolen.
----------------------- E.g. end -----------------------
The above is a simple audit idea; you can build on it yourself!
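Here is the same insert rewritten the way a fix would look, as an added example (not the original fk1.php and not a vendor patch). Two things change. On the input side the values are bound with a prepared statement instead of being spliced into the SQL string; this also closes the SQL injection that the unescaped concatenation in the original invites (whether that was exploitable on the vendor's setup, for example with magic_quotes_gpc on old PHP, the post does not say). On the output side, which is where the XSS actually fires, the backend message list encodes every stored field before echoing it. The mysql_* functions used by the original were removed in PHP 7, so the example uses mysqli. Connection details, the e() helper and the backend listing loop are assumptions for this example; table and column names are from the original INSERT.

```php
<?php
// Added example, not the original fk1.php or the vendor's fix: the same INSERT
// with a prepared statement, plus output encoding in the backend message list.

// Connection details are placeholders for this example.
$db = new mysqli('localhost', 'user', 'pass', 'guestbook');
if ($db->connect_error) {
    die('database connection failed');
}
$db->set_charset('utf8mb4');

// 1. Input side: keep the raw text, but never splice it into SQL.
$fields = ['username', 'qq', 'email', 'homepage', 'face', 'title', 'content'];
$in = [];
foreach ($fields as $f) {
    $in[$f] = isset($_POST[$f]) ? (string) $_POST[$f] : '';
}
// qq was an unquoted number in the original INSERT; make sure it is one.
$qq = filter_var($in['qq'], FILTER_VALIDATE_INT);
if ($qq === false) {
    $qq = 0;   // a real form would reject the post; the example keeps it simple
}
$time = date('Y-m-d H:i:s');
$ip   = $_SERVER['REMOTE_ADDR'];

// Placeholders are bound as data, so quotes in a message cannot change the query.
$stmt = $db->prepare(
    'INSERT INTO leavewords (username, qq, email, homepage, face, leave_title,
       leave_contents, leave_time, ip) VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?)'
);
$stmt->bind_param('sisssssss', $in['username'], $qq, $in['email'], $in['homepage'],
    $in['face'], $in['title'], $in['content'], $time, $ip);
$stmt->execute();

// 2. Output side (assumed backend listing): encode when rendering, so a stored
//    <script>alert(1)</script> is displayed as text instead of executed.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

$res = $db->query('SELECT username, leave_title, leave_contents FROM leavewords ORDER BY leave_time DESC');
while ($row = $res->fetch_assoc()) {
    echo '<tr><td>' . e($row['username']) . '</td><td>' . e($row['leave_title'])
       . '</td><td>' . e($row['leave_contents']) . '</td></tr>', "\n";
}
```

The important point for this audit is the second half: escaping or filtering in fk1.php alone is not enough, because the dangerous sink is the admin page that renders the stored message, and every page that displays the field has to encode it. Marking the admin session cookie HttpOnly limits what a stored XSS can steal, but does not stop the script from running with the administrator's privileges.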
0x04 Summary of the code auditing road
To be honest, I have been on the code auditing road for a year. I have also tried to give up, but I still stick with it. Although my technique is not refined, I hope my learning experience can help you.
1. Look at more real examples.
2. Pay more attention to PHP functions.
3. The most important and most difficult thing: persistence.
I hope everyone will push each other forward in the future! Thank you!
-------- This article is reproduced from: the ichunqiu (i春秋) forum