Code auditing Overview


0x00 Introduction

I have read all of seay's PHP code auditing book. As someone with only a little code auditing experience, I hope to share what I gained with people who are just like me, along with an overall framework and the commonly vulnerable functions. This also serves as my learning notes for the book. You can take a look at the book following my line of thought. :)

0x01 Overall approach

The objective of learning code auditing is to be able to check the code security of a CMS independently. The general approach:

Read the whole codebase starting from the common function code, for example common_fun.php in the include folder, or a file whose name contains a similar keyword. Check the configuration file (a file with "config" in its name), find the connect() function in mysql.class.php, and check whether there is a vulnerability in how the database connection is made. Then read the home page file, index.php: understand which functions and files are called when the program runs, using index.php as the starting point. Expand the included files layer by layer to understand what each file does. Then read the home page file of each functional folder for further reading.

0x02 Various vulnerabilities

A. File operation vulnerabilities

Where a file-name parameter is not needed, do not let the user control one; watch for horizontal privilege problems between users; filter .., / and \; check the input parameters, restrict them, and stop the program from executing on bad input.

1. File inclusion vulnerability:

(1) Local file inclusion:

It usually occurs in module loading, template loading and cache calls. The inclusion functions are include()/include_once() and require()/require_once(); look for controllable variables passed to them.
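As an added example (not code from the original post) of the "find controllable variables" step above and of the "search for key functions" lists that follow, a small tokeniser-based scan that reports calls to those functions whose arguments directly contain a superglobal; the sample source it scans is constructed here, and SINKS and SUPERGLOBALS are names chosen for this example.

```php
<?php
// Added example, not code from the original post: a token_get_all() scan for the
// "key search functions" this article lists, reporting calls whose argument list
// directly contains a superglobal. A value copied into another variable first is
// not followed; trace such cases back by hand as the article describes.
const SINKS = ['include', 'include_once', 'require', 'require_once', 'file_get_contents',
    'fopen', 'readfile', 'file', 'show_source', 'highlight_file', 'move_uploaded_file',
    'unlink', 'eval', 'assert', 'preg_replace', 'call_user_func', 'call_user_func_array',
    'array_map', 'system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open',
    'pcntl_exec', 'extract', 'parse_str'];
const SUPERGLOBALS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE', '$_FILES', '$_SERVER'];
function find_tainted_sinks(string $code): array
{
    $tokens = token_get_all($code);
    $n = count($tokens);
    $findings = [];
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok) || !in_array(strtolower($tok[1]), SINKS, true)) continue;
        // Skip $obj->exec(), Cls::exec() and "function exec()" definitions.
        $prev = $tokens[$i - 1] ?? null;
        if (is_array($prev) && $prev[0] === T_WHITESPACE) $prev = $tokens[$i - 2] ?? null;
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_PAAMAYIM_NEKUDOTAYIM, T_FUNCTION], true)) continue;
        // Walk the arguments to the matching ')' or to the ';' (include needs no parentheses).
        $depth = 0;
        $tainted = [];
        for ($j = $i + 1; $j < $n; $j++) {
            $t = $tokens[$j];
            if ($t === '(') { $depth++; continue; }
            if ($t === ')' && --$depth <= 0) break;
            if ($t === ';' && $depth === 0) break;
            if (is_array($t) && $t[0] === T_VARIABLE && in_array($t[1], SUPERGLOBALS, true)) {
                $tainted[] = $t[1];
            }
        }
        if ($tainted) {
            $findings[] = sprintf('line %d: %s(%s)', $tok[2], $tok[1], implode(', ', array_unique($tainted)));
        }
    }
    return $findings;
}
// Constructed sample source; the last line uses a constant path and is not reported.
$sample = <<<'PHP'
<?php
include 'tpl/' . $_GET['tpl'] . '.php';
system("ping -c 1 " . $_POST['host']);
move_uploaded_file($_FILES['f']['tmp_name'], 'up/' . $_FILES['f']['name']);
$conf = file_get_contents('config.php');
PHP;
foreach (find_tainted_sinks($sample) as $hit) echo $hit, PHP_EOL;
```

Running it prints three lines (the include on line 2, the system() call on line 3 and the move_uploaded_file() call on line 4 of the sample), each with the superglobal it found.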

(2) Remote file inclusion:

Prerequisite: allow_url_include = On. Less common than local inclusion.

(3) File inclusion truncation:

%00 truncation (PHP version below 5.3); question-mark truncation (everything after the ? is treated as the request's query string, a pseudo truncation); dot (.) and slash (/) truncation.

2. File read (download) vulnerability:

Search for key functions:

file_get_contents(), highlight_file(), fopen(), readfile(), fread(), fgetss(), fgets(), parse_ini_file(), show_source(), file() and so on.

3. File upload vulnerability:

Search for key functions:

move_uploaded_file(); then check whether the code that calls this function restricts the upload format, and whether that restriction can be bypassed.

(1) No filtering, or only local (client-side) filtering: PHP files can be uploaded directly without being filtered by the server.

(2) Blacklist extension filtering:

Incomplete restriction: IIS parses .asp, .cdx, .asa, .cer and so on by default. The extension check can be bypassed:

The .php format is not allowed, but we can upload the file under the name "1.php " (note the trailing space).

(3) File header / Content-Type verification bypass:

getimagesize(): checks that the file header is GIF89a and returns true. Restricting $_FILES["file"]["type"] is just a manual limit on Content-Type, which is a client-controlled value.
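Putting (1) to (3) together, as an added example that is not the post's own code: a blacklist check that the trailing-space name from (2) slips past, beside a whitelist check with strict comparison and a server-chosen file name (the function names and extension lists are constructed for this example).

```php
<?php
// Added example, not from the original post: the blacklist check that "1.php "
// slips past, beside a whitelist check with strict comparison and renaming.
// Windows strips trailing spaces and dots when the file is written, so a name
// accepted as "1.php " lands on disk as "1.php".

function blacklist_allows(string $clientName): bool
{
    $blocked = ['php', 'php3', 'phtml', 'asp', 'asa', 'cer', 'cdx'];
    $ext = pathinfo($clientName, PATHINFO_EXTENSION);  // "1.php " -> "php " (space kept)
    return !in_array($ext, $blocked, true);
}

// Returns the name to store the upload under, or null to reject it.
function whitelist_store_name(string $clientName): ?string
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif'];
    $ext = strtolower(trim(pathinfo($clientName, PATHINFO_EXTENSION)));
    if (!in_array($ext, $allowed, true)) {    // strict: no type juggling
        return null;
    }
    // Never keep the client's name; rename with the rule the article gives.
    return md5(time() + rand()) . '.' . $ext;
}

// Client-controlled values that must not be trusted on their own:
//   $_FILES['file']['type']  - the Content-Type header the client sent
//   getimagesize()           - only needs an image header such as GIF89a
var_dump(blacklist_allows('1.php '));           // bool(true): "php " is not in the list
var_dump(whitelist_store_name('1.php '));       // NULL: rejected
var_dump(whitelist_store_name('avatar.PNG'));   // string(36) "<32 hex chars>.png"
```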

(4) Prevention:

Use in_array() or the triple-equals operator === to compare the extension against a whitelist. Rename the uploaded file when saving it; one rule is to combine the timestamp with a random number: md5(time() + rand()).

4. File deletion vulnerability:

Search for key functions:

unlink(): trace the variable back to its source. session_destroy() in earlier versions could also delete files; this has been fixed.

Metinfo arbitrary file deletion vulnerability:

$action = delete: deletes the .sql file. If the file is not an SQL file, the submitted file name is deleted anyway.

target.com/recovery.php?&action=delete&filename=../../index.php

B. Code execution vulnerability

1. Code execution functions:

Key search functions: eval(), assert(), preg_replace(), call_user_func(), call_user_func_array(), array_map()

(1) preg_replace() function:

mixed preg_replace(mixed $pattern, mixed $replacement, mixed $subject [, int $limit = -1 [, int &$count]])

When the /e modifier is present in $pattern, $replacement is executed as PHP code.

(2) mixed call_user_func(callable $callback [, mixed $parameter [, mixed $... ]]):

The first parameter is the callback function; the following parameters are passed to the callback.

(3) eval () and assert ():

assert() executes its argument as PHP code when that argument is a string.

[Difference]:

```php
eval("phpinfo();");    // √
eval("phpinfo()");     // ×  (eval needs a complete statement, semicolon included)
assert("phpinfo();");  // √
assert("phpinfo()");   // √
```
2. Dynamic function execution:

Dynamic function backdoor:


3. Command execution functions:

Key search functions: system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open()

(1) popen() and proc_open():

```php
<?php
popen('... > /Users/bingdaojueai/Desktop/1.txt', 'r');
?>
```

The content of 1.txt is then the output of the executed command.

(2) Backtick command execution:

echo `whoami`; executes the command directly.

Difference between double quotation marks and single quotation marks:

```php
<?php
$a = 1;
echo "$a";   // output: 1
echo '$a';   // output: $a
?>
```

Inside double quotation marks variables are interpolated directly, which can lead to code execution vulnerabilities.

C. Variable overwrite vulnerability

1. Improper function usage:

int extract(array &$var_array, int $extract_type = EXTR_OVERWRITE, string $prefix = null)
void parse_str(string $str, array &$arr)
bool import_request_variables(string $type, string $prefix)

2. $$ (variable variable) overwrite:

D. Logic vulnerabilities

Questions to consider:

Can the program be re-installed and the password changed? Is there a privilege problem that lets one user change another user's password or retrieve the password-reset verification code? Can the cookie be brute-forced or predicted? Is there a verification bypass?

1. Equality checks that can be bypassed:

(1) in_array(): the type is converted automatically before comparison.

(2) is_numeric(): when the input parameter is hexadecimal, it passes straight through and returns true. MySQL can use hex encoding in place of a plaintext string, which allows second-order injection and may lead to XSS.

(3) Double equals == and triple equals ===:

Double equals performs type conversion during comparison, the same as in_array(). Triple equals compares type and value and is safer.

2. Excessive permissions in the account system:

Horizontal privilege abuse: user A can perform all of user B's operations as user B, where A and B have the same permission level. Vertical privilege abuse: user A can perform all of user C's operations as user C, where C has higher permissions than A.
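Going back to the equality checks in 1.(1) to 1.(3), an added example (not the post's own code) of an allow-list check written with loose comparison, the input that slips past it, and the strict version; ALLOWED_IDS and the function names are constructed for this example.

```php
<?php
// Added example, not from the original post: an allow-list check written with
// loose comparison, the input that slips past it, and the strict version.
// Results marked "PHP < 8" changed in PHP 8, where "2abc" == 2 is false.

const ALLOWED_IDS = [1, 2, 3];

function id_allowed_loose($id): bool
{
    return in_array($id, ALLOWED_IDS);        // loose: "2abc" == 2 is true on PHP < 8
}

function id_allowed_strict($id): bool
{
    // Normalise to the type stored in the list, then compare type and value.
    if (!ctype_digit((string) $id)) {
        return false;
    }
    return in_array((int) $id, ALLOWED_IDS, true);
}

// The same juggling affects == between strings and is_numeric() on hex input:
var_dump("1e3" == "1000");          // bool(true): both numeric strings, compared as numbers
var_dump("0x1A" == 26);             // true on PHP 5, false on PHP 7+
var_dump(is_numeric("0x1A"));       // true on PHP 5, false on PHP 7+
var_dump("1e3" === "1000");         // bool(false): === compares type and value

var_dump(id_allowed_loose("2abc"));   // true on PHP < 8, so "2abc" reaches the SQL string
var_dump(id_allowed_strict("2abc"));  // bool(false)
var_dump(id_allowed_strict("2"));     // bool(true)
```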

(1) No exit/return/die:


"test" is still output: replace that with the installation process, and PHP would still continue executing it.
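An added illustration of this point (not the post's own code): an install script that only sends a redirect when the lock file exists, so everything after the check still runs, beside the version that stops with exit; the lock-file path and function names are constructed.

```php
<?php
// Added example, not the post's own code: header() only sets a response header,
// so without exit the installer still runs (a client that ignores the Location
// header, such as curl without -L, receives the installer page).

function install_guard_broken(string $lockFile): string
{
    if (file_exists($lockFile)) {
        header('Location: index.php');   // header set, but execution continues
    }
    return "Running installer\n";       // reached even when the lock exists
}

function install_guard_fixed(string $lockFile): string
{
    if (file_exists($lockFile)) {
        header('Location: index.php');
        exit;                            // no further code runs
    }
    return "Running installer\n";
}

$lock = sys_get_temp_dir() . '/install.lock';   // constructed lock file
touch($lock);
echo install_guard_broken($lock);   // prints "Running installer" despite the lock
unlink($lock);
```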

(2) Payment vulnerability:

The client changes the unit price; the client changes the total price and the quantity purchased; the server does not verify the price strictly.

Time difference when the same packet is sent repeatedly:


Functions that may cause vulnerabilities: str_replace()

```php
$b";
$c = str_replace($a, '', $b);
echo trim($c);
?>
```
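As an added example of why a single str_replace() is a weak filter (not the post's own code): a traversal filter that removes "../" once, the input that survives it, and a check that confines the resolved path to a base directory instead; the function names and the temporary file are constructed.

```php
<?php
// Added example, not the post's own code: a traversal filter built on one
// non-recursive str_replace(), the input that survives it, and a check that
// confines the resolved path to a base directory instead of cleaning it.

function strip_traversal(string $path): string
{
    return str_replace('../', '', $path);   // single pass: removed text can re-form "../"
}

// True only when $base/$userPath resolves to something under $base (the target must exist).
function path_is_inside(string $base, string $userPath): bool
{
    $base = rtrim(realpath($base), DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    $full = realpath($base . $userPath);
    return $full !== false && strncmp($full, $base, strlen($base)) === 0;
}

// "..././" loses its inner "../" and what remains collapses back to "../".
var_dump(strip_traversal('..././..././etc/passwd'));    // string(16) "../../etc/passwd"

$tmp = sys_get_temp_dir();
touch($tmp . '/audit_demo.txt');                          // constructed target file
var_dump(path_is_inside($tmp, 'audit_demo.txt'));         // bool(true)
var_dump(path_is_inside($tmp, '../../etc/passwd'));       // bool(false) on a typical Linux box
unlink($tmp . '/audit_demo.txt');
```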

E. Session authentication vulnerability

Cookie verification: no SESSION is used; the information is stored directly in the cookie.

Follow the parameters that are passed into the SQL statement, trace the variable back to the function where it originates, and check whether the algorithm used to build the cookie value is reversible (and, for MD5 or sha1, whether the hash can be recovered). Also look at sites that allow a user to be logged on from only one IP address at a time.

When auditing code, look at the logon code.

F. Second-order vulnerabilities

1. Type: not a logic problem but a trust problem. The more complex the business logic, the more often second-order vulnerabilities are triggered. Shopping cart / orders / referenced data / article editing / drafts ==> SQL injection / XSS

2. Tips:

(1) Exploiting gaps in escaping such as GPC:

$_SERVER variables are not protected by GPC: since PHP 5, headers obtained through $_SERVER are no longer affected by magic_quotes_gpc; even with it enabled, special characters are not escaped and can be injected.

Encoding conversion problems:

GBK wide-byte injection: the single quote in %df' is escaped with a backslash (%5c), but %df and %5c together form one GBK character, so the quote is left standing on its own. [An encoding-conversion problem in the interaction between PHP and MySQL.]
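An added example (not the post's own code) showing how the escaped bytes look to a GBK decoder, with two defensive checks; the bytes and the helper functions are constructed for this example.

```php
<?php
// Added example, not the post's own code: how %df%27 survives addslashes() on a
// GBK connection, and two checks a defender can apply. Bytes are constructed.

$input   = "\xdf'";                 // what %df%27 decodes to
$escaped = addslashes($input);      // bytes: df 5c 27 (backslash inserted before the quote)

// A GBK decoder reads 0xdf 0x5c as one two-byte character, so the inserted
// backslash is swallowed and the quote is left standing on its own.
var_dump(bin2hex($escaped));                // string(6) "df5c27"
var_dump(mb_strlen($escaped, 'GBK'));       // int(2): one wide character plus "'"
var_dump(mb_substr($escaped, 1, 1, 'GBK')); // string(1) "'"

// Mitigation 1: reject input that is not valid GBK before it is used at all.
function valid_gbk(string $s): bool
{
    return mb_check_encoding($s, 'GBK');    // "\xdf'" is false: 0x27 is not a valid trail byte
}

// Mitigation 2 (preferred): tell the driver the connection charset so the
// escaping is charset-aware, then use prepared statements for the query.
function connect_gbk(string $host, string $user, string $pass, string $db): mysqli
{
    $m = new mysqli($host, $user, $pass, $db);
    $m->set_charset('gbk');   // not "SET NAMES gbk", which the client-side escaper does not see
    return $m;
}
var_dump(valid_gbk($input));                // bool(false)
```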

mb_convert_encoding():


(2) String problems:

Use error messages to find sensitive information.

String truncation:

%00 null-byte truncation: [PHP version below 5.3]


iconv() character-encoding truncation: [depends on the PHP version]

```php
<?php
$a = "1" . chr(128) . "2";        // any of chr(128)-chr(255) can be truncated here; echo $a prints 1?2
echo iconv("UTF-8", "GBK", $a);   // 1
?>
```

php:// input/output streams:

```
1.php?file=php://filter/convert.base64-encode/resource=example.txt
```

(The file content is returned base64-encoded; the resource may also be a remote file.)

PHP code parsing tags:

<script language="php"> ... </script>: available since PHP 3.0.4
<% ... %>: ASP tags; requires asp_tags = On (the default is Off)

Regular expressions:

No start and end anchors (^ and $) are used; special characters are not escaped:

Error injection:

Using Windows FindFirstFile: to find the file 12345.txt, you can use 1<< or 12<< in its place. A single "<" or ">" cannot be used, because a single character stands for only one character while two stand for multiple characters.

0x03 End

Setting out on the security road was both an interest and an accident. I chose white-box because I like PHP. After all, code auditing was the first thing I learned, and seay's book helped me a lot; I have been riding on its coattails. (I am a cute girl.) I hope this article will help people who are just like me. It took two days to summarise it. If there are any defects, I will wait for you to point them out.

Auditing without development experience is hooliganism! :)

 
