Common Vulnerabilities in php programs and how to mine Vulnerabilities

Title: Common Vulnerabilities in php programs and how to mine Vulnerabilities
Author: Xiao Dan
The article I wrote for you is mainly about some penetration experience related to simple vulnerability mining in php.
1. File writing Vulnerability
One of the first types of analysis is the file writing vulnerability. I remember that many programs died on this vulnerability.
$ File = .... /Then a defined variable name/info. php.
Php and asp are different. Some asp databases may be in the asa format. Therefore, some vulnerabilities are caused by messages on the front end. Of course, the premise is that related characters are not filtered. Insert a sentence directly
And connect. Of course, php also has such a vulnerability. For example, a simple message page is usually written directly to the database and then the other page calls the content in the database. It usually filters out invalid characters. One program that died on the message board was the Emperor's CMS. It seemed to be injected through the message board. Of course, I will not analyze all the details.
2. Background Verification
Some background applications only use cookies for verification, which is very dangerous. The value of Adminname is the admin id.
As for these table fields, you can install them without looking at the source code to build a local environment. As for the management account, you can find it at the front end or guess it. I will not list some common ones. If you do not have this account, you will be prompted.
You can also use a universal password to log on to the background.
There is another 2B program. It is called the Website Information Management System of maxing php.
His background verification was a pain point.
 
This problem is very serious. No matter whether your account or password is wrong, you will be given a session. Then we only need to enter the account password and jump to index. php.
 
3. injection point.
If a program breaks down the injection point, you can forcibly insert some important information, including the account and password. Ps // to find the injection point, you should learn to combine the source code to blow up the account password not much explanation.
A few days ago, I saw a big bull. I forgot how to do this. I think it is hard to understand how to exploit wvs and php code to audit vulnerabilities for new beginners. Some key things need to be searched manually. You must be patient and attentive. The three are indispensable.
Looking for injection points is nothing more than looking at the source code combined with practice, experience is of course convenient. I mainly introduce two types of search injection and cookie injection)
 
4. Registration Vulnerability
Some program registration pages do not filter out invalid characters, so it is easy to inject them.
Of course, there are some clever uses. For example, if you register a 2.php; 1 user, the uploaded image address is 2.php1.jpg or 2.php/ xx.jpg. Many of them have their own flexibility.
 
5. Arbitrary download vulnerabilities and external connections
Download. php? Jh5zIw = 20 & m = 2 & f = ../include/config. inc. php
We can use ../to list the first-level directories. To download some important information about the database,
The typical issue is phpcms2008. The problem lies in the fact that $ I, $ m, and $ f are all parameters in the address bar that are not filtered out.
I don't know much about it. It is generally reflected in the installation file.
The traversal vulnerability is similar to the arbitrary Download Vulnerability.
The whole server can be traversed by using any construction. Of course, many programs will restrict important directories.
6. inscription files and verification problems
There seems to be a lot of procedures in obstetrics and gynecology. Let me give an example.
I mainly talk about some background Ming files. For example, no verification...
 
So let's look at a verified
Ps // Why can't I insert images?
 
<?
/*---------
XXXX --
Xiaodan_t1@126.com -------*/
Error_reporting (0 );
Require_once ('data. php ');
Require_once ('../include/common. inc. php ');
Require_once ('../include/config. php ');
Require_once ('../include/cj. php ');
If ($ _ COOKIE ['x _ cooker']! = $ Adminname or $ _ COOKIE ['y _ cooker']! = Md5 ($ password )){
Echo "<script> location. href = 'index. php'; </script> ";
Exit ();
}
?>
 
This uses the require function. When we open this page, we first execute this function. Of course, it is not to say that it is absolutely safe to verify. Because of the special nature of the require function, poor use will also bring serious and fatal security risks. The next article will show you an example.
Not yet resumed...
7. Upload Vulnerability
Most uploads are not filtered, use a third-party upload tool, or use a custom name.
Here is an example of group buying every day. Because the local directory contains mod. php, we found a background file in the background file. Previously, the upload was filtered out, but a custom path name vulnerability was found in the Code. You can upload Trojans in combination with the environment. Paste the code.
 
$ Dir = './'. $ dir;
Require_once LIB_PATH. 'upload. han. php ';
 
$ Upload_handler = new UploadHandler ($ _ FILES, $ dir, 'uploads', true );
 
In addition, I also want to extend the upload function. Of course it is not in the php field.
There was a novel program that uploaded the profile picture. Because external js is referenced, we can use Firefox or other tools to modify the source code and directly upload Trojans.
 
8. Code Execution Vulnerability
It is usually reflected in the fact that an array or function is not initialized. Then, arbitrary code can be submitted for execution.
Generally, if such a vulnerability occurs, you can directly use getshell.
Typically, the eval parameters in the showmessage functions of dz 7.1 and 7.2 are not initialized, so the getshell is generated later.
This problem also occurs in php168 6.02. If you search for it yourself, I will not describe it in detail.
 
9. Plug-In Vulnerabilities
Some large programs are generally difficult to find vulnerabilities. Of course not none. At this time, we can find some plug-in vulnerabilities.
For example, wordpress. Plug-in vulnerabilities, such as comment plug-ins, AD plug-ins, and background upload plug-ins are often exposed. The previous time I saw a tool dedicated to scanning wordpress plug-in vulnerabilities. Of course, such vulnerabilities have limitations.
From: http://www.hncxiaodan.com/2012_01_73.html