The topic of scripting security never seems to run out. Browse any of the foreign bugtraq lists and you will find that more than half of the entries are script-related: SQL injection, XSS, path disclosure, remote command execution, the words are everywhere. Do we only read them to catch "broilers" (zombie boxes)? For those of us who want to do web security it is better to learn from them; get to the root of things, because what we want is not the fish but how to fish. In China all sorts of PHP programs, version 1.0, version 2.0, spring up like mushrooms, but everyone pays attention to the well-known CMS, forum and blog programs, and few people do security testing on the less famous ones. For the growing number of PHP programmers and webmasters, apart from relying on the server's hardening settings, you also have to know how the PHP program itself can be made more secure.
Some people say doing PHP security is nothing more than messing with injection and cross-site scripting. Wrong: if that were so, a single magic_quotes_gpc or a server hardening setting would leave us all with nowhere to go :(. What I am going to talk about today is not injection and not cross-site scripting, but some of the security details that exist inside PHP programs. Ok! Cut to the chase.
Pay attention to filtering around certain functions
Some functions are used in programs all the time, such as include(), require(), fopen(), fwrite(), readfile(), unlink(), eval() and their variants. These functions are very practical, but practical does not mean worry-free; you have to pay extra attention to them. :)
1. include(), require(), fopen(), include_once(), require_once(): these can pull in remote files. For their harm, a Google search will make things very clear. When the variable used in the include call is not filtered properly, you can include an arbitrary file and have it executed. For instance, look at print.php:
...
if (empty($bn)) {                              // check whether the variable $bn is empty
    include("$cfg_dir/site_${site}.php");      // include site_${site}.php from the $cfg_dir path
}
...
Regardless of the $cfg_dir directory, the $site variable is naturally yours to use, because nobody checks $site. You can point $site at a specified remote file, or at a local file; write a PHP statement into the file you specify and the program will execute the file containing it. Just like that.
List file directories
It can even be extended to include some of the administrator's files and escalate privileges, as in the earlier phpwind and bo-blog vulnerabilities. Besides relying on php.ini, where allow_url_fopen set to Off forbids remote file use and open_basedir forbids files outside the directory, you should declare in advance which files may be included at all. No more to say about it here.
2. fopen(), file(), readfile(), openfile() and the like are also places that need special attention. The functions themselves are nothing, they just open files, but if the variable is not filtered thoroughly they will leak source code. Forum code is full of this kind of thing.
...
$articlearray = openfile("$dbpath/$fid/$tid.php");   // open the post file at $dbpath/$fid/$tid.php
$topic_detail = explode("|", $articlearray[0]);      // read the post's fields, separated by |
...
It looks familiar: this is read.php from an earlier Ofstar version. $fid and $tid get no filtering at all, so submit $tid as a file path and the source code leaks. Like this:
http://explame.com/ofstar/read.php?fid=123&tid=../index
$tid has the .php suffix appended, so you write index directly. This is just an example; let us look further.
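The checks the two snippets above are missing, as an added example that is not the article's or either program's own code: one containment helper serves both the print.php include and the read.php post read. $cfg_dir and $dbpath are assumed base directories; $site, $fid and $tid are assumed to arrive from the request.

```php
<?php
// Added example, not the article's code: one containment check that covers both
// the print.php include and the read.php post read. $cfg_dir and $dbpath are
// assumed base directories; $site, $fid and $tid arrive from the request.
$cfg_dir = __DIR__ . '/config';
$dbpath  = __DIR__ . '/data';

// Resolve $relative under $base and return the real path only if it stays
// inside $base. A remote URL, "../index" or a NUL byte all come back null.
function safe_path_in_dir(string $base, string $relative): ?string
{
    if (preg_match('/[\x00-\x1f]/', $relative)) {
        return null;                                 // control chars, NUL
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($baseReal === false || $target === false) {
        return null;                                 // missing base or file
    }
    $prefix = rtrim($baseReal, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

// print.php: $site may only be a plain identifier, and the file it names must
// resolve inside $cfg_dir before it is included.
$site = $_GET['site'] ?? '';
if (!preg_match('/^[A-Za-z0-9_]{1,32}$/', $site)) {
    exit('bad site');
}
$file = safe_path_in_dir($cfg_dir, "site_{$site}.php");
if ($file === null) {
    exit('no such site');
}
include $file;

// read.php: $fid and $tid must be numeric, so "../index" never reaches the
// path, and the resolved file must still sit under $dbpath.
$fid = $_GET['fid'] ?? '';
$tid = $_GET['tid'] ?? '';
if (!ctype_digit($fid) || !ctype_digit($tid)) {
    exit('bad id');
}
$post = safe_path_in_dir($dbpath, "$fid/$tid.php");
if ($post === null) {
    exit('no such post');
}
$articlearray = file($post);                         // what openfile() did
$topic_detail = explode('|', $articlearray[0]);
```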
3. fwrite() and its variant functions: think about this hole. When the characters a user submits are not filtered, writing a PHP backdoor is not impossible.
4. unlink(): phpwind's arbitrary file deletion a while ago was this function. The variable that decides what to delete was not filtered and could be pointed at any file, so of course any file could be deleted.
5. eval() and preg_replace() (with the /e modifier): their job is to execute PHP code. If the string is not filtered, what happens? I often see them used inside CMSes. Think about it: isn't the one-line PHP Trojan built on exactly the principle of eval()?
6. system() and the other system functions: you will say the system functions are disabled in php.ini. Yes, that is a good way, but some programs need them, so should they just not be used? Like the rather nice PHP photo album I saw last time. Besides those, popen(), proc_open() and proc_close() also need special attention; although they print no direct output after the command, do not think that is the end of it and hackers will not use them. Here PHP provides two functions, escapeshellarg() and escapeshellcmd(), which exist to fight attacks through system function calls, that is, to filter.
For the harm, as an example, let us look at a forum's prod.php:
$DOUBLEAPP = isset($argv[1]);                  // initialize $DOUBLEAPP: is $argv[1] set?
...
if ($DOUBLEAPP) {                               // if statement
    $appDir = $argv[1];                         // initialize $appDir
    system("mkdir $prodDir/$appDir");           // create the directory $prodDir/$appDir with system()
}
It was meant to create the directory $prodDir/$appDir, but it turns out the program only checks that $argv[1] exists and lacks the necessary filtering of $argv[1], so you can do
/prod.php?argv[1]=|ls -la or /prod.php?argv[1]=|cat /etc/passwd
(The separator | here is the Unix pipe, with which you can execute several commands.)
With that, the common types of vulnerability should be clear.
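The prod.php fragment beside a hardened version, as an added example that is not the forum's own code: the name is allowlisted first and then quoted with escapeshellarg(), the function the article names. $prodDir is assumed to be a fixed, trusted base directory (a temp directory here so the script runs stand-alone).

```php
<?php
// Added example, not the forum's code. $prodDir is an assumed trusted base
// directory; a temp directory is used so the script runs anywhere.
$prodDir = sys_get_temp_dir() . '/prod';
@mkdir($prodDir, 0750);

// Vulnerable form, as in the article: $argv[1] is only tested for presence, so
// a value such as "|ls -la" reaches the shell as part of the command line.
function mkdir_unsafe(string $prodDir, array $argv): void
{
    $DOUBLEAPP = isset($argv[1]);
    if ($DOUBLEAPP) {
        $appDir = $argv[1];
        system("mkdir $prodDir/$appDir");
    }
}

// Hardened form: allow only a plain directory name, then quote it with
// escapeshellarg() so the shell receives exactly one argument whatever it holds.
function mkdir_safe(string $prodDir, array $argv): bool
{
    $appDir = $argv[1] ?? '';
    // Allowlist: letters, digits, "_" and "-" only; no "/", "|", ";", "..", spaces.
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}$/', $appDir)) {
        return false;
    }
    // escapeshellarg() wraps the value in single quotes and escapes any quote
    // inside it, so a value like "|ls -la" would become the literal directory
    // name '|ls -la' rather than a second command. The allowlist above already
    // rejects it; the quoting is defence in depth.
    $cmd = 'mkdir ' . escapeshellarg($prodDir . '/' . $appDir);
    system($cmd, $rc);
    return $rc === 0;
}
// When no shell is needed at all, mkdir($prodDir . '/' . $appDir, 0750) does
// the same job with no command line to inject into.
// escapeshellcmd() is different: it escapes metacharacters in a whole command
// string but leaves spaces alone, so it does not stop extra arguments.

// Constructed inputs: the second and third are refused before any command runs.
var_dump(mkdir_safe($prodDir, [null, 'app1']));
var_dump(mkdir_safe($prodDir, [null, '|ls -la']));
var_dump(mkdir_safe($prodDir, [null, '../etc']));
```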
Pay attention to special characters
For special characters there is a saying: all input is evil. It is a common phrase in foreign articles: all input is harmful. You must never trust user input. To deal with these hazards programmers busily filter a great many characters for fear of missing one. And some programmers? They never seem to notice these problems and always leave the door to a hole wide open. Enough talk; first look at these things.
1. In fact the thing in a program that worries developers most is the variable, the thing marked with the $ sign; for the person hunting a hole, grasping the word "variable" is everything. Take the directory traversal bug: a lot of mail programs have it. The developers think things through very thoroughly, and some even add a "network disk" feature, which is good, like
http://mail.com/file.php?id=1&put=list&tid=1&file=./
What if we change the file variable to ../ or go even higher? That is how a directory gets traversed.
2. Angle brackets "<>": cross-site scripting, you will know it: search bars, articles, messages, like the phpwind attachment cross-site hole a while back. Of course, for cross-site problems you have to filter far more than angle brackets. You are not afraid of filtering too much; you are afraid of not thinking of what to filter.
3. Slash and backslash: filter / and \. Remember the Magic Forum attachment download source code leak?
attachment.php?id=684&u=3096&extension=gif&attach=.............includesconfig.php&filename=1.gif
For filtering the ../ problem: on a Windows host you must filter not only ../ but also ..\, because a Windows host resolves ..\ to ../. Compared with SQL injection, these details are what is called depth.
4. The backtick (`): the backtick is very powerful in PHP. It can execute system commands just like system() and the other system functions, and if a user's malicious statement is executed through it the server comes to harm. Unless the server settings are very good, I think you still have to filter them well.
5. Line breaks, null characters and so on, like ", \x0b, ...
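Two small filters for the characters listed above, as an added example that is not from the article: angle brackets are encoded on output, and a user-supplied file name is rejected if it carries the path, backtick or control characters discussed in points 1, 3, 4 and 5. The function names and the sample inputs are constructed for this illustration.

```php
<?php
// Added example, not from the article. The names below are constructed.

// 2. "<>": encode on output so the browser never sees raw tags.
function html_out(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// 1, 3, 4, 5: refuse a file name that could traverse directories, switch
// drive or directory on Windows, reach the shell through a backtick, or carry
// control characters such as NUL, CR, LF or \x0b that truncate or split a path.
function valid_filename(string $name): bool
{
    if ($name === '' || strlen($name) > 255) {
        return false;
    }
    if (preg_match('/[\x00-\x1f\x7f]/', $name)) {   // NUL, \r, \n, \x0b, ...
        return false;
    }
    if (preg_match('#[/\\\\:`]#', $name)) {          // "/", "\", ":", "`"
        return false;
    }
    if (strpos($name, '..') !== false) {             // covers ../ and ..\ alike
        return false;
    }
    return true;
}

// Constructed inputs with the expected verdicts.
$tests = [
    'report.gif'                => true,
    '../../includes/config.php' => false,
    "..\\..\\config.php"        => false,
    "note.txt\0.gif"            => false,
    "a`id`b"                    => false,
    "two\nlines.gif"            => false,
];
foreach ($tests as $in => $expect) {
    assert(valid_filename($in) === $expect);
}
echo html_out('<b>"hello"</b>'), "\n";
```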