PHP Code Audit Learning Summary

Source: Internet
Author: User

0x01 Introduction

PHP is a widely used scripting language, especially suited to web development. It is cross-platform, easy to learn, and powerful. According to statistics, more than 34% of websites worldwide run PHP applications, including large portals such as Yahoo, sina, 163, and sohu. In addition, many well-known web application systems (bbs, blog, wiki, and cms) are developed in PHP, such as Discuz, phpwind, phpbb, vbb, wordpress, and boblog.
As web security has become a hot topic, code security issues in PHP applications have come to the fore. More and more security researchers are working in this area, and more application code vulnerabilities are being exposed. In this situation, the "attackers" hunting PHP vulnerabilities will find fewer and fewer of them. Since traditional audit methods can no longer reach the goal of discovering vulnerabilities, why not try new audit methods and ideas?
In this article I mainly share some experience from learning PHP code auditing and my thoughts on the audit process. The content is very simple, but I hope it brings you some ideas and new perspectives on code auditing or vulnerability mining.

0x02 Before the Audit Begins

The purpose of code auditing is to discover vulnerabilities that can be exploited, so we do not have to fully understand every line of code. But some preparation is necessary before starting, just as before a penetration test we collect enough information about the target and then develop a penetration plan based on it.

2.1 Process

When I first started practising auditing, I would get a set of source code and immediately drop it into a tool, scan for sensitive functions, trace each hit one by one, and look for the entry point. After auditing several code bases this way, I found that it wasted a lot of time: during each backtrace I kept running into the common functions defined in the source code, and without understanding the overall flow of the code, a lot of time and effort went into locating these general-purpose functions.
So I adjusted my audit process. After obtaining the source code, read it from where execution starts (usually the index file under the root directory), in execution order, through the initialisation and the basic functions. In this way you get a clear picture of the structure of the whole code base: which function files live in which folders, and which file holds the common functions. This helps later, when reading "suspicious" code that may have problems: when we see a common function, we can quickly switch to the common-function file and find its implementation. This method has many other benefits, which I will not list here.

2.2 Understanding

Optimising the process helps us avoid unnecessary waste of time and effort in the subsequent audit. Before reading the code in depth, get to know every functional point of the whole application, every input box, and the vulnerabilities it has had in the past along with their fixes. This greatly improves our auditing efficiency.
When you understand every function of the application, observing how the URL changes may let you skip many useless branches later when reading the code.
When testing each input box, carefully observing the id or name of the input box in the HTML source may help you locate the exploitable point faster in the subsequent audit.
Trying to understand the vulnerabilities that have previously occurred in the source code and how they were fixed is a good shortcut in code auditing. Although a code base may not be written by one person, it must be built on a framework. The programmers who write this code develop around the framework and must follow its rules, so by studying these vulnerabilities we may find their common mistakes. It is even better if you can understand the details of the vulnerability fixes, because as the web platform is upgraded and changes, or as new techniques appear, these patches may become merely decorative.

2.3 Plan

Doing things according to a plan is a good habit. A plan helps us recognise what we have achieved and which of the problems we face count as failure. In this way we avoid abandoning the work "decisively" because of one day's bad mood, and we also avoid sinking time into an impossible task.
In the process of code auditing, I have summarised two points that must be clarified in the preliminary plan:
1. What vulnerabilities are you looking for?
2. How long will it take to complete the audit?
Deciding on specific vulnerability types helps us collect the relevant information (for example, the dictionary of functions that cause the problem) more accurately and comprehensively.
Determine the time frame of the whole audit. Time can serve as a quantitative criterion for judging whether the audit succeeded. Of course, the planned time can be adjusted for different situations or code bases.

0x03 Nature of Vulnerabilities

The essence of a program is variables and functions, and vulnerabilities cannot be separated from these two elements. Let us first look at the conditions for a vulnerability:
1. Controllable variables [all input is harmful]
2. The variables reach useful functions [dangerous functions] [all variables entering the function are harmful]
The effect of exploiting a vulnerability depends on the function. The following section therefore describes these two elements in the vulnerability-mining process.

0x04 Vulnerability Mining

This chapter will not go deep into vulnerability-mining skills, because each skill involves a technology of its own, and a single skill could fill an article. What I mention here is only the basics of vulnerability mining. The purpose is simple: to borrow a metaphor, I have just opened a window for someone trapped in a high-rise building; how to climb down is not covered in this chapter. Of course, it would be nice if you decided you could take the stairs.
In the previous chapter we mentioned that the two major elements of a vulnerability are controllable variables and the functions those variables can enter. So we will start from these two aspects.

Starting from variable tracing, we are like someone standing at the centre of a circle: there are many "paths" to deal with, but not every "path" reaches a triangle (a function).

Therefore, in the usual manual code audit process, most people choose to find the dangerous function first, then trace back from the variable inside the dangerous function to the input variable.
My own audit method also tends to locate variables via functions. Although this works well, we should not abandon variable tracking. If you have a good automatic variable-tracking tool, you are lucky and can complete this task without much effort. If you audit manually, I recommend collecting the "final form" of user input (the final form being the form in which a value passed in by the user through various channels ends up after all processing, waiting to be called). This helps us quickly decide whether a function is exploitable when tracking dangerous functions.
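As an added example (not code from the article or from any tool it mentions), here is a small Python script that implements the sink-first approach described above together with the two vulnerability conditions from 0x03: it finds calls to a list of dangerous functions in a constructed PHP fragment, backtracks each argument variable through simple assignments to see whether it derives from a superglobal, and records which sanitising functions the value passed through on the way, i.e. its "final form". The dangerous-function and sanitizer lists, the PHP sample and the one-assignment-per-line parsing are all assumptions made for this example.

```python
import re

# Constructed PHP fragment for the demo (not taken from any real project):
# $file reaches system() unsanitised, while $id goes through intval() first.
PHP_SAMPLE = r"""<?php
$id   = $_GET['id'];
$safe = intval($id);
$file = $_GET['file'];
$path = "/var/log/" . $file;
system("tail " . $path);
$row  = mysql_query("SELECT * FROM t WHERE id=" . $safe);
"""

# Assumed lists: sinks to backtrack from, sanitizers that change the
# "final form" of a value, and the superglobals that mark user input.
DANGEROUS = {"system", "exec", "passthru", "eval", "include", "mysql_query"}
SANITIZERS = {"intval", "escapeshellarg", "htmlspecialchars", "addslashes"}
SUPERGLOBALS = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")  # one `$x = ...;` per line
CALL_RE = re.compile(r"\b(\w+)\s*\(")                     # `name(`
VAR_RE = re.compile(r"\$\w+")                             # `$name`


def sanitizers_in(text):
    """Names of known sanitizing functions called somewhere in `text`."""
    return {f for f in SANITIZERS if re.search(r"\b%s\s*\(" % f, text)}


def parse_assignments(lines):
    """Map line index -> (target variable, right-hand side) for simple assignments."""
    out = {}
    for i, line in enumerate(lines):
        m = ASSIGN_RE.match(line)
        if m:
            out[i] = (m.group(1), m.group(2))
    return out


def find_sinks(lines):
    """Yield (line index, function name, argument text) for every dangerous call."""
    for i, line in enumerate(lines):
        for m in CALL_RE.finditer(line):
            if m.group(1) in DANGEROUS:
                end = line.rfind(")")
                yield i, m.group(1), line[m.end():end] if end > m.end() else ""


def backtrack(var, upto, assigns, depth=0):
    """Walk upwards from line `upto` to the nearest definition of `var`.

    Returns (superglobal, sanitizers applied, [(line, variable), ...]) when the
    value derives from user input, otherwise None. Self-referential assignments
    ($x = $x . "a") are skipped to avoid loops; depth is bounded as well.
    """
    if depth > 10:
        return None
    for i in range(upto - 1, -1, -1):
        if i not in assigns or assigns[i][0] != var:
            continue
        rhs = assigns[i][1]
        applied = sanitizers_in(rhs)
        for sg in SUPERGLOBALS:
            if sg in rhs:                      # reached the input directly
                return sg, applied, [(i, var)]
        for v in VAR_RE.findall(rhs):          # otherwise follow each variable
            if v == var:
                continue
            found = backtrack(v, i, assigns, depth + 1)
            if found:
                src, inner, chain = found
                return src, applied | inner, [(i, var)] + chain
        return None                            # nearest definition is not user input
    return None


def audit(php):
    """Report every dangerous call whose argument traces back to a superglobal."""
    lines = php.splitlines()
    assigns = parse_assignments(lines)
    findings = []
    for i, func, args in find_sinks(lines):
        for v in VAR_RE.findall(args):
            if v in SUPERGLOBALS:              # e.g. system($_GET['c'])
                trace = (v, sanitizers_in(args), [])
            else:
                trace = backtrack(v, i, assigns)
            if trace:
                src, applied, chain = trace
                findings.append({"line": i + 1, "sink": func, "var": v, "source": src,
                                 "sanitized_by": sorted(applied),
                                 "chain": [name for _, name in chain]})
    return findings


if __name__ == "__main__":
    for f in audit(PHP_SAMPLE):
        flag = "check sanitizer" if f["sanitized_by"] else "UNSANITIZED"
        path = " <- ".join(f["chain"] + [f["source"]])
        print(f'line {f["line"]}: {f["sink"]}({f["var"]}) <- {path} [{flag}]')
```

The "sanitized_by" list is the final form the auditor cares about: an empty list on a sink is the case to look at first, while a sink reached only through intval() or escapeshellarg() can usually be deprioritised. A real tool would need to follow includes, functions and control flow; this one only understands straight-line single-assignment code.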

0x05 Summary

In this part I give some good methods and some content that must be accumulated when learning auditing.

5.1 Accumulation

1. Analyse and understand each vulnerability (PoC)
2. Analyse the patches or fixes of fixed vulnerabilities (e.g. the secondary exploitation of the DEDE and Discuz global-variable-overwrite vulnerabilities)
3. General and common configurations for building a platform

5.2 Practice

1. Read large code bases to understand the code execution flow.
2. Mine vulnerabilities in small code bases: practice + confidence
3. Develop PoCs to gain an in-depth understanding of the exploitation process

0x06 Thoughts

In this section I list the questions that came to mind while learning and practising code auditing, for which I do not have answers. I hope we can discover new ideas while thinking about them.

6.1 How to break out of traditional thinking

Many established companies have set up security departments or hired security staff to perform code audits, and many automated and commercial code-audit tools have emerged as a result. This has led to a situation in which the security of large companies' products has greatly improved and the obvious vulnerabilities are basically extinct; the auditing techniques everyone knows no longer work.
There is no absolutely secure code. We need to break out of the traditional mindset to find new vulnerabilities. This is the so-called "stepping out of the picture to see the painting", but how to step out is what we need to think about now.

6.2 Feasibility of automated variable tracking

While learning and practising code auditing, I did not find an automatic tool for variable tracking; most tools only search for dangerous functions. Traditional code audits are static, whereas variable tracking needs to be done dynamically, which is the main reason variable tracking is such heavy work.
Based on this problem, one idea is to add a feature to a code debugging tool that pauses execution when a specific variable changes or before certain functions run. In this way we can set the controllable variables we need to track during the audit, and when the variable's value changes we can immediately see what happened.
We can also write a script to list the functions that a specific variable must pass through or may pass through. We can then combine this with the results of dangerous-function tracking and look for the intersection, greatly improving efficiency and effectiveness.
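As an added example (not from the article or any existing tool), here is the script idea just described, in Python: it forward-tracks one chosen variable through a constructed PHP fragment, lists every function that the variable or any alias derived from it is passed to, logs each line where a tracked value is (re)assigned (the points at which the debugger pause from the previous paragraph would fire), and intersects the visited functions with a dangerous-function list. The PHP sample, the function list and the line-oriented parsing are assumptions made for this example.

```python
import re

# Constructed PHP fragment for the demo (not from any real project): the
# tracked value is escaped on one path and reaches exec() raw on another.
PHP_SAMPLE = r"""<?php
$name = $_POST['name'];
$clean = htmlspecialchars($name);
echo_box($clean);
$cmd = "ping " . $name;
log_line($cmd);
exec($cmd);
"""

# Assumed dangerous-function list, i.e. what a sink scanner would report.
DANGEROUS = {"exec", "system", "passthru", "eval", "include"}

ASSIGN_RE = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?);\s*$")  # one `$x = ...;` per line
CALL_RE = re.compile(r"\b(\w+)\s*\(")                     # `name(`
VAR_RE = re.compile(r"\$\w+")                             # `$name`


def track_variable(php, var):
    """Forward-track `var` through the code in program order.

    Returns (visits, changes): `visits` lists every (line, function, variable)
    where the tracked variable or an alias derived from it is passed to a
    function; `changes` lists every (line, variable, expression) where a
    tracked value is (re)assigned. Only single-line assignments are understood;
    for nested calls such as f(g($x)) both f and g are recorded.
    """
    tainted = {var}
    visits, changes = [], []
    for i, line in enumerate(php.splitlines()):
        m = ASSIGN_RE.match(line)
        rhs = m.group(2) if m else line
        # Every call whose argument text mentions a tracked variable.
        for call in CALL_RE.finditer(rhs):
            end = rhs.rfind(")")
            args = rhs[call.end():end] if end > call.end() else ""
            for v in VAR_RE.findall(args):
                if v in tainted:
                    visits.append((i + 1, call.group(1), v))
        # Assigning from a tracked value spreads the tracking to the target.
        if m and (m.group(1) in tainted
                  or any(v in tainted for v in VAR_RE.findall(rhs))):
            tainted.add(m.group(1))
            changes.append((i + 1, m.group(1), rhs))
    return visits, changes


def suspicious_calls(visits):
    """Intersect the functions the variable reached with the dangerous list."""
    return [v for v in visits if v[1] in DANGEROUS]


if __name__ == "__main__":
    visits, changes = track_variable(PHP_SAMPLE, "$name")
    for line, target, expr in changes:
        print(f"line {line}: {target} = {expr}")
    for line, func, v in visits:
        mark = "  <-- dangerous" if func in DANGEROUS else ""
        print(f"line {line}: {func}({v}){mark}")
```

Run against the sample, the visit list shows the value passing through htmlspecialchars() on its way to echo_box(), and reaching exec() through the alias $cmd without any escaping; only the second entry survives the intersection with the dangerous list, which is exactly the narrowing the paragraph above is after.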

0x07 References

1. Web code auditing and penetration testing (slides), by 80vul
2. Advanced PHP application vulnerability auditing techniques, by 80vul
3. Worked example analysis: opening the door to code auditing, by 90sec
