First, a few basic concepts of php.ini. Blank lines and lines starting with a semicolon are ignored. A setting takes the form directive = value. Directive names are case-sensitive, so "foo = bar" is not the same as "FOO = bar". The value can be:
1. A string in quotation marks (for example "foo")
2. A number (integer or floating point, for example 0, 1, 34, -1, 33.55)
3. A PHP constant (for example E_ALL, M_PI)
4. An INI constant (On, Off, none)
5. An expression (for example E_ALL & ~E_NOTICE)
Boolean flags have several spellings: 1, On, True or Yes turn a flag on; 0, Off, False or No turn it off; an empty value (or None) means an empty string. php.ini is divided into sections, such as module settings, global PHP settings, database settings, and so on. Figure 1 shows a basic example of a php.ini. With the basics covered, we can start our tour of the security-relevant settings.
Figure 1
The first important directive is register_globals. It controls how PHP receives the parameters passed to a script. Put simply, register_globals means that request parameters are registered as global variables: when it is On, every value passed in GET, POST or cookie data is injected directly into the script's variable scope, so an attacker can preset any variable the script forgets to initialize simply by naming it in the request. When it is Off, scripts must read input explicitly from the $_GET, $_POST and $_COOKIE arrays. Most of the PHP exploits published at www.milw0rm.com depend on register_globals being On. We strongly recommend setting it to Off. It has been Off by default since PHP 4.2 and was removed entirely in PHP 5.4, so only old installations still need to change it, but on those it must be changed.
The second important directive is magic_quotes_gpc. When it is Off, PHP does not escape the four characters ' (single quote), " (double quote), \ (backslash) and NUL in incoming data, and an application that pastes that data into a query can be injected. When it is On, PHP prepends a backslash to each of those characters in every value submitted via $_GET, $_POST and $_COOKIE. We strongly recommend setting magic_quotes_gpc to On on the old PHP versions that still have it, but treat it as a stopgap: it was deprecated in PHP 5.3 and removed in 5.4, it covers only GET, POST and cookie data, and it is no substitute for prepared statements or proper escaping in the application code.
The third important directive is display_errors. Why does it matter? No developer is free of mistakes, and PHP's display_errors helps developers locate and diagnose them. But the same information is just as useful to an attacker. As figure 2 shows, the web root directory is leaked because display_errors was never turned off. That is valuable to an attacker, because many penetration steps need the web directory, for example writing a webshell. We strongly recommend setting this directive to Off (and log_errors to On, so the errors still land in the server log where developers can read them).
Figure 2
The fourth important directive is safe_mode. PHP's safe mode is a built-in mechanism that restricts some functions, such as system() and many file-operation functions, and blocks access to certain sensitive files such as /etc/passwd, but the default php.ini does not enable it. Turn it on with safe_mode = On. Be aware that safe mode is enforced by PHP itself, not by the operating system, so it was never a complete sandbox; it was deprecated in PHP 5.3 and removed in 5.4, and on current versions the directives below (open_basedir, disable_functions) and operating-system permissions are what remain.
The fifth directive is open_basedir. It restricts the files a PHP script can open to the listed directories, which keeps scripts away from files they have no business reading and limits the damage a webshell can do. Usually it is set to the website's own directory (assuming the site lives in E:\test): open_basedir = E:\test. The value is a path prefix, so end each entry with a directory separator: E:\test would also match E:\test2, while E:\test\ would not. Several directories can be listed, separated by ; on Windows and : on Unix. The sixth directive is disable_functions, which lets you switch off functions that are especially dangerous to the system.
For example, the phpinfo() function used in the first part prints the PHP environment, and functions such as system and exec execute operating-system commands. The following list is a reasonable starting point: disable_functions = phpinfo, passthru, exec, system, chroot, scandir, chgrp, chown, shell_exec, proc_open, proc_get_status, ini_alter, ini_restore, dl, pfsockopen, openlog, syslog, readlink, symlink, popen, stream_socket_server. If you are unsure what a function does, look it up in the PHP manual before deciding whether your server can do without it. disable_functions can only be set in php.ini and cannot be re-enabled from a script with ini_set(), which is exactly what makes it useful against a webshell.
The seventh item is the COM component. On Windows the PHP platform had a weakness that lets an attacker use the COM() function to instantiate system components and run arbitrary commands even in safe mode. Safe mode disables system() and passthru(), but if com.allow_dcom is still true the COM() function can still create system component objects that execute commands.
If Apache runs with its default settings, or the web server runs as LocalSystem or a member of Administrators, an attacker can use this to escalate privileges. So com.allow_dcom must be disabled: if it is set to true, change it to com.allow_dcom = false. Where COM ships as a loadable extension (php_com_dotnet), not loading it at all is the more robust fix. The eighth directive is expose_php. It decides whether PHP announces itself in the HTTP response (the X-Powered-By header), as in figure 3: when it is On, the PHP version is leaked. The recommended value is Off.
Figure 3
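As an added example that is not part of the original article, the following Python script parses a php.ini in the syntax described at the top of the page and audits it against the eight directives discussed above. The sample php.ini fragments it contains are constructed for the example, the path E:\test is the one assumed above, and the disable_functions list is the one recommended above; the parser does not handle inline comments after a value.

```python
"""Audit a php.ini against the eight hardening directives discussed above.

Added example, not code from the original article. Parses the php.ini syntax
described on the page (blank lines and ';' comment lines ignored, 'directive =
value', case-sensitive names, quoted strings, On/Off style booleans) and
reports every directive whose value is weaker than the article recommends.
Inline comments after a value are not handled; the samples are constructed.
"""

# php.ini spellings that PHP treats as boolean true / false
_TRUE = {"1", "on", "true", "yes"}
_FALSE = {"0", "off", "false", "no", "none", ""}

# Functions the article recommends listing in disable_functions
DANGEROUS_FUNCTIONS = {
    "phpinfo", "passthru", "exec", "system", "chroot", "scandir", "chgrp",
    "chown", "shell_exec", "proc_open", "proc_get_status", "ini_alter",
    "ini_restore", "dl", "pfsockopen", "openlog", "syslog", "readlink",
    "symlink", "popen", "stream_socket_server",
}


def parse_php_ini(text):
    """Return {directive: value}. Blank lines, ';' comment lines and [section]
    headers are skipped; names are case-sensitive; surrounding double quotes
    on a value are stripped."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[":
            continue
        if "=" not in line:
            continue                      # not a 'directive = value' line
        name, _, value = line.partition("=")
        name, value = name.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]
        directives[name] = value
    return directives


def as_bool(value):
    """Map an INI value to True/False, or None if it is not a boolean spelling."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return None


def audit_php_ini(text):
    """Return a list of findings; an empty list means every check passed."""
    ini = parse_php_ini(text)
    findings = []

    def want_bool(name, expected):
        if name not in ini:
            findings.append(f"{name} is not set; the compiled-in default applies")
        elif as_bool(ini[name]) is not expected:
            findings.append(f"{name} = {ini[name]!r}, expected {'On' if expected else 'Off'}")

    want_bool("register_globals", False)   # never let request data become globals
    want_bool("magic_quotes_gpc", True)    # the article's advice for pre-5.4 PHP
    want_bool("display_errors", False)     # error text leaks paths to attackers
    want_bool("safe_mode", True)           # the article's advice for pre-5.4 PHP
    want_bool("com.allow_dcom", False)     # Windows: no command execution via COM
    want_bool("expose_php", False)         # no X-Powered-By version header

    if not ini.get("open_basedir"):
        findings.append("open_basedir is empty; scripts may read any file")

    disabled = {f.strip() for f in ini.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(DANGEROUS_FUNCTIONS - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    return findings


# Constructed sample: a stock-looking php.ini with the weak settings
WEAK_INI = """\
[PHP]
; constructed sample of an old Windows install
register_globals = On
magic_quotes_gpc = Off
display_errors = On
safe_mode = Off
expose_php = On
com.allow_dcom = true
"""

# Constructed sample: the same file with the article's recommended values
HARDENED_INI = """\
[PHP]
register_globals = Off
magic_quotes_gpc = On
display_errors = Off
safe_mode = On
open_basedir = "E:\\test\\"
disable_functions = phpinfo,passthru,exec,system,chroot,scandir,chgrp,chown,shell_exec,proc_open,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,popen,stream_socket_server
com.allow_dcom = false
expose_php = Off
"""

if __name__ == "__main__":
    for label, body in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(f"== {label} ==")
        for finding in audit_php_ini(body) or ["no findings"]:
            print(" -", finding)
```

Run it as-is to see the weak sample produce one finding per directive and the hardened sample produce none; to audit a real file, pass the contents of your php.ini to audit_php_ini(). Because the parser skips section headers and comment lines exactly as described at the top of the page, a directive that is present only as a commented-out ";register_globals = Off" line is correctly reported as not set.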
That covers the main directives. php.ini contains many more settings, but most have nothing to do with security and concern how PHP runs (optimization and the like); see the official PHP manual if you are interested. Note: after modifying php.ini you must restart the web server (IIS in this setup), otherwise the new values do not take effect.
Source: Chinadu's Blog, http://www.4shell.org. Original address: http://www.4shell.org/archives/1221.html