PHP Fuzzing in Action: Source Code Audit


Author: Shahin Ramezany
Translator: Riusksk (quange: http://riusksk.blogbus.com)


Contents:
Section 1: 20 PHP source code quick auditing methods
Section 2: PHP source code auditing automation (PHP Fuzzer)

Risk levels used below:
■ Low
■ Medium
■ High


Before starting a PHP code analysis, complete the following two tasks:
1. Install PHP;
2. Use an editor with PHP syntax highlighting (such as EmEditor or Notepad++).
The methods in the following sections are only a reference for simple attack and defense; this article aims to introduce the attack and the corresponding defense side by side.
Note 1: Some of these topics are copyrighted by Wikipedia.
Note 2: Search the PHP source code for the following variables:

$_SERVER
$_GET
$_POST
$_COOKIE
$_REQUEST
$_FILES
$_ENV
$HTTP_COOKIE_VARS
$HTTP_ENV_VARS
$HTTP_GET_VARS
$HTTP_POST_FILES
$HTTP_POST_VARS
$HTTP_SERVER_VARS

All of the above variables carry external input into a PHP script (the $HTTP_*_VARS arrays are the deprecated long-form names of the superglobals).
Note 3: For more information about these variables, see the official PHP website, www.php.net.

Section 1: 20 PHP source code quick auditing methods
1-Cross Site Scripting (XSS)/CRLF [Medium]
XSS is a type of security vulnerability in web applications. It allows an attacker to inject malicious content, such as HTML or client-side script, into pages viewed by other users. An attacker can use a cross-site scripting vulnerability to bypass access controls such as the same-origin policy. These vulnerabilities are used to build phishing and browser attacks.

Attack:
The attacker injects HTML code into the request.
Example 1:
<?php
$error_message = $_GET['error'];
print $error_message;
?>
index.php?error=<script>alert(document.cookie)</script>
Example 2:
<html>
<body>
<input name="show_courses" value="<?php echo $_GET['show_courses']; ?>">
</body>
</html>
# http://FIG:81/1.php?show_courses="><script>alert(document.cookie);</script>

Defense:
<?php
$error_message = $_GET['error'];
print htmlspecialchars($error_message);
?>
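The defense above escapes for the page body only. The following is an added example, not code from the original article, showing one escaping helper (the name h() is this example's own) used in both output contexts of the two examples: the page body and an HTML attribute value.

```php
<?php
// Added example (not from the original article): one escaping helper for both
// output contexts of the examples above, the page body (example 1) and an HTML
// attribute value (example 2). ENT_QUOTES also escapes single quotes, which the
// default flags of older PHP versions leave alone; the explicit charset avoids
// multibyte edge cases. The h() name is this example's own.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Example 1 (body context): the <script> tag is shown as text, not executed.
function renderError(string $error): string
{
    return '<p>' . h($error) . '</p>';
}

// Example 2 (attribute context): the closing quote becomes &quot;, so the
// attacker cannot break out of value="..." and start a new tag.
function renderCourses(string $courses): string
{
    return '<input name="show_courses" value="' . h($courses) . '">';
}

// Constructed sample input: the payloads from the two attack requests above.
echo renderError($_GET['error'] ?? '<script>alert(document.cookie)</script>');
echo renderCourses($_GET['show_courses'] ?? '"><script>alert(document.cookie);</script>');
```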

More information:
http://ha.ckers.org/xss.html
http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.googlebig.com/forum/cross-site-scripting-attack-and-defense-guide-t-178.html

2-SQL Injection [medium]
SQL injection is a code injection technique that exploits a security vulnerability in the data layer of a web application. It occurs when user-supplied input is embedded in an SQL statement without proper filtering or escaping, or when the input is not strictly validated, so that attacker-controlled SQL is executed. It is a common vulnerability that can appear in any programming or scripting language that embeds SQL statements.

Attack:
SQL injection is one of the most serious vulnerabilities found during PHP code audits. The description here is only a brief overview; for details on such attacks see the references below.

Example 1:
<?php
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id=" . $id . ";";
...
?>
index.php?id=1+UNION+SELECT+1,@@version,3,4,5+from+users/*

Example 2:
# login.php:
<?php
// login.php -- SQL injection vulnerable page
// Attack and defense PHP apps book
// Shahriyar-j
$user = $_POST['user'];
$pass = $_POST['pass'];
$link = mysql_connect('localhost', 'root', 'pass') or die('Error: ' . mysql_error());
mysql_select_db("sql_inj", $link);
// user input is concatenated straight into the SQL text
$query = mysql_query("SELECT * FROM sql_inj WHERE user=" . $user . " AND pass=" . $pass, $link);
if (mysql_num_rows($query) == 0) {
    echo '<script type="text/javascript">location.href="index.html";</script>';
    exit;
}
$logged = 1;
?>

When a user (possibly an attacker) sends $_POST['user'] and $_POST['pass'] to login.php, these values are placed directly into the SQL statement. If the attacker sends:
$user = 1 OR 1=1
$pass = 1 OR 1=1
the login check in login.php is bypassed; readers should watch for this kind of code.

Defense:
The following is a commonly seen anti-injection snippet (blacklist filtering):
<?php
$title = $_POST['title'];             // user input from the site
$description = $_POST['description']; // user input from the site
// Define the cleaner
$dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+", "%");
// Clean user input: every character listed above is replaced by whatever is in
// the quotes, in this example by nothing
$title = str_replace($dirtystuff, "", $title);             // works!
$description = str_replace($dirtystuff, "", $description); // works!
// Input:  I "like/green <** veget = a-bles>; and <pizza **
// Output: I like green vegetables and pizza
// Input:  a; drop table users; SELECT * FROM data WHERE name LIKE %
// Output: a drop table users SELECT  FROM data WHERE name LIKE
?>
(Whitelist filtering is preferable to a blacklist like this one.)
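The blacklist above strips characters but still builds SQL from strings. As an added example (not the article's own code), here is the login check from login.php rewritten with PDO prepared statements, together with a digits-only whitelist for the id of example 1; the DSN, the app_* credentials and the table layout are assumptions.

```php
<?php
// Added example (not from the original article): the login check from
// login.php rewritten with PDO prepared statements, plus a whitelist check
// for the numeric id of example 1. DSN, credentials and the app_* names are
// assumptions; the table is still sql_inj with columns user and pass.
function connect(): PDO
{
    return new PDO('mysql:host=localhost;dbname=sql_inj', 'app_user', 'app_pass', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]);
}

// Example 2, fixed: user and pass travel as bound parameters, never as SQL
// text, so "1 OR 1=1" is compared literally and matches no row.
// (Plaintext passwords in the table are a separate problem; password_hash()
// and password_verify() are the fix for that.)
function loginOk(PDO $pdo, string $user, string $pass): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM sql_inj WHERE user = :user AND pass = :pass');
    $stmt->execute([':user' => $user, ':pass' => $pass]);
    return $stmt->fetchColumn() !== false;
}

// Example 1, fixed: a whitelist (digits only) rejects the UNION payload before
// it reaches the database, and the value is bound, not concatenated.
function findUser(PDO $pdo, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null; // "1 UNION SELECT ..." never passes this check
    }
    $stmt = $pdo->prepare('SELECT * FROM users WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();
if (!loginOk($pdo, $_POST['user'] ?? '', $_POST['pass'] ?? '')) {
    header('Location: index.html');
    exit;
}
$logged = 1;
```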

For more information:
http://en.wikipedia.org/wiki/SQL_injection
http://drewish.com/files/SQL Injection Overview.ppt
http://www.php.net/manual/en/security.database.sql-injection.php

Attack instances:
http://www.milw0rm.com/papers/241
http://www.milw0rm.com/papers/202

3-HTTP Response Splitting [Medium]
HTTP response splitting is a web application vulnerability caused by insufficient filtering of input values by the application or its environment. It can be used for cross-site scripting, cross-user attacks, web cache poisoning and similar attacks.

Important HTTP header lists:

In PHP, HTTP headers are set with the header() function. While auditing, search the source for header() and for the $_SERVER superglobal; some $_SERVER entries contain user-supplied data:
REQUEST_URI, PATH_INFO, QUERY_STRING
Example 1:
<?php
$redirect_page = $_GET['page'];
header("Location: " . $redirect_page);
?>
redirect.php?page=http://www.abysssec.com
For $_SERVER:
<?php
echo "Welcome From " . $_SERVER['HTTP_REFERER'];
?>

You can use the Mozilla Firefox add-on "Tamper Data" to modify the HTTP headers a request sends:
https://addons.mozilla.org/en-US/firefox/addon/966
 
Example 2:
<?php
$name = "test";                          // sender's name
$email = "email@adress.com";             // sender's e-mail address
$recipient = $_GET['to'];                // recipient, taken straight from the request
$mail_body = "The text for the mail..."; // mail body
$subject = "Subject...";                 // subject
$header = "From: " . $name . " <" . $email . ">";
mail($recipient, $subject, $mail_body, $header); // mail command :)
?>

CRLF injection is another form of HTTP response splitting. In the example above, the $recipient variable on line 4 is not validated at all, so an attacker can append a "CC" header. Mail headers are normally built like this:
$headers = "From: myplace@here.com\r\n";
$headers .= "CC: sombodyelse@noplace.com\r\n";
"From" and "CC" are separated by a CRLF (\r\n), which is exactly what the attacker supplies.

Polluted input:
mail.php?to=info@test.com[CRLF]CC: sombodyelse@noplace.com
([CRLF] stands for the injected line break.)

Defense:
1. Check the input value of every mail header.
2. Select the redirect target by an id instead of accepting a URL:
<?php
$id = $_GET['url_id'];
if ($id == 1) {
    header("Location: " . $redirect_page); // $redirect_page is a fixed URL defined server-side, not user input
}
?>

And:

<?php
echo "Welcome From " . htmlspecialchars($_SERVER['HTTP_REFERER']);
?>
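The two defenses above, carried through as an added example that is not the article's own code: a recipient check that refuses any CR or LF and requires a valid address for mail.php, and a server-side id-to-URL table for redirect.php (the REDIRECTS table and its entries are constructed assumptions).

```php
<?php
// Added example (not from the original article): hardened versions of the
// mail.php recipient check and the redirect.php id lookup. The REDIRECTS
// table and its entries are assumptions.

// Defense 1: refuse any value carrying CR or LF, then require a syntactically
// valid address, so "CC:" can never be smuggled into $recipient.
function safeRecipient(string $to): ?string
{
    if (preg_match('/[\r\n]/', $to)) {
        return null; // injected line break: refuse rather than try to clean
    }
    $to = filter_var($to, FILTER_VALIDATE_EMAIL);
    return $to === false ? null : $to;
}

// Defense 2: the client sends only an id; the URL comes from this server-side
// table, so neither a foreign URL nor a CRLF can reach header().
const REDIRECTS = [
    1 => 'http://www.abysssec.com', // constructed sample entries
    2 => 'https://www.php.net/',
];

function redirectTarget(string $urlId): ?string
{
    if (!ctype_digit($urlId)) {
        return null;
    }
    return REDIRECTS[(int) $urlId] ?? null;
}

// mail.php
$to = safeRecipient($_GET['to'] ?? '');
if ($to === null) {
    http_response_code(400);
    exit('invalid recipient');
}
mail($to, 'Subject...', 'The text for the mail...', "From: test <email@adress.com>\r\n");

// redirect.php
$target = redirectTarget($_GET['url_id'] ?? '');
if ($target === null) {
    http_response_code(404);
    exit('unknown redirect');
}
header('Location: ' . $target);
exit;
```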
Attack instances:
(Video): http://www.milw0rm.com/video/watch.php?id=28
http://www.securiteam.com/unixfocus/6F00Q0K6AK.html
http://o0o.nu/~meder/o0o_Blogger_HTTP_response_splitting.txt
http://www.securityfocus.com/archive/1/369405

4-Dynamic assignment
