How php code detects vulnerabilities that are not open-source

Source: Security Focus
Author: T_Torchidy (jnchaha_at_163.com)

Currently, many php software vendors have begun to use Zend encryption to encrypt their products for some purposes. When customers use it, they do not know the details in the program, it is indeed difficult for those who engage in security, so some vendors began to think that Zend products are safe. But in fact, even if you do not know the original code and do not consider Zend cracking, we can also use some features of Php to obtain some commercial logic and information of the program to detect program vulnerabilities.
There are generally three security methods for testing programs. The first is completely unaware of the source code and the details of internal processing of the program, the details of the program and possible problems are completely guessed by the input parameters. The other is to get the program code to know the code processing process, analyze the code to obtain the program problems. Another method is the gray-box testing in the middle. You can know some details about the program. Here we may want to talk about this method, because we know that Zend's so-called encryption is actually converting PHP code into an intermediate code, on hosts that support Zend encryption, they are eventually translated into the underlying code for execution like normal PHP files, but the source code is invisible. Note that the encryption code runs in the environment provided by us. The language environment he uses is PHP on our machine, the selected database and other storage systems are the file systems we provide or databases such as Mysql, which is much more usable than the pure black box test, because we have full control over the operating environment, and even most of the processing results are visible to us, we have the opportunity to drill down.
Then let's talk about common vulnerabilities in PHP code. Common Vulnerabilities include SQL injection, file inclusion, code execution, Xss injection, and logic errors. When we know the code, we can easily detect most of the vulnerabilities. However, because the code encryption becomes invisible, only the general black box testing method can be used to detect some common vulnerabilities, however, some variables are not initialized and some logical errors are powerless. The following describes how to detect program security issues at the application layer.

The first is how to "debug" the encrypted PHP script. The debugging here actually refers to how to run the encrypted PHP script in a controllable environment, the method I used here is to create a PHP file to include the encrypted PHP file to be debugged. Before the include operation, we can set the debugging code, after the include statement is executed, you can use the method mentioned later to view the script information. For example, to debug zend. php, the encrypted file, you can use the following method:

 

Eg <? Php
// Some code before running
Echo "Just a example ";
Include zend. php;
Echo "OK ";
// Some running code
?>

 

In this way, things in zend. php will be affected by our influence.

The next step is to probe the code. Fortunately, PHP provides a lot of functions for us to use. For example, some useful ones are:

Get_defined_vars returns an array composed of all Defined variables (PHP 4> = 4.0.4, PHP 5)
Get_declared_classes returns an array composed of the names of the defined classes (PHP 4, PHP 5)
Get_defined_constants returns an array composed of the names of defined constants.
Get_defined_functions returns the Defined Function
Get_included_files
......

You can check in the php manual and use these functions to do many things. For example, we know that zend is an encrypted file. php contains what we really want, such as the database account password, such as an encrypted Key, such ...... then we can include this file using the above method, and then use the get_defined_vars function to view the information. The example is as follows:

 

Eg <? Php
Include zend. php;
Print_r (get_defined_vars );
?>

 

How are you doing? Similarly, some programmers usually put some functions in a PHP file, and we can get the functions defined in this PHP file in the same way.

In some program cracking, there is often a saying called Hook. In fact, we can also perform simple Hook during our testing. The SQL query of a site often contains a lot of information. If you know that you want to perform an operation, the SQL query is very useful for our test. We have several methods, such as changing the mysql_query function of php, to do something about Mysql. Here we should simply look at what the application layer can do! Generally, PHP Code encapsulates Mysql operations into a file, so we can replace the file and implement the functions they need, in this example, the SQL statements run by him are broken down and saved (Thx Saiy). Then we can analyze these SQL queries. In the same way, we can make a false Function to guess the functions of some functions. In a false Function, use the following func_get_args Function to intercept the input parameters. Of course, this is still unclear about the internal details of the function, but it is often enough to reduce the black box from the file level to the function level.
What can we do for the program itself? For the security of a program, we usually focus on the method of processing parameters. How does the program treat dangerous functions? Does the variable have incorrect initialization ...... wait, we can probably do these things through the above ideas :)

1. Use PHP to set the parameter Processing Method of the guess Program

A PHP program processes parameters. in code, it is very important for a program to process the variables we submit. For example, some programs can run the same way when register globals is off to be compatible with all PHP environments, in addition, addslashes is usually used to handle the issue of the program when the GPC is off, but not all programs can handle the issue correctly. ini settings can roughly predict how the program processes input parameters. For example, we set register globals to off, and then include a file (such as index. php), and then in the final print_r ($ GLOBALS) of the Code, check whether the parameters we have submitted exist in the current symbol table. If so, the program will release the variables, then we submit some dangerous variables such as php? _ POST = aaaaa and check the content of $ _ POST to see if there is a problem with variable overwrite. The Code process is as follows:

 

Eg <? Php
Include index. php;
Print_r ($ GLOBALS );
?>

Of course, you must set register global = off.

2. Use PHP's own error mechanism

During PHP running, some information in the program can be captured based on the custom error level. By default, the uninitialized information is not judged, however, variables without initialization can provide us with useful information. Some common file inclusion vulnerabilities are caused by variable initialization. When we set the running-level error to NOTICE, we can see this information, but it does not rule out that some programs artificially modify the running-level during the running process. I will discuss this method later. After finding the uninitialized variable, we can try to submit it. Looking at the reflection of the program, combined with functions and variable name guessing program writing, we can usually exploit some vulnerabilities.

3. Integrate with php Extension

As a result, PHP provides some query system status functions, such as get_defined_vars provided above. However, these functions are far from enough, however, PHP itself does not overwrite the original functions of the system like js, which means that function redefinition is not allowed, which brings us trouble. For example, we want to track whether the program calls the preg_replace function, there is no way to know the parameter format in it, but it is possible to use PHP extension. We can implement this using a Hook method. For example, if you want to investigate preg_replace, we will first Dump the preg_replace function from the function table into preg_replace_bak, and then create_function to create our own function. Our function is very simple, save the parameter and call the original preg_replace_bak function and return the result. This allows you to monitor the call of this function in the script. Here is a simple code for deleting a function from the function table:

Delete a php extension code for a function.

 

PHP_FUNCTION (fuck_fun)

{

Char * function;
Int function_len;
Zval ** findfun;

If (ZEND_NUM_ARGS ()! = 1 & #124; & #124; zend_parse_parameters (ZEND_NUM_ARGS () TSRMLS_CC, "s", & function, & function_len) = FAILURE ){
WRONG_PARAM_COUNT;
}

TSRMLS_FETCH ();

If (zend_hash_find (EG (function_table), function, strlen (function) + 1, (void **) & findfun) = SUCCESS ){
Php_printf ("Find function % s OK", function );
}
Else {
Php_printf ("Cannt find function % s", function );
}

If (zend_hash_del (EG (function_table), function, strlen (function) + 1) = SUCCESS ){
Php_printf ("% s Unregister OK", function );
}
Else {
Php_printf ("% s Unregister Faild", function );
}
RETVAL_LONG (42 );
Return;
}

4. Continue? The next step is to modify the PHP kernel, which is a bit out of the scope of this article. The article should note that encryption is not everything. By modifying the program running environment and some tips, and then combining the black box testing method, it is possible to find out the security vulnerabilities of encrypted programs, I have detected some encryption programs in China, and there are still some large vulnerabilities :)