How to Use Session files for attacks?
PHP 4 or the latest version provides support for sessions. Its main function is to save the status information between pages in a PHP program. For example, when a user logs on to the website, the fact that the user logs on and the information about the user logs on to the website will be saved in the session, when he browsed around the website, all PHP code can obtain the status information.
In fact, when a session is started (in fact, it is set to automatically start at the first request in the configuration file), a random "session id" will be generated ", if the remote browser always submits this "session id" when sending requests, the session will remain. This is easily achieved through cookies, or by submitting a form variable (including "session id") on each page. A PHP program can use session to register a special variable. Its value will exist in the session file after each PHP script ends, and will be loaded into the variable before each PHP script starts. The following is a simple example:
<? Php Session_destroy (); // Kill any data currently in the session $ Session_auth = "shaun "; Session_register ("session_auth"); // Register $ session_auth as a session variable ?> |
The new PHP version automatically sets the value of "$ session_auth" to "shaun". If they are modified, the modified values will be automatically accepted in future scripts, this is indeed a good tool for Stateless Web, but we should be careful.
An obvious problem is to ensure that the variables do come from the session. For example, if the above code is given, if the subsequent script is as follows:
<? Php If (! Empty ($ session_auth )) // Grant access to site here ?> |
The above Code assumes that if "$ session_auth" is assigned a value, it is from the session rather than from the user input. If an attacker assigns a value through form input, you can obtain access to the site. Note that the attacker must use this attack method before the session registers the variable. Once the variable is put into the session, it will overwrite any form input.
Session data is generally stored in a file (the location is configurable, generally "/tmp"), and the file name is generally similar to "sess _ <session id>, this file contains the variable name, variable type, variable value, and some other data. In a multi-host system, files are saved as users running Web servers (generally nobody, therefore, malicious site owners can create a session file to obtain access to other sites, and even check the sensitive information in the session file.
The Session mechanism also provides another convenience for attackers to save their input in a remote system file. In the preceding example, an attacker needs to place a file containing PHP code in a remote system. If the file cannot be uploaded, he usually uses session to assign a value to a variable according to his own wishes, and then guesses the location of the session file. He knows that the file name is "php <session id> ", therefore, you only need to guess the directory, and the directory is generally "/tmp ".
In addition, attackers can specify a "session id" (such as "hello") at will, and then use this "session id" to create a session file (such as "/tmp/sess_hello "), however, "session id" can only be a combination of letters and numbers.
How do I use data types for attacks?
PHP has loose data types, and variable types depend on their context. For example, "$ hello" starts with a string variable and its value is "", but when it is evaluated, it becomes an integer variable "0 ", this may sometimes lead to unexpected results. If the value of "$ hello" is "000" or "0" is different, the results returned by empty () will not be true.
Arrays in PHP are associated arrays, that is, the index of arrays is string type. This means that "$ hello [" 000 "]" and "$ hello [0]" are different.
When developing a program, we should carefully consider the above issues. For example, we should not test whether a variable is "0" in one place, and use empty () in another place () to verify.
How can I use error-prone functions to perform attacks? The following is a detailed list of error-prone functions:
<PHP code execution>
Require (): Read the content of the specified file and interpret it as PHP code.
Include (): Same as above
Eval (): run the given string as PHP code.
Preg_replace (): when used with the "/e" switch, the replacement string is interpreted as PHP code.
<Command Execution>
Exec (): Execute the specified command and return the last line of the execution result.
Passthru (): run the specified command to return all results to the client browser.
'': Run the specified command to return all results to an array.
System (): Same as passthru (), but does not process binary data
Popen (): run the specified command to connect the input or output to the PHP file descriptor.
<File leakage>
Fopen (): Open the file and correspond to a PHP file descriptor.
Readfile (): Read the content of the file and output it to the client browser.
File (): Read the entire file into an array.
How to enhance PHP security?
All the attacks we introduced above can be well implemented for the default installed PHP4, but the PHP configuration is very flexible. By configuring some PHP options, we may completely resist some of these attacks. Below we classify some configurations according to the implementation difficulty:
* Low difficulty
** Medium and low difficulty
* ** Medium difficulty
* *** Difficult
If you use all the options provided by PHP, Your PHP will be safe, even for third-party code, because many of the functions are no longer usable.
* *** Set "register_globals" to "off"
This option will disable PHP from creating global variables for user input. That is to say, if the user submits the form variable "hello", PHP will not create "$ hello ", instead, only "HTTP_GET/POST_VARS ['hello']" will be created. This is an extremely important option in PHP. Disabling this option will cause great inconvenience to programming.
* ** Set "safe_mode" to "on"
When this option is enabled, the following restrictions are added:
1. Restrict which command can be executed
2. Restrict which function can be used
3. File Access restrictions based on script ownership and target File Ownership
4. Disable File Upload
This is a "great" option for ISP, and it can greatly improve PHP security.
** Set "open_basedir"
This option can prevent file operations outside the specified directory, effectively eliminating attacks on local files or remote files by include (). However, you still need to pay attention to file upload and session file attacks.
** Set "display_errors" to "off" and "log_errors" to "on"
This option prohibits the display of error information on the webpage, but records it into the log file, which effectively prevents attackers from detecting functions in the target script.
* Set "allow_url_fopen" to "off"
This option disables the remote file function.