PHP Code Audit Basics

One, GPC

1. Integer type not affected by GPC
2. $_server variable is not protected by GPC
3. $_files variable is not protected by GPC
4. Wide byte injection
5. Database operations easy to forget to add single quotation marks where: in ()/limit/order By/group by
6. Only the value of the variable is filtered, but no key is filtered (some programs use key in the code, such as bringing in SQL statements)
7. php5.3 later $_request no longer contain $_cookie (may result in incomplete filtering)
8. When GPC is on, the GPC does not handle the key of the first dimensional variable in the case of PHP4 and php<5.2.1
9. After the parameters are filtered and other operations are performed, such as substr,str_replace, this may cause the escape character to be deleted

Second, the characteristics

Functions/Syntax	features
In_array	Type conversion of data prior to comparison
Is_numeric	Hexadecimal can bypass
Intval	Converts a string into a type, as long as the first character is a number to convert successfully
Iconv	Cause string truncation
= = and = = =	Double equals on both sides if the variable types are different, type conversions are done
` `	Anti-quote Command execution
“”	Double quote variable parsing
$a ($b)	Dynamic function execution
Is_file	Use wildcard characters (<,>) to bypass

Iii. Dangerous functions

• Code execution

1. Eval
2. Preg_replace
3. Assert
4. Call_user_func
5. Call_user_func_array
6. Create_function
7. Array_map

• file contains

1. Include
2. Require
3. Require_once
4. Include_once

• File read

1. File_get_contents
2. Highlight_file
3. fopen
4. ReadFile
5. Fread
6. Fgetss
7. Fgets
8. Parse_ini_file
9. Show_source
10. File ()

• File Upload

1. Move_uploaded_file

• Command execution

1. Exec
2. System
3. Popen
4. PassThru
5. Proc_open
6. Pcntl_exec
7. Shell_exec
8. ` `

• Variable override

1. $$
2. Extract
3. Parse_str
4. Mb_parse_str
5. Import_request_variables

• Encoding and decoding of variables

1. Stripslashes
2. Base64_decode
3. Rawurldecode
4. UrlDecode
5. Unserialize
6. Iconv
7. Mb_convert_encoding

• Cross-site Scripting

1. Echo
2. Print
3. Printf
4. sprintf
5. Print_f
6. vprintf
7. Die
8. Var_dump
9. Var_export

• Deserialization

1. Serialize
2. Unserialize
3. __construct constructor function
4. __destruct Destruction function
5. __tostring automatically called when the object is printed
6. Automatic invocation of __sleep serialization
7. __wakeup automatically called when deserializing

• Enumeration

1. When Rand uses RAND to process sessions, attackers are prone to brute force to crack the session

Iv. reading Skills

1. Read from the index file to learn about the program run process
2. What security procedures are being handled at the entrance of the inspection program
3. Check what security is being handled at the database entrance
4. Check the code at the database connection
5. Check login, register, retrieve password, bind mailbox, file management and file upload function points
6. The process of procedure invocation and the flow of input data are cleared, which saves a lot of time and can be used to find a loophole.

V. NEW skills

1. file contains truncation new pose: http://www.hackersb.cn/hacker/105.html

   $a = $_get[' file ']; Include $a. '. html.php ';

In the case where the protocol can be controlled, a new hello.html.php is created, the content is phpinfo (), then compressed into a zip, and then accessed Http://localhost/test/blog.php?file=zip://test.zip%23hello
Note: The variable name needs to be at the beginning to control the protocol

1. function as above, protocol replacement for Phar, access by: http://localhost/test/blog.php?file=phar://1.zip/1.php

PHP Code Audit Basics