PHP code audit vulnerability fuzzy Testing
Preparations before auditing:
1. Install the php Program (phpStudy is recommended)
2. Highlight Editor (Sublimetext Notepad ++ is recommended)
3. Create a new text file and copy the following variables. These variables need to be searched in the source code in the audit.
######################
$_SERVER $_GET $_POST $_COOKIE $_REQUEST $_FILES $_ENV $_HTTP_COOKIE_VARS $_HTTP_ENV_VARS $_HTTP_GET_VARS $_HTTP_POST_FILES $_HTTP_POST_VARS $_HTTP_SERVER_VARS ######################
**************************************** **************************************** **************
Audit method:
1. SQL Injection (SQL Injection vulnerability)
As a vulnerability with the highest severity and hazard, we have to talk about its audit methods first;
Example 1:
#index.php<?php $id= $_GET['id']; $query= "SELECT * FROM users WHERE id= ' “ .$id." ;" ... ?>
The above code is translated as follows:
index.php?id=1+UNION+SELECT+1,@@version,3,4,5+from+users/*
Example 2:
#login.php<?#Login.php(hacklele)#$user = $_POST['user'];$pass = $_POST['pass']; $link = mysql_connect('localhost', 'root', 'pass') or die('Error: '.mysql_e rror()); mysql_select_db("sql_inj", $link); $query = mysql_query("SELECT * FROM sql_inj WHERE user ='".$user."' AND pas s ='" .$pass. "'",$link);if (mysql_num_rows($query) == 0) {echo"<scripttype=\"text/javascript\">window.location.href='index.html';</script>";exit; } $logged = 1;?>
When a user (possibly an attacker) sends $ _ POST ['user'], $ _ POST ['pass'] to login. in php, these variables are directly stored in SQL request commands. If the attacker sends:
$ User = 1 'OR '1' = '1
$ Pass = 1 'OR '1' = '1
This will bypass login. php login verification, and readers should pay attention to this type of code.
**************************************** **************************************** **************
Loding ......