PHP code Audit

Source: Internet
Author: User

PHP is a widely used scripting language, especially suited to web development. It is cross-platform, easy to learn, and has a rich function library. According to statistics, more than 34% of websites worldwide run PHP applications, including large portals such as Yahoo, sina, 163, and sohu. In addition, many well-known web application systems, including bbs, blog, wiki, and cms packages, are developed in PHP, such as Discuz, phpwind, phpbb, vbb, wordpress, and boblog.


As attention to web security has grown, security issues in PHP application code have come to the fore. More and more security researchers are working in this field, and more application code vulnerabilities are being exposed. In this situation, the traditional PHP vulnerability hunter will find fewer and fewer vulnerabilities. Since traditional auditing methods can no longer reach the goal of discovering vulnerabilities, why not try new auditing methods and ideas? The purpose of code auditing is to discover vulnerabilities that can be exploited, so we do not have to understand the whole code base from end to end, but we do need to prepare before starting: just as before a penetration test we collect enough information about the target and plan the approach with tools.
The essence of a program is variables and functions, and a vulnerability cannot be separated from these two elements. The conditions for a vulnerability to form are: 1. all input to a controllable variable is potentially harmful; 2. when a variable reaches a function with exploitation value (a dangerous function), every variable that enters that function is harmful. The effect of exploiting the vulnerability depends on the function. The following section therefore describes these two elements in the vulnerability mining process.

The security of a website involves many aspects, and code security is an important factor. Code audit is used to improve code security, so let's talk about code audit; this time we use DVWA.
DVWA (Damn Vulnerable Web Application) is a set of web vulnerability testing programs written in PHP + MySQL for teaching and detecting conventional web vulnerabilities. It includes SQL injection, XSS, blind injection, and other common security vulnerabilities.
The following is a simple example of code auditing based on the three levels of the SQL injection code in DVWA.
First, compare the PHP code at the low, medium, and high levels. Low:

[Figure: 1.png]

Medium:

[Figure: 2.png]

High:

[Figure: 3.png]

The red boxes mark the differences between the three versions of the code: medium has one more statement than low, and high has one more statement than medium.
The SQL injection page of DVWA contains an input box. Entering 1 at all three levels gives the same result. The browser address bar changes to http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit# and the following appears below the input box:

[Figure: 4.png]

1. When 1' is entered at the low level, the browser address bar becomes http://localhost/dvwa/vulnerabilities/sqli/?id=1'&Submit=Submit# and the following error appears: You have an error in your SQL syntax; ... '1'' at line 1.
2. At the medium level, enter 1'. The address bar is the same as at the low level, and the error message is: You have an error in your SQL syntax; ... '\'' at line 1.
3. At the high level, enter 1'. The address bar remains unchanged, no error occurs, and no normal query result is displayed either.

Normally, when you enter 1 in the input box, the user with id = 1 is queried from the database with the statement SELECT first_name, last_name FROM users WHERE user_id = '$id', and the information of the user with id = 1 is returned.
However, an error occurs at the low and medium levels once a single quotation mark is appended to the 1. Look at the code above: at the low level the input is not processed at all; what the user entered is placed directly into the query statement. At the medium level the mysql_real_escape_string() function is added, which escapes the special characters in a string used in an SQL statement; this is the backslash placed before the single quote in the error message (\').
At the high level the stripslashes() function is added in front of the escape function. It removes the backslashes added by addslashes(), because at the high level PHP's magic_quotes_gpc is on, which automatically runs addslashes() on all GET, POST, and COOKIE data; that is why stripslashes() is used there. The differences are now clear, so let's try injecting SQL statements at the three levels. Low: http://localhost/dvwa/vulnerabilities/sqli/?id=1 order by 2 --+&Submit=Submit#

[Figure: 5.png]

http://localhost/dvwa/vulnerabilities/sqli/?id=1' order by 2 --+&Submit=Submit#

[Figure: 6.png]

http://localhost/dvwa/vulnerabilities/sqli/?id=1' union select 1, 2 --+&Submit=Submit#

[Figure: 7.png]

http://localhost/dvwa/vulnerabilities/sqli/?id=1' union select 1, concat_ws(char(32, 58, 32), user(), database(), version()) --+&Submit=Submit#

[Figure: 8.png]

In this way the current user, database, and version are displayed; concat_ws is a MySQL function. At the medium level, special characters are automatically escaped with a backslash, which breaks the query statement, and an error is shown on the page. At the high level, only a valid id displays the correct information normally; anything else returns nothing. In addition, there are two further differences at the high level: it checks whether the input is a number and encloses the value in single quotes, so that invalid characters have no effect.

[Figure: 9.png]

The PHP code at the high level has reached a fairly high level of security, but it cannot be called the most secure, because vulnerabilities may still exist. Code audit means checking the source code for defects and error messages, analysing and finding the security vulnerabilities caused by these problems, and providing measures and suggestions for revising the code. This lets you find and eliminate problems during the development and operations phases of a system.
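As an added example (not DVWA's own code and not from the original article), the three handlers described above are reduced to how each one builds the query from the request parameter, followed by the prepared-statement form an audit would recommend. addslashes() stands in for mysql_real_escape_string(), which needs a live connection and was removed in PHP 7; the $pdo connection in fetch_user() is assumed.

```php
<?php
// Low: the raw parameter is concatenated straight into the SQL string.
function query_low(string $id): string {
    return "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
}

// Medium: special characters are backslash-escaped before concatenation,
// so a stray quote produces a syntax error instead of a second query.
function query_medium(string $id): string {
    $id = addslashes($id);
    return "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
}

// High: strip any magic_quotes backslashes, escape, then only build the
// query for purely numeric input. Returns null when the input is rejected.
function query_high(string $id): ?string {
    $id = addslashes(stripslashes($id));
    if (!is_numeric($id)) {
        return null;
    }
    return "SELECT first_name, last_name FROM users WHERE user_id = '$id'";
}

// Hardened form: a prepared statement with a typed parameter, so the value
// never becomes part of the SQL text at all. $pdo is an assumed PDO handle.
function fetch_user(PDO $pdo, string $id): array {
    if (!ctype_digit($id)) {          // reject anything that is not a plain integer
        return [];
    }
    $stmt = $pdo->prepare('SELECT first_name, last_name FROM users WHERE user_id = ?');
    $stmt->execute([(int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed sample inputs: the normal id and the two probes used above.
foreach (["1", "1'", "1' union select 1, 2 --"] as $input) {
    echo "input: $input\n";
    echo "  low:    ", query_low($input), "\n";
    echo "  medium: ", query_medium($input), "\n";
    echo "  high:   ", query_high($input) ?? '(rejected: not numeric)', "\n";
}
```

Running it shows the low query carrying the probe verbatim, the medium query carrying a backslashed quote that MySQL rejects, and the high handler refusing both probes before any SQL is built.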


This article is from the "no trace" blog; please do not reproduce it!
