This article mainly describes the common attack methods for PHP websites, including common SQL injection, cross-site attack types. Several important parameter settings of PHP are also introduced. The following series of articles will stand in the attacker's perspective, revealing PHP security issues for you, while providing a corresponding solution.
The following are the main types of attacks for PHP websites:
1. Order Injection (Command injection)
2. Eval Injection (eval injection)
3. Client-side scripting Attack (script insertion)
4. Cross-site scripting attacks (Scripting, XSS)
5. SQL injection attack (SQL injection)
6. Cross-site request forgery attack (forgeries, CSRF)
7. Session hijacking (Sessions hijacking)
8, session fixed attack (session fixation)
9. HTTP response Split attack (HTTP Response splitting)
10 Files Upload Vulnerability (file Upload Attack)
11. Directory Traversal Vulnerability (directory traversal)
12. Remote file contains attack (inclusion)
13. Dynamic function Injection Attack (Variable Evaluation)
14. URL attack (URL attack)
15. Form submission Spoofing attack (spoofed form submissions)
16. HTTP request Spoofing Attack (spoofed HTTP requests)
Each subsequent installment will introduce the principles of these vulnerabilities and how to defend them.
A few important php.ini options:
Registerglobals
The default value of Php>=4.2.0,php.ini's register_globals option is preset to OFF when Register_globals
When set to ON, the program can receive various environment variables from the server, including the variables submitted by the form, and because PHP does not have to initialize the value of the variable beforehand, which leads to a large security risk.
Example 1:
Check_admin () is used to check the current user permissions, and if the admin setting is $is_admin the variable is true, then the following determines whether this variable is true and then performs some management operations.
ex1.php
if (Check_admin ())
{
$is _admin=true;
}
if ($is _admin)
{
Do_something ();
}
?>
This section of code does not initialize $is_admin to Flase, if Register_globals is on, then we submit http://www.sectop.com/ex1.php?is_admin=true directly, You can bypass the validation of Check_admin ():
Example 2:
ex2.php
if (Isset ($_session["username"))
{
Do_something ();
}
Else
{
Echo"You are not logged in!";
}
?>
When Register_globals=on, we commit http://www.sectop.com/ex2.php?_session[username]=dodo, we have this user's permission so no matter register_ Globals why, we have to remember that for any transmitted data to be carefully verified, the variables are initialized.
Safe_mode
In Safe mode, PHP is used to restrict access to documents, restrict access to environment variables, and control the execution of external programs. Enable
Safe Mode must set Safe_mode=on in PHP.ini
1. Restricting file access
Safe_mode_include_dir= "/path1:/path2:/path3"
Separate folders separated by colons
2. Restricting access to environment variables
Safe_mode_allowed_env_vars=string
Specifies that the PHP program can change the prefix of the environment variables, such as: Safe_mode_allowed_env_vars=php_, when the value of this option is NULL, then PHP can change any environment variables
Safe_mode_protected_env_vars=string is used to specify the prefixes of environment variables that the PHP program cannot change.
3. Restricting the execution of external programs
Safe_mode_exec_dir=string
The folder path specified by this option affects system, exec, Popen, PassThru, and does not affect Shell_exec and "".
Disable_functions=string
Different function names are separated by commas, and this option is not affected by Safe mode.
Magicquotes
Used to automatically escape the input information of the PHP program, all single quotes ("'"), double quotes ("" "), backslashes (" \ ") and null characters (NULL) are automatically added with backslashes to escape magic_quotes_gpc=on to set Magicquotes to ON, It affects HTTP request data (GET, POST, Cookies) programmers can also use Addslashes to escape submitted HTTP request data, or use Stripslashes to remove escapes.
PHP Vulnerability Full solution (a) the security of the PHP website