PHP Security Configuration (3)

Source: Internet
Author: User
Tags: upload, php
5. File Upload

PHP's file upload mechanism stores a user-uploaded file as a random temporary file (with a name like phpxXuoXG) in the temporary directory defined by upload_tmp_dir in php.ini (by default the system temporary directory, such as /tmp). When the script finishes executing, the temporary file is deleted. PHP defines four variables for the uploaded file (assuming the form field is named file and register_globals is enabled):

$file       # the temporary file stored on the server (such as /tmp/phpxXuoXG)
$file_size  # size of the uploaded file
$file_name  # original name of the uploaded file
$file_type  # type of the uploaded file



Recommended usage:

$HTTP_POST_FILES['file']['tmp_name']
$HTTP_POST_FILES['file']['size']
$HTTP_POST_FILES['file']['name']
$HTTP_POST_FILES['file']['type']



This is the simplest file upload code:

<?php
// test_5.php
if (isset($upload) && $file != 'none') {
    copy($file, '/usr/local/apache/htdocs/upload/' . $file_name);
    echo 'File ' . $file_name . ' uploaded successfully! Click "continue uploading"';
    exit;
}
?>
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
</head>
<body>
<form enctype="multipart/form-data" method="post">
<input type="file" name="file">
<input type="submit" name="upload" value="Upload">
</form>
</body>
</html>








This upload code has a serious vulnerability: it allows arbitrary files to be read and commands to be executed.

The following request copies the file /etc/passwd into the web directory /usr/local/apache/htdocs/test (note: this directory must be writable by nobody) as the file attack.txt:

http://victim/test_5.php?upload=1&file=/etc/passwd&file_name=attack.txt

Then you can use the following request to read the password file:

http://victim/test/attack.txt

An attacker can also copy a PHP file to a different extension and thereby leak the script's source code.

An attacker can set the value of the file_name variable in the form to write the upload to any file in a directory that is writable.

An attacker can also upload a PHP script and execute commands on the host.

Solution:

PHP 4.0.3 and later provide the is_uploaded_file() and move_uploaded_file() functions, which check whether a file really was uploaded by the user, so that system files cannot be copied into the web directory.

Use the $HTTP_POST_FILES array to read the variables of the user's upload.

Strictly check the upload variables; for example, verify that the file is not a PHP script.

Restricting PHP script operations to the web directory (with open_basedir) prevents programmers from using copy() to copy system files into the web directory. move_uploaded_file() is not restricted by open_basedir, so the upload_tmp_dir value in php.ini does not need to be changed.

Encode the PHP scripts with phpencode so that a copy operation does not leak the source code.

Configure file and directory permissions strictly; only the upload directory should be writable by the nobody user.

Remove PHP parsing for the upload directory by modifying httpd.conf:

<Directory "/usr/local/apache/htdocs/upload">
    php_flag engine off
    # for PHP 3 use php3_engine off instead
</Directory>


Restart Apache. PHP files in the upload directory are no longer parsed by Apache, so even if a PHP file is uploaded there is no vulnerability: its source code is simply displayed as text.
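The following is an added example, not code from the original article, showing what test_5.php looks like once the measures above are applied: is_uploaded_file() and move_uploaded_file() replace copy(), the client-supplied name is never used as the stored name, and the extension is checked against a whitelist that excludes PHP scripts. It assumes the upload directory /usr/local/apache/htdocs/upload is writable only by the web server user, that the form field is named file, and PHP 7 or later (for random_bytes()); $_FILES is used in place of the older $HTTP_POST_FILES, which holds the same data. The size limit and the list of allowed extensions are assumptions for the example.

```php
<?php
// Added example (not from the original article): hardened upload handler.
// Assumptions: UPLOAD_DIR is writable only by the web server user, the form
// field is named "file", PHP >= 7 for random_bytes().

define('UPLOAD_DIR', '/usr/local/apache/htdocs/upload/');
define('MAX_BYTES', 1024 * 1024);   // 1 MiB limit, an assumption for the example

// Allowed extensions: deliberately no php/php3/phtml, so an uploaded script is
// never parsed even if the httpd.conf "engine off" rule were missing.
$allowed = array('txt', 'jpg', 'jpeg', 'png', 'gif', 'pdf');

function safe_upload(array $f, array $allowed)
{
    if (!isset($f['tmp_name']) || $f['error'] !== UPLOAD_ERR_OK) {
        return array(false, 'no file or upload error');
    }
    // Reject anything that is not a real upload: file=/etc/passwd supplied as
    // a request parameter is never a temporary file created by PHP.
    if (!is_uploaded_file($f['tmp_name'])) {
        return array(false, 'not an uploaded file');
    }
    if ($f['size'] > MAX_BYTES) {
        return array(false, 'file too large');
    }
    // Never trust the client-supplied name: only its extension is used, after
    // a whitelist check, and the stored name is generated server-side.
    $ext = strtolower(pathinfo($f['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return array(false, 'extension not allowed');
    }
    $stored = bin2hex(random_bytes(8)) . '.' . $ext;
    // move_uploaded_file() refuses a source that is not an upload and is not
    // subject to open_basedir, so upload_tmp_dir can keep its default value.
    if (!move_uploaded_file($f['tmp_name'], UPLOAD_DIR . $stored)) {
        return array(false, 'could not store file');
    }
    return array(true, $stored);
}

if (isset($_POST['upload']) && isset($_FILES['file'])) {
    list($ok, $msg) = safe_upload($_FILES['file'], $allowed);
    // htmlspecialchars() keeps a crafted filename from turning into XSS here
    echo $ok ? 'Stored as ' . htmlspecialchars($msg)
             : 'Upload rejected: ' . htmlspecialchars($msg);
    exit;
}
?>
<form enctype="multipart/form-data" method="post">
  <input type="file" name="file">
  <input type="submit" name="upload" value="Upload">
</form>
```

Checking only the extension is a minimum; the stored file is also served from a directory where PHP parsing is disabled, so the two measures back each other up.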

6. Command Execution

The following code snippet is taken from PHPNetToolpack; for details, see:

http://www.securityfocus.com/bid/4303

<?php
// test_6.php
system("traceroute $a_query", $ret_strs);
?>



Because the program does not filter the $a_query variable, an attacker can append further commands with a semicolon and have them executed.

An attacker submits the following request to execute the command cat /etc/passwd:

http://victim/test_6.php?a_query=www.example.com;cat /etc/passwd

PHP's command execution functions include system(), passthru(), popen() and the backtick operator. Command execution functions are very dangerous and should be used with caution; if the application must use them, user input has to be strictly checked.

Solution:

Require programmers to use the escapeshellcmd() function to filter the shell commands built from user input.

Enabling safe_mode eliminates many command execution problems, but make sure the PHP version is up to date: versions below PHP 4.2.2 may allow the safe_mode restriction to be bypassed to execute commands.
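As an added example (not code from the original article or from PHPNetToolpack), here is a safer version of the test_6.php traceroute call. It uses escapeshellarg() rather than escapeshellcmd(): escapeshellcmd() escapes metacharacters across a whole command line, while escapeshellarg() quotes a single argument so the input can only ever be one argument to traceroute; both functions exist since PHP 4.0.3. On top of that, the input is validated against a hostname/IPv4 pattern, so shell metacharacters never reach system() at all. The helper names is_valid_host() and traceroute_command() are assumptions of this example.

```php
<?php
// Added example (not from the original article): validated and quoted
// replacement for system("traceroute $a_query").

function is_valid_host($h)
{
    // RFC 1123-style hostname (labels of letters, digits and hyphens) or a
    // dotted IPv4 address; 253 characters is the hostname length limit
    if (strlen($h) > 253) {
        return false;
    }
    $label = '[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?';
    return (bool) preg_match('/^(' . $label . '\.)*' . $label . '$/i', $h)
        || (bool) filter_var($h, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4);
}

function traceroute_command($a_query)
{
    if (!is_valid_host($a_query)) {
        return null;   // the caller reports an error; nothing is executed
    }
    // Even after validation, quote the argument: defence in depth against
    // any gap in the pattern above.
    return 'traceroute ' . escapeshellarg($a_query);
}

// What the hardened version does with the request from the text,
// a_query=www.example.com;cat /etc/passwd (constructed input)
$attack = 'www.example.com;cat /etc/passwd';
var_dump(traceroute_command($attack));             // NULL: rejected by validation
var_dump(traceroute_command('www.example.com'));   // "traceroute 'www.example.com'"
var_dump(escapeshellarg($attack));                 // one single-quoted argument, no command separator

if (isset($_GET['a_query'])) {
    $cmd = traceroute_command($_GET['a_query']);
    if ($cmd === null) {
        echo 'invalid host';
        exit;
    }
    system($cmd, $ret_strs);
}
```

The validation step is the real control; escapeshellarg() is there so that a mistake in the pattern degrades to a harmless argument rather than to command execution.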

7. SQL Injection

The following SQL statement is vulnerable if the variables are not processed:

select * from login where user='$user' and pass='$pass'



An attacker can enter 1' or 1='1 as both the username and the password to bypass authentication.

Fortunately, PHP's default option magic_quotes_gpc = On applies addslashes() to variables from GET, POST and COOKIE, so the SQL statement above becomes:

select * from login where user='1\' or 1=\'1' and pass='1\' or 1=\'1'



This prevents this kind of SQL injection attack.

For numeric fields, many programmers write the query as follows:

select * from test where id=$id



Because the variable is not enclosed in single quotes, SQL injection is possible. Fortunately, MySQL's functionality is simple: it has no SQL statements for executing commands, as SQL Server and other databases do, and PHP's mysql_query() function only allows one SQL statement to be executed, so separating multiple SQL statements with semicolons does not work. However, an attacker can at least cause the query to fail, leak some system information, or trigger other unexpected behaviour.

Solution:

Require programmers to filter all user-submitted variables that are placed into SQL statements.

Enclose variables in single quotes even for numeric fields; MySQL will convert the string to a number itself.

In MySQL, do not give the PHP application's database user high-level privileges; allow it to operate only on its own database. This also prevents an attacker from using select into outfile when the program has a SQL injection vulnerability.
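The following added example (not from the original article) reproduces the login query above against an in-memory SQLite database through PDO, so it runs without a MySQL server; the vulnerable and fixed queries behave the same way on MySQL. The table, the single test account and the attack input are constructed for the demonstration. The attack string uses '1'='1' rather than the page's 1='1 so that the comparison is also true under SQLite's stricter type rules. Beyond the page's own advice (keep the input inside a quoted string literal), it shows prepared statements with bound parameters, which is the approach to prefer today and is not something the article covers.

```php
<?php
// Added example (not from the original article): the page's login query in
// its vulnerable, escaped and prepared-statement forms, run on SQLite.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (id INTEGER, user TEXT, pass TEXT)');
$db->exec("INSERT INTO login VALUES (1, 'admin', 'secret')");   // constructed test account

// The page's vulnerable form: variables interpolated straight into the SQL
function login_vulnerable(PDO $db, $user, $pass)
{
    $sql = "select * from login where user='$user' and pass='$pass'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 1 (the page's advice): escape the quotes so the input stays inside the
// string literal. PDO::quote() adds the quotes and the escaping in one step,
// which is what magic_quotes_gpc + addslashes() approximated.
function login_escaped(PDO $db, $user, $pass)
{
    $sql = 'select * from login where user=' . $db->quote($user)
         . ' and pass=' . $db->quote($pass);
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix 2 (preferred today): a prepared statement with bound parameters; the
// input is never parsed as SQL at all.
function login_prepared(PDO $db, $user, $pass)
{
    $st = $db->prepare('select * from login where user = :u and pass = :p');
    $st->execute(array(':u' => $user, ':p' => $pass));
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

// The numeric-field case: bind an integer instead of pasting "$id" into the SQL
function find_by_id(PDO $db, $id)
{
    $st = $db->prepare('select * from login where id = :id');
    $st->execute(array(':id' => (int) $id));   // only an integer ever reaches the query
    return $st->fetchAll(PDO::FETCH_ASSOC);
}

$attack = "1' or '1'='1";   // constructed attack input, same idea as in the text
printf("vulnerable: %d row(s)\n", count(login_vulnerable($db, $attack, $attack)));  // 1: login bypassed
printf("escaped:    %d row(s)\n", count(login_escaped($db, $attack, $attack)));     // 0
printf("prepared:   %d row(s)\n", count(login_prepared($db, $attack, $attack)));    // 0
printf("by id:      %d row(s)\n", count(find_by_id($db, '1 or 1=1')));              // 1: only id 1 is matched
```

The vulnerable query turns into where user='1' or '1'='1' and pass='1' or '1'='1', which is true for every row; the escaped query looks for a literal username containing the quote characters and matches nothing.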

8. Warnings and Error Messages

By default, PHP displays all warnings and error messages:

error_reporting = E_ALL & ~E_NOTICE
display_errors = On



This is very useful during development and debugging: program errors can be found immediately from the warning information.

In production, however, warnings and error messages leave users confused and leak the script's physical path to an attacker, providing useful information for further attacks. Moreover, since you may never visit the page that produces the error, you cannot fix the bug promptly. It is therefore wise to record all PHP warnings and error messages to a log file: this reveals no physical paths to attackers and still lets you know where the program errors are.

Modify the Error handling and logging section of php.ini:

error_reporting = E_ALL
display_errors = Off
log_errors = On
error_log = /usr/local/apache/logs/php_error.log



Restart Apache. Note that the file /usr/local/apache/logs/php_error.log must be writable by the nobody user.

9. disable_functions

If you still consider some functions a threat, you can set disable_functions in php.ini (this option cannot be set in httpd.conf), for example:

disable_functions = phpinfo, get_cfg_var



Multiple functions can be specified, separated by commas. After Apache is restarted, the phpinfo and get_cfg_var functions are disabled. We recommend disabling phpinfo and get_cfg_var: both functions easily leak server information and are of little use.

10. disable_classes

This option is available from PHP 4.3.2 onwards and disables the listed classes; multiple class names are separated by commas. disable_classes cannot be set in httpd.conf and can only be modified in the php.ini configuration file.

11. open_basedir

The analysis of the examples above mentioned several times that open_basedir restricts the paths a script can operate on; here its behaviour is described in more detail. The restriction specified by open_basedir is actually a prefix, not a directory name. That is, open_basedir = /dir/incl will also allow access to /dir/include and /dir/incls if they exist. To restrict access to the specified directory only, end the path with a slash, for example open_basedir = /dir/incl/.

Multiple directories can be set; on Windows they are separated by semicolons, on any other system by colons. When PHP runs as an Apache module, the open_basedir paths of parent directories are automatically inherited.
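To make the prefix rule concrete, here is an added example (not from the original article, and not PHP's own open_basedir implementation, which lives in the engine's C code) that reimplements the comparison the text describes as a plain PHP function and runs it over constructed paths for both the /dir/incl and /dir/incl/ settings. Real open_basedir also resolves symlinks with realpath() before comparing; that step is omitted here. Nothing is touched on disk.

```php
<?php
// Added example (not from the original article): the open_basedir prefix rule
// as a plain PHP function, to show why the trailing slash matters.

function allowed_by_prefix($path, $open_basedir)
{
    // open_basedir is a list: ':' on Unix-like systems, ';' on Windows
    $sep = (DIRECTORY_SEPARATOR === '\\') ? ';' : ':';
    foreach (explode($sep, $open_basedir) as $prefix) {
        // plain prefix comparison, exactly as the text explains
        if (strncmp($path, $prefix, strlen($prefix)) === 0) {
            return true;
        }
    }
    return false;
}

// constructed paths: only the first one lies inside /dir/incl/
$tests = array('/dir/incl/a.php', '/dir/include/b.php', '/dir/incls/c.php', '/dir/other/d.php');

foreach (array('/dir/incl', '/dir/incl/') as $setting) {
    echo "open_basedir = $setting\n";
    foreach ($tests as $p) {
        printf("  %-22s %s\n", $p, allowed_by_prefix($p, $setting) ? 'allowed' : 'denied');
    }
}
// With "/dir/incl", /dir/incl/, /dir/include/ and /dir/incls/ are all allowed;
// with "/dir/incl/" only /dir/incl/ is.
```

The same pitfall applies to any prefix check written in application code: normalize the path first and compare against a base that ends in a directory separator.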
