PHP vulnerability and code auditing

Source: Internet
Author: User

Code auditing on the enterprise (Party A) side is generally white-box, and the vulnerabilities it turns up fall into only a few classes: XSS, SQL injection, command execution, upload vulnerabilities, local and remote file inclusion, permission bypass, and information leakage.

1. XSS + SQL injection

XSS and SQL injection make up the largest share of findings. For frameworks, or any code base with a shared public file, we recommend filtering XSS and SQL injection once in that public file. Write filter functions and apply them to every request array as follows:

$_REQUEST = filter_xss($_REQUEST);
$_GET     = filter_xss($_GET);
$_POST    = filter_xss($_POST);
$_COOKIE  = filter_xss($_COOKIE);

$_POST    = filter_sql($_POST);
$_GET     = filter_sql($_GET);
$_COOKIE  = filter_sql($_COOKIE);
$_REQUEST = filter_sql($_REQUEST);

Note that although $_REQUEST equals $_GET + $_POST, they are independent arrays: if a value in $_GET is changed, the corresponding value in $_REQUEST is still the original one, so $_REQUEST cannot be left out of the filtering. Other arrays such as $_FILES can be ignored here.

The simplest filter_xss function is htmlspecialchars().

The simplest filter_sql function is mysql_real_escape_string().

Of course, everyone knows that this filter_sql only handles injection into string-type and search-type (LIKE) parameters; it does nothing for numeric-type parameters, which are not wrapped in quotes. What it does mean is that after this layer of filtering you only need to pay attention to the numeric-type SQL parameters, and those can be filtered with intval(), which makes the audit much easier.
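The public-file filtering described above, written out as an added example (this is not code from the original article). Because the superglobals are arrays, both filters recurse; filter_sql uses mysqli_real_escape_string(), the mysqli equivalent of the mysql_real_escape_string() named in the text, and therefore assumes a live mysqli connection $db. The helper name numeric_param and the sample request array are assumptions constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Escape every scalar value in a (possibly nested) request array for HTML output.
// htmlspecialchars() is the "simplest filter_xss" from the text; ENT_QUOTES also
// escapes single quotes so the value is safe inside attribute values.
function filter_xss($value)
{
    if (is_array($value)) {
        return array_map('filter_xss', $value);
    }
    return htmlspecialchars((string)$value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escape every scalar value for use inside a quoted string literal in a MySQL query.
// $db is an assumed open mysqli connection; the escape depends on its charset.
function filter_sql(mysqli $db, $value)
{
    if (is_array($value)) {
        return array_map(fn($v) => filter_sql($db, $v), $value);
    }
    return mysqli_real_escape_string($db, (string)$value);
}

// Numeric-type parameter: escaping does not help because the value is not inside
// quotes, so cast with intval() as the text recommends. Arrays (a[]=1) and missing
// keys fall back to the default instead of reaching the query.
function numeric_param(array $request, string $key, int $default = 0): int
{
    if (!isset($request[$key]) || !is_scalar($request[$key])) {
        return $default;
    }
    return intval($request[$key]);
}

// In the public include file: every request array is filtered independently,
// because $_REQUEST is a separate copy and is not updated when $_GET changes.
$_GET     = filter_xss($_GET);
$_POST    = filter_xss($_POST);
$_COOKIE  = filter_xss($_COOKIE);
$_REQUEST = filter_xss($_REQUEST);

// $db = new mysqli('127.0.0.1', 'app', 'placeholder-password', 'app');   // assumed connection
// $_GET     = filter_sql($db, $_GET);   (and likewise for $_POST, $_COOKIE, $_REQUEST)

// Constructed sample input, not a real request.
$sample = ['name' => "<script>alert('x')</script>", 'id' => '24abc', 'ids' => ['1 OR 1=1', '7']];
$clean  = filter_xss($sample);               // the <script> tag is now inert HTML entities
$id     = numeric_param($sample, 'id');      // intval() keeps only the leading digits
$missing = numeric_param($sample, 'page');   // absent key returns the default
```

The recursion matters for the audit: a filter that calls htmlspecialchars() directly on $_GET['x'] is bypassed, or raises an error, as soon as the parameter is sent as x[]=1, which is the same array trick the information-leakage section below describes.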

2. Command execution

For command execution, you can start from keywords, which fall into three categories:

(1) PHP code execution: eval

(2) Shell command execution: exec, passthru, system, shell_exec, etc.

(3) File processing: fwrite, fopen, mkdir, etc.

For each hit, check whether the parameters passed to these functions are user-controllable.
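What "controllable parameter" looks like in practice, and the hardened form an auditor would ask for, as an added example (not code from the original article). The ping use case, the function names and the host pattern are assumptions chosen for the demonstration.

```php
<?php
declare(strict_types=1);

// Finding: the request parameter reaches system() unchanged, so the shell
// interprets any metacharacters in it. Kept here, commented out, for contrast.
// system('ping -c 1 ' . $_GET['host']);

// Hardened form, step 1: an allowlist that only admits what a hostname or
// IPv4 address can contain (letters, digits, dot, hyphen).
function is_safe_host(string $host): bool
{
    return (bool)preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host);
}

// Hardened form, step 2: the fixed part of the command is a literal and the
// variable part is wrapped by escapeshellarg(), so it is always one argument.
function build_ping_command(string $host): string
{
    if (!is_safe_host($host)) {
        throw new InvalidArgumentException('host rejected by allowlist');
    }
    return 'ping -c 1 ' . escapeshellarg($host);
}

// Constructed inputs, not real requests.
$cmd = build_ping_command('example.com');      // accepted and quoted
try {
    build_ping_command('example.com; id');     // rejected before any shell call
} catch (InvalidArgumentException $e) {
    $rejected = $e->getMessage();
}
```

During review, the allowlist is the check to look for first: escapeshellarg() alone protects the shell parsing but still lets an arbitrary string reach the program being run, which may have its own option parsing.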

3. Upload vulnerability

Upload vulnerabilities are also a key concern, and the handling process needs careful analysis. There are many ways to bypass upload checks; the safest approach is to name the stored file randomly and whitelist the suffix. The second thing to note is that there may be more than one upload point: you may run into a third-party editor included in some directory, with its own upload handling.

File inclusion vulnerabilities involve include(), include_once(), require(), require_once(), file_get_contents(), etc.

The most common case is file download, such as download.php?file=../../etc/passwd.
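The three defences named above (whitelisted suffix plus random file name for uploads, a fixed page map for include(), and containment of the download.php?file= path inside a base directory) as an added example; this is not code from the original article. The upload directory, the extension list, the page map and the helper names are assumptions chosen for the demonstration.

```php
<?php
declare(strict_types=1);

const UPLOAD_DIR  = '/var/www/uploads';                 // assumed storage directory
const ALLOWED_EXT = ['jpg', 'jpeg', 'png', 'gif', 'pdf']; // assumed whitelist

// Uploads: return a random storage name for the file, or null if the suffix is
// not whitelisted. The original name is never used for the stored file, so tricks
// in the client-supplied name have nothing to act on.
function safe_upload_name(string $original_name): ?string
{
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if (!in_array($ext, ALLOWED_EXT, true)) {
        return null;
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Inclusion: map the request parameter to a fixed set of files instead of
// building the include path from the parameter itself.
function include_page(string $page): void
{
    $pages = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];  // assumed map
    if (!isset($pages[$page])) {
        $page = 'home';
    }
    include $pages[$page];
}

// Download: resolve the requested name inside $base_dir and reject anything that
// escapes it (../ sequences, absolute paths, symlinks pointing outside).
function resolve_download(string $base_dir, string $requested): ?string
{
    $base = realpath($base_dir);
    $full = realpath($base_dir . '/' . $requested);
    if ($base === false || $full === false) {
        return null;                       // base missing, or file does not exist
    }
    if ($full === $base || strpos($full, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // not strictly inside the base directory
    }
    return $full;
}

// Usage sketch with the usual PHP upload/download flow; remember to apply the
// same checks to every upload handler in the code base, not just the main one.
// $stored = safe_upload_name($_FILES['f']['name'] ?? '');
// if ($stored !== null) {
//     move_uploaded_file($_FILES['f']['tmp_name'], UPLOAD_DIR . '/' . $stored);
// }
// $path = resolve_download(UPLOAD_DIR, $_GET['file'] ?? '');
// if ($path !== null) {
//     readfile($path);
// }

// Constructed checks, not real requests.
$name_ok  = safe_upload_name('photo.PNG');      // random name ending in .png
$name_bad = safe_upload_name('shell.php');      // null: suffix not whitelisted
$name_dbl = safe_upload_name('shell.php.jpg');  // random name ending in .jpg; the stored
                                                // file never carries the original name
```

The realpath() comparison is the part most often missing in audited code: checking only that the string does not contain ".." is a blacklist, and the text's point is that blacklists are what gets bypassed.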

4. Permission bypass

There are two types of permission bypass:

(1) Unauthorized access to back-end (admin) files. If a back-end file does not perform session verification, this issue occurs.
(2) No user isolation. For example, mail.php?id=23 shows your mail, and changing the ID to mail.php?id=24 shows someone else's. This is convenient for the developer: all emails are stored in one table with uniform IDs, and the front end only needs to retrieve a record by id when displaying it. But without user isolation to check ownership, this leads to unauthorized access.

This is a common example; the vulnerability is often found when a bank application is assessed.
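The two checks described above for the mail.php?id=N case, as an added example (not code from the original article): a session check for the page, and an ownership condition inside the query so that a record belonging to another user is simply not found. The table and column names, the session key and the $db connection are assumptions.

```php
<?php
declare(strict_types=1);

session_start();

// (1) Authenticated/back-end file: stop unless a logged-in session exists.
// Returns the current user's id for use in the ownership check below.
function require_login(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('login required');
    }
    return (int)$_SESSION['user_id'];
}

// (2) User isolation: the owner condition is part of the query, so there is no
// separate "fetch then compare" step that a later refactor can drop. Prepared
// statement with bound integers; the id is a numeric-type parameter.
function fetch_own_mail(mysqli $db, int $mail_id, int $user_id): ?array
{
    $stmt = $db->prepare('SELECT id, subject, body FROM mail WHERE id = ? AND user_id = ?');
    $stmt->bind_param('ii', $mail_id, $user_id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    return $row ?: null;
}

$db = new mysqli('127.0.0.1', 'app', 'placeholder-password', 'app');  // assumed connection

$user_id = require_login();
$mail_id = intval($_GET['id'] ?? 0);   // numeric-type parameter: cast, do not escape
$mail    = fetch_own_mail($db, $mail_id, $user_id);
if ($mail === null) {
    http_response_code(404);           // same response whether the id is absent or
    exit('not found');                 // belongs to someone else: no ownership oracle
}
echo htmlspecialchars($mail['subject'], ENT_QUOTES, 'UTF-8');
```

When auditing, grep for the SELECT on the shared table and confirm the WHERE clause carries the owner column; a query keyed on id alone is the finding, regardless of how the id was filtered.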

5. Information leakage

Information leakage is a low-risk vulnerability. Directory listing, for example, is a deployment issue and has nothing to do with code auditing. What does need to be prevented is leakage such as path disclosure and source code disclosure. I have encountered code like this:

<?php if (empty($_GET['a'])) { … } ?>

On the surface there seems to be no problem, but when the request becomes xx.php?a[]=1, that is, when the parameter is changed into an array, an error occurs and the path leaks. If you use isset, the error does not occur. Of course, guarding against this case by case is too troublesome; we recommend disabling error display in the configuration file, or adding the following to the public file to turn error display off:

<?php error_reporting(0); ?>
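A small accessor that rejects array-typed parameters before they reach code expecting a string, alongside the error-display settings, as an added example (not code from the original article). The helper name get_string_param and the constructed request arrays are assumptions; the variant that keeps logging goes beyond the text's one-liner.

```php
<?php
declare(strict_types=1);

// Simplest form from the text, which silences everything:
//   error_reporting(0);
// Variant for a production public file: nothing is shown in the response, but
// errors are still written to the server log where developers can read them.
error_reporting(E_ALL);
ini_set('display_errors', '0');
ini_set('log_errors', '1');

// Return the parameter only if it exists and is a string. An array (the a[]=1
// case) or a missing key yields the default, so no later string operation
// fails on it and no error message can be provoked from the request.
function get_string_param(array $source, string $key, string $default = ''): string
{
    if (!isset($source[$key]) || !is_string($source[$key])) {
        return $default;
    }
    return $source[$key];
}

// Constructed request arrays for the two cases described in the text.
$normal     = ['a' => 'hello'];
$array_form = ['a' => ['1']];          // what xx.php?a[]=1 produces in $_GET

$v1 = get_string_param($normal, 'a');       // the string passes through
$v2 = get_string_param($array_form, 'a');   // array case falls back to the default

if ($v1 === '' || $v2 === '') {
    // Empty-string handling continues here, as the original if (empty(...)) did.
}
```

Both halves are worth having: the accessor removes the class of bug, and the ini settings make sure that any error which still slips through cannot print a file system path into the response.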
 
Of course, there are far more vulnerability classes than these. Other, less mainstream ones such as cookie forgery and CSRF are not covered here.
