PHP vulnerability mining ideas + instances

Source: Internet
Author: User

I have recently been studying PHP vulnerability mining. Here I summarize some of the vulnerabilities I have found and the ideas I have sorted out, and I ask the experts to supplement, criticize and guide me ~

All examples in this article are from vulnerabilities that the vendors have made public on wooyun.

Because this is an instance-based analysis, the basics can be looked up (Baidu) and will not all be pasted up front.

0x01: search for all user-controllable variables (GET/POST/COOKIE/referer)

Cause: all user input is harmful. Code auditing revolves around functions and variables, so first let's see where input enters.

Possible scenarios:

A) $id = $_GET['id'];

Possible problems:

SQL injection with no filtering: http://www.bkjia.com/Article/201311/256941.html

$id = trim($_GET["id"]);

// The value goes straight into the query statement below

if ($db->query("update ".getdbname('dance')." set CS_TID=".$tid." where cs_user='".$cscms_name."' and

Of course, this is the scenario where no filtering at all is applied after the GET.

B) $id = intval($_GET['id']);

Possible problems: intval is useless for string-type variables. How are the string-type variables handled?

If addslashes is used on a numeric variable, watch out for numeric blind injection (see the C2 analysis).

C) $tid = XX_Request("tid");

It is very common to process variables through a self-defined security filter function. Many frameworks provide one, but wrapping your own is also common.

Possible problems:

C1) Was the processing function forgotten somewhere?

http://www.bkjia.com/Article/201311/256941.html

$tid = CS_Request("tid"); // uses the safe CS_Request, which applies addslashes
$id = trim($_GET["id"]);  // hehe, the music module came from Tiange, and CS_Request weeps

In fact, the example above is exactly this case: the developer forgot to use the filter function.

C2) Is the function itself safe?

(New) Cheng's Dance CMS three-step GETSHELL (instance demonstration + source code analysis)

$t_Val = $magic ? trim($_GET[$pi_strName]) : addslashes(trim($_GET[$pi_strName]));

addslashes is used, so breaking out of single quotes is harder. You need to find an injection point where the value is not wrapped in single quotes.

addslashes only escapes quotes and backslashes, so an injection such as 134 and 1=1, which contains no quotes at all, passes through untouched. (Look up quote-less injection on Baidu if this is new to you.)

In the following statement, $cscms_name is protected by single quotes, while $id is not.

$db->query("update ".Getdbname('xiaoxi')." set CS_DID=1 where CS_ID=".$id." and cs_usera='".$cscms_name."'");

Therefore, id is a blind injection point.

C3) Can the filter function meet the special requirements of business logic?

Negative order quantities, tampered vote counts and all sorts of other business-logic problems may arise.

It is a pity that I have not encountered this problem yet. If I do later, I will update the article.

D) Don't forget that we also control variables such as the referer.

Possible problems:

GET/POST are usually filtered, but referer and cookie are easily overlooked.

$_SERVER["HTTP_REFERER"] example:

Injection caused by improper handling of MacCMS 6.x referer

Sorry, this one has not been made public as of today. You can check it later.

$_COOKIE['xxx'] example:

TCCMS all-version COOKIE injection (demonstrated)

$sql = "select password from ".$_obj->table." where id=".$_COOKIE['userid'];

The situation is the same as with GET; only carrying out the injection is a little more awkward. I will not paste an sqlmap tutorial here; look up how to inject via cookies on Baidu.

E) There are other input variables. Experts, please add them!

At this point we have a general picture of how the program handles user input.
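As an added example (not code from the original post or from the CMS it analyses), the following script reproduces the C2 pattern against an in-memory SQLite table: the addslashes-based filter passes a quote-less condition untouched, so the concatenated UPDATE affects a different number of rows depending on whether the appended condition is true, while integer validation and a bound parameter both neutralise it. The names xx_request, valid_int and count_updated, and the table contents, are constructed for this example.

```php
<?php
// Added example, not code from the original post or from the CMS it analyses.
// It reproduces the C2 pattern: an addslashes()-only filter leaves a quote-less
// condition untouched, so a concatenated numeric $id still changes the query's
// meaning, while integer validation or a bound parameter does not. Runs offline
// against an in-memory SQLite table (needs pdo_sqlite); names are constructed.

// Stand-in for the CMS's CS_Request(): trim + addslashes, read from GET first
// and from COOKIE second (section D: cookies are input too).
function xx_request(string $name, array $get, array $cookie = []): string
{
    return addslashes(trim($get[$name] ?? $cookie[$name] ?? ''));
}

// Fix 1: enforce the type. Anything that is not a whole integer is rejected
// before it can reach a query.
function valid_int(string $value): ?int
{
    $n = filter_var($value, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

// Fix 2: never concatenate; bind the value so it is compared as one literal.
function count_updated(PDO $db, string $id): int
{
    $stmt = $db->prepare("update xiaoxi set CS_DID=1 where CS_ID=? and cs_usera=?");
    $stmt->execute([$id, 'admin']);
    return $stmt->rowCount();
}

$db = new PDO('sqlite::memory:');
$db->exec("create table xiaoxi (CS_ID integer, CS_DID integer, cs_usera text)");
$db->exec("insert into xiaoxi values (134,0,'admin'), (135,0,'admin'), (136,0,'bob')");

// Constructed inputs: a true and a false condition appended to a valid id, no quotes.
foreach (['134 and 1=1', '134 and 1=2'] as $payload) {
    $id = xx_request('id', ['id' => $payload]);   // addslashes leaves it unchanged

    // Vulnerable pattern quoted in the post: $id concatenated without quotes.
    // The affected row count follows the truth of the appended condition,
    // which is the blind-injection signal the post describes.
    $db->exec("update xiaoxi set CS_DID=0");
    $vuln = $db->exec("update xiaoxi set CS_DID=1 where CS_ID=".$id." and cs_usera='admin'");

    $checked = valid_int($id);                    // rejected before any query runs
    $bound   = count_updated($db, $id);           // the whole string is one compared value
    printf("%-12s vulnerable=%d valid_int=%s bound=%d\n",
        $payload, $vuln, var_export($checked, true), $bound);
}
```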

0x02: search $_COOKIE separately and analyze the authentication logic.

Cause: authentication is the "high-risk" part of the business logic; most high-risk vulnerabilities are found here.

Possible scenarios:

A) Cookies are not processed at all; everything goes through sessions.

Then the authentication algorithm can be read directly when you read the code later.

B) The authentication algorithm is too weak (computed from controllable cookies), which lowers the difficulty of identity forgery.

(New) Cheng's Dance CMS three-step GETSHELL (instance demonstration + source code analysis)

Step 2: forge the identity

elseif ($_COOKIE['CS_Login'] != md5($_COOKIE['CS_AdminID'].$_COOKIE['CS_AdminUserName'].$_COOKIE['CS_AdminPassWord'].$_COOKIE['CS_Quanx'])) {

What does this check achieve? Every input to the hash comes from the cookie, which the client controls, so on its own this line proves nothing. Of course, the program has other checks; this is only an example.

In fact, in this vulnerability the CMS's algorithm is followed by further verification against the admin credentials written in config, but the difficulty has still been lowered.

C) Direct bypass

If case B has no other verification, it is a straight bypass.

So far we have only checked the login logic; next, the granularity of the permission checks needs to be analyzed.
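As an added example (not code from the original post or from the CMS), this script contrasts the cookie-only check quoted in B with a server-keyed token, to show why a hash computed purely from client-supplied cookies proves nothing about who set them. The function names, the secret and the cookie values are constructed for this example.

```php
<?php
// Added example, not code from the original post or from the CMS. It contrasts
// the cookie-only check quoted in 0x02 B with a server-keyed token, to show why
// a hash computed purely from client-supplied cookies proves nothing about who
// set them. Function names and the secret are constructed for this example.

// The post's pattern: every input to the md5 comes from the client's own cookies,
// so whoever sets the cookies can also set a CS_Login that satisfies the check.
function verify_weak(array $cookie): bool
{
    $expected = md5($cookie['CS_AdminID'] . $cookie['CS_AdminUserName']
                  . $cookie['CS_AdminPassWord'] . $cookie['CS_Quanx']);
    return ($cookie['CS_Login'] ?? '') === $expected;
}

// Hardened pattern: the token is an HMAC over the identity fields with a secret
// that never leaves the server, compared in constant time. The password is not
// a hash input because it should never be in a cookie at all.
function make_token(string $adminId, string $user, string $perms, string $secret): string
{
    return hash_hmac('sha256', "$adminId|$user|$perms", $secret);
}

function verify_hmac(array $cookie, string $secret): bool
{
    $expected = make_token($cookie['CS_AdminID'], $cookie['CS_AdminUserName'],
                           $cookie['CS_Quanx'], $secret);
    return hash_equals($expected, $cookie['CS_Login'] ?? '');
}

// Constructed server secret and a cookie jar assembled entirely client-side.
$secret = 'constructed-server-secret-never-sent-to-the-browser';
$cookie = ['CS_AdminID' => '1', 'CS_AdminUserName' => 'admin',
           'CS_AdminPassWord' => 'x', 'CS_Quanx' => 'all'];
$cookie['CS_Login'] = md5('1' . 'admin' . 'x' . 'all');   // needs no server-side knowledge

var_dump(verify_weak($cookie));           // satisfied using only client-chosen values
var_dump(verify_hmac($cookie, $secret));  // rejected: an md5 is not an HMAC under the secret

// Only the server, holding $secret, can mint a CS_Login that verify_hmac accepts;
// in a real application the token should also be tied to a server-side session.
$cookie['CS_Login'] = make_token('1', 'admin', 'all', $secret);
var_dump(verify_hmac($cookie, $secret));  // accepted: minted with the server secret
```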

0x03: search all file operation functions and analyze their logic

Cause: file operation functions are sensitive functions; business-logic vulnerabilities around them can lead to arbitrary file operations.

Possible scenarios:

A) Arbitrary file download

AppCMS latest version 1.3.708 arbitrary file download

<?php
if (isset($_GET['url']) && trim($_GET['url']) != '' && isset($_GET['type'])) {
    $img_url = base64_decode($_GET['url']);
    $shffix  = trim($_GET['type']);
    header("Content-Type: image/{$shffix}");
    readfile($img_url);
} else {
    die('image not find');
}
?>

PS: because this is a business-logic problem, it cannot be found by automated scanning, and the filtering in place for SQL and HTML does not help much here.

The main use of arbitrary file reading is to read config.php and the sensitive files of various systems (how to obtain the physical directory? See 0x04).

B) Arbitrary file write

The main use of arbitrary file write is to write a Trojan (webshell). The main obstacle is the filtering of HTML characters such as <>; in a great many applications base64 is what gets around it.

C) Arbitrary file deletion

Sorry, I have not seen one yet. If you have, please share it.

With arbitrary file deletion, you can delete install.lock and reinstall the CMS.

D) Other operations, please add

File operations can be combined with directory brute-forcing.
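As an added example (not code from the original post or from AppCMS), this script shows a safe replacement for the readfile(base64_decode($_GET['url'])) pattern quoted in A: the decoded name is resolved inside one fixed directory and the type comes from a whitelist, never from the request. The function name safe_image_path, the temporary directory and its files are constructed for this example.

```php
<?php
// Added example, not code from the original post or from AppCMS. It shows a
// safe replacement for the readfile(base64_decode($_GET['url'])) pattern in
// 0x03 A: the decoded name is resolved inside one fixed directory and the type
// comes from a whitelist, never from the request. The temp directory, files
// and function names are constructed for this example.

// Only these types are served; the Content-Type is taken from this table.
const IMAGE_TYPES = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'gif' => 'image/gif'];

// Returns the real path of an allowed image under $base, or null.
function safe_image_path(string $base, string $encodedUrl): ?string
{
    $name = base64_decode($encodedUrl, true);            // strict: malformed base64 -> false
    if ($name === false || $name === '' || str_contains($name, "\0")) {
        return null;
    }
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(IMAGE_TYPES[$ext])) {
        return null;                                     // config.php, /etc/passwd, ... stop here
    }
    $baseReal = realpath($base);
    $fileReal = realpath($base . DIRECTORY_SEPARATOR . $name);
    // realpath() collapses ../ and symlinks; the result must stay inside $base.
    if ($baseReal === false || $fileReal === false
        || !str_starts_with($fileReal, $baseReal . DIRECTORY_SEPARATOR)) {
        return null;
    }
    return $fileReal;
}

// Constructed fixture: an upload directory with one image, and a PNG one level
// up that is outside the served directory and must stay unreachable.
$root = sys_get_temp_dir() . '/imgdemo_' . bin2hex(random_bytes(4));
mkdir("$root/upload", 0700, true);
file_put_contents("$root/upload/logo.png", 'png-bytes');
file_put_contents("$root/secret.png", 'not-for-serving');

// Only the first two names resolve inside upload/ with an allowed type.
foreach (['logo.png', '../upload/logo.png', '../secret.png', '../config.php', '/etc/passwd'] as $name) {
    $path = safe_image_path("$root/upload", base64_encode($name));
    printf("%-20s -> %s\n", $name, $path === null ? 'rejected' : 'served ' . basename($path));
}

unlink("$root/upload/logo.png"); unlink("$root/secret.png");
rmdir("$root/upload"); rmdir($root);
```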

0x04: disclosing the physical path

Cause: in the previous section we may be able to operate on files at will, yet still not know the website's physical directory. As a black box we could keep trying to read c:\boot.ini and /etc/passwd to infer it, but that is unreliable.

How to do it: use PHP Vulnerability Hunter to scan automatically. A tool genuinely works here: on its own, path disclosure is too low-impact and must be combined with other vulnerabilities, so CMSs usually still contain such issues, by which I mean issues a scanner can find.

AppCMS latest version 1.3.708 arbitrary file download

If the physical path is unknown, scan for it with a tool first and then read the file.

0x05: search for eval, preg_replace and the like to see whether there is any code execution.

Cause: PHP code can be executed directly, which means a Trojan can be written (file_put_contents); of course, a writable directory still has to be found.

I have never managed to find an example here and have not practised it myself. Could the experts provide a few examples?
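As an added example (not code from the original post or any CMS), this token-based audit helper mechanises the "search" steps of 0x01, 0x03 and 0x05: it lists where user input enters (superglobals) and where risky sinks are called, and flags preg_replace only when its pattern literal carries the /e modifier. The SOURCES and SINKS lists and the sample source it scans are constructed for this example.

```php
<?php
// Added example, not from the original post or any CMS. A token-based audit
// helper for the "search" steps in 0x01, 0x03 and 0x05: it lists where user
// input enters (superglobals) and where risky sinks are called, flagging
// preg_replace only when its pattern literal carries the /e modifier.
// SOURCES, SINKS and the sample source are constructed for this example.
const SOURCES = ['$_GET', '$_POST', '$_COOKIE', '$_REQUEST', '$_SERVER', '$_FILES'];
const SINKS   = ['eval', 'assert', 'system', 'exec', 'shell_exec', 'passthru', 'popen',
                 'create_function', 'file_put_contents', 'readfile', 'unlink', 'preg_replace'];
// Returns [[line, kind, name], ...] sorted by line number.
function audit_php(string $code): array
{
    // Drop whitespace tokens so "the next token" is always $tokens[$i + 1].
    $tokens = array_values(array_filter(token_get_all($code),
        fn($t) => !is_array($t) || $t[0] !== T_WHITESPACE));
    $hits = [];
    foreach ($tokens as $i => $tok) {
        if (!is_array($tok)) { continue; }
        [$id, $text, $line] = $tok;
        if ($id === T_VARIABLE && in_array($text, SOURCES, true)) {
            $hits[] = [$line, 'source', $text];
        } elseif (($id === T_STRING || $id === T_EVAL) && in_array(strtolower($text), SINKS, true)) {
            if (($tokens[$i + 1] ?? null) !== '(') { continue; }   // a call, not a bare constant
            $name = strtolower($text);
            if ($name === 'preg_replace') {                         // code sink only with /e
                $pat = $tokens[$i + 2] ?? '';                        // first argument: the pattern
                $pat = is_array($pat) ? $pat[1] : '';
                // delimiter, then modifier letters that include e, then the closing quote
                if (!preg_match('~[/#|~!@][a-zA-Z]*e[a-zA-Z]*[\'"]$~', $pat)) { continue; }
                $name = 'preg_replace /e';
            }
            $hits[] = [$line, 'sink', $name];
        }
    }
    sort($hits);
    return $hits;
}

// Constructed snippet modelled on the patterns quoted in this post.
$sample = <<<'PHP'
<?php
readfile(base64_decode($_GET['url']));
$out = preg_replace('/(\w+)/e', 'strtoupper("$1")', $_COOKIE['name']);
$ok  = preg_replace('/\s+/', ' ', $out);
eval($_POST['code']);
PHP;
foreach (audit_php($sample) as [$line, $kind, $name]) {
    printf("line %d  %-6s %s\n", $line, $kind, $name);
}
```

The second preg_replace in the sample is reported as nothing because its pattern has no /e, which is the distinction a plain grep for the function name misses.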

0x06: now you can start reading the code. Starting from index, pay attention to data transmission and output functions.

Cause: if the common patterned vulnerabilities are absent, the whole system has to be analyzed, so a full and thorough audit is needed; this saves more effort than continuing to search for variables one by one and tracing each of them.

Possible scenarios:

A) All the earlier filtering was in vain.

Not yet public; the article will be updated after disclosure. This one is a stored XSS.

B) Second-order injection

Values read back from the database are not filtered in later processing, so injection occurs. Because these values are not taken directly from user input, they are hard to spot in the earlier steps.

Please give an example; I have not met one myself.

C) Horizontal privilege issues, arbitrary voting, unauthorized access, etc.

0x07: Summary

This is what I know at present. I hope it is helpful to newcomers to PHP code audit and vulnerability mining. Since I only started learning PHP vulnerability mining recently, I hope you can offer plenty of learning suggestions and ideas, criticize and correct the mistakes in the article, and that the experts can guide me with examples.
