phptaint: a PHP extension module for detecting XSS, SQL injection and shell injection
Web penetration testing is usually done from a black-box or grey-box angle to find out whether a web application is vulnerable. That approach misses many vulnerabilities, especially flaws in program logic. Combining it with a white-box source audit (also called vulnerability mining) gives better results, at a higher labour cost. Who should do the source audit is a contested question: developers, testers or security staff?
My own view: if developers can do a rough self-review of their own source, and security staff (or, where there are none, white-box testers) take responsibility for the overall source review, that is a good arrangement.
Beyond the labour cost there is a question of trust: is the organisation willing to open its source to security staff? That is a sensitive matter, but from a technical standpoint, source auditing is a valuable skill to add.
This article introduces two open-source PHP source audit tools: taint, which suits developers' self-review of their own code, and RIPS, which suits security source review.
I. taint
1. Introduction
PHP taint is a PHP extension module that detects XSS, SQL injection and shell injection. Its principle: it hooks certain key functions (the sinks, such as mysql_query, shell_exec, include, echo) and checks whether data originating from $_GET, $_POST, $_COOKIE and similar sources reaches them directly, without having passed through a filtering or escaping function; if so, it emits a warning.
It can be used for PHP source auditing and helps to locate vulnerabilities quickly.
2. Installation
Step one: download and install taint
wget http://pecl.php.net/get/taint-1.2.2.tgz   (download the latest taint)
tar zxvf taint-1.2.2.tgz
cd taint-1.2.2
phpize   (if the command is not found, give the full path, e.g. /usr/local/php5/bin/phpize)
./configure --with-php-config=<path-to-php-config>
make
make install
Step two: edit the php.ini configuration file so the taint module is loaded
Add:
extension=/usr/lib/php5/20090626+lfs/taint.so
taint.enable=1
display_errors = On
error_reporting = E_ALL & ~E_DEPRECATED
Then restart the web server:
apache2ctl restart
Note: enable this extension only in a development environment. It adds overhead to every request, and display_errors = On would expose file paths and query fragments to users in production.
Step three: check that the module is loaded
vim phpinfo.php
<?php phpinfo(); ?>
If a taint section appears in the phpinfo() output, the extension has been loaded successfully.
3. Testing (using DVWA as the main test target)
Example 1: SQL injection vulnerability
$user = $_GET['username'];
$pass = $_GET['password'];
$pass = md5($pass);
$qry = "SELECT * FROM `users` WHERE user='$user' AND password='$pass';";
$result = mysql_query($qry) or die('<pre>' . mysql_error() . '</pre>');
Running the page produces the following warning:
Warning: mysql_query(): SQL statement contains data that might be tainted in /var/www/dvwa/vulnerabilities/brute/source/low.php on line 11
If the PHP source first passes the data through one of the following functions, no warning is issued:
mysql_real_escape_string (does not escape % or _), stripslashes, is_numeric
Bear in mind that these functions only clear the taint mark; whether the value is actually safe depends on the context it is used in. mysql_real_escape_string only protects a value placed inside a quoted string literal (and, as noted, leaves % and _ alone, which matters in LIKE patterns), and stripslashes removes backslashes and provides no protection at all. A clean taint run is therefore not proof that a sink is safe.
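The following is an added example, not code from the original article or from DVWA. It places the DVWA-style concatenated query beside a prepared-statement version and runs both against an in-memory SQLite database, so it works offline. It assumes the taint extension is loaded (taint.enable=1) for the taint() and is_tainted() functions; when the extension is absent the taint checks simply report false and the SQL comparison still runs.

```php
<?php
// Added example (not from the original article or DVWA). Assumes the taint
// extension for taint()/is_tainted(); degrades gracefully without it.

function isTainted(string $s): bool
{
    return function_exists('is_tainted') && is_tainted($s);
}

function setupDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (user TEXT, password TEXT)');
    // Constructed sample row: user "admin" with the MD5 of "s3cret".
    $db->exec("INSERT INTO users VALUES ('admin', '" . md5('s3cret') . "')");
    return $db;
}

// Vulnerable form (as in DVWA low.php): the user-controlled string is spliced
// into the SQL text, so the taint mark on $user reaches the query sink.
function loginVulnerable(PDO $db, string $user, string $pass): int
{
    $qry = "SELECT * FROM users WHERE user='$user' AND password='" . md5($pass) . "'";
    return count($db->query($qry)->fetchAll());
}

// Hardened form: bound parameters. The SQL text is a constant and the
// tainted value travels to the driver as data, never as query text.
function loginSafe(PDO $db, string $user, string $pass): int
{
    $stmt = $db->prepare('SELECT * FROM users WHERE user = :u AND password = :p');
    $stmt->execute([':u' => $user, ':p' => md5($pass)]);
    return count($stmt->fetchAll());
}

$db = setupDb();

// Constructed attacker input. In a real request the values in $_GET arrive
// already marked by the extension; in this stand-alone script we mark the
// string by hand with taint().
$user = "admin' OR '1'='1";
$pass = 'wrong-password';
if (function_exists('taint')) {
    taint($user);
}

printf("input tainted: %s\n", isTainted($user) ? 'yes' : 'no');
printf("vulnerable query matched %d row(s)\n", loginVulnerable($db, $user, $pass));
printf("prepared query matched %d row(s)\n", loginSafe($db, $user, $pass));
```

With the constructed input, the concatenated query matches the admin row (the OR clause bypasses the password check) while the prepared query matches nothing. Under the taint extension the first form is what produces the "might be tainted" warning the article shows for mysql_query; the second form never puts the marked string into SQL text, so there is nothing for the sink to report.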
Example 2: command execution vulnerability
<?php
if (isset($_POST['submit'])) {
    $target = $_REQUEST['ip'];
    // Determine OS and execute the ping command.
    if (stristr(php_uname('s'), 'Windows NT')) {
        $cmd = shell_exec('ping ' . $target);
        echo '<pre>' . $cmd . '</pre>';
    } else {
        $cmd = shell_exec('ping -c 3 ' . $target);
        echo '<pre>' . $cmd . '</pre>';
    }
}
?>
Running the page produces the following warning:
Warning: shell_exec(): CMD statement contains data that might be tainted in /var/www/dvwa/vulnerabilities/exec/source/low.php on line 15
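The following is an added example, not code from the original article or from DVWA. It shows the ping handler's target parameter passed through an address check before it can reach the shell, and the command built with escapeshellarg(). The command string is returned rather than executed, so the script runs without touching the network. It assumes the taint extension's untaint() function; without the extension the validation still works, only the mark-clearing call is skipped.

```php
<?php
// Added example (not from the original article or DVWA). Assumes the taint
// extension for untaint(); the validation works without it.

// Constructed attacker inputs: a benign address, a shell-metacharacter
// payload, and a payload that relies on a newline instead of ';'.
const SAMPLES = [
    '127.0.0.1',
    '127.0.0.1; id',
    "127.0.0.1\nid",
];

// Accept only a value that is syntactically an IPv4/IPv6 address. The taint
// mark is removed only after the check passes: untaint() is the developer's
// explicit statement that this validation is sufficient for the sink.
function validatedTarget(string $raw): ?string
{
    $ip = filter_var($raw, FILTER_VALIDATE_IP);
    if ($ip === false) {
        return null;
    }
    if (function_exists('untaint')) {
        untaint($ip);
    }
    return $ip;
}

// Build the command DVWA would run, with the target quoted as one argument.
// escapeshellarg() on its own already stops the ';' and newline payloads from
// being interpreted by the shell; the allow-list above additionally stops
// ping from ever receiving an argument that is not an address.
function buildPingCommand(string $raw): ?string
{
    $target = validatedTarget($raw);
    if ($target === null) {
        return null;
    }
    $ping = stristr(php_uname('s'), 'Windows NT') ? 'ping ' : 'ping -c 3 ';
    return $ping . escapeshellarg($target);
}

foreach (SAMPLES as $raw) {
    $cmd = buildPingCommand($raw);
    printf("%-22s -> %s\n", json_encode($raw), $cmd ?? 'rejected');
}
```

Only the first sample yields a command; the two injection payloads fail FILTER_VALIDATE_IP and are rejected before any string is assembled. Validating against an allow-list and then untainting is the workflow the extension is designed around: the warning at shell_exec() disappears because the developer has made a deliberate, reviewable decision, not because a generic escaping call happened to clear the mark.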
Example 3: file inclusion vulnerability (often combined with a directory traversal vulnerability)
<?php $file = $_GET['file']; include($file); ?>
Running the page produces the following warning:
Warning: include(): File path contains data that might be tainted in /var/www/dvwa/vulnerabilities/fi/index.php on line 35
Example 4: XSS vulnerability
<?php
if (!array_key_exists("name", $_GET) || $_GET['name'] == NULL || $_GET['name'] == '') {
    $isempty = true;
} else {
    echo '<pre>';
    echo 'Hello ' . $_GET['name'];
    echo '</pre>';
}
?>
Running the page produces a taint warning at the echo that outputs $_GET['name'] (the screenshot is not reproduced here).
Example 5: code execution via eval
<?php $cmd = $_GET['cmd']; eval("$cmd;"); ?>
Example 6: file read operations
<?php
$path = $_GET['path'];
$contents = file($path);
foreach ($contents as $line_num => $line) {
    echo "line #<b>{$line_num}</b>: " . htmlspecialchars($line) . "<br>\n";
}
?>
II. RIPS
Taint can alert developers at runtime to the damage that unfiltered parameters can cause, but because it only reports on the code paths a request actually executes, its coverage depends on which pages and inputs are exercised during testing. Centralised security auditing of PHP source is a better fit for RIPS, which analyses the code statically. We ran RIPS over the example code above; the report (screenshot not reproduced here) is summarised below.
It shows that the tool found 7 security issues, a good result.
PHP source auditing is a mature subject; there is plenty of detailed material online on how to do it, and many open-source auditing tools. Thanks to the people who shared this information.