Some ideas about attacking PHP framework

Source: Internet
Author: User
Tags: php, framework, codeigniter

Foreword

This article introduces some of the mainstream development frameworks and current program design ideas, including some trends and concepts in web design. It also explains, from my own perspective, how to read a PHP program; the method applies to the open-source frameworks listed below and to some in-house frameworks (as long as you can see the source code).

Choice of frameworks

ThinkPHP V3.2

CodeIgniter V2.2.2

Laravel V5.1

I picked these three frameworks because I think they are the most representative. ThinkPHP (TP) is very popular in China, especially in small companies. CodeIgniter (CI) is a traditional, very popular and very mature framework; as far as I know, most of Sina's sites are written with it. Laravel is a framework full of design ideas: it applies all the newest PHP technologies, borrows heavily from the structure of Java and Python frameworks, and is currently the most popular framework in surveys.

Understanding the frameworks

(Directory structure listings, in order: Laravel -> CodeIgniter (CI) -> ThinkPHP (TP))

CI, in the middle, has no composer.json file; that is the PHP package-management configuration file, and CI 3.0+ also added PHP package management, which is really convenient for most programmers. A directory structure like this is obvious and can be understood at a glance.

Basic design pattern of the frameworks

The basic design pattern is MVC. Note: the multi-layer variant is HMVC, which decomposes a client application into a hierarchy of parent-child MVC triads.

File locations in MVC

When reading a CMS program, first find where the controller code lives, then the model files, and finally the view files. But I have really seen framework-based programs where I had to look for controller logic in the model files, and found vulnerabilities there; that programmer was an idiot!

Controller

(Controller directory listings, in order: Laravel -> CodeIgniter (CI) -> ThinkPHP (TP))

Model
(Model directory listings, in order: Laravel -> CodeIgniter (CI) -> ThinkPHP (TP))

Database Connection File

TP (generally 2.0 | 3.0):

(application) \ (Home) \conf\config.php

(application) defaults to application; modifying it is discouraged, and you can check it directly in index.php.

(Home) is the project directory; it varies by project!

    'DB_TYPE'   => 'mysql',         // database type
    'DB_HOST'   => 'localhost',     // server address
    'DB_NAME'   => 'chopperproxyl', // database name
    'DB_USER'   => 'root',          // username
    'DB_PWD'    => 'root',          // password
    'DB_PORT'   => 3306,            // port
    'DB_PREFIX' => 'xl_',           // database table prefix

CI (generally 2.0 | 3.0):

(application) \config\database.php

It is generally a fixed application directory; modifying it is discouraged, and likewise the project name can be seen inside index.php.

Laravel (in 5.0 | 4.0 there is one app directory):

This one is special! The code directory contains a .env file with some of the project's configuration, and the database connection information can be set there (though it need not be).

You can also write it directly in the file config\database.php:

Here the default database type is defined.

Note: the actual configuration may take two forms, defined in .env or written into the file. If both sets of configuration appear in the configuration file, the system may be using multiple databases.

Is that all?!

These are the most basic things in these few frameworks. Next, it would be interesting to write down some security aspects and some of my own ideas.

SQL Operations Model

In PHP development, two techniques are generally used.

Technique one: Active Record (ORM)

ORM technology: Object-Relational Mapping maps the table structure of a relational database onto objects.

For example

In ThinkPHP:

In CI:

Technique two: query builder mode

Define an abstract database class that contains the various commonly used methods. For example, in Laravel:

Note: the difference between the two methods is simply whether or not you first have to go through the model file.

Possible SQL injection problems:

1. Because of the complexity of the business, SQL statements are sometimes convoluted, and almost every framework supports the use of native SQL statements.

CI:

TP:

Laravel:

Note: the parameters in all of these methods are not filtered, and the underlying layer does not process them, which can lead to injection.

2. Incorrect use of the safe function (preprocessing)

TP's official method:

If you use version 3.1 or above, it is recommended to use the preprocessing mechanism when using string conditions, to ensure better security, for example:

    $Model->where("id=%d and username='%s' and xx='%f'", array($id, $username, $xx))->select();

or use:

    $Model->where("id=%d and username='%s' and xx='%f'", $id, $username, $xx)->select();

The underlying implementation: take the function's input parameters, run addslashes once on every parameter, then use vsprintf to format the string. Problem: if a numeric field is bound with %s and no quotation marks are written around it, injection is possible.
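As an added example (not ThinkPHP's own code), the following stand-alone script models the preprocessing step just described, addslashes on every argument followed by vsprintf, and counts the rows each resulting condition would match against an in-memory SQLite table (assumes the pdo_sqlite extension; table and values are constructed here). It shows why %d on a numeric column is safe while an unquoted %s is not:

```php
<?php
// Added example, not ThinkPHP's own code: a stand-alone model of the string-condition
// preprocessing described above (every argument is passed through addslashes() once, then
// the template is formatted with vsprintf()). An in-memory SQLite table stands in for the
// real database so the effect of each placeholder choice can be counted.

// The escape-then-format step, as the text describes it.
function preprocessWhere(string $template, array $args): string
{
    $escaped = array_map(function ($a) { return addslashes((string) $a); }, $args);
    return vsprintf($template, $escaped);
}

// Constructed fixture: three users, two of them active (status = 1).
function fixture(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE user (id INTEGER, name TEXT, status INTEGER)');
    $pdo->exec("INSERT INTO user VALUES (1,'alice',1),(2,'bob',1),(3,'carol',0)");
    return $pdo;
}

function countRows(PDO $pdo, string $where): int
{
    return (int) $pdo->query("SELECT COUNT(*) FROM user WHERE $where")->fetchColumn();
}

$pdo   = fixture();
$input = '0 or 1=1';   // constructed attacker-style value for a numeric column

// Case A: %d for the numeric column. vsprintf() casts the argument to an integer,
// so only the leading "0" survives and the condition keeps its shape.
$safe = preprocessWhere('id=%d and status=%d', [$input, 1]);
printf("A: %s -> %d row(s)\n", $safe, countRows($pdo, $safe));
// A: id=0 and status=1 -> 0 row(s)

// Case B: %s for the same column with no quotes around it. addslashes() finds nothing
// to escape (no quote or backslash in the input), so the text is pasted in verbatim
// and the "or 1=1" becomes part of the condition.
$broken = preprocessWhere('id=%s and status=%d', [$input, 1]);
printf("B: %s -> %d row(s)\n", $broken, countRows($pdo, $broken));
// B: id=0 or 1=1 and status=1 -> 2 row(s)

// Case C: %s is fine for a string column when the quotes are written in the template,
// because the value then sits inside a literal and addslashes() escapes any quote in it.
// Shown only as rendered text: backslash escaping is MySQL's convention, not SQLite's.
$quoted = preprocessWhere("name='%s' and status=%d", ["bob' or '1'='1", 1]);
printf("C: %s\n", $quoted);
// C: name='bob\' or \'1\'=\'1' and status=1
```

When auditing code that uses this mechanism, the check is mechanical: every %s placeholder must either be wrapped in quotes in the template or replaced by %d/%f for numeric columns.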

3. Key field of a where sub-query controllable

CI: controller code

Model Code:

The value fields of the query array are escaped, but the key fields are not.

Access it and view the result:

Laravel: the same problem exists in Laravel.

Where $type is controllable, injection results.

Note: ThinkPHP does not have this problem, because it wrote its own way of parsing where clauses; although it is safe at this point, the biggest accident in history was also its own.
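As an added example (not CodeIgniter's or Laravel's code), the following stand-alone script models the where(array) behaviour described for CI and Laravel, values escaped but column names pasted in as-is, and then shows the column allowlist a controller should apply whenever the key side comes from the request. Table and column names are constructed for the example:

```php
<?php
// Added example, not CodeIgniter's or Laravel's code: a stand-alone model of the where()
// behaviour described above (values are quoted and escaped, the column names on the key
// side are pasted in unchanged), followed by the allowlist check a controller should apply
// whenever the column name itself comes from the request.

// Mimics where(array $conditions): escapes the value side only.
function buildWhere(array $conditions): string
{
    $parts = [];
    foreach ($conditions as $column => $value) {
        $quoted  = "'" . addslashes((string) $value) . "'";  // value side: escaped
        $parts[] = "$column = $quoted";                        // key side: verbatim
    }
    return 'SELECT * FROM user WHERE ' . implode(' AND ', $parts);
}

// Hardened wrapper: the column must be one of the names this endpoint actually supports.
// The comparison is strict, so "type " or "TYPE" would also be rejected.
function buildWhereChecked(array $conditions, array $allowedColumns): string
{
    foreach (array_keys($conditions) as $column) {
        if (!in_array($column, $allowedColumns, true)) {
            throw new InvalidArgumentException("column not allowed: $column");
        }
    }
    return buildWhere($conditions);
}

$allowed = ['username', 'email', 'type'];

// 1) Developer chose the key, user supplied the value: the escaping does its job.
echo buildWhere(['type' => "admin' OR '1'='1"]), "\n";
// SELECT * FROM user WHERE type = 'admin\' OR \'1\'=\'1'

// 2) Constructed request where the key is taken from input (the $type of the text):
//    the escaping never sees it, and the condition is rewritten.
$type = "1=1 OR type";
echo buildWhere([$type => 'admin']), "\n";
// SELECT * FROM user WHERE 1=1 OR type = 'admin'

// 3) Same input through the checked version: rejected before any SQL is built.
try {
    echo buildWhereChecked([$type => 'admin'], $allowed), "\n";
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
// rejected: column not allowed: 1=1 OR type

// 4) A legitimate column name passes the check unchanged.
echo buildWhereChecked(['email' => 'a@example.com'], $allowed), "\n";
// SELECT * FROM user WHERE email = 'a@example.com'
```

An allowlist is preferable to escaping here because a column name is an identifier, not a string literal: no amount of quoting makes an arbitrary identifier safe, whereas a fixed set of permitted names is easy to review during an audit.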

URL Routing

Generally, when looking at a CMS, you find which code a URL corresponds to and audit that way! One concept in web development is the semantic URL.

The traditional URL:

https://g.wen.lu/search?newwindow=1&site=&source=hp&q=URL+%E8%AF%AD%E4%B9%89%E5%8C%96&btnG= Google+%e6%90%9c%e7%b4%a2&gws_rd=cr&ei=jli4vex_bciy0gsnjzvgda

is of the form parameter=value.

A semantic URL:

Http://blog.suchasplus.com/2008/10/uri-pretty-and-url-mapping-with-apache-and-php-how-to.html

The simple explanation is that you can tell from the URL what data or feature the page shows, and this is a trend in later web development. Not only these three frameworks, but other frameworks, or ones you develop yourself, will have this functionality. As advanced PHP frameworks, they also have route binding! A route binding maps a URL that a user accesses in a project to a specific controller. (In the code audit process this is how you get from a URL to the corresponding code.)

Laravel:

app\Http\routes.php in the project directory

CI:

TP:

With a framework like TP, up to 3.2 the default URL form is still

http://serverName/index.php/module/Controller/operation

which is a stupid way. However, it also has the ability to bind routes.

Find the configuration item

    'URL_ROUTER_ON' => true,

then look for the configuration item

    URL_ROUTE_RULES

Note: with these configuration items you can quickly find the controller code corresponding to a URL! Another reason to mention this is that you may encounter REST-style URLs later, and this is a trend!

The same URL may correspond to several different pieces of controller code. The HTTP protocol has the GET, POST, PUT and DELETE methods. A web program creates, reads, updates and deletes data; the corresponding operations are CRUD, and they map directly onto the methods:

C corresponds to POST, R to GET, U to PUT, D to DELETE.

In the code, the corresponding controller method is invoked by checking the request method.

Framework filtering mechanisms (points to note during the audit)

One: filtering of URLs

Because of URL routing, current frameworks more or less filter or validate parameters passed in GET mode.

TP:

1. For example, \d restricts the parameter to digits only.

2. Or use a regular expression to match, which achieves a filtering effect.

CI:

CI filtering is the same: a regular expression is used to match.

Laravel:

You can also define a filter when defining a URL route, using the where function to restrict the type of a parameter directly on the route.

Or there is a boot function in the file app\Providers\RouteServiceProvider.php where global filters can be defined; look in this area.
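As an added example serving both the REST-style dispatch described under URL routing and the parameter constraints described in this section (not the routing code of any of the three frameworks), the following stand-alone mini-router binds one URL to several controller methods by HTTP verb and attaches a \d+ constraint to the id parameter, so a non-numeric id never reaches a controller. The route table, the controller name and the URLs are constructed for the example:

```php
<?php
// Added example, not the routing code of any of the three frameworks: a minimal router that
// shows the two ideas from the routing sections above. First, one URL maps to several
// controller methods selected by the HTTP verb (C/R/U/D = POST/GET/PUT/DELETE). Second, a
// parameter constraint such as \d+ is attached to the route, so a non-numeric id is refused
// before any controller runs. Route table, controller name and URLs are constructed here.

final class Route
{
    public $pattern;      // e.g. 'user/{id}'
    public $constraints;  // e.g. ['id' => '\d+']; unconstrained params match any one segment
    public $handlers;     // e.g. ['GET' => 'UserController@read', ...]

    public function __construct(string $pattern, array $constraints, array $handlers)
    {
        $this->pattern     = $pattern;
        $this->constraints = $constraints;
        $this->handlers    = $handlers;
    }

    // Compile 'user/{id}' plus its constraints into one anchored regex with named groups.
    public function regex(): string
    {
        $parts = [];
        foreach (explode('/', trim($this->pattern, '/')) as $segment) {
            if (preg_match('/^\{(\w+)\}$/', $segment, $m)) {
                $constraint = $this->constraints[$m[1]] ?? '[^/]+';
                $parts[]    = '(?P<' . $m[1] . '>' . $constraint . ')';
            } else {
                $parts[] = preg_quote($segment, '#');
            }
        }
        return '#^' . implode('/', $parts) . '$#';
    }
}

// Returns the handler that would run and the captured parameters, or an HTTP-style status.
function dispatch(array $routes, string $method, string $path): array
{
    $path = trim($path, '/');
    foreach ($routes as $route) {
        if (!preg_match($route->regex(), $path, $m)) {
            continue;                       // different URL, or a constraint failed
        }
        $handler = $route->handlers[$method] ?? null;
        if ($handler === null) {
            return ['status' => 405, 'handler' => null, 'params' => []];
        }
        $params = array_filter($m, 'is_string', ARRAY_FILTER_USE_KEY);  // named groups only
        return ['status' => 200, 'handler' => $handler, 'params' => $params];
    }
    return ['status' => 404, 'handler' => null, 'params' => []];
}

$routes = [
    new Route('user', [], ['POST' => 'UserController@create']),
    new Route('user/{id}', ['id' => '\d+'], [
        'GET'    => 'UserController@read',
        'PUT'    => 'UserController@update',
        'DELETE' => 'UserController@delete',
    ]),
];

foreach ([['GET', '/user/42'], ['DELETE', '/user/42'], ['PATCH', '/user/42'],
          ['GET', '/user/42 or 1=1'], ['POST', '/user']] as [$method, $url]) {
    $r = dispatch($routes, $method, $url);
    printf("%-6s %-18s -> %d %s %s\n", $method, $url, $r['status'],
           $r['handler'] ?? '-', json_encode($r['params']));
}
// GET    /user/42           -> 200 UserController@read {"id":"42"}
// DELETE /user/42           -> 200 UserController@delete {"id":"42"}
// PATCH  /user/42           -> 405 - []
// GET    /user/42 or 1=1    -> 404 - []
// POST   /user              -> 200 UserController@create []
```

During an audit the same shape applies to the real frameworks: first read the route table to learn which verb selects which method, then check whether each parameter carries a constraint, because a parameter that reaches the controller unconstrained is the one whose handling in the model needs closer reading.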

Two: filtering of received parameters

Nowadays frameworks generally rewrite $_GET/$_POST/$_REQUEST into their own input system, and some of these input functions have parameters that choose whether to filter.

TP:

Overridden function I()

Usage

    I('get.id'); | I('post.id');

By setting the default value and the filter function, the filtering effect is achieved.

    I('get.name', 'Test', 'htmlspecialchars');

CI:

All system methods in CI begin with $this. The overridden input function is $this->input.

Usage

    $this->input->post('something');

The second parameter of input is for XSS only; set to TRUE, the value passes once through CI's xss_clean function.

Laravel:

This one is impressive! Laravel defines a middleware type (borrowed from Java). The role of middleware is to perform layer-by-layer inspection and filtering, or even outright rejection, before the HTTP request actually reaches the application. It is generally used for permission validation, parameter filtering, data encryption and decryption, and so on. All middleware is under the app\Http\Middleware directory; depending on the situation, check whether filters are written there.

Overridden input function

Request $request

    $request->input('ip');

The second parameter only sets a default value; there is no actual filtering.

Three: default settings of the global security mechanisms

CI:

There is also a default parameter

    $config['global_xss_filtering'] = TRUE;

After enabling it, all parameters pass through the xss_clean function once more.

TP:

Global filter parameter

    'DEFAULT_FILTER' => 'strip_tags,stripslashes',

The received data is filtered by these functions in sequence.
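As an added example (not ThinkPHP's own code), the following stand-alone script reproduces the mechanism shared by the third parameter of I() and the DEFAULT_FILTER setting, a comma-separated list of function names applied to the value in order, and runs it over a few constructed inputs so that an auditor can see what these filters change and what they leave untouched:

```php
<?php
// Added example, not ThinkPHP's own code: a stand-alone version of the mechanism behind
// the third parameter of I() and the DEFAULT_FILTER setting, a comma-separated list of
// function names applied to the value in order, run over a few constructed inputs so it
// is visible what these filters change and what they leave untouched.

function applyFilterChain(string $value, string $filters): string
{
    $names = array_filter(array_map('trim', explode(',', $filters)));
    foreach ($names as $fn) {
        // The setting names arbitrary functions; refuse anything that is not callable
        // rather than silently skipping it.
        if (!is_callable($fn)) {
            throw new RuntimeException("unknown filter: $fn");
        }
        $value = (string) $fn($value);
    }
    return $value;
}

// Constructed inputs: markup, a legitimate apostrophe, and a SQL-shaped string.
$samples = [
    'markup' => '<b onmouseover=alert(1)>Tom</b>',
    'name'   => "O'Brien",
    'sql'    => "' OR 1=1 --",
];

foreach (['strip_tags,stripslashes', 'htmlspecialchars'] as $chain) {
    foreach ($samples as $label => $input) {
        printf("%-24s %-6s %s\n", $chain, $label, applyFilterChain($input, $chain));
    }
}
// strip_tags,stripslashes  markup Tom
// strip_tags,stripslashes  name   O'Brien
// strip_tags,stripslashes  sql    ' OR 1=1 --
// htmlspecialchars         markup &lt;b onmouseover=alert(1)&gt;Tom&lt;/b&gt;
// htmlspecialchars         name   O&#039;Brien        (PHP >= 8.1; older defaults keep the quote)
// htmlspecialchars         sql    &#039; OR 1=1 --
```

Two things to take from the output when auditing. The strip_tags,stripslashes chain leaves the SQL-shaped input byte for byte intact, so a value that has passed DEFAULT_FILTER still needs binding or escaping when it reaches a query; these are output-encoding filters, not a substitute for prepared statements. And htmlspecialchars rewrites legitimate data (O'Brien becomes an entity before it is stored), which is why a global filter of this kind often ends up disabled in real projects, and the audit should confirm what the project actually configured rather than assume the default.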

Laravel:

Global CSRF filtering is enabled by default (borrowed from the Django framework).

Otherwise there seems to be nothing else. 0-0

Some things that came to mind while going through each framework

1. When testing, if a normal request cannot get at the data, you can add the HTTP header

    X-Requested-With: XMLHttpRequest

which marks an AJAX request. It is now common for programmers to write pure API interfaces that distinguish direct access from AJAX, which can cut data requests by seventy or eighty percent.

For example:

Laravel:

CI:

TP:

The constant IS_AJAX judges whether it is an AJAX submission; not written out here!

2. If a file is uploaded successfully but cannot be accessed, there are several reasons.

The .htaccess file restricts access to all files except index.php in the root directory; with the URL routing feature, every path that is not in the routes, such as

http://testtest.net/test/test.php

is inaccessible. This is one reason Django-like frameworks are hard to attack. (PHP is moving in a disciplined direction.) At this point you either need to overwrite the route file or overwrite the corresponding method (this is too hard; you must not destroy the file, only modify the corresponding method). A framework like Laravel itself sets the public directory as the web root (by default).

This directory contains nothing but the index.php file; uploaded files generally live in a directory outside the web root and cannot be accessed directly. They can only be reached by a directory jump or a file inclusion.
