[2]. Command Execution
Functions:
system(), passthru(), popen(), exec()
Command execution functions:
exec, system, popen, passthru, proc_open, shell_exec
Pipe character: |
Test: 0 | dir c:
||: double vertical bars. If the preceding command fails, the following command is executed.
For example: xx"+|+whoami+|+echo (the + signs are URL-encoded spaces)
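The pattern this section describes, shown as an added example (not code from the original notes): a host name from the request is concatenated into a shell command, beside two hardened versions. The function names, the allow-list pattern and the use of ping are assumptions for illustration.

```php
<?php
// VULNERABLE: $host comes straight from the request, so a value such as
// "127.0.0.1 | whoami" or "x || dir" turns one command into two, exactly
// as the | and || notes above describe.
function ping_vulnerable(string $host): string
{
    return (string) shell_exec("ping -c 1 " . $host);
}

// HARDENED, option 1: validate against a strict allow-list pattern, then
// quote. escapeshellarg() wraps the value in single quotes so |, ||, ;, `
// and $() reach ping as literal characters instead of being parsed by the shell.
function ping_validated(string $host): string
{
    if (!preg_match('/^[A-Za-z0-9.\-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// HARDENED, option 2: avoid the shell entirely. proc_open() with an array
// command (PHP 7.4+) executes the program directly, so no shell ever sees
// the metacharacters in $host and they have no special meaning.
function ping_noshell(string $host): string
{
    $spec  = [1 => ['pipe', 'w']];          // capture stdout only
    $pipes = [];
    $proc  = proc_open(['ping', '-c', '1', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        throw new RuntimeException('cannot start ping');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    proc_close($proc);
    return (string) $out;
}

// During an audit, grep for the functions listed above (system, exec,
// shell_exec, passthru, popen, proc_open) and check whether the argument
// can be influenced by $_GET, $_POST, $_COOKIE or a file the user controls.
```

The allow-list check is the real control; escapeshellarg() is defence in depth, and the array form of proc_open() removes the shell from the picture altogether, which is the strongest option when the command does not need shell features.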
-----------------------------------------------
[3]. File Inclusion
Functions:
include(), require(), include_once(), require_once()
Remote File Inclusion vulnerability requirements:
allow_url_fopen, allow_url_include, file_get_contents()
Bypass: zlib:// and ogg://
Versions later than 5.2.0:
data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8+ (decodes to <?php phpinfo();?>)
@eval(file_get_contents('php://input')); // POST body: phpinfo();
Using %00 truncation; newer versions automatically escape \0
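An added example, not from the original notes, of the include() pattern this section audits for and of the allow-list form that removes the user value from the path. The page names, directory layout and php.ini values are assumptions.

```php
<?php
// VULNERABLE: the request value is concatenated into the include path.
// With allow_url_include=On a remote URL can be included; even with it
// off, wrappers such as data:// and php://input, "../" traversal and (on
// old PHP versions) a %00-truncated path still select arbitrary files.
function load_page_vulnerable(string $page): void
{
    include $page . '.php';
}

// HARDENED: map the request value onto a fixed set of known files. The
// user-supplied string is only ever used as an array key, so wrappers,
// traversal sequences and null bytes never reach include().
const PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $page): ?string
{
    return PAGES[$page] ?? null;   // null for anything not on the list
}

function load_page(string $page): void
{
    $file = resolve_page($page);
    if ($file === null) {
        http_response_code(404);
        return;
    }
    include __DIR__ . '/' . $file;
}

load_page($_GET['page'] ?? 'home');

// Defence in depth, set in php.ini (assumed values). These are
// PHP_INI_SYSTEM settings and cannot be changed with ini_set() at runtime:
//   allow_url_fopen   = Off
//   allow_url_include = Off
//   open_basedir      = /var/www/app/
```

When auditing, every include/require whose argument is not a literal or a value from such a fixed map deserves a look at where the argument comes from.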
-----------------------------------------------
[4]. CSRF
CSRF protection strategies
1> Verify the HTTP Referer field
Low security; easy to forge.
2> Add a token to the request and verify it
After the user logs in, a token can be stored in the session. On each request the token is taken out of the session and compared with the token in the request to prevent CSRF.
GET method: http://url/?token=<token>
However, for HTML generated dynamically after the page loads, the token must be added by hand.
The weakness of this method is that, for example, an attacker can set up an environment that steals tokens and builds a CSRF attack in areas with frequent interaction, such as forums.
Therefore, the Referer should be disabled manually.
3> Customize an attribute in the HTTP header and verify it, using the XMLHttpRequest class.
This method is usually used for asynchronous page refreshes via Ajax.
However, it has limited applicability and imposes major constraints on the existing website architecture.
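The session-token scheme from point 2, with the custom-header variant from point 3, as an added example that is not part of the original notes. The field name csrf_token, the header name X-CSRF-Token and the 32-byte token length are assumptions.

```php
<?php
session_start();

// One random token per session, from the CSPRNG (random_bytes).
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for every state-changing form. A hidden POST field is
// preferred over the GET form shown above, because a token in the URL
// is exposed through Referer headers, browser history and server logs.
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare with hash_equals() so the check does not leak timing information.
function csrf_verify(?string $submitted): bool
{
    $expected = $_SESSION['csrf_token'] ?? '';
    return $expected !== '' && is_string($submitted)
        && hash_equals($expected, $submitted);
}

// Ajax callers (point 3) send the same token in a custom header that the
// front end sets on the XMLHttpRequest; browsers do not add custom headers
// to cross-site form submissions, which is what makes this variant work.
function csrf_verify_request(): bool
{
    $token = $_POST['csrf_token'] ?? ($_SERVER['HTTP_X_CSRF_TOKEN'] ?? null);
    return csrf_verify($token);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_verify_request()) {
    http_response_code(403);
    exit('invalid CSRF token');
}

echo '<form method="post">' . csrf_field() . '<button>Save</button></form>';
```

The token check only helps if it is applied to every state-changing request; an audit should look for POST handlers, and GET handlers that change state, that skip it.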
-----------------------------------------------
[5]. XSS (Cross-Site Scripting)
Reflected and stored
Control the input variables in $_GET, $_POST and $_COOKIE
Use the htmlspecialchars() function for basic filtering
Can be chained with CSRF for automated exploitation
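An added example, not from the original notes, of what "basic filtering with htmlspecialchars()" needs to look like in practice: encoding chosen per output context. The parameter name q and the page layout are assumptions.

```php
<?php
// HTML body and attribute context. ENT_QUOTES matters: before PHP 8.1 the
// default flags leave single quotes untouched, so a value placed inside
// value='...' could still break out of the attribute. ENT_SUBSTITUTE
// replaces invalid UTF-8 instead of returning an empty string.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// JavaScript context: HTML escaping is the wrong tool here. json_encode()
// with the HEX flags yields a JS literal in which <, >, &, ' and " are
// \u-escaped, so neither </script> nor quotes can end the literal.
function js($v): string
{
    return json_encode($v, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT);
}

// Session cookie not readable from script, which limits what a successful
// reflected or stored XSS can steal.
session_set_cookie_params(['httponly' => true, 'samesite' => 'Lax']);

$q = $_GET['q'] ?? '';   // reflected input
?>
<p>Results for: <?= e($q) ?></p>
<input type="text" name="q" value="<?= e($q) ?>">
<script>var query = <?= js($q) ?>;</script>
```

During an audit, each echo/print of a request- or database-derived value is checked against the context it lands in: HTML text, attribute, JavaScript, URL or CSS each need their own encoder, and htmlspecialchars() alone covers only the first two.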
-----------------------------------------------
[6]. File Upload
Function: move_uploaded_file()
Variable: $_FILES
A PHP upload form must POST with enctype multipart/form-data to transfer the file data.
PHP uses the $_FILES superglobal and the move_uploaded_file() function to move the temporary file described by $_FILES to the specified directory.
$_FILES['files']['name']      original name of the file on the client
$_FILES['files']['type']      MIME type of the file, as reported by the client
$_FILES['files']['size']      size of the uploaded file
$_FILES['files']['tmp_name']  temporary file name under which the upload is stored on the server
$_FILES['files']['error']     error code of the upload
Defense methods:
1> Check the MIME type, e.g. $_FILES['files']['type'] == "image/jpeg", and the file size, e.g. $_FILES['files']['size'] < 10000 && $_FILES['files']['size'] > 100
2> Generate the stored file name on the server, e.g. a time-based hash(time) . ".jpg"
3> Check the file based on its extension
For example: $file_ext = substr($filename, strrpos($filename, '.') + 1);
Check for logic problems such as double extensions and second-stage upload bypasses.
4> Have the server try to render the file to determine whether it really is an image.
5> Do not rely on client-side JavaScript restrictions on upload file types.
6> Use whitelist rules.
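An upload handler that applies the six defenses above together, as an added example that is not part of the original notes. The upload directory, the size limit, the allowed types and the field name files are assumptions.

```php
<?php
const UPLOAD_DIR = '/var/www/uploads';   // assumed: outside the web root
const MAX_BYTES  = 2 * 1024 * 1024;
// Whitelist (point 6): content MIME type => the one extension we store it under.
const ALLOWED = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];

function handle_upload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . $file['error']);
    }
    // Size bounds (point 1).
    if ($file['size'] <= 0 || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('bad size');
    }
    // MIME type by content, not $_FILES['type'], which the client chooses
    // and which client-side JS (point 5) cannot be trusted to enforce.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('type not allowed');
    }
    // Point 4: decode it as an image; a script with a forged header fails here.
    if (@getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('not a valid image');
    }
    // Point 3: only the last extension counts, lowercased, so x.php.jpg,
    // x.PhP and x.php3 cannot slip through as something else.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $ok  = $ext === ALLOWED[$mime] || ($ext === 'jpeg' && $mime === 'image/jpeg');
    if (!$ok) {
        throw new RuntimeException('extension does not match content');
    }
    // Point 2: the stored name is generated by the server; the client name
    // never reaches the filesystem, so .htaccess or double-extension tricks
    // in the original name are irrelevant.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return $name;
}

if (isset($_FILES['files'])) {
    echo handle_upload($_FILES['files']);
}
```

The directory that serves uploads should additionally have PHP execution disabled and AllowOverride None, so that even a file that passes every check above is only ever delivered as data, never run.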
Common Apache upload security issues
1> Upload of .htaccess
AllowOverride All lets child rules override parent rules.
Adding AddType application/x-httpd-php .jpg to .htaccess makes .jpg files execute as PHP.
2> File name parsing vulnerability
*.php.123
If .htaccess contains AddHandler php5-script .php, any file whose name contains the .php extension is executed as a PHP script, e.g. x.php.jpg
.php3 and .php4 extensions
IV. Configuration
1> Follow vulnerability information and update versions in a timely manner
2> php.ini, httpd.conf and .htaccess configuration
1) safe_mode configuration (removed in PHP 5.4)
2) Disable register_globals (removed in PHP 5.4)
3) open_basedir configuration to prevent directory traversal
4) Turn off allow_url_fopen
5) disable_functions configuration
6) Turn on magic_quotes_gpc (removed in PHP 5.4; on current versions rely on parameterized queries instead)
7) error_reporting = E_ALL & ~E_NOTICE
8) display_errors = Off, so attackers cannot obtain more information from error messages
9) expose_php = Off, to hide version information
3> Minimize the permissions of other accounts on the server
4> Install third-party security hardening software
5> Configure php.ini to load a third-party protection file
include_path = ".:/php/shortdes"
auto_prepend_file = "anti-inj.php"
auto_append_file =
V. Approach
When I first started practicing code auditing, I got a set of source code, and what I did right away was drop it into a tool, scan for sensitive functions, trace them one by one, and find the entry points. However, auditing this way wastes time. Every time we trace back, we keep looking for common functions defined in the source code, and without understanding the flow of the whole code base a lot of time and effort goes into finding these general-purpose functions.
So I adjusted my audit process. After obtaining the source code, read the code from where execution starts (usually the index file in the root directory), in execution order, through the initialization code and the basic functions. In this way you get a clear picture of the structure of the whole code base: which functional file sits in which folder, and which file the common functions live in. This helps later when reading code that is "suspected" of having a problem; for example, when we encounter a common function we can switch straight to the file of common functions and find its implementation.
Vi. Summary
Code auditing, like reverse engineering, requires patience and care.
In addition, following the latest vulnerabilities on vulnerability disclosure platforms and tracking and analyzing them is a quick way to improve your skills.