System Security: php security code audit summary

Source: Internet
Author: User
Tags: php, file upload

Functions:

system(), passthru(), popen(), exec()

Database operation functions:

exec, system, popen, passthru, proc_open, shell_exec

Command execution pipe character: |

Test: 0 | dir c:

||: double vertical bars. If the preceding command fails, the following command is executed.

For example: xx"+|+whoami+|+echo
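The pipe-injection pattern from the section above beside a hardened version, plus a small audit check for the operators the notes list. This is an added example, not code from the original article; the "host" value and the ping command are assumptions for illustration.

```php
<?php
// Added example (not from the original article): the pipe-injection pattern
// from the section above beside a hardened version, plus a small audit check.
// The "host" value and the ping command are assumptions for illustration.

// Deliberately vulnerable: the raw request value is spliced into the command
// line, so a value like  x | whoami  or  x || whoami  runs a second command.
function ping_vulnerable(string $host): string {
    return (string) shell_exec("ping -c 1 " . $host);
}

// Hardened: reject anything that is not a plain hostname or IP, then quote the
// single argument so shell metacharacters cannot terminate it.
function ping_hardened(string $host): string {
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        throw new InvalidArgumentException('invalid host');
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Audit/log check: does a request value contain the operators the notes
// discuss (| || ; & ` $( )? Useful for flagging suspicious input in logs.
function looks_like_command_injection(string $value): bool {
    return preg_match('/[|;&`]|\$\(/', $value) === 1;
}

// Constructed sample inputs: the first two are the notes' own test strings,
// the third is a benign hostname.
var_dump(looks_like_command_injection('0 | dir c:'));
var_dump(looks_like_command_injection('xx"|whoami|echo'));
var_dump(looks_like_command_injection('example.com'));
```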

-----------------------------------------------

[3]. File Inclusion

Function:

include(), require(), include_once(), require_once()

Requirements for a remote file inclusion vulnerability:

allow_url_fopen and allow_url_include (php.ini directives), file_get_contents()

Bypass: the zlib:// and ogg:// wrappers

Versions later than 5.2.0:

data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8+ (the base64 decodes to <?php phpinfo();?>)

@eval(file_get_contents('php://input')); // POST body: phpinfo();

%00 truncation: newer versions automatically escape \0.
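A hardened page loader for the include()/require() pattern discussed above, written as an added example (not the article's code). The "page" parameter, the pages/ directory and the page names are assumptions for illustration.

```php
<?php
// Added example (not from the original article): a hardened page loader for the
// include()/require() pattern discussed above. The "page" parameter, the pages/
// directory and the page names are assumptions for illustration.

// Vulnerable shape, for contrast only:  include($_GET['page'] . '.php');
// With allow_url_include on, page=http://... or data://... pulls in remote
// code; on old PHP, page=../../etc/passwd%00 truncated the appended suffix.

// Hardened: map the request value onto a fixed whitelist; the raw value never
// reaches the file system. Wrappers (php://, data://, zlib://), traversal
// (../) and null bytes cannot match a whitelist key.
const ALLOWED_PAGES = [
    'home'    => 'pages/home.php',
    'about'   => 'pages/about.php',
    'contact' => 'pages/contact.php',
];

function resolve_page(string $requested): ?string {
    return ALLOWED_PAGES[$requested] ?? null;
}

// Secondary defence for code that must build paths from input: confirm the
// resolved path stays inside the base directory (complements open_basedir).
function path_within(string $base, string $candidate): bool {
    $realBase = realpath($base);
    $realCand = realpath($candidate);
    if ($realBase === false || $realCand === false) {
        return false;
    }
    $prefix = $realBase . DIRECTORY_SEPARATOR;
    return strncmp($realCand, $prefix, strlen($prefix)) === 0;
}

$page = resolve_page($_GET['page'] ?? 'home');
if ($page === null || !path_within(__DIR__ . '/pages', __DIR__ . '/' . $page)) {
    http_response_code(404);
    exit('unknown page');
}
include __DIR__ . '/' . $page;
```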

-----------------------------------------------

[4]. CSRF

CSRF protection policies

1> Verify the HTTP Referer field

Low security; easy to forge.

2> Add a token to the request and verify it

The token can be stored in the session after the user logs on. On each request the token is taken out of the session and compared with the token in the request, which prevents CSRF.

GET method: http://url/?=token

However, for HTML generated dynamically after the page loads, the token must be added manually (hard-coded).

The weakness of this method is that an attacker can set up an environment that steals the token, for example in high-interaction areas such as forums, and then construct a CSRF attack.

Therefore, suppress the Referer manually.

3> Add custom attributes to the HTTP header and verify them, using the XMLHttpRequest class.

This method is usually used for asynchronous page refreshes with Ajax.

However, its applicability is limited and it imposes large constraints on an existing website architecture.
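The session-token scheme (method 2) and the custom-header check for XMLHttpRequest (method 3), as an added example that is not part of the original article. The function names, the field name csrf_token and the header name X-CSRF-Token are assumptions.

```php
<?php
// Added example (not from the original article): the session-token scheme
// (method 2) and the custom-header check for XMLHttpRequest (method 3).
// Function, field and header names are assumptions for illustration.

session_start();

// Issue one random token per session after login and keep it server-side.
function csrf_token(): string {
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

// Hidden field for HTML forms; dynamically generated markup must add this too.
function csrf_field(): string {
    return '<input type="hidden" name="csrf_token" value="'
        . htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8') . '">';
}

// Compare the session token with the one sent in the request body or, for
// Ajax (method 3), in a custom header. hash_equals() avoids timing leaks.
function csrf_valid(): bool {
    $expected  = $_SESSION['csrf_token'] ?? '';
    $submitted = $_POST['csrf_token']
        ?? $_SERVER['HTTP_X_CSRF_TOKEN']   // header "X-CSRF-Token" sent by XHR
        ?? '';
    return $expected !== '' && hash_equals($expected, (string) $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && !csrf_valid()) {
    http_response_code(403);
    exit('CSRF check failed');
}
```

Sending the token in the POST body or a header rather than the URL avoids the Referer leak the notes warn about.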

-----------------------------------------------

[5]. XSS (Cross Site Scripting)

Reflected and stored

Control all input variables from $_GET, $_POST and $_COOKIE.

Use the htmlspecialchars() function for basic filtering.

Can be combined with CSRF for automated exploitation.

-----------------------------------------------

[6]. File Upload

Function: move_uploaded_file()

Variable: $_FILES

A PHP file upload form must use enctype multipart/form-data with the POST method to transfer the file data.

PHP receives the upload through the $_FILES superglobal and uses move_uploaded_file() to move the temporary file it created to the specified directory.

$_FILES['files']['name'] original name of the file on the client

$_FILES['files']['type'] MIME type of the file

$_FILES['files']['size'] size of the uploaded file

$_FILES['files']['tmp_name'] name of the temporary file stored on the server, generally a default generated name

$_FILES['files']['error'] error code for the upload

Defense methods:

1> Check the MIME type, e.g. $_FILES['files']['type'] == "image/jpeg", and check the file size, e.g. $_FILES['files']['size'] < 10000 && $_FILES['files']['size'] > 100

2> Have the server choose the stored file name, e.g. a time-based hash such as hash(time).jpg.

3> Check the file by its extension

For example: $file_ext = substr($filename, strrpos($filename, '.') + 1);

Check for logic problems such as double extensions and second-stage upload bypasses.

4> The server tries to render the file to determine whether it is really an image.

5> Do not rely on client-side JavaScript restrictions on upload file types.

6> Whitelist rules

Common Apache server upload security issues

1> Uploading a .htaccess file

AllowOverride All allows child rules to override parent rules.

Adding AddType application/x-httpd-php .jpg to .htaccess makes .jpg files execute as PHP.

2> File name parsing vulnerability

*.php.123

With AddHandler php5-script .php in .htaccess, any file whose name contains a .php extension component can be executed as a PHP script, e.g. x.php.jpg

.php3 and .php4 extensions
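An upload handler applying defences 1> to 6> from the section above, including the double-extension (x.php.jpg) and uploaded .htaccess cases, as an added example that is not the article's code. The field name "files", the upload directory and the size limits are assumptions for illustration.

```php
<?php
// Added example (not from the original article): an upload handler applying
// defences 1> to 6>, including the x.php.jpg and uploaded .htaccess cases.
// Field name "files", upload directory and size limits are assumptions.

const UPLOAD_DIR  = __DIR__ . '/uploads';  // keep outside any AllowOverride All scope
const ALLOWED_EXT = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];
const MAX_BYTES   = 10000;
const MIN_BYTES   = 100;

function validate_upload(array $f): string {
    if ($f['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($f['tmp_name'])) {
        throw new RuntimeException('upload failed');
    }
    if ($f['size'] > MAX_BYTES || $f['size'] < MIN_BYTES) {
        throw new RuntimeException('bad size');
    }
    // Exactly one dot: rejects double extensions such as x.php.jpg and
    // dotfiles such as .htaccess (whose "extension" is then not whitelisted).
    $name = strtolower($f['name']);
    if (substr_count($name, '.') !== 1) {
        throw new RuntimeException('multiple or missing extensions');
    }
    $ext = substr($name, strrpos($name, '.') + 1);
    if (!isset(ALLOWED_EXT[$ext])) {
        throw new RuntimeException('extension not allowed');
    }
    // $_FILES[..]['type'] is supplied by the client, so sniff the content
    // instead and try to decode it as an image (defence 4>).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($f['tmp_name']);
    if ($mime !== ALLOWED_EXT[$ext] || @getimagesize($f['tmp_name']) === false) {
        throw new RuntimeException('content is not the claimed image type');
    }
    return $ext;
}

function store_upload(array $f): string {
    $ext = validate_upload($f);
    // Server-chosen random name (defence 2>), never the client's name.
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($f['tmp_name'], $dest)) {
        throw new RuntimeException('move failed');
    }
    return $dest;
}

if (isset($_FILES['files'])) {
    echo 'stored as ', basename(store_upload($_FILES['files']));
}
```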

IV. Configuration

1> Follow vulnerability information and update versions in a timely manner

2> php.ini, httpd.conf and .htaccess configuration

1) safe_mode configuration

2) Disable register_globals

3) open_basedir configuration to prevent directory traversal

4) Close allow_url_fopen

5) disable_functions configuration

6) Enable magic_quotes_gpc

7) error_reporting = E_ALL & ~E_NOTICE

8) display_errors = Off, to prevent attackers from obtaining more information

9) expose_php = Off, to hide version information

3> Minimize the permissions of other accounts on the server

4> Install third-party security hardening software

5> Pull in a third-party protection file through php.ini:

include_path = ".:/php/shortdes"

auto_prepend_file = "anti-inj.php"

auto_append_file =

V. Ideas

When I first started practicing code auditing and got hold of a set of source code, the first thing I did was drop it into a tool, scan for sensitive functions, trace each hit back one by one and look for the entry point. But auditing that way wastes time: every trace-back keeps running into common functions defined somewhere in the source, and without understanding the overall flow of the code a great deal of effort goes into locating those general functions.

So I adjusted my audit process. After obtaining the source code, read it from where execution starts (usually the index file under the root directory), following the order of execution, through the initialization and the basic functions. This gives a clear picture of the structure of the whole code base: which function file sits in which folder, and which file holds the common functions. That helps later when reading code that looks "suspicious": when we encounter a common function, we can switch straight to the file that holds it and find its implementation.

VI. Summary

Code auditing, like reverse engineering, requires patience and care.

In addition, following the latest vulnerabilities on vulnerability disclosure platforms and tracking and analyzing them is also a quick way to improve your skills.

