Vulnerability Mining Ideas
Conditions for a vulnerability to exist
1. A variable can be controlled by the attacker
2. That variable can reach a function where its value matters (a dangerous function, i.e. a sink)
Impact of the vulnerability
The impact of an exploit depends on the function the variable finally reaches, i.e. on what kind of function it is passed into.
Dangerous functions (sinks)
File inclusion: file inclusion vulnerabilities
Code execution: arbitrary code execution vulnerabilities
Command execution: arbitrary command execution vulnerabilities
File system operations: file (directory) read, write, delete and similar vulnerabilities
Database operations: SQL injection vulnerabilities
Data output: client-side vulnerabilities such as XSS
...
The essence of code auditing
Finding the vulnerability == finding the corresponding variable and function
Common code audit approaches
1. Backtrack from sensitive keywords along the parameter-passing path ("reverse tracking")
Strength: you only need to search for the sensitive keywords (the dangerous functions)
Weakness: no thorough understanding of the program's overall framework
2. Find controllable variables and trace their passing path forward ("forward tracking")
3. Look for sensitive functional points and read through the code at those points
e.g. file upload, file management, login authentication, password retrieval, etc.
4. Read through the full source code directly
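The "variable + function" model and the reverse-tracking approach above can be mechanised. The following is an added illustration written for this page, not a tool from any project: a deliberately small tracer that finds calls to the dangerous functions listed earlier in a PHP file, then walks each argument back through the assignments that precede it until it hits a superglobal such as $_GET or $_POST (the controllable variable). The PHP sample it runs on is constructed for the example, the sets SOURCES, SINKS and SANITIZERS are the author's assumptions rather than anything from the page, and the parser only understands one straight-line statement per line, so it is a teaching aid, not a replacement for reading the code.

```python
"""Reverse-tracking mini tracer for PHP (added illustration; not a real tool).
It handles only one statement per line, simple assignments and plain variable
names, which is enough to show the "sink -> variable -> source" idea."""
import re

# Superglobals holding attacker-controlled input: the "controllable variable".
SOURCES = {"$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_FILES", "$_SERVER"}

# Dangerous functions (sinks) mapped to the impact class listed on the page.
SINKS = {
    "include": "file inclusion", "include_once": "file inclusion",
    "require": "file inclusion", "require_once": "file inclusion",
    "eval": "code execution", "assert": "code execution",
    "system": "command execution", "exec": "command execution",
    "shell_exec": "command execution", "passthru": "command execution",
    "file_get_contents": "file read", "file_put_contents": "file write",
    "unlink": "file delete",
    "mysql_query": "SQL injection", "mysqli_query": "SQL injection",
    "echo": "XSS", "print": "XSS",
}

# Calls assumed to clean their input (an approximation: a real audit checks that
# the filter matches the sink, e.g. intval helps against SQL injection, not XSS).
SANITIZERS = {"intval", "escapeshellarg", "htmlspecialchars", "mysql_real_escape_string"}

VAR_RE = re.compile(r"\$\w+")
ASSIGN_RE = re.compile(r"^(\$\w+)\s*=\s*(.+)$")
CALL_RE = re.compile(r"\b(\w+)\s*\(")
CONSTRUCT_RE = re.compile(r"^(\w+)\s+(.+)$")   # include $f / echo $x (no parentheses)

# Constructed sample, not taken from any real project.
SAMPLE_PHP = """<?php
$page = $_REQUEST['page'];
$file = "pages/" . $page . ".php";
$safe_id = intval($_GET['id']);
$name = "guest";
include $file;
$result = mysql_query("SELECT * FROM users WHERE id=" . $safe_id);
echo $name;
system("ls " . $_POST['dir']);
"""


def statements(php):
    """Yield (line number, statement without the trailing ';')."""
    for n, line in enumerate(php.splitlines(), 1):
        s = line.strip()
        if s.endswith(";"):
            yield n, s[:-1].rstrip()


def sink_call(expr):
    """Return (sink, argument text) if expr invokes a dangerous function, else None."""
    for m in CALL_RE.finditer(expr):
        if m.group(1) in SINKS:
            close = expr.rfind(")")
            return m.group(1), expr[m.end():close if close > m.end() else None]
    m = CONSTRUCT_RE.match(expr)
    if m and m.group(1) in SINKS:
        return m.group(1), m.group(2)
    return None


def trace(var, before, defs, path):
    """Walk var back through the assignments that precede line `before`.
    Returns the chain of (line, assignment) that ends at a source, or None."""
    for line, rhs in reversed(defs.get(var, [])):
        if line >= before:
            continue
        step = path + [(line, f"{var} = {rhs}")]
        if any(f"{s}(" in rhs for s in SANITIZERS):
            return None                         # value was cleaned on the way
        if any(v in SOURCES for v in VAR_RE.findall(rhs)):
            return step                         # reached a controllable variable
        for v in VAR_RE.findall(rhs):
            found = trace(v, line, defs, step)
            if found:
                return found
        return None                             # latest definition is constant/clean
    return None


def audit(php):
    """Reverse tracking: for every sink, follow its arguments back to a source."""
    defs, findings = {}, []
    for line, stmt in statements(php):
        m = ASSIGN_RE.match(stmt)
        expr = m.group(2) if m else stmt
        hit = sink_call(expr)
        if hit:
            sink, args = hit
            for var in VAR_RE.findall(args):
                chain = [(line, stmt)] if var in SOURCES else trace(var, line, defs, [(line, stmt)])
                if chain:
                    findings.append({"line": line, "sink": sink,
                                     "impact": SINKS[sink], "chain": chain})
                    break                       # one report per sink call
        if m:                                   # record the definition after checking it
            defs.setdefault(m.group(1), []).append((line, m.group(2)))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PHP):
        print(f"line {f['line']}: {f['sink']} -> {f['impact']}")
        for line, text in f["chain"]:
            print(f"    {line}: {text}")
```

On the sample this reports the include on line 6 (traced back through $file and $page to $_REQUEST) and the system() call on line 9 (fed by $_POST directly), and stays silent on the intval()-wrapped query and the constant echo. The weakness named above shows up immediately: the tracer has no idea about functions defined in other files, global filters applied in an index file, or branches, which is exactly what reading the framework (approach 4) is for.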
Pay special attention to:
1. Function library files (e.g. functions/common): shared functions that the other files call
2. Configuration files (config). Note whether parameter values are enclosed in single or double quotes: a value written into a double-quoted PHP string is interpolated, so an attacker who can get a value written into the config may reach code execution even when the quote characters themselves are escaped
3. Security filter files
4. Index files (recommendation: first skim the index files of a few core directories)
Strength: better understanding of the program architecture and business logic, can find higher-quality vulnerabilities; suited to experienced auditors
Weakness: relatively time-consuming
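The quoting point in item 2 is worth seeing concretely. In PHP, a double-quoted string interpolates $var, {$expr} and ${expr}, while a single-quoted string only recognises \' and \\. The following added example (written for this page, not code from any project) renders a config line the way three hypothetical installers might, and runs a small check over the resulting line: it walks the string literal to see whether the value terminates it early ("breakout") and, for double-quoted literals, whether the body contains interpolation syntax ("interpolation"). The writer names, the $config array and the payload strings are constructed for the illustration.

```python
"""Audit check for PHP config lines: single vs double quotes (added example)."""
import re

LHS_RE = re.compile(r"^\s*\$\w+(?:\[[^\]]*\])*\s*=\s*(.*)$")
# Interpolation forms PHP honours inside a double-quoted string, unless escaped.
INTERP_RE = re.compile(r"(?<!\\)(\$\w|\$\{|\{\$)")


def addslashes(s):
    """Python model of PHP's addslashes(): escapes backslash, single and double quote."""
    return s.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def render(style, key, value):
    """Emit `$config['key'] = <literal>;` the way a hypothetical installer might."""
    if style == "naive":          # double quotes, no escaping at all
        literal = '"' + value + '"'
    elif style == "addslashes":   # double quotes, quotes escaped (common, still weak)
        literal = '"' + addslashes(value) + '"'
    elif style == "var_export":   # single quotes, like var_export(); only \ and ' escaped
        literal = "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"
    else:
        raise ValueError(style)
    return f"$config['{key}'] = {literal};"


def scan_literal(text):
    """Walk a PHP quoted string starting at text[0]; return (quote, body, rest)."""
    quote, i, body = text[0], 1, []
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):   # escaped char: keep both
            body.append(text[i:i + 2])
            i += 2
            continue
        if text[i] == quote:
            return quote, "".join(body), text[i + 1:]
        body.append(text[i])
        i += 1
    return quote, "".join(body), ""                  # unterminated literal


def audit_config_line(line):
    """Return the problems found in one config assignment line."""
    m = LHS_RE.match(line)
    if not m or not m.group(1) or m.group(1)[0] not in "'\"":
        return ["unquoted"]                # e.g. `= true;`: nothing to check here
    quote, body, rest = scan_literal(m.group(1))
    findings = []
    if rest.strip() != ";":
        findings.append("breakout")        # value closed the string; code follows it
    if quote == '"' and INTERP_RE.search(body):
        findings.append("interpolation")   # "${@phpinfo()}" runs when the file is loaded
    return findings


if __name__ == "__main__":
    for style in ("naive", "addslashes", "var_export"):
        for payload in ('x";phpinfo();//', "${@phpinfo()}"):
            line = render(style, "site", payload)
            print(f"{style:10} {audit_config_line(line)!s:20} {line}")
```

The addslashes writer stops the quote breakout but not the ${...} interpolation, which is why an auditor looking at a config writer checks the quote character and not just whether quotes are escaped; the single-quoted form is safe against both payloads because single-quoted strings are never interpolated.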
PHP vulnerability mining ideas