What are the main ways to attack PHP websites?

1. Order Injection (Command injection)

2. Eval Injection (eval injection)

3. Client-side scripting Attack (script insertion)

4. Cross-site scripting attacks (Scripting, XSS)

5. SQL injection attack (SQL injection)

6. Cross-site request forgery attack (forgeries, CSRF)

7. Session hijacking (Sessions hijacking)

8, session fixed attack (session fixation)

9. HTTP response Split attack (HTTP Response splitting)

10 Files Upload Vulnerability (file Upload Attack)

11. Directory Traversal Vulnerability (directory traversal)

12. Remote file contains attack (inclusion)

13. Dynamic function Injection Attack (Variable Evaluation)

14. URL attack (URL attack)

15. Form submission Spoofing attack (spoofed form submissions)

16. HTTP request Spoofing Attack (spoofed HTTP requests)

Each subsequent installment will introduce the principles of these vulnerabilities and how to defend them.

A few important php.ini options

Register Globals

The default value of the Register_globals option for Php>=4.2.0,php.ini is preset to off, and when Register_globals is set to ON, the program can receive various environment variables from the server, including the variables submitted by the form. And because PHP does not have to initialize the value of the variable beforehand, which leads to a large security risk.

Example 1:

Check_admin () is used to check the current user permissions, and if the admin setting is $is_admin the variable is true, then the following determines whether this variable is true and then performs some management actions

ex1.php

if (Check_admin ())
{
$is _admin = true;
}
if ($is _admin)
{
Do_something ();
}
?>

This section of code does not initialize $is_admin to Flase, if Register_globals is on, then we submit http://www.sectop.com/ex1.php?is_admin=true directly, You can bypass the validation of Check_admin ()

Example 2:

ex2.php

if (Isset ($_session["username"))
{
Do_something ();
}
Else
{
echo "You are not logged in!";
}
?>

When Register_globals=on, we submit =dodo]http://www.sectop.com/ex2.php?_session[username]=dodo, we have this user's permission

So regardless of register_globals why, we have to remember that for any transmitted data to be carefully verified, the variable is initialized

Safe_mode

In Safe mode, PHP is used to restrict access to documents, restrict access to environment variables, and control the execution of external programs. Enable Safe Mode must set Safe_mode = on in php.ini

1. Restricting file access

Safe_mode_include_dir = "/path1:/path2:/path3″

Separate folders separated by colons

2. Restricting access to environment variables

Safe_mode_allowed_env_vars = string

Specifies that the PHP program can change the prefix of the environment variables, such as: Safe_mode_allowed_env_vars = Php_, when the value of this option is NULL, then PHP can change any environment variables

Safe_mode_protected_env_vars = string

Prefix used to specify an immutable environment variable for PHP programs

3. Restricting the execution of external programs

Safe_mode_exec_dir = string

The folder path specified by this option affects system, exec, Popen, PassThru, and does not affect Shell_exec and "".

Disable_functions = string

Different function names are separated by commas, and this option is not affected by Safe mode

Magic Quotes

Used to automatically escape the input information of the PHP program, all single quotes ("'"), double quotes ("" "), backslashes (" \ ") and null characters (null), are automatically escaped with backslashes

MAGIC_QUOTES_GPC = On is used to set the magic quotes to on, which affects HTTP request data (GET, POST, Cookies)

Programmers can also use Addslashes to escape submitted HTTP request data, or use Stripslashes to remove escape

