5. File upload
PHP's file upload mechanism stores the file submitted by the user in the temporary directory named by upload_tmp_dir in php.ini (by default the system temporary directory, e.g. /tmp) under a random name such as phpxXuoXG; when the script finishes executing, this temporary file is deleted. PHP defines four variables for the uploaded file (assuming the form field is named file and register_globals is on):
$file        # temporary file saved on the server (e.g. /tmp/phpxXuoXG)
$file_size   # size of the uploaded file
$file_name   # original name of the uploaded file
$file_type   # MIME type of the uploaded file
Recommended usage:
$HTTP_POST_FILES['file']['tmp_name']
$HTTP_POST_FILES['file']['size']
$HTTP_POST_FILES['file']['name']
$HTTP_POST_FILES['file']['type']
This is the simplest file upload code:
//test_5.php
<?php
if (isset($upload) && $file != "none") {
    copy($file, "/usr/local/apache/htdocs/upload/" . $file_name);
    echo "File " . $file_name . " uploaded successfully! Click <a href=\"$PHP_SELF\">here</a> to continue uploading";
    exit;
}
?>
<meta http-equiv="Content-Type" content="text/html; charset=gb2312">
<form enctype="multipart/form-data" method="post" action="<?php echo $PHP_SELF; ?>">
<input type="file" name="file">
<input type="submit" name="upload" value="Upload">
</form>
Upload code like this has a serious problem: it can be used to read arbitrary files and to execute commands.
The following request copies /etc/passwd into the web directory /usr/local/apache/htdocs/test (note: this directory must be writable) as the file attack.txt:
http://victim/test_5.php?upload=1&file=/etc/passwd&file_name=attack.txt
The password file can then be read with the following request:
http://victim/test/attack.txt
An attacker can copy a PHP file under a different extension and thereby leak the script's source code.
An attacker can set the value of the file_name variable in the form to an arbitrary path and overwrite any file that is writable by the web server with the uploaded file.
An attacker can also upload a PHP script and execute commands on the host.
Solutions:
PHP 4.0.3 and later provide the is_uploaded_file() and move_uploaded_file() functions, which check that a file really was uploaded by the user and thus prevent system files from being copied into the web directory.
Use the $HTTP_POST_FILES array to read the variables of the file uploaded by the user.
Strictly check the uploaded file; for example, do not allow PHP script files.
Restrict PHP scripts to the web directory with open_basedir, so that a programmer cannot use copy() to copy system files into the web directory. move_uploaded_file() is not restricted by open_basedir, so there is no need to change upload_tmp_dir in php.ini.
Encrypt PHP scripts with phpencode so that source code is not leaked through a copy() operation.
Configure file and directory permissions strictly: only the upload directory should be writable by the nobody user.
Remove PHP interpretation for the upload directory; this can be done in httpd.conf with:
php_flag engine off    # for PHP3 use php3_engine off instead
After restarting Apache, PHP files in the upload directory are no longer interpreted by Apache; even if a malicious script is uploaded, it can only be displayed as plain source.
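The following hardened handler is an added example, not code from the original article: it applies the recommendations above (is_uploaded_file(), move_uploaded_file(), an extension whitelist and a server-chosen file name). It assumes the form field is still named file, the upload directory is /usr/local/apache/htdocs/upload with PHP interpretation switched off, and PHP 7 or later for random_bytes(); $_FILES is the superglobal that replaced $HTTP_POST_FILES in later PHP versions.

```php
<?php
// Added example: a hardened version of test_5.php (assumptions in the lead-in).
$upload_dir  = '/usr/local/apache/htdocs/upload/';
$allowed_ext = array('jpg', 'png', 'gif', 'txt');   // no .php, .phtml, etc.

// $_FILES replaced $HTTP_POST_FILES; check that an upload actually arrived.
if (!isset($_FILES['file']) || $_FILES['file']['error'] !== UPLOAD_ERR_OK) {
    die('No file uploaded');
}
$tmp = $_FILES['file']['tmp_name'];

// Reject anything that did not come through PHP's upload mechanism,
// which is what defeats the file=/etc/passwd trick from the article.
if (!is_uploaded_file($tmp)) {
    die('Not an uploaded file');
}

// Never use the client-supplied name as a path: strip any directory part,
// then whitelist the extension.
$orig = basename($_FILES['file']['name']);
$ext  = strtolower(pathinfo($orig, PATHINFO_EXTENSION));
if (!in_array($ext, $allowed_ext, true)) {
    die('File type not allowed');
}

// Choose the stored name on the server so the attacker cannot pick it
// (and cannot overwrite existing files).
$dest = $upload_dir . bin2hex(random_bytes(8)) . '.' . $ext;

// move_uploaded_file() only works on genuine uploads and, as the article
// notes, is not limited by open_basedir.
if (!move_uploaded_file($tmp, $dest)) {
    die('Could not store file');
}
echo 'File stored as ' . htmlspecialchars(basename($dest));
?>
```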
6. Command execution
The following code snippet is taken from PHPNetToolpack; a detailed description can be found at:
http://www.securityfocus.com/bid/4303
//test_6.php
<?php
system("traceroute $a_query", $ret_strs);
?>
Because the program does not filter the $a_query variable, an attacker can append additional commands with a semicolon.
An attacker who submits the following request can execute the command cat /etc/passwd:
http://victim/test_6.php?a_query=www.example.com;cat /etc/passwd
PHP's command execution functions include system(), passthru(), popen() and the backtick operator ``. These functions are as dangerous as they are useful; if they must be used, user input has to be checked strictly.
Solutions:
Require programmers to use escapeshellcmd() to filter shell commands that contain user input.
Enabling safe_mode prevents a lot of command execution, but PHP must be the latest version: in versions below PHP 4.2.2 the safe_mode restriction may be bypassed to execute commands.
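As an added example (not the PHPNetToolpack code), this is how test_6.php can be hardened: the host name is validated against an allow-list and then passed through escapeshellarg(). The request field name a_query and the traceroute binary are taken from the article; escapeshellarg() is used instead of the escapeshellcmd() mentioned above because it quotes a single argument, which is what this case needs.

```php
<?php
// Added example: hardened version of test_6.php (see lead-in for assumptions).
function safe_traceroute_command($host)
{
    // Allow-list first: a DNS name or IPv4 literal only. This rejects ';', '|',
    // '`', '$', spaces and newlines, so "www.example.com;cat /etc/passwd" fails here.
    if (!preg_match('/^[A-Za-z0-9.-]{1,253}$/', $host)) {
        return false;
    }
    // escapeshellarg() wraps the value in single quotes and escapes embedded quotes,
    // so even a value that slipped past the regex is handed to traceroute as one argument.
    // (escapeshellcmd() escapes metacharacters in a whole command line instead.)
    return 'traceroute ' . escapeshellarg($host);
}

$host = isset($_GET['a_query']) ? $_GET['a_query'] : '';
$cmd  = safe_traceroute_command($host);
if ($cmd === false) {
    die('Invalid host name');
}
// For a valid input the command becomes: traceroute 'www.example.com'
system($cmd, $ret);
?>
```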
7. SQL injection
The following SQL statement is vulnerable if the variables are not handled:
SELECT * FROM login WHERE user='$user' AND pass='$pass'
An attacker can enter 1' or 1='1 to bypass authentication.
Fortunately, PHP has the default option magic_quotes_gpc = On, which automatically applies addslashes() to variables coming from GET, POST and cookies. The SQL statement above becomes:
SELECT * FROM login WHERE user='1\' or 1=\'1' AND pass='1\' or 1=\'1'
This avoids this kind of SQL injection attack.
For numeric fields, many programmers write:
SELECT * FROM test WHERE id=$id
Because the variable is not enclosed in single quotes, this allows an SQL injection attack. Fortunately MySQL's function set is simple: there is no SQL statement that executes commands, and PHP's mysql_query() function only allows a single SQL statement to be executed, so an attack that chains several SQL statements with semicolons does not work. However, an attacker can at least make the query fail and leak system information, or cause other unexpected behaviour.
Solutions:
Require programmers to filter all user-submitted variables that go into SQL statements.
Enclose variables in single quotes even for numeric fields; MySQL will convert the string to a number.
Do not give the MySQL user used by PHP programs high privileges; allow it to operate only on its own database. This also prevents attacks such as SELECT INTO OUTFILE ... when a program has problems.
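The block below is an added example, not code from the article. It shows the article's own advice (quote and escape every value, numeric columns included) next to the modern equivalent, prepared statements via mysqli, which did not exist when the article was written. The table names login and test come from the article's queries; the connection details are placeholders.

```php
<?php
// Added example: the article's quoting rule and a mysqli prepared statement.

// 1) The article's advice: quote every value, numeric fields included, and escape it.
//    The article's payload "1 OR 1=1" then stays inside the string literal and MySQL
//    converts the quoted string to a number for the comparison.
function quoted_lookup($link, $id)
{
    return "SELECT * FROM test WHERE id='" . mysqli_real_escape_string($link, $id) . "'";
}

// 2) Prepared statements keep data out of the SQL text entirely, so quoting
//    tricks like 1' or 1='1 are bound as a plain string and match no row.
function login_ok($link, $user, $pass)
{
    $stmt = mysqli_prepare($link, 'SELECT 1 FROM login WHERE user=? AND pass=?');
    mysqli_stmt_bind_param($stmt, 'ss', $user, $pass);
    mysqli_stmt_execute($stmt);
    mysqli_stmt_store_result($stmt);
    $found = mysqli_stmt_num_rows($stmt) > 0;
    mysqli_stmt_close($stmt);
    return $found;
}

// Usage (placeholder credentials and database name).
$link = mysqli_connect('localhost', 'app_user', 'app_password', 'app_db');
var_dump(login_ok($link, "1' or 1='1", "1' or 1='1"));   // the article's payload
echo quoted_lookup($link, "1 OR 1=1"), "\n";
?>
```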
8. Warning and error messages
By default PHP displays all warnings and error messages:
error_reporting = E_ALL & ~E_NOTICE
display_errors = On
This is very useful during development and debugging, because problems can be found immediately from the warnings. In production, however, warnings and error messages are shown to users: they leak the physical path of the script to attackers, which helps them with further attacks, and because you never see the failing request yourself, you cannot fix the program in time. So record all PHP warnings and error messages to a log file instead: no physical path is leaked to the attacker, and you still learn about program errors.
Modify the error handling and logging section of php.ini as follows:
error_reporting = E_ALL
display_errors = Off
log_errors = On
error_log = /usr/local/apache/logs/php_error.log
Then restart Apache. Note that the file /usr/local/apache/logs/php_error.log must be writable by the nobody user.
9. disable_functions
If some functions are a threat, they can be disabled with disable_functions in php.ini (this option cannot be set in httpd.conf), for example:
disable_functions = phpinfo, get_cfg_var
Multiple functions can be specified, separated by commas. After Apache is restarted, the phpinfo() and get_cfg_var() functions are disabled. It is recommended to disable phpinfo() and get_cfg_var(): they leak server information easily and have no practical use in production.
10. disable_classes
This option is available from PHP 4.3.2 onwards and disables the given classes; multiple class names are separated by commas. disable_classes cannot be set in httpd.conf; it can only be changed in php.ini.
11. open_basedir
The analysis of the earlier example already mentioned using open_basedir to restrict PHP scripts; it is described in more detail here. The restriction specified by open_basedir is actually a prefix, not a directory name. That is, "open_basedir = /dir/incl" also allows access to "/dir/include" and "/dir/incls" if they exist. To restrict access to only the specified directory, end the path with a slash, for example "open_basedir = /dir/incl/".
Multiple directories can be set; on Windows they are separated by semicolons, on any other system by colons. When PHP runs as an Apache module, open_basedir paths set in a parent directory are inherited automatically.
Part four: other security configuration
1. Remove other users' read, write and execute permission on common and important system commands
An administrator usually maintains only one normal user and one administrative user; the fewer programs other users can execute and access, the better. So remove other users' read, write and execute permission on common, important system commands. This greatly frustrates an attacker when a program or service has a vulnerability. Remember that the read permission must be removed as well; otherwise the program can still be executed under Linux with /lib/ld-linux.so.2 /bin/ls.
If the service runs in a chroot environment this work is relatively easy; otherwise it is somewhat challenging, because removing execute permission from some programs will make some services behave abnormally. For example, PHP's mail() function needs /bin/sh to call sendmail, so execute permission on /bin/bash cannot be removed. This is a tiring job.
2. Remove other users' read permission on the Apache logs
Apache's access log provides a convenient door for exploiting some vulnerable programs. By submitting a URL containing PHP code, an attacker can get that code written into the access log; if a vulnerable script can then be made to include the log file, local access may be obtained.
If there are other virtual hosts, other users' read permission on their log files should be removed as well.
Of course, if PHP is configured as described earlier, the log file generally cannot be read anyway.