2. Tech
  3. How to attack common vulnerabilities in PHP programs (on)

How to attack common vulnerabilities in PHP programs (on)

xiaoxiao2021-03-06  71

How to attack common vulnerabilities in PHP programs (on) Original: Shaun Clows Translate: AnalysisT Translated this Articles, because the current articles on CGI security are taken as an example, and there are few articles specifically describe ASP, PHP or JSP security. This article of Shaun Clowes is more comprehensive in the security issues of PHP. Since the original text is relatively long, and a considerable part is the basic knowledge of the background or PHP of the article, it does not involve PHP security, so I have no translation. If you want to know about this, please refer to the original text. The article mainly analyzes the security of PHP from global variables, remote files, file uploads, library files, session files, data types, and easy error-in functions, and some useful advice on how to enhance PHP security . Ok, talk less, we are justified! [Global Variables] Variables in PHP do not require prior notes, they will automatically create during the first use, and their types do not need to be specified, they will automatically determine according to the context environment. From a programmer's perspective, this is undoubtedly an extremely convenient processing method. Obviously, this is also a very useful feature of rapid development of languages. Once a variable is created, you can use anywhere in the program. The result of this feature is that the programmer rarely initializes the variable. After all, when they created the first time, they are empty. Obviously, the main function of PHP-based applications is generally accepted by users (mainly form variables, upload files, and cookie, then process the input data, and then return the results to the client browser. In order to enable the PHP code to access the user's input as easy, PHP is actually handled by these input data as global variables. For example:

is clear, this will display a text Box and submit button. When the user clicks on the commit button, "Test.php" handles the user's input, when "Test.php" is running, "$ Hello" will contain the data entered in the text box. From here we should see that an attacker can create any global variables in accordance with their own will. If the attacker does not call "Test.php" through the form input, but enter http: //server/test.php? Hello = hi & setup = no directly in the browser address bar, then, not only "$ Hello" is created "$ Setup" is also created. Translator Note: These two methods are also what we usually say "POST" and "GET" methods.

The following user authentication code exposes security issues caused by the global variable of PHP: The above code first checks if the user's password is" Hello ". If you match, set" $ auth "to" 1 ", which is authenticated. If "$ Suth" is "1", some important information will be displayed. The surface looks correct, and we have a considerable number of people doing this, but this code has made a mistake, it assumes that "$ auth" is empty when there is no set value, but does not think of an attacker You can create any global variables and assign values. Through similar "http://server/test.php? Auth = 1" method, we can completely deceive this code so that it believes that we have been certified. Therefore, in order to improve the security of the PHP program, we cannot believe any variables that are not clearly defined. This can be a very difficult task if there are many variables in the program. A commonly used protection is to check the variables in the array http_get [] or post_vars [], depending on our submissions (GET or POST). When the PHP is configured to open the "TRACK_VARS" option (this is the default value), the variable submitted by the user can be obtained in the total variable and the array mentioned above. However, it is worth explanating that PHP has four different array variables to process users' input. HTTP_GET_VARS array is used to process variables submitted by the GET method, and the http_post_vars array is used to process variables submitted by the POST mode, and the http_cookie_vars array is used to process variables submitted as a cookie header, and for http_post_files arrays (the new PHP is only available), it is completely An alternative way for users to submit variables. A user's request can easily put the variables in these four arrays, so a secure PHP program should check these four arrays. [Remote File] PHP is a language with rich feature, providing a large number of functions that make the programmer to implement a feature. But from the perspective of security, the more functions, the harder it is, the harder, the remote file is a good example of this problem: / n ");?> The above script tries to open the file" $ filename ", if you fail, you will display an error message. Very obvious, if we If you can specify "$ filename", you can use this script to browse any files in the system. However, this script still has a less obvious feature, that is, it can read files from any other web or FTP site. Actually Most file processing functions for PHP transparently, for example, if specified "$ filename" is "http: //target/scripts/..

转载请注明原文地址:https://www.9cbs.com/read-121254.html

9cbs

New Post(0)