PHP program common vulnerability attack

zhaozj2021-02-16  66

[Global variable]

Variables in PHP do not need to be declared in advance, they will be automatically created during the first use, and their types do not need to be specified, they will automatically determine according to the context environment. From a programmer's perspective, this is undoubtedly an extremely convenient processing method. Obviously, this is also a very useful feature of rapid development of languages. Once a variable is created, you can use anywhere in the program. The result of this feature is that the programmer rarely initializes the variable, after all, they are empty when they created the first time.

Obviously, the main function of PHP-based applications is generally accepted by users (mainly form variables, upload files, and cookie, then process the input data, and then return the results to the client browser. In order to enable the PHP code to access the user's input as easy, PHP is actually handled by these input data as global variables.

E.g:

Obviously, this will display a text box and submit button. When the user clicks on the commit button, "Test.php" handles the user's input, when "Test.php" is running, "$ Hello" will contain the data entered in the text box. From here we should see that an attacker can create any global variables in accordance with their own will. If the attacker is not called "Test.php" through the form input, but directly in the browser address bar, http: //server/test.php? Hello = Hi & set ...      恰? / A > $ hello "is created," $ setup "is also created.

Translator Note: These two methods are also what we usually say "POST" and "GET" methods. The following user authentication code exposes security issues caused by the global variable of PHP:

IF ($ Pass == "Hello") $ auth = 1; ... if ($ auth == 1) Echo "some important information";?>>>

The above code first checks if the user's password is "Hello". If you match, set "$ auth" to "1", that is, by authentication. If "$ Suth" is "1", some important information will be displayed.

The surface looks correct, and we have a considerable number of people doing this, but this code has made a mistake, it assumes that "$ auth" is empty when there is no set value, but does not think of an attacker You can create any global variables and assign a value, by "http://server/test.php? Auth = 1" ... and 丫 丫   ? / A>

Therefore, in order to improve the security of the PHP program, we cannot believe any variables that are not clearly defined. This can be a very difficult task if there are many variables in the program.

A commonly used protection is to check the variables in the array http_get [] or post_vars [], depending on our submissions (GET or POST). When the PHP is configured to open the "TRACK_VARS" option (this is the default value), the variable submitted by the user can be obtained in the total variable and the array mentioned above.

However, it is worth explanating that PHP has four different array variables to process users' input. HTTP_GET_VARS array is used to process variables submitted by the GET method, and the http_post_vars array is used to process variables submitted by the POST mode, and the http_cookie_vars array is used to process variables submitted as a cookie header, and for http_post_files arrays (the new PHP is only available), it is completely An alternative way for users to submit variables. A user's request can easily put the variables in these four arrays, so a secure PHP program should check these four arrays. [Remote File] PHP is a language with rich feature, providing a large number of functions that make the programmer to implement a feature. But from a safe point of view, the more features, the harder it is, the harder it is, the remote file is a good example of this problem:

IF ($ fd = fopen ("$ filename", "r")) Echo ("Could Not Open File &: $ FileName / N");?>

The upper script attempts to open the file "$ filename" if it fails to display the error message. Obviously, if we can specify "$ filename", you can use this script to browse any files in the system. However, this script still has a less obvious feature, which is to read files from any other web or FTP site. In fact, most file processing functions of PHP are transparent to the processing of remote files.

For example: If the "$ filename" is "http: //target/scripts/..

转载请注明原文地址:https://www.9cbs.com/read-15138.html

New Post(0)