How to attack common vulnerabilities in PHP programs (part 2)

zhaozj2021-02-17  101

[Library files]
As discussed earlier, include() and require() exist mainly to support code libraries: functions that are used in many places are usually put into a separate file, and that file is the library. When one of its functions is needed, the library file is included into the current file. When people first started developing and publishing PHP programs, they often gave library files a different extension from the main program files so the two could be told apart. This quickly turned out to be a mistake, because such files are not handled as PHP code by the interpreter at all. When PHP runs as an Apache module, the interpreter decides whether to parse a file as PHP purely from its extension; the recognised extensions are configured by the site administrator and are usually ".php", ".php3" and ".php4". If a file with any other extension is requested directly from the server, the server returns its source code, so important configuration data kept in a library file without a PHP extension is easy for a remote attacker to read. The simplest fix is to give every file a PHP extension. That stops the source from leaking but creates a new problem: by requesting the library file directly, an attacker makes code that was written to run inside the context of the main program run on its own, with the variables the main program would have set now under the attacker's control, which opens the door to all the attacks discussed earlier. Here is a very obvious example. In main.php:

In libdir/loadLanguage.php:
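The two files the page refers to did not survive in this copy, so the following is an added reconstruction of the pattern, not the page's own listing. It keeps the variable names the page uses ($langDir and $userLang); the directory layout, the IN_MAIN_PHP marker and the list of known languages are assumptions made for this example, and it assumes the PHP 4 default register_globals=On, under which every GET and POST parameter becomes a global variable. A hardened version of the library file follows the vulnerable one.

```php
<?php
// ===== main.php =====
// Added example, not the page's own listing. Assumes register_globals=On (PHP 4
// default). IN_MAIN_PHP, libdir/ and languages/ are assumed names for this example.
define('IN_MAIN_PHP', true);           // tells library files they were reached via main.php
$libDir   = "libdir";
$langDir  = "$libDir/languages";
$userLang = "english";                 // chosen by the program, never by the request

include("$libDir/loadLanguage.php");   // the library relies on the variables set above
?>
<?php
// ===== libdir/loadLanguage.php (vulnerable) =====
// Safe when included by main.php, because main.php set $langDir and $userLang.
// Requested on its own, e.g.
//   GET /libdir/loadLanguage.php?langDir=/tmp/attacker&userLang=evil
// register_globals fills both variables from the query string and this line
// includes /tmp/attacker/evil.php (or, with allow_url_fopen on, a remote URL).
include("$langDir/$userLang.php");
?>
<?php
// ===== libdir/loadLanguage.php (hardened) =====
// 1. Refuse to run unless main.php announced itself first.
if (!defined('IN_MAIN_PHP')) {
    header('HTTP/1.0 403 Forbidden');
    exit('direct access not permitted');
}
// 2. Never let request data pick the directory: derive it from this file's location.
$langDir = dirname(__FILE__) . '/languages';
// 3. Accept only a known language name; anything else falls back to the default.
$knownLangs = array('english', 'chinese', 'german');
if (!isset($userLang) || !in_array($userLang, $knownLangs, true)) {
    $userLang = 'english';
}
include("$langDir/$userLang.php");
```

The same hole reappears on PHP 4.2 and later with register_globals off whenever the library reads the request itself (extract($_GET) or $userLang = $_GET['userLang']), so the guard and the whitelist still matter. Keeping library files outside the document root, or denying access to their directory in the web server configuration, removes the direct-request path entirely.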

When libdir/loadLanguage.php is included by main.php it is quite safe, but because it has a ".php" extension a remote attacker can request it directly and supply arbitrary values for $langDir and $userLang.

[Session files]
PHP 4 and later support sessions, whose main job is to carry state between the pages of a PHP program. For example, when a user logs in to a website, the fact that he logged in and who he is are saved in the session, and every PHP page he then visits can read that state. When a session starts (which can be configured to happen automatically), a random session ID is generated; as long as the remote browser sends that session ID with each request, the session persists. This is easily done with a cookie, or by passing a form variable containing the session ID from every page. A PHP program can register variables with the session; they are saved when a script ends and loaded back into the variables before the next script starts. Here is a simple example:

Newer versions of PHP then automatically set $session_auth to "Shaun" on every later page, and if the value is modified, subsequent scripts automatically see the modified value. This is a very useful tool for the stateless web, but it must be used with care. One obvious issue is making sure that a variable really did come from the session. Given the code above, suppose a subsequent script is the following:
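Both scripts the page is discussing, the one that registers $session_auth and the one that trusts it, as an added example in PHP 4 style (register_globals on, session_register() available), not the page's own listing. File names and the exact expected value are assumptions; a hardened version of the check follows the vulnerable one.

```php
<?php
// ===== login.php: added example (not the page's listing) =====
// Runs after the user has proved who he is.
session_start();
session_unset();                       // drop anything already stored under this session ID
$session_auth = "Shaun";               // who is logged in
session_register("session_auth");      // PHP 4: the session now carries $session_auth
?>
<?php
// ===== members.php (vulnerable): the check the page describes =====
session_start();
if (!empty($session_auth)) {
    // grant access
}
// Before login.php has ever run for this session nothing is registered, so
//   GET /members.php?session_auth=x
// makes register_globals create $session_auth = "x" from the query string and the
// test above passes. Once the variable is in the session the session copy wins,
// because session variables are imported last (variables_order = "EGPCS").
?>
<?php
// ===== members.php (hardened) =====
session_start();
// Read from the session array, which request data cannot populate, and insist on
// the exact expected value instead of "anything non-empty".
$auth = isset($_SESSION['session_auth']) ? $_SESSION['session_auth'] : '';
if ($auth !== "Shaun") {
    header('HTTP/1.0 403 Forbidden');
    exit('not logged in');
}
// grant access
```

$_SESSION exists from PHP 4.1 onward and is the only option on PHP 5.4 and later, where session_register() was removed; writing $_SESSION['session_auth'] = "Shaun" in login.php replaces the register call.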

This code assumes that if $session_auth is set, it came from the session and not from user input. If the attacker can set it through a form, he gains access to the site. Note that the attacker must use this attack before the variable is registered with the session: once the variable is in the session, the session value overrides any form input.

Session data is normally saved in a file (the location is configurable and is usually /tmp) whose name is "sess_" followed by the session ID. The file contains the variable names, types and values and some other data. On a multi-host system, because these files are all written as the same user (usually nobody), a malicious site owner can gain access to other sites by creating a session file, and can even read the sensitive information stored in the session files of other sites.

The session mechanism also gives the attacker a convenient way to store his own input in a file on the remote system. In the earlier example the attacker needed to place a file containing PHP code on the remote system. If he cannot do that with a file upload, he can instead use the session to assign his input to a session variable and then guess the location of the session file: he already knows the file name is "sess_" followed by the session ID, so he only needs to guess the directory, which is usually /tmp. The attacker can even choose the session ID himself and with it the file name (for example /tmp/sess_hello), although a session ID may only consist of letters and digits.

[Data types]
PHP is loosely typed, and the type of a variable depends on the context in which it is used. For example, $hello may start out as a string with the value "", but when it is evaluated numerically it becomes the integer 0, which sometimes leads to unexpected results. If $hello is "000" rather than "0", a numeric comparison treats the two as the same, but empty() does not return true for "000". Arrays in PHP are associative, that is, array indexes are strings, so $hello["000"] and $hello[0] are different elements. Developers should keep these points in mind; for example, a program should not test whether a variable is "0" in one place and call empty() on it in another.

[Error-prone functions]
When analysing a PHP program for vulnerabilities, if you have the source code, a list of dangerous functions is very useful. If the parameters of these functions can be changed remotely, a vulnerability is likely. The following is a more detailed list of error-prone functions:
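Returning to the session-file discussion above: the following added demonstration (not from the page) shows where PHP writes a session file, what it contains, and why include() of that file runs whatever the client stored in the session. It runs stand-alone with the PHP CLI, uses a temporary directory of its own instead of /tmp, and the session ID "hello" and the variable name "payload" are choices made for the example.

```php
<?php
// Added demonstration, not the page's code: attacker-chosen session ID -> predictable
// file name -> attacker-controlled bytes in a file the server will include().
$dir = sys_get_temp_dir() . '/sessdemo_' . getmypid();
mkdir($dir, 0700);

ini_set('session.use_cookies', '0');          // nothing to send from the CLI
ini_set('session.use_strict_mode', '0');      // accept an ID supplied by the client
ini_set('session.serialize_handler', 'php');  // the classic "name|value;" file format
session_save_path($dir);                      // the configurable directory (/tmp by default)
session_id('hello');                          // letters and digits only, chosen by the client
session_start();

// PHP 4 form: $payload = '...'; session_register('payload');
$_SESSION['payload'] = '<?php echo "code from the session file ran"; ?>';
session_write_close();                        // file is written now

$file = "$dir/sess_hello";                    // sess_ + session ID
echo "session file: $file\n";
echo "contents:     " . file_get_contents($file) . "\n";
// payload|s:47:"<?php echo "code from the session file ran"; ?>";

// Any script that does include($pathTheAttackerInfluences) can be pointed at $file.
// The serialized prefix is emitted as plain text, then the <?php block executes.
ob_start();
include($file);
$out = ob_get_clean();
echo "include output: $out\n";
// payload|s:47:"code from the session file ran";

unlink($file);
rmdir($dir);
```

The two defences follow directly: never let request data reach the path argument of include()/require(), and keep session.save_path outside any directory the attacker can name (and, on shared hosts, per-site and readable only by that site's user).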
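The loose-typing cases from the data types section above, as an added example (not from the page): every common way of asking "is this zero?" is applied to the same inputs so the disagreements are visible, followed by the array-key behaviour and a single predicate to use consistently. The input list and the function names are choices made for this example.

```php
<?php
// Added example, not the page's code: "", "0", "000" under PHP's loose typing.

// What each test says about one value.
function zeroChecks($value)
{
    return array(
        'loose_eq_int_0'  => ($value == 0),     // numeric comparison
        'loose_eq_str_0'  => ($value == "0"),   // two numeric strings compare as numbers
        'empty'           => empty($value),     // true for "", "0", 0, null, false, array()
        'strict_eq_str_0' => ($value === "0"),  // exact string match
    );
}

foreach (array("", "0", "000", "0.0", " 0") as $v) {
    printf("%-6s %s\n", var_export($v, true), json_encode(zeroChecks($v)));
}
// "000", "0.0", " 0": == 0 and == "0" are true, empty() is false, === "0" is false.
// "":   empty() is true and == "0" is false; "" == 0 is true on PHP 7 but false on
//       PHP 8, so that loose test changes meaning between versions.

// Array keys: "0" is normalised to the integer 0, "000" and "08" stay strings.
function arrayKeyDemo()
{
    $hello = array();
    $hello[0]     = 'integer key 0';
    $hello["0"]   = 'same slot as $hello[0]';
    $hello["000"] = 'separate string key';
    $hello["08"]  = 'also a separate string key (leading zero)';
    return $hello;                    // 3 elements: 0, "000", "08"
}
var_dump(count(arrayKeyDemo()) === 3);   // bool(true)

// Pick one rule and use it everywhere. Here: "the input is a string made of zeros",
// which treats "0" and "000" alike and rejects "", " 0" and "0.0".
function isZeroString($value)
{
    return is_string($value) && preg_match('/^0+$/', $value) === 1;
}
var_dump(isZeroString("000"));   // bool(true)
var_dump(isZeroString(""));      // bool(false)
```

If the program checks $hello == 0 in one place and empty($hello) in another, the value "000" passes the first and fails the second; a single helper such as isZeroString(), or strict comparison against the exact expected string, keeps every check in the program agreeing.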

Please credit the original source when reposting: https://www.9cbs.com/read-29567.html
