How to attack common vulnerabilities in PHP programs


By Shaun Clowes, translated by Analysist

http://www.china4lert.org/

[Library file] As discussed earlier, include() and require() exist mainly to support code libraries: functions that are used often are put into a separate file, and that file is the code library. When one of those functions is needed, the library is included into the current file. When people first developed and published PHP programs they generally gave library files a different extension from the main program, to tell the two apart, but it soon became clear that this is a mistake, because such files are not parsed as PHP code by the PHP interpreter. If such a file is requested directly from the server, its source code is returned, because when PHP runs as an Apache module the interpreter decides whether to parse a file as PHP code based on its extension. The extensions are specified by the site administrator, usually ".php", ".php3" and ".php4". If important configuration data is kept in a PHP file without a suitable extension, a remote attacker can easily obtain that information. The simplest solution is to give every file a PHP extension. That prevents source code from leaking, but it creates a new problem: by requesting such a file directly, an attacker may make code that was meant to run in the context of another script run on its own, which can lead to any of the attacks discussed earlier. Here is an obvious example. In main.php:

In libdir/loadLanguage.php:

When "libdir/loadLanguage.php" is called from "main.php" it is quite safe, but because "libdir/loadLanguage" has the extension ".php", a remote attacker can request the file directly and supply his own values for "$langdir" and "$userlang".

[Session file] PHP 4 and later support sessions, whose main role is to keep state information between the pages of a PHP program. For example, when a user logs in to the website, the fact that he is logged in, and who he is, is saved in the session.
While he browses the site, all PHP code can read this state information. When a session starts (it can also be set to start automatically in the configuration file), a random "session ID" is generated; as long as the remote browser submits this "session ID" with every request, the session persists. This is easily done with a cookie, or by submitting a form variable containing the "session ID" from every page. A PHP program can register special variables with the session: their values are written to the session file after each PHP script finishes and loaded again before each PHP script begins.

Here is a simple example: newer versions of PHP automatically set the value of "$session_auth" to "Shaun". If that value is modified, subsequent scripts automatically receive the modified value. This is a very good tool for the stateless Web, but it must be used with care. An obvious problem is making sure that the variable really does come from the session. For example, given the code above, suppose a subsequent script is the following:

The code above assumes that if "$session_auth" is set, it came from the session and not from user input. If an attacker sets it through a form, he gains access to the site. Note that the attacker must use this method before the variable has been registered in the session: once the variable is in the session, it overrides any form input. Session data is typically saved in a file (the location is configurable, usually "/tmp") whose name is generally of the form "sess_…"; the file contains the variable names, types and values, and some other data. On a multi-host system, because the file is saved under a single user identity (generally nobody), a malicious site owner can gain access to other sites by creating a session file, and can even read the sensitive information in other sites' session files. The session mechanism also gives an attacker another convenient place to store his own input in a file on the remote system. For the attacks described above, the attacker needs to place a file containing PHP code on the remote system. If he cannot use the file upload function, he usually uses the session to assign a value to a variable and then guesses the location of the session file; he already knows the form of the file name ("php…"), so only the directory needs guessing, and the directory is generally "/tmp". In addition, the attacker can specify the "session ID" himself (for example "hello") and so create a session file with a name he controls, although a "session ID" can only consist of letters and digits.
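The two problems above, a library file that can be requested directly and a login flag that is trusted without checking where it came from, are closed by the same small layout. The following two files are an added example written for this translation, not code from the original article: the IN_APP marker, the load_language() function, the langs/ directory and the user table are assumptions, and the login state is kept in $_SESSION (available since PHP 4.1) rather than in a registered global.

```php
<?php
// ============ main.php (the entry point the browser requests) ============
// Added example, not from the original article. IN_APP, load_language(), the
// langs/ directory and the user table are assumptions made for this example.

define('IN_APP', true);            // proves to library files that they were included, not requested
session_start();

// Constructed user table for the example; a real site reads password hashes from its database.
$users = ['alice' => password_hash('correct horse battery staple', PASSWORD_DEFAULT)];

if (isset($_POST['user'], $_POST['pass'])) {
    $u = (string) $_POST['user'];
    if (isset($users[$u]) && password_verify((string) $_POST['pass'], $users[$u])) {
        session_regenerate_id(true);   // fresh id on login, so a session id chosen beforehand is useless
        $_SESSION['auth'] = $u;        // login state lives ONLY in the session array
    }
}

// The check names the session array explicitly. A bare global such as $session_auth
// could arrive as a form field when register_globals is on; $_SESSION cannot.
if (!isset($_SESSION['auth'])) {
    http_response_code(401);
    exit('login required');
}

require __DIR__ . '/libdir/loadLanguage.php';
$requested = isset($_GET['lang']) ? (string) $_GET['lang'] : 'en';
$strings   = load_language(__DIR__ . '/langs', $requested);
echo htmlspecialchars($strings['greeting'], ENT_QUOTES, 'UTF-8'), ' ',
     htmlspecialchars($_SESSION['auth'], ENT_QUOTES, 'UTF-8');

<?php
// ============ libdir/loadLanguage.php (library file, keeps its .php extension) ============
// The .php extension stops the source from being served as text, but it also lets the
// file be requested on its own. This guard makes such a request harmless.
if (!defined('IN_APP')) {
    http_response_code(403);
    exit('direct access not permitted');
}

function load_language(string $langdir, string $userlang): array
{
    // Accept only known language codes; anything else ("../", URLs, null bytes) falls back
    // to English, so include() never sees an attacker-chosen path.
    $allowed = ['en', 'de', 'fr'];
    if (!in_array($userlang, $allowed, true)) {
        $userlang = 'en';
    }
    // Each language file just returns an array, e.g. langs/en.php: <?php return ['greeting' => 'Hello'];
    $strings = include $langdir . '/' . $userlang . '.php';
    return is_array($strings) ? $strings : ['greeting' => ''];
}
```

Where the server layout allows it, the libdir directory should additionally sit outside the document root, so that no URL maps to it at all; the defined() guard covers installations where that is not possible.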
[Data type] PHP's data types are relatively loose: the type of a variable depends on the context in which it is used. For example, "$hello" starts out as a string variable with the value "", but when it is evaluated in a numeric context it becomes "0", which can sometimes lead to unexpected results. If the value of "$hello" is "000" rather than "0", empty() will not return true. Arrays in PHP are associative arrays, that is, the index of an array is a string. This means that "$hello["000"]" and "$hello[0]" are also different.
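The differences just described are easiest to see side by side. The script below is an added example written for this translation, not code from the original article; the input list and the helper is_blank_or_zero() are constructed for the demonstration. It runs the checks a program might treat as interchangeable (loose equality, strict equality, empty(), array lookup) over "", "0", "000" and a few other values, and then shows one shared definition of "blank or zero" of the kind a program should use consistently.

```php
<?php
// Added example, not from the original article: how PHP's loose typing treats "", "0" and "000".
// Note that comparing a string with the integer 0 changed in PHP 8: '' == 0 was true before
// PHP 8 and is false from PHP 8 on, which is one more reason not to rely on loose comparison.

// Results of the checks a program might use interchangeably for "is this value zero or absent?".
function loose_checks(string $hello): array
{
    $arr = [];
    $arr['000'] = 'string key "000"';   // "000" is not a canonical integer string, so it stays a string key
    $arr['0']   = 'integer key 0';      // "0" is canonical, so PHP converts it to the integer key 0

    return [
        'loose_eq_zero'  => ($hello == '0'),    // two numeric strings are compared as numbers, leading zeros ignored
        'strict_eq_zero' => ($hello === '0'),   // byte-for-byte comparison of the two strings
        'empty'          => empty($hello),      // empty() treats "" and "0" as empty, but not "000"
        'array_lookup'   => array_key_exists($hello, $arr) ? $arr[$hello] : 'no such key',
    ];
}

// The fix the text recommends: one definition of "blank or zero" used everywhere, so that a test
// in one script and a test in another cannot disagree. Whitespace is trimmed and numeric strings
// are compared as numbers on purpose; document that choice once and reuse the function.
function is_blank_or_zero($value): bool
{
    if ($value === null) {
        return true;
    }
    $s = trim((string) $value);
    return $s === '' || (is_numeric($s) && (float) $s == 0.0);
}

// One row per constructed input, so the four checks can be compared directly.
foreach (['', '0', '000', '00.0', 'abc'] as $input) {
    $row = loose_checks($input);
    printf("%-7s loose==0:%-6s strict===0:%-6s empty():%-6s key:%-18s blank_or_zero:%s\n",
        var_export($input, true),
        var_export($row['loose_eq_zero'], true),
        var_export($row['strict_eq_zero'], true),
        var_export($row['empty'], true),
        $row['array_lookup'],
        var_export(is_blank_or_zero($input), true));
}
```

Run it with the command-line interpreter (php typing.php) and compare the columns for "0" and "000": they agree under loose comparison and disagree under empty() and under array lookup, which is exactly the inconsistency the text warns about.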

The problems above have to be considered carefully; for example, we should not test whether a variable is "0" in one place and then use empty() to verify it in another.

[Error-prone functions] When we analyse the vulnerabilities in a PHP program and have the source code, a list of error-prone functions is very useful. If we can change the parameters of these functions remotely, we are likely to discover vulnerabilities. Here is a more detailed list of error-prone functions:

require(): reads the contents of the specified file and interprets them as PHP code
include(): same as require()
eval(): executes the given string as PHP code
preg_replace(): when used with the "/e" modifier, the replacement string is interpreted as PHP code
exec(): executes the specified command and returns the last line of its output
passthru(): executes the specified command and returns all of its output to the client browser
``: executes the specified command and returns all of its output in an array
system(): like passthru(), but does not handle binary data
popen(): executes the specified command, connecting its input or output to a PHP file descriptor
fopen(): opens a file and associates it with a PHP file descriptor
readfile(): reads the contents of a file and outputs them to the client browser
file(): reads the entire file into an array

Translator's note: in fact this list is not complete; "mail()" and other functions may also execute commands, so you need to extend it yourself.

[How to enhance PHP security] All of the attacks I introduced above work against a default installation of PHP 4, but, as I have repeated many times, PHP configuration is very flexible, and by setting some PHP options we can resist some of these attacks entirely.
Below I have classified some configuration options according to the difficulty of applying them: * low difficulty, ** low difficulty, *** high difficulty, **** high difficulty. The classification is just my personal opinion, but I can guarantee that if you apply all of the PHP options given here, your PHP will be safe, even when running third-party code, because many of the dangerous features will no longer be available.

**** Set "register_globals" to "off". This option stops PHP from creating global variables from user input, that is, if the user submits the form variable "hello", PHP does not create "$hello" but only "$HTTP_GET_VARS['hello']" or "$HTTP_POST_VARS['hello']". This is an extremely important option in PHP, but turning it off causes a lot of inconvenience.

*** Set "safe_mode" to "on". Turning this on adds the following restrictions: 1. which commands can be executed is restricted; 2. which functions can be used is restricted; 3. file access is restricted according to the ownership of the script and of the target file; 4. the file upload function is disabled. This is a great option for ISPs and greatly improves the security of PHP.

** Set the "open_basedir" option. This disables file operations outside the specified directory, effectively eliminating local and remote file attacks through include(), but file uploads and session file attacks still need attention.

** Set "display_errors" to "off" and "log_errors" to "on". This stops error messages from being displayed and records them in a log file instead, which effectively prevents an attacker from using error messages to probe the target script.

* Set "allow_url_fopen" to "off". This option disables the remote file functions and is recommended.

This article ends here. If you want to know other related information, please refer to the original text: http://www.securereality.com.au/studyinscarlet.txt
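A quick way to confirm that the options listed above are actually in effect is to ask the running interpreter rather than reading php.ini, because .htaccess files and ini_set() calls can override it. The script below is an added example written for this translation, not code from the original article; the php.ini lines in its header are the settings the text recommends, with constructed paths for open_basedir. It uses only ini_get(), which returns false for a directive the interpreter does not know, which is how register_globals and safe_mode (removed in PHP 5.4) show up on a modern installation.

```php
<?php
// Added example, not from the original article: report which of the hardening options listed
// above are set insecurely in the running interpreter (run with "php audit.php" or via the web).
// The php.ini lines it checks for (register_globals and safe_mode exist only before PHP 5.4):
//   register_globals = Off
//   safe_mode        = On
//   open_basedir     = "/var/www/site:/tmp"    ; constructed paths, use your own
//   display_errors   = Off
//   log_errors       = On
//   allow_url_fopen  = Off

function ini_is_on(string $raw): bool
{
    // Booleans come back as "1"/"" when parsed from php.ini, or as the literal word when set
    // with ini_set(); "stderr"/"stdout" are display_errors values that still show errors.
    return in_array(strtolower(trim($raw)), ['1', 'on', 'true', 'yes', 'stderr', 'stdout'], true);
}

function audit_php_ini(): array
{
    $checks = [
        'register_globals' => ['want' => 'off', 'why' => 'form input must not become global variables'],
        'safe_mode'        => ['want' => 'on',  'why' => 'limits commands, functions, file access and uploads'],
        'open_basedir'     => ['want' => 'set', 'why' => 'confines file operations to the listed directories'],
        'display_errors'   => ['want' => 'off', 'why' => 'error text helps an attacker probe the script'],
        'log_errors'       => ['want' => 'on',  'why' => 'errors are still recorded for the administrator'],
        'allow_url_fopen'  => ['want' => 'off', 'why' => 'stops include()/fopen() from fetching remote files'],
    ];

    $report = [];
    foreach ($checks as $name => $check) {
        $raw = ini_get($name);
        if ($raw === false) {                      // directive unknown to this PHP version
            $report[$name] = 'N/A   directive does not exist in this PHP version';
            continue;
        }
        switch ($check['want']) {
            case 'on':  $ok = ini_is_on($raw);  break;
            case 'off': $ok = !ini_is_on($raw); break;
            default:    $ok = trim($raw) !== ''; break;   // 'set': any non-empty value counts
        }
        $shown = $raw === '' ? '(unset)' : $raw;
        $report[$name] = ($ok ? 'OK   ' : 'WEAK ') . ' value=' . $shown . ' : ' . $check['why'];
    }
    return $report;
}

foreach (audit_php_ini() as $name => $line) {
    echo str_pad($name, 18), $line, PHP_EOL;
}
```

Run it once from the command line and once through the web server: the two can differ, because the command-line interpreter often reads a separate php.ini, and it is the web server's values that matter for the attacks described in this article.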


