Security details that exist in PHP programs_PHP Tutorial

The topic of script security seems to be endless. If you often go to various bugtraqs abroad, you will find that more than half of them are related to scripts, such as SQL injection, XSS, Path Disclosure Words like ,Remote commands execution are everywhere. After we read it, is its purpose just to catch chickens? For those of us who want to do web security, it is best to use it to learn, but when we look at the root of everything, what we want is not fish but fishing. In China, various PHP programs version 1.0 and version 2.0 are popping up like mushrooms after a rain. However, everyone is paying attention to some well-known cms, forums, and blog programs, and few people are paying attention to those that are not well-known. For more and more PHP programmers and webmasters, in addition to relying on the fortress settings of the server, you must understand the security of the PHP program itself.

Some people say that your PHP security is nothing more than injection and cross-site. They are completely wrong. If this is the case, a magic_quotes_gpc or some security settings in the server will make us completely dead: (.I What we are going to talk about today is not injection or cross-site, but some security details that exist in PHP programs. OK! Let’s get to the point.

Pay attention to the filtering of some functions

Some functions are frequently used in programs, such as include(), require(), fopen(), fwrite(), readfile(), unlink(), eval() and their variant functions, etc. These functions are very practical. Practicality does not mean that you have to worry more. You have to pay more attention to them. :)

1.include(), require() and fopen(), include_once(), require_once() can all call files remotely. As for their harm, you will know clearly after searching on Google. For the included calls If the variables are not filtered well, you can include any file for execution. For example, look at print.php

...

if (empty ($bn) ) { //Check whether the variable $bn is empty

include ("$cfg_dir/site_${site}.php"); //Include site_${site}.php in the path $cfg_dir

...

No matter whether the $cfg_dir directory exists or not, you can use the $site variable naturally because it does not check the $site variable at all. You can specify the variable $site to call a remote file, or it can be a local file. Write the PHP statement in the file you specify, and then it will include and execute the file containing the PHP statement. Just like this

List file directories

It can even be expanded to include some administrator files and escalate privileges, typically like the previous vulnerabilities of phpwind and bo-blog. In addition to relying on allow_url_fopen in php.ini to be set to off to prohibit remote use of files and open_base_dir to prohibit the use of files outside the directory, you must also declare in advance which files can only be included, so I won’t go into details here.

2. fopen(), file(), readfile(), openfile(), etc. are also areas that should be paid special attention to. The functions themselves are nothing, their function is to open files, but if the variable filtering is not thorough, the source code will be leaked. There are many such function text forums.

...

$articlearray=openfile("$dbpath/$fid/$tid.php"); //Open the $tid.php file in the path $dbpath/$fid

$topic_detail=explode("|",$articlearray[0]); //Use the delimiter | to read the content of the post

...

It looks familiar. This is the previous version of ofstar's read.php. There is no filtering on $fid and $tid. If $tid is specified as a file for submission, the original code will be leaked. Just like this.

http://explame.com/ofstar/read.php?fid=123&tid=../index

$tid will be suffixed with php, so write index directly. This is just an example, so let’s see.

3. If you think about the loopholes of fwrite() and its variant functions, you can imagine that if the characters submitted by the user are not filtered, it is not impossible to write a PHP backdoor.

4.unlink() function. Some time ago, this function was used to delete files arbitrarily in phpwind. There is no filtering of variables to determine whether to delete. The variables can be specified as any files, and of course the variables of any files can be deleted.

5.eval(), preg_replace() functions, their function is to execute php code. What will happen if the string is not filtered in any way? I often see it used in some cms. Think about it, one sentence Isn't the PHP Trojan in this article made based on the eval() principle?

6. Regarding system functions such as system(), you would say to disable system functions in php.ini. Yes, this is also a good idea, but if it is required in some programs, then does it not need to be used? Just like the beautiful php photo album I saw last time. In addition, you have to pay special attention to the popen(), proc_open(), and proc_close() functions. Although there is no direct output after executing the command, do you think this is useful to hackers? Here, PHP provides two functions, escapeshellarg() and escapeshellcmd(). These two functions are used to fight against system function calling attacks, that is, filtering.

As for the harm, let’s take an example. Let’s take a look at prod.php of a certain forum

07 $doubleApp = isset($argv[1]); //Initialize variable $doubleApp

...

14 if( $doubleApp ) //if statement

15 {

16 $appDir = $argv[1]; //Initialize $appDir

17 system("mkdir $prodDir/$appDir"); //Use the system function system to create the directory $prodDir/$appDir

It was originally used to create the $prodDir/$appDir directory. Then it seems that the program only detects whether $argv[1] exists and lacks the necessary filtering of $argv[1]. Then you can do this

/prod.php?argv[1]=|ls -la or /prod.php?argv[1]=|cat /etc/passwd

(The delimiter | here is the UNIX pipe parameter, which can execute multiple commands.)

At this point, you should know a little bit about the common types of vulnerabilities.

Emphasis on extraordinary characters

For extraordinary characters, there is a saying called All puts is invalid. This sentence is very common in foreign articles. All input is harmful. You should never worry about what the user inputs. In order to deal with these hazards, programmers are busy filtering a lot of characters for fear of missing something. And what about some programmers? It seems that these issues have never been paid attention to, and the door to loopholes has always been left open. Without further ado, let’s take a look at the following things.

1. In fact, the most critical loopholes in the program, the ones that make developers worry the most are the dollar signs with $ signs, variables. For those looking for loopholes, grasping the word variable is everything. Just like the directory traversal bug, it exists in many email programs. The developers have considered it very carefully. Some even added a network hard drive, which is good, just like

http://mail.com/file.php?id=1&put=list&tid=1&file=./

What if we change the file variable to ./../ or even higher? The directory is thus traversed.

2. Angle brackets "<>" You don’t know about cross-site, in some search bars, articles, messages, like the cross-site in the phpwind attachment some time ago, etc. Of course, for cross-site issues, you have to filter for much more than just angle brackets. You’re not afraid of missing something when filtering, but you’re afraid that you won’t remember to filter.

3. Sloping bar and anti-sloping bar: For / and filtering, remember the original code leaked in the attachment download of the Magic Forum?

attachment.php?id=684&u=3096&extension=gif&attach=.............includesconfig.php&filename=1.gif

Regarding the problem of filtering .. /, for example, the windows host must not only filter ../ but also filter .., the windows host pair will be parsed as /. Compared with SQL injection, what is in-depth about these details?

4. Regarding backtick (``), backtick is very powerful in PHP. It can execute system commands, just like system functions such as system(). If the user's malicious statement is executed by it, it will be harmful. As for the server, I think in addition to setting up the server very well, you should also filter them honestly.

5. For newline characters, NULL characters, etc., like " ,x0B, , ,

http://www.bkjia.com/PHPjc/629780.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629780.htmlTechArticleThe topic of script security seems to be endless. If you often go to various bugtraqs abroad, , you will find that more than half of them are related to scripts, such as SQL injection, XS...