Are you worried about how to learn to perform PHP code auditing?
This post was last edited by Chou He Chou on 2016-7-13 10:34

I saw this post on another forum. I thought it was very good, so I am sharing it here to discuss and learn with everyone.

Author: jing0102
Original text: Are you worried about how to learn to perform PHP code auditing?

0x01 Introduction to code audit

Code audit is a source code analysis technique that aims to find program errors, security holes and violations of coding standards. Code audit targets include, but are not limited to, the following languages under Windows and Linux system environments: Java, C, C#, ASP, PHP, JSP, .NET. The most popular today is PHP code audit, because PHP is one of the mainstream languages for web security development today.

0x02 How to learn PHP code audit

Now that we know what code audit means, it follows that to find loopholes, defects and errors in PHP source code, we must learn the language the source code is written in (PHP).

① Understand the general syntax of PHP
② Be able to read PHP code at a basic level
③ Understand the relevant dangerous PHP functions (such as system() and exec())
④ Have a tool that can locate, backtrack and search (recommended: TommSearch, SeayPHP source code audit tool)
⑤ Read more of other people's analysis write-ups
⑥ Do actual vulnerability hunting

0x03 How to conduct PHP code audit

① First run a penetration test against a local installation. Once an error is found, you can use TommSearch to locate the related files. (If the application uses a framework, locating the file is quite tedious; for locating code in a framework, see the article: http://darkm01lym0on.blog.163.com/blog/static/2567990922016019105947508/. If it does not use a framework, you can locate the file directly by looking at the file in the URL.)
② Trace the related code
③ Take corresponding test notes
④ Audit finished

Now I will go to Webmaster Home to download some source code and do a test.
Download address: http://down.chinaz.com/soft/33915.htm

e.g.

I just downloaded a PHP guestbook system and took a look at it. You can see that it is a fk1.php file. View the source code of this file:
You can also see from the code that messages need to be reviewed, so you can conclude that they are reviewed in the admin backend. I have now submitted a message from the front end containing the payload <script>alert(1)</script>:

Submission successful:

Moving to the admin backend:

Go to message management:

A pop-up box appeared instantly, and the code was executed smoothly. Through this stored XSS vulnerability, we can perform XSS and attack the cookie of the backend administrator.

-----------------------e.g end-----------------------

The above is a simple audit approach. Experts, please don't criticize; novices can learn from it!

0x04 Summary of the road to code audit

To be honest, I have been on the road of code auditing for a year. I have also tried to give up, but I still persisted. Although I am not technically skilled, I hope my learning experience can help everyone.

1. Stop bragging and look at examples
2. Pay more attention to PHP code functions
3. The most important and difficult thing: persistence

I hope everyone can help each other improve in the future! Huai Ting!

--------This article is reproduced from: i Chunqiu Forum
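
The "locate" step from 0x02 (③ dangerous functions, ④ a search tool) can be illustrated with a small line-based scanner. This is an added example, not code from the original post and not how TommSearch or the Seay tool work; `SAMPLE_PHP` is a constructed guestbook page (the post's fk1.php source is not reproduced here), and `audit`, the pattern lists and the `$row` taint assumption are hypothetical. It goes slightly beyond the post's single case by flagging both command-execution calls and output that is printed without HTML encoding, which is the pattern behind the stored XSS above.

```python
import re

# Constructed sample (NOT the fk1.php source from the post, which the page does
# not reproduce): an admin "message management" page plus two command calls.
SAMPLE_PHP = r'''<?php
// admin "message management" page (constructed)
$res = mysqli_query($db, "SELECT name, content FROM messages");
while ($row = mysqli_fetch_assoc($res)) {
    echo "<td>" . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . "</td>";
    echo "<td>" . $row['content'] . "</td>";
}
system("ping -c 1 " . $_GET['host']);
exec("uptime", $out);
'''

# Command/code execution functions; the lookbehind skips curl_exec() and ->exec().
DANGEROUS = re.compile(
    r'(?<![\w>$])(system|exec|passthru|shell_exec|popen|proc_open|eval)\s*\(')
OUTPUT = re.compile(r'^(echo|print)\b')
# A call that HTML-encodes its argument (nested parentheses are not handled).
ESCAPED = re.compile(r'\b(?:htmlspecialchars|htmlentities)\s*\([^()]*\)')
# Request superglobals, plus $row: an assumption that DB rows hold user text.
TAINT = re.compile(r'\$(_GET|_POST|_REQUEST|_COOKIE|row)\b')


def audit(source):
    """Return (line_no, kind, code) candidates for manual review."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        code = line.strip()
        if code.startswith(('//', '#', '/*', '*')):
            continue  # skip comment lines
        m = DANGEROUS.search(code)
        if m:
            kind = 'dangerous-call:' + m.group(1)
            if TAINT.search(code):
                kind += '+tainted-input'
            findings.append((no, kind, code))
        # Remove encoded expressions; any tainted variable left is printed raw.
        if OUTPUT.match(code) and TAINT.search(ESCAPED.sub('', code)):
            findings.append((no, 'unescaped-output', code))
    return findings


if __name__ == '__main__':
    for no, kind, code in audit(SAMPLE_PHP):
        print(f'line {no}: {kind}: {code}')
```

Each finding is only a candidate: the next audit step is to trace the variable back to where it is written, and the fix for the output case is to encode at print time as the sample's `name` column does.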