php.ini as a way to add anti-injection, or to plant a Trojan - Vulnerability Warning - Heiba Security Net (黑吧安全网)

ID MYHACK58:62200922687
Type myhack58
Reporter Anonymous (佚名)
Modified 2009-03-28T00:00:00


I spent the last two days studying phpIDS. The way it is used is simple: to protect a page against attacks, you include the protection file at the head of that page, exactly as you would include a generic anti-injection file. There are three ways to do this:

1. Include it in every file. This works, but if a site has hundreds of files it is inconvenient.

2. Include it in a common file that all the other pages already include. This is a good approach and is currently the most popular practice.

3. Reference it from php.ini. A reference in the configuration file affects the whole site, every page included. It is like the free hosting providers that were popular some years ago: once you opened a free FTP space and uploaded your site, advertisements appeared on it. I don't know whether they used this method, but the purpose is the same. The advantage is that on a company or enterprise intranet this is both secure and easy to maintain.

The first two methods are well known. For the third, open php.ini and find this section (quoted fragment):

    ;Automatically add files before or after any PHP document.
    ;auto_prepend_file = "phpids.php"
    ;auto_append_file = "alert.php"

Both directives are empty by default; set them to the file you want included.

Then also find this section:

Quoted fragment:

    ; UNIX: "/path1:/path2"
    ;include_path = ".:/php/includes"
    ; Windows: "\path1;\path2"
    include_path = ".;F:\PHPnow\htdocs"

Since my environment is Windows, I enabled the Windows option. The include path can be modified freely. The same feature is equally convenient for an attacker, for example for planting a Trojan (挂马). There are plenty of Trojan-planting tricks on the "market" already, so I won't say much about them. With the auto_prepend_file option a Trojan can be planted in bulk: every website on the server gets it. The advantages are that it does not affect speed, no site file is modified, and the method is novel. The disadvantage is that it requires write permission on php.ini.
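The flip side of the article's point is that a defender should know what php.ini currently makes PHP run on every request, and whether include_path lets a relative file name resolve inside a web-writable directory. The following audit script is an added example, not code from the article or from phpIDS. It assumes the php.ini text is available as a string (the sample below is constructed to mirror the fragments above, with auto_prepend_file enabled) and that the web document root is passed in by the caller; it honours php.ini's `;` comment lines and quoted values, so a commented-out directive is not reported as set.

```python
"""Audit a php.ini for auto_prepend_file, auto_append_file and include_path.

Added example, not code from the original article or from phpIDS. The php.ini
text is taken as a string (the sample below is constructed) and the document
root is an assumed caller-supplied input.
"""
import re
from typing import Dict, List

WATCHED = ("auto_prepend_file", "auto_append_file", "include_path")
_ASSIGN = re.compile(r"^([A-Za-z_.]+)\s*=\s*(.*)$")


def _unquote(value: str) -> str:
    """Extract a php.ini value: a quoted value may legitimately contain ';'
    (the Windows include_path separator); an unquoted one ends at the first
    ';' comment marker."""
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end != -1 else value[1:]
    return value.split(";", 1)[0].strip()


def parse_php_ini(text: str) -> Dict[str, str]:
    """Return the effective values of the watched directives.

    Lines beginning with ';' are comments, so ';auto_prepend_file = "x"' does
    not count as set. A later assignment overrides an earlier one, as in PHP.
    """
    found: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[":
            continue
        m = _ASSIGN.match(line)
        if not m:
            continue
        key = m.group(1).lower()
        if key in WATCHED:
            found[key] = _unquote(m.group(2).strip())
    return found


def _norm(path: str) -> str:
    """Case-insensitive, forward-slash form for prefix comparison."""
    return path.replace("\\", "/").rstrip("/").lower()


def audit(text: str, document_root: str) -> List[str]:
    """Return human-readable findings for a php.ini text."""
    cfg = parse_php_ini(text)
    findings: List[str] = []
    for key in ("auto_prepend_file", "auto_append_file"):
        value = cfg.get(key, "")
        if value:
            findings.append(
                f"{key} = {value!r}: this file is executed on every PHP request; "
                "confirm it is the intended protection file and that neither it "
                "nor php.ini is writable by the web server user"
            )
    include_path = cfg.get("include_path", "")
    if include_path:
        sep = ";" if ";" in include_path else ":"  # Windows vs. UNIX list separator
        root = _norm(document_root)
        for part in include_path.split(sep):
            if part in ("", "."):
                continue  # '.' is PHP's default first entry; not judged here
            n = _norm(part)
            if n == root or n.startswith(root + "/"):
                findings.append(
                    f"include_path entry {part!r} lies inside the document root "
                    f"{document_root!r}: a relative auto_prepend_file/auto_append_file "
                    "name is resolved through include_path, so a file dropped into a "
                    "web-writable directory there would be picked up"
                )
    return findings


# Constructed sample mirroring the article's fragments, with auto_prepend_file
# enabled the way the article suggests.
SAMPLE_INI = r"""
; Automatically add files before or after any PHP document.
;auto_prepend_file = "phpids.php"
auto_prepend_file = "phpids.php"
auto_append_file =

; UNIX: "/path1:/path2"
;include_path = ".:/php/includes"
; Windows: "\path1;\path2"
include_path = ".;F:\PHPnow\htdocs"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_INI, r"F:\PHPnow\htdocs"):
        print("-", finding)
```

Run against the sample it reports two findings: the enabled auto_prepend_file, and the include_path entry that equals the document root. On a real host the text would come from the file `php --ini` reports as loaded, and the document root from the web server configuration.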