This is a short summary of my ideas on PHP code auditing and vulnerability discovery. It is a personal point of view; if something is wrong, please point it out.
A large share of PHP vulnerabilities come from the programmer's own lack of experience. Some are of course related to server configuration, but that belongs to the category of system security, which I do not understand well. Today I mainly want to talk about some ideas and understanding of PHP code auditing and vulnerability discovery.
Finding PHP vulnerabilities is, in practice, web penetration testing. Just as client software is fuzzed, web penetration testing can use a similar technique, web fuzzing, i.e. a dynamic web-based scan.
WVS (Acunetix Web Vulnerability Scanner) uses its local attack-script database to substitute and fill in each of these parameters in turn, constructs a new URL, sends the request to the server via GET or POST, and judges the returned result with regular expressions, for example checking whether the string "You have an error in your SQL syntax" appears in the response. If it does, the finding is recorded and the script page is described as "possibly" vulnerable. The word "possibly" matters: an error string proves that the input reached a query unescaped, not yet that the injection is exploitable.
WVS divides its attacks into many modules. Each attack test module corresponds to a class of scripts containing the attack statements (payloads) for that vulnerability type.
Once the WVS scan has finished, if it reports some SQL injection points, you can then try sqlmap against those parameters to confirm and further characterise the injection point (sqlmap actually extracts data, so a positive result there is no longer "possible" but confirmed).
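The dynamic-scan loop described above (substitute each parameter with payloads from an attack script, build a new URL, request it, match the response against an error regex) as an added example, not code from WVS or from the original post. The target server is replaced by a constructed in-process stand-in that emulates a PHP page dropping `id` unquoted into SQL, so the scanner runs offline; the hostname `target.example`, the page `news.php` and the payload list are assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# One "attack script": payloads that are appended to each parameter value.
# Quote characters unbalance the SQL string; the last payload is a control
# that should not produce a syntax error on its own.
SQLI_PAYLOADS = ["'", "\"", "1 AND 1=2"]

# Regular expressions used to judge the response body, the same idea as
# looking for "You have an error in your SQL syntax".
SQL_ERROR_PATTERNS = [
    re.compile(r"You have an error in your SQL syntax", re.I),
    re.compile(r"supplied argument is not a valid MySQL result", re.I),
    re.compile(r"Warning: mysql_(?:fetch|num)_\w+\(\)", re.I),
]


def mutate_urls(url, payloads):
    """Yield (param, payload, new_url), replacing one query parameter at a time."""
    parts = urlsplit(url)
    params = parse_qsl(parts.query, keep_blank_values=True)
    for i, (name, value) in enumerate(params):
        for payload in payloads:
            mutated = list(params)
            mutated[i] = (name, value + payload)
            yield name, payload, urlunsplit(parts._replace(query=urlencode(mutated)))


def looks_like_sql_error(body):
    """True if the response body matches any known database error signature."""
    return any(p.search(body) for p in SQL_ERROR_PATTERNS)


def scan(url, fetch, payloads=SQLI_PAYLOADS):
    """Return {param: [payloads that triggered an SQL error]}: the "possibly" vulnerable parameters.

    `fetch` is any callable taking a URL and returning the response body as text,
    so a real HTTP client can be plugged in for a live scan.
    """
    findings = {}
    for name, payload, new_url in mutate_urls(url, payloads):
        if looks_like_sql_error(fetch(new_url)):
            findings.setdefault(name, []).append(payload)
    return findings


# Constructed stand-in for the target (assumption, no network involved): emulates
# news.php?id=..&page=.. where id is concatenated unquoted into the query and the
# MySQL error is echoed whenever the quotes become unbalanced.
def fake_vulnerable_site(url):
    params = dict(parse_qsl(urlsplit(url).query))
    sql = "SELECT * FROM news WHERE id=" + params.get("id", "")
    if sql.count("'") % 2 == 1 or sql.count('"') % 2 == 1:
        return ("Warning: mysql_fetch_array(): supplied argument is not a valid "
                "MySQL result resource. You have an error in your SQL syntax; "
                "check the manual that corresponds to your MySQL server version")
    return "<html>news item</html>"


def demo():
    """Scan the constructed target; only `id` should be reported, and only for the quote payloads."""
    return scan("http://target.example/news.php?id=1&page=2", fake_vulnerable_site)


if __name__ == "__main__":
    for param, payloads in demo().items():
        print(f"[possible] parameter {param!r} triggered an SQL error with payloads {payloads}")
```

A parameter reported here is exactly what you would hand to the next step, e.g. `sqlmap -u "http://target.example/news.php?id=1&page=2" -p id`, to turn "possible" into confirmed.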
If neither of these two steps succeeds, the fuzzing-based dynamic scan cannot go any further, and at that point we should think about performing a static code audit instead: analysing the source code itself to find where a vulnerability originates and how it can be used. For this we can use software such as RIPS, a tool built specifically for static PHP code auditing, which helps us locate the regions of code where vulnerabilities may exist.
RIPS's static vulnerability scanning is based on two basic ideas:
1. Tracking the functions that easily produce vulnerabilities (e.g. mysql_query())
RIPS assumes that every injection vulnerability must eventually pass through some specific database operation function, mysql_query() or a custom function or class method defined by the program; these functions are the trigger point of a vulnerability. By scanning backwards from these functions along the control flow and the parameter data flow, most code vulnerabilities can be found.
2. Tracing the data flow from the source of injection vulnerabilities, i.e. the data the user sends ($_GET, $_POST, $_COOKIE)
"All user-entered data is harmful." The majority of injection vulnerabilities, including second-order injection, exist because the user's input data was not filtered properly. RIPS tracks this sensitive data and checks whether it received effective treatment (e.g. addslashes()) before reaching a sensitive function (mysql_query()), and from that decides whether the data flow contains a vulnerability. Two caveats on that model: addslashes() only helps when the value lands inside a quoted string, so `WHERE id=$id` stays injectable after addslashes(), and it can be bypassed under certain multibyte connection charsets such as GBK; the reliable fix is a prepared statement (PDO or mysqli). The mysql_* functions themselves were removed in PHP 7, so any code still calling mysql_query() is itself a finding.
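Both ideas above, tracking data from the sources ($_GET, $_POST, $_COOKIE) and scanning back from the sink (mysql_query()) while checking for a securing function in between, as an added toy example written for this page, not RIPS's own code. It works line by line on a constructed PHP snippet with a simplified grammar (one assignment or one call per line) and, like RIPS, treats addslashes(), mysql_real_escape_string(), intval() and an (int) cast as securing; the sample PHP and the function names are assumptions.

```python
import re

SOURCES = ("$_GET", "$_POST", "$_COOKIE", "$_REQUEST")   # user-controlled data
SINKS = ("mysql_query", "mysqli_query")                  # sensitive functions

ASSIGN_RE = re.compile(r"^\s*\$(\w+)\s*=\s*(.+);\s*$")   # $var = <expr>;
VAR_RE = re.compile(r"\$(\w+)")                          # every $name reference
# A reference is "secured" when the text right before it is a securing call or cast.
SECURING_RE = re.compile(r"(?:\b(?:addslashes|mysql_real_escape_string|intval)\s*\(\s*|\(int\)\s*)$")


def unsecured_refs(expr, taint):
    """Names of user-controlled references in expr that are not wrapped by a securing function."""
    refs = []
    for m in VAR_RE.finditer(expr):
        name = m.group(1)
        if "$" + name in SOURCES or name in taint:
            if not SECURING_RE.search(expr[: m.start()]):
                refs.append(name)
    return refs


def scan_php(src):
    """Return one finding per sink call that receives unsecured user data.

    taint maps a variable name to (line, source) of the user input it carries,
    so a finding at the sink can be reported together with its origin.
    """
    taint = {}
    findings = []
    for lineno, line in enumerate(src.splitlines(), 1):
        # Idea 1: look at the sensitive function and walk its arguments back.
        for sink in SINKS:
            if sink + "(" in line:
                for ref in unsecured_refs(line, taint):
                    src_line, src_name = taint.get(ref, (lineno, "$" + ref))
                    findings.append({"line": lineno, "sink": sink, "var": "$" + ref,
                                     "source": src_name, "source_line": src_line})
        # Idea 2: follow user data forward through assignments.
        m = ASSIGN_RE.match(line)
        if m:
            var, rhs = m.groups()
            refs = unsecured_refs(rhs, taint)
            if refs:
                taint[var] = taint.get(refs[0], (lineno, "$" + refs[0]))  # inherit the origin
            else:
                taint.pop(var, None)  # reassigned from a clean or secured expression
    return findings


# Constructed PHP sample (assumption): lines 5, 8 and 9 are the real flows,
# line 6 is fully secured, and line 7 escapes only one of the two uses of $id.
SAMPLE_PHP = """\
$id = $_GET['id'];
$name = addslashes($_POST['name']);
$page = intval($_GET['page']);
$sql = "SELECT * FROM users WHERE id=$id";
mysql_query($sql);
mysql_query("SELECT * FROM users WHERE name='$name' LIMIT $page");
$q = "SELECT * FROM t WHERE a='" . addslashes($id) . "' AND b=$id";
mysql_query($q);
mysql_query("SELECT * FROM posts WHERE cat=" . $_COOKIE['cat']);
"""

if __name__ == "__main__":
    for f in scan_php(SAMPLE_PHP):
        print(f"line {f['line']}: {f['sink']}() receives {f['var']} "
              f"from {f['source']} (line {f['source_line']}) without a securing function")
```

Note that the checker reports line 6 as clean only because it follows the RIPS model; `LIMIT $page` is safe here because intval() forces a number, but a string secured with addslashes() and then used unquoted (as on line 4 or 7) is still injectable, which is why the per-reference check rather than a per-variable flag matters.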