Senior PHP application vulnerability auditing techniques Foreword Traditional code auditing techniques PHP version and application code audit Other factors and application code audit The expansion of our dictionary The variable itself is the key Variable coverage Traverse initialize variables parse_str()variable coverage holes import_request_variables()variable coverage holes PHP5 Globals magic_quotes_gpc and code security What is magic_quotes_gpc Where there is no magic quotes protection Variable encoding and decoding Secondary attack Magic quotes brings new security issues Variable key with magic quotes Code injection PHP may lead to code injection function Variables of the function with the double quotes PHP itself is a function of vulnerabilities and defects PHP function overflow vulnerability PHP function of the other vulnerabilities session_destroy()delete the file vulnerability The random function Special characters Truncated include truncation Data truncation File operations in the special characters How further to find a new dictionary DEMO Something Appendix Foreword PHP is a widely used scripting language that is especially suited for web development. Having cross-platform, easy to learn, powerful features, according to statistics of the world there are more than 3 to 4% of the site has php applications, including Yahoo, sina, the 1 6 3, sohu and other large web portals. And a lot of anonymous web applications system, including the bbs,blog,wiki,cms, etc. are using php development, Discuz and phpwind, and phpbb, and vbb, wordpress, boblog, and so on. With web Security, hot upgrade, the php application code security issues also gradually flourished, more and more security personnel into the field, more and more application code vulnerability is disclosed. For such a situation, many applications of official have established the security sector, or hire security personnel code audit, so there was a lot of the automated Commercial Code audit tool. That is, such a situation has led to a situation: the big companies of the product safety coefficient is greatly improved, those are obvious flaws that basically extinct, those you are aware of the auditing techniques are useless. We face a lot of tools and large cattle have been scanned n times in the code, there are a lot of security personnel a little pessimistic, and some official security personnel is also very assured of your own code, but don't forget“there is no absolute security”, we should go to look for new ways to tap New holes. This article is to introduce some non-traditional art experience and share. Also here particularly note the article inside many vulnerabilities are derived from the network cow and friends to share, here we need to thank them:） Traditional code auditing techniques WEB application vulnerabilities to find is basically built around two elements: variables and functions. That is a vulnerability to use of have to put your submit the malicious code by the variable after n times the variable conversion pass, the final pass to target function execution, but also remember MS phrase classic quotes?“ All inputs are harmful”. This phrase only to emphasize the input variables, many programmers put the“input”is understood as just gpc[$_GET,$_POST,$_COOKIE], but the variables in the transfer process to produce the n number of changes. Lead to a lot of filtering just a“paper Tiger”now! We change the sentence to describe the following code safe:“everything that goes into a function of variables is harmful.” PHP code auditing techniques used by most is currently the main method: static analysis, mainly by looking easily lead to security vulnerabilities of the hazard function, the commonly used such as grep, findstr, etc. search tools, many automated tools are also use regular expressions to search for these function. The following are some of the commonly used function, which is below that of the dictionary temporarily and slightly in. However, the current basic existing dictionary is very difficult to find loopholes, so we need to expand our dictionary, these dictionaries are also this article discusses. Other methods are: by modifying the PHP source code to analyze the variables of the process, or hook risk function to implement application code review, but these also rely on our above-mentioned dictionary. PHP version and application code audit So far, PHP has 3 main versions: php4 and php5 and php6, is used in a proportion roughly as follows: php4 6 8% 2000-2007, No security fixes after 2008/08, the final version is php4. 4. 9 php5 3 2% 2 0 0 4-present, Now at version 5.2.6（PHP 5.3 alpha1 released!） php6 is currently in the testing phase, the changes many have done a lot of modifications, eliminating the many security options such as magic_quotes_gpc this not today to discuss the range Since php is missing the automatic upgrade mechanism, led to the current PHP version and also lead to a lot of vulnerabilities have not been patched. These vulnerability functions is also our WEB application code audit focused on the object, but also our dictionary important source. Other factors and application code audit Many code auditors get to the code will see, they ignore the“security is a whole”, code security many other factors, such as the above we talked about the PHP version of the problem, the more important are the[operating system]()types, mainly two camps of win/*nix, the WEB service end software is primarily an iis/apache two categories type and other factors. This is due to the different system, a different WEB SERVER with different security features, or characteristics, below some parts will be involved. So we're doing a company WEB application code audit, should be aware of their use of the system, WEB server software, PHP version and other information. The expansion of our dictionary **[1] [[2]](<42712_2.htm>) [[3]](<42712_3.htm>) [[4]](<42712_4.htm>) [[5]](<42712_5.htm>) [[6]](<42712_6.htm>) [[7]](<42712_7.htm>) [[8]](<42712_8.htm>) [[9]](<42712_9.htm>) [[1 0]](<42712_10.htm>) [[1 1]](<42712_11.htm>) [next](<42712_2.htm>)**

Query Builder