How to attack through Session file? _PHP Tutorial

How to attack through Session file?

PHP 4 or newer versions provide support for sessions. Its main function is to save state information between pages in the PHP program. For example, when a user logs in to the website, the fact that he logged in and the information about who logged in to the website will be saved in the session. When he browses around the website, all PHP code can obtain this state. information.

In fact, when a session is started (actually set in the configuration file to automatically start on the first request), a random "session id" is generated, which if the remote browser always submits when sending the request If this "session id" is used, the session will always be maintained. This is easily accomplished via cookies, or by submitting a form variable (containing the "session id") on each page. PHP programs can use session to register a special variable. Its value will be stored in the session file after each PHP script ends, and will also be loaded into the variable before each PHP script starts. Here is a simple example:

＜?php

＜?php
session_destroy(); // Kill any data currently in the session
$session_auth = "shaun";
session_register("session_auth"); // Register $session_auth as a session variable
?＞

session_destroy(); // Kill any data currently in the session
$session_auth = "shaun";
session_register("session_auth"); // Register $session_auth as a session variable
?＞

New versions of PHP will automatically set the value of "$session_auth" to "shaun". If they are modified, future scripts will automatically accept the modified values, which is really good for the stateless Web. tools, but we should also be careful.

＜?php
if (!empty($session_auth))
// Grant access to site here
?＞

An obvious problem is to ensure that the variable does come from the session. For example, given the above code, if the subsequent script is as follows:

＜?php if (!empty($session_auth)) // Grant access to site here ?＞

The above code assumes that if "$session_auth" is assigned a value, it is assigned from the session, not from user input. If the attacker assigns the value through form input, he can gain access to the site. Note that the attacker must register the variable in the session before using this attack method. Once the variable is put into the session, it will overwrite any form input.

Session data is generally saved in a file (the location is configurable, usually "/tmp"). The file name is generally in the form of "sess_". This file contains variable name, variable type, variable value and Some other data. In a multi-host system, because the file is saved as the user running the web server (usually nobody), a malicious site owner can create a session file to gain access to other sites, and even inspect the session file. sensitive information in.

The Session mechanism also provides another convenience for attackers to save their own input in files on the remote system. For the above example, the attacker needs to place a file containing PHP code on the remote system. If this cannot be done using file upload, he usually uses session to assign a value to a variable according to his own wishes, and then guesses the session file. The location, and he knows that the file name is "php", so he only needs to guess the directory, and the directory is usually "/tmp".

In addition, the attacker can arbitrarily specify a "session id" (such as "hello"), and then use this "session id" to create a session file (such as "/tmp/sess_hello"), but the "session id" can only be letters and numbers. combination.

​How to attack through data types?

PHP has loose data types, and the types of variables depend on the context in which they are located. For example: "$hello" starts as a string variable with a value of "", but when evaluated, it becomes an integer variable "0", which may sometimes lead to unexpected results. If the value of "$hello" is different between "000" and "0", the result returned by empty() will not be true.

Arrays in PHP are associative arrays, that is to say, the index of the array is of string type. This means that "$hello["000"]" and "$hello[0]" are also different.

The above issues should be carefully considered when developing programs. For example, we should not test whether a variable is "0" in one place and use empty() to verify it in another place.

How to attack through error-prone functions? The following is a more detailed list of error-prone functions:

＜PHP code execution＞
require(): Read the contents of the specified file and interpret it as PHP code
include(): Same as above
eval(): Execute the given string as PHP code
preg_replace(): When used with the "/e" switch, the replacement string will be interpreted as PHP code
＜Command execution＞
exec(): Execute the specified command and return the last line of the execution result
passthru(): Execute the specified command and return all results to the client browser
​``: Execute the specified command and return all results to an array
system(): Same as passthru(), but does not process binary data
popen(): Execute the specified command and connect the input or output to the PHP file descriptor

＜File leak＞
fopen(): Open a file and correspond to a PHP file descriptor
​readfile(): Read the content of the file and then output it to the client browser
file(): Read the entire file content into an array

​How to enhance the security of PHP?

All the attacks we introduced above can be implemented well with the default installation of PHP4, but the configuration of PHP is very flexible. By configuring some PHP options, it is entirely possible for us to resist some of these attacks. Below we classify some configurations according to the difficulty of implementation:

*Low difficulty
​**Medium and low difficulty
***Medium to high difficulty
****High difficulty

If you use all the options provided by PHP, then your PHP will be very safe, even with third-party code, because many of its features are no longer available.

​****Set "register_globals" to "off"
This option will disable PHP from creating global variables for user input, that is, if the user submits the form variable "hello", PHP will not create "$hello", but only create "HTTP_GET/POST_VARS['hello']". This is an extremely important option in PHP. Turning off this option will bring great inconvenience to programming.

***Set "safe_mode" to "on"

​ Turning this option on will add the following restrictions:

1. Limit which commands can be executed
2. Limit which functions can be used
3. File access restrictions based on script ownership and target file ownership
4. Disable file upload function

This is a "great" option for ISPs, and it also greatly improves PHP security.

​** Set "open_basedir"

This option can prohibit file operations outside the specified directory, effectively eliminating attacks on local files or remote files by include(), but you still need to pay attention to attacks on file uploads and session files.

​** Set "display_errors" to "off" and set "log_errors" to "on"

This option disables error messages from being displayed on the web page and instead records them in a log file, which can effectively resist attackers from detecting functions in the target script.

* Set "allow_url_fopen" to "off"

This option disables remote file functionality.

http://www.bkjia.com/PHPjc/629796.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/629796.htmlTechArticleHow to attack through Session file? PHP 4 or newer versions provide support for sessions, whose main function is to save state information between pages in the PHP program. For example, when...