PHP code audit - 2. Introduction to PHP environment of PHP code audit

The content of this article is an introduction to the PHP environment. Friends who are interested can take a look, and can also give some reference to students who need help.

Preface

The results of code execution in different environments will be very different. It may be because of a configuration problem that a very high-risk vulnerability can be exploited; or you may have found it. A vulnerability is caused by your configuration problem, causing you to be unable to construct a successful exploit code for a long time. However, configuration instructions will also be different in different PHP versions. The new version may add or delete some instructions, change the default settings of instructions or fixed settings. Therefore, we need to be very familiar with all aspects of PHP before code auditing. Only the core instructions of the configuration file in the version can efficiently mine high-quality vulnerabilities.

PHP_INI_*Constant

##This setting option can be set in php.ini or http.confPHP__INI__ALLThis configuration option can be set anywherephp.ini onlyThis setting option can only be set in php.ini

PHP has hundreds of configuration file instructions, so I won’t introduce them one by one here. If you are interested in this aspect, you can check the specific content in the official PHP configuration documentation: http://www.php. net/manual/zh/ini.list.php

Common basic settings for PHP

(1) open_basedir settings

open_basedir can limit applications For directories that can be accessed, check whether open_basedir is set. Of course, some are set through the web server, such as: apache's php_admin_value, nginx+fcgi is controlled through conf.

(2) allow_url_fopen setting

If allow_url_fopen=ON, then PHP can read remote files for operation, which is easily exploited by attackers.

(3) allow_url_include setting

If allow_url_include=ON, then PHP can include remote files, which will cause serious vulnerabilities.

(4) safe_mode_exec_dir setting

This option can control the directory of external commands that can be called by php. If there are external commands called in the php program, then the external command is known Directory can control program risks.

(5) magic_quote_gpc setting

This option can escape the special characters submitted in the parameters. It is recommended to set magic_quote_gpc=ON

(6) register_globals setting

Turning on this option will cause PHP to register all externally submitted variables as global variables, and the consequences are quite serious.

(7) safe_mode setting

safe_mode is an important security feature of PHP, it is recommended to turn it on

(8) session_use_trans_sid setting

If session_use_trans_sid is enabled, it will cause PHP to pass the session ID through the URL, which will make it easy for an attacker to hijack the current session, or trick the user into using an existing session that is controlled by the attacker.

(9) display_errors setting

If this option is enabled, PHP will output all error or warning information, and attackers can use this information to obtain the web root path, etc. Sensitive information.

(10) expose_php setting

If the expose_php option is enabled, then every response generated by php interpreting it will include the PHP version installed on the host system. Knowing the version of PHP running on a remote server allows an attacker to enumerate known exfiltration methods against the system, greatly increasing the chance of a successful attack.

(11) magic_quotes_sybase (magic quotation mark automatic filtering)

magic_quotes_sybase directive is used to automatically filter special characters. When set to on, it will overwrite them. The configuration of magic_quotes_gpc=on, that is to say, configuring gpc=on in time will have no effect. What this command has in common with gpc is that the objects processed are the same, that is, they both process POST\GET\Cookie.

(12) disable_functions (disable function)

In a formal production environment, in order to run PHP more safely, you can also use the disable_functions directive to disable some sensitive functions usage of. When you want to use this directive to ban some dangerous functions, remember to add the dl() function to the banned list, because attackers can use the dl() function to load custom PHP extensions to break through the restrictions of the disable_function directive.

Related recommendations:

php code audit (1)-----Debugging function

##Constant	Meaning
PHP__INI__USER	This configuration option can be set in the user's PHP script or Windows registry
##PHP__INI__PERDIR	This configuration option can be set in php.ini ..htaccess or http.conf
PHP__INI__SYSTEM

The above is the detailed content of PHP code audit - 2. Introduction to PHP environment of PHP code audit. For more information, please follow other related articles on the PHP Chinese website!