系统安全:php安全代码审计小结
欢迎进入网络安全论坛,与300万技术人员互动交流 >>进入 函数: system(),passthru(),popen(),exec() 数据库操作函数: exec,system,popen,passthru,proc_open,shell_exec 执行命令管道符 % | 测试如0 | dir c: || 双竖线的作用,前面语句执行错误则执行后面
欢迎进入网络安全论坛,与300万技术人员互动交流 >>进入
函数:
system(),passthru(),popen(),exec()
数据库操作函数:
exec,system,popen,passthru,proc_open,shell_exec
执行命令管道符 % | >
测试如0 | dir c:
|| 双竖线的作用,前面语句执行错误则执行后面语句
如xx"+||+whoami+||+echo
-----------------------------------------------
[3].File-Inclusion
函数:
include(),require(),include_once(),require_once()
远程文件包含漏洞要求
allow_url_fopen() allow_url_include() file_get_contents()
绕过:zlib://和ogg://
5.2.0之后版本
data://text/plain;base64,PD9waHAgcGhwaW5mbygpOz8+ //
@eval(file_get_contents('php://input')); //POST phpinfo();
配合%00截断,新版本自动转义\0
-----------------------------------------------
[4].CSRF
CSRF防范策略
1>验证http-referer字段
安全性低,易被伪造
2>在请求地址中添加token并验证
token可在用户登录后存放在session中,每次请求时将token从session中取出,去请求的token对比以防范CSRF
GET方式:http://url/?=token
但在动态页面加载后产生的html代码,则需要以硬编码的形式手工添加
这种方式安全性弱点在于,如在论坛等交互比较频繁的地方hacker可构造环境盗取token并进而构造csrf攻击
故手工关闭referer
3>在HTTP头中自定义属性并进行验证。通过XMLHttpRequest类。
通常用于Ajax方法对页面局部的异步刷新
但适应性一般,对已有的网站架构局限性较大
-----------------------------------------------
[5].XSS(Cross Site Script)
反射型与存储型
控制$_GET,$_POST,$_COOKIE 各种传入的变量
使用htmlspecialchars()函数进行基础过滤
结合CSRF实现自动化利用
-----------------------------------------------
[6].File_Upload
函数:move_uploaded_file()
变量:$_FILES
php文件上传利用form表单进行文件上传时必须为post使用multipart/form-data才能完整的传递文件数据
php利用$_FILES系统函数的相关参数与函数move_upload_file函数来实例把由$_FILES全局变量生成的临时文件移动到指定目录完成文件的上传
$_FILES['files']['name']客户端文件的原名称
$_FILES['files']['type']文件的MIME类型
$_FILES['files']['size']已上传文件的大小
$_FILES['files']['tmp_name']储存的临时文件名,一般为系统默认
$_FILES['files']['error']该文件上传到相关的错误代码
防范方式:
1>判断MIME TYPE文件类型如$_FILES['files']['type']=="image/jpeg",判断文件大小,如$_FILES['files']['size']100
2>指定上传文件名,如依赖时间生成hash(time).jpg等方式
3>根据文件后缀名判断文件
如file_ext=substr($filename,$strrpos($filename,'.')+1);
注意是否可能有双扩展名,二次上传突破等逻辑问题
4>服务器尝试渲染文件等方式判断是否为图片
5>不依赖于客户端js脚本限制上传文件类型
6>白名单规则
apache服务器常见上传安全问题
1>配合.htaccess利用上传
AllOverride ALL 允许子规则覆盖父规则
.htaccess添加AddType Application/x-httpd-php .jpg
2>文件名解析漏洞
*.php.123
在.htaccess添加AddHandler php5-script .php,文件名中包含php扩展名可以php脚本执行,如x.php.jpg
.php3 .php4扩展名
四、配置篇
1>关注漏洞信息,及时更新版本
2>php.ini httpd.conf .htaccess文件配置
1)safe_mode相关配置
2)register_globals关闭
3)open_basedir配置,防范目录遍历
4)allow_url_fopen关闭
5)disable_functions配置
6)magic_quotes_gpc打开
7)error_reporting=E_ALL &~E_NOTICE
8)display_errors=Off避免攻击者获取更多信息
9)expose_php=Off隐藏版本信息
3>最小化服务器其他账户权限
4>第三方安全加固软件安装
5>调用第三方安全防护文件,配置php.ini
include_path=".:/php/includes"
auto_pretend_file="anti-inj.php"
auto_appent_file=
五、思路篇
刚开始练习审计时,拿到一套源码,马上做的事情就是,丢到工具里,去扫敏感的函数,然后去一个一个的回溯它,找到入口点。但是,这样审计很浪费时间,每次都要在回溯过程中,不断的去寻找源码中定义的一些通用函数。由于不了解整个源码的流程,导致在找这些通用函数的过 程中浪费了很多的时间与精力。
所以,我重新调整了我的审计流程。在拿到源码之后,先从它开始的地方(一般是根目录下的index文件)按照执行的顺序去读代码,一直到它的初始化内容, 和基本功能实现完毕为止。这样,可以明确的了解整套源码的结构,哪一种函数文件放在哪个文件夹下;知道通用函数放在哪个文件中。这对我们在之后阅读“疑似”有问题的代码时,有很好的帮助,例如,在看到一个通用函数时,我们可以快速的切换到通用函数文件,查找这个函数的实现代码。
六、小结
代码审计一如逆向工程,均需要耐心与细心。
此外,关注漏洞发布平台上最新漏洞并跟踪加以分析也是一个很快提升自己能力的方法。
[1] [2]
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1392
52
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian
Dec 24, 2024 pm 04:42 PM
PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati
7 PHP Functions I Regret I Didn't Know Before
Nov 13, 2024 am 09:42 AM
If you are an experienced PHP developer, you might have the feeling that you’ve been there and done that already.You have developed a significant number of applications, debugged millions of lines of code, and tweaked a bunch of scripts to achieve op
How To Set Up Visual Studio Code (VS Code) for PHP Development
Dec 20, 2024 am 11:31 AM
Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c
Explain JSON Web Tokens (JWT) and their use case in PHP APIs.
Apr 05, 2025 am 12:04 AM
JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,
How do you parse and process HTML/XML in PHP?
Feb 07, 2025 am 11:57 AM
This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an
PHP Program to Count Vowels in a String
Feb 07, 2025 pm 12:12 PM
A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total
Explain late static binding in PHP (static::).
Apr 03, 2025 am 12:04 AM
Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.
What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases?
Apr 03, 2025 am 12:03 AM
What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.
