代码审计主要容易出现漏洞的接口和输入输出位置
1.1 //gloabals variable //key variable $GLOBALS $_SERVER $_GET $_POST $_FILES $_COOKIE $_SESSION $_REQUEST $_ENV regeister_globals=off gpc[$_GET,$_POST,$_COOKIE] 1.2 // vulnerability functions extract() EXTR_OVERWRITE parse_str() import_request_variables() HTTP_RAW_POST_DATA in()/limit()/order by/group by stripslashes() iconv()/mb_convert_encoding() magic_quotes_gpc=on eval() preg_replace() assert() call_user_func() call_user_func_array() create_function() session_destroy() rand() vs mt_rand() unset() . / 1.3 // check input data from user command parameter config file data index environment variable network service regedit key value temp file //tools xssdetect ratproxy http proxy 127.0.0.1:8080 codesonar yasca rips
以上就介绍了PHP语言代码漏洞审计技巧笔记分享,包括了方面的内容,希望对PHP教程有兴趣的朋友有所帮助。
