PHP programming function security
- 2020-05-27 04:29:42
- OfStack
For those of us who want to do web security, the best approach is to learn by doing and to get to the root of things: what we want is not the fish but the fishing. Domestically, all kinds of PHP programs have appeared in version 1.0, version 2.0, but the attention goes to the better-known CMS, BBS and blog programs; very few people do a security review of an obscure program. For the growing number of PHP programmers and webmasters, besides relying on the server settings as a fortress, you have to understand something about the security of the PHP program itself.
Some people say that all there is to PHP security is dealing with injection and cross-site scripting, which is a big mistake. If that were so, magic_quotes_gpc or a few security settings on the server would finish us all off :(. What I'm going to talk about today is not injection and not cross-site, but the security details that live in the PHP program itself. OK! Cut to the chase.
Pay attention to filtering around certain functions
Some functions are used all the time in programs, such as include(), require(), fopen(), fwrite(), readfile(), unlink(), eval() and their variants. These functions are useful, but being useful does not mean you need not worry about them; it means you have to worry about them. :)
1. include(), require(), fopen(), include_once(), require_once(). For example, look at print.php:
...
if (empty($bn)) { // check whether the variable $bn is empty
    include("$cfg_dir/site_${site}.php"); // include site_${site}.php from the $cfg_dir directory
...
Whether or not the $cfg_dir directory exists, $site can be used freely, because the script never checks the $site variable at all. You can point $site at a remote file or at a local file, write PHP into the file you specified, and the include will then pull in that file and execute the PHP statements in it.
Including files can even be extended to including an administrator file and escalating privileges; the earlier phpwind and bo-blog vulnerabilities are typical examples. Besides relying on allow_url_fopen set to off in php.ini to forbid remote files, and open_basedir to forbid files outside the permitted directories, you have to declare in advance which files may be included at all; there is no need to say more here.
2. fopen(), file(), readfile(), openfile(), etc. These functions themselves do nothing more than open a file, but if you don't filter the variables thoroughly they can leak source code. Many text-file based forums have such a function.
...
$articlearray = openfile("$dbpath/$fid/$tid.php"); // open the $tid.php file in the $dbpath/$fid directory
$topic_detail = explode("|", $articlearray[0]); // split the post content on the separator |
...
Looks familiar? This is read.php: $fid and $tid are not filtered at all. Submit $tid as the name of a file and the source code leaks. Just like that.
$tid gets .php appended, so submitting index reads index.php. This is only an example, but look further:
If you think this vulnerability through, it is not impossible to write a PHP backdoor when the characters submitted by the user are not filtered.
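As an added example (not code from the article or from any of the programs it names), here is one way to guard both the print.php include in point 1 and the read.php file read in point 2: the request value is checked against an allowlist of characters, resolved with realpath(), and used only if the result still lies under the intended directory. The variable names follow the article; the directory layout, the $allowed_sites list and the $_GET parameter names are assumptions made for this example.

```php
<?php
// Added example, not code from the article or from the programs it names.
// Variable names ($cfg_dir, $site, $dbpath, $fid, $tid) follow the article;
// the directory layout, the $allowed_sites list and the $_GET parameter
// names are assumptions made for this example.

declare(strict_types=1);

/**
 * Resolve "$base/$name.php" and return its real path, or null if $name is
 * not a plain identifier, the file does not exist, or the resolved path
 * (after following symlinks) lies outside $base.
 */
function safe_local_path(string $base, string $name): ?string
{
    // Character allowlist: no "/", "\", ".", ":", NUL bytes or URL schemes.
    if (preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $name) !== 1) {
        return null;
    }
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    $path = realpath($baseReal . DIRECTORY_SEPARATOR . $name . '.php');
    // realpath() returns false for a missing file; the prefix check rejects
    // anything (for example a symlink) that resolves outside $base.
    if ($path === false || strpos($path, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

/** print.php case: only sites declared in advance may be included. */
function include_site_config(string $cfg_dir, array $allowed_sites, string $site): bool
{
    if (!in_array($site, $allowed_sites, true)) {
        return false;
    }
    $file = safe_local_path($cfg_dir, 'site_' . $site);
    if ($file === null) {
        return false;
    }
    include $file;
    return true;
}

/** read.php case: $fid and $tid become path components, so each is validated. */
function read_post(string $dbpath, string $fid, string $tid): ?array
{
    // Forum and post ids are numeric in this assumed layout.
    if (preg_match('/\A[0-9]{1,10}\z/', $fid) !== 1 || preg_match('/\A[0-9]{1,10}\z/', $tid) !== 1) {
        return null;
    }
    $file = safe_local_path($dbpath . DIRECTORY_SEPARATOR . $fid, $tid);
    if ($file === null) {
        return null;
    }
    $articlearray = file($file, FILE_IGNORE_NEW_LINES);
    if ($articlearray === false || !isset($articlearray[0])) {
        return null;
    }
    return explode('|', $articlearray[0]);
}

// Assumed layout: config/site_<name>.php and data/<fid>/<tid>.php below this script.
$cfg_dir = __DIR__ . '/config';
$allowed_sites = ['main', 'mirror'];
$site = (string)($_GET['site'] ?? 'main');
include_site_config($cfg_dir, $allowed_sites, $site);

$dbpath = __DIR__ . '/data';
$topic_detail = read_post($dbpath, (string)($_GET['fid'] ?? ''), (string)($_GET['tid'] ?? ''));
```

Two details worth noting. A value such as `../../index` or `http://host/x` fails the character allowlist before any filesystem call is made, and a name that passes the allowlist but resolves (through a symlink) outside the base directory fails the prefix check. Also, an include inside a function gives the included file the function's scope, so if site_*.php is expected to define globals, perform the include at top level after the same checks.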
4. The unlink() function. Some time ago this function was used to delete arbitrary files in phpwind.
5. The eval() and preg_replace() functions, which can execute PHP code: what happens if the string is not filtered in any way? I often see them used in CMS code. Think about it: the one-line PHP Trojan is built on the eval() principle.
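The way preg_replace() came to execute code was its /e modifier, which evaluated the replacement string as PHP (deprecated in PHP 5.5 and removed in 7.0). As an added example (not code from the article), here is the safe equivalent for the common CMS use of it, template placeholder expansion: preg_replace_callback() with a fixed callback, so user-supplied text is only ever treated as data. The placeholder syntax and the $vars map are constructed for this example.

```php
<?php
// Added example, not code from the article. Replaces the old
// preg_replace('/.../e', ...) pattern with a fixed callback so that no
// user-controlled string is ever evaluated as PHP. The {{name}} syntax
// and the sample $vars are constructed for this example.

declare(strict_types=1);

/**
 * Expand {{name}} placeholders from a fixed map of values.
 * Unknown names are left untouched; values are HTML-escaped on output.
 */
function render_template(string $template, array $vars): string
{
    $result = preg_replace_callback(
        '/\{\{([A-Za-z_][A-Za-z0-9_]*)\}\}/',
        function (array $m) use ($vars): string {
            if (!array_key_exists($m[1], $vars)) {
                return $m[0]; // leave an unknown placeholder as-is
            }
            return htmlspecialchars((string)$vars[$m[1]], ENT_QUOTES, 'UTF-8');
        },
        $template
    );
    // preg_replace_callback() returns null only on a regex engine error.
    return $result ?? $template;
}

// Constructed input: the body value contains markup and a placeholder of
// its own, neither of which is interpreted; the callback output is not
// scanned again.
$vars = ['title' => 'Hello', 'body' => '{{title}} & <b>not code</b>'];
echo render_template('<h1>{{title}}</h1><p>{{body}}</p><p>{{missing}}</p>', $vars), "\n";
```

The same rule applies to eval(): if the input is a template, a configuration value or an expression to evaluate, parse it with a purpose-built parser or a callback as above rather than concatenating it into code, and keep eval() out of request-handling paths entirely.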
6. For system functions like system(), you will say that the system functions are disabled in php.ini. Just like the beautiful PHP album I saw last time. You also have to be careful with popen(), proc_open() and proc_close(): even though they produce no direct output after executing a command, think about whether that is still useful to a hacker. Here PHP provides two functions, escapeshellarg() and escapeshellcmd(), for protecting system function calls, namely by filtering.
As an example of the damage, let's look at the forum's prod.php:
$doubleApp = isset($argv[1]); // initialise the variable $doubleApp
...
if ($doubleApp) // if statement
{
    $appDir = $argv[1]; // initialise $appDir
    system("mkdir $prodDir/$appDir"); // use the system function system() to create the directory $prodDir/$appDir
It is used to create the $prodDir/$appDir directory, and it turns out the program only checks that $argv[1] is present, without the necessary filtering of $argv[1], so you can do this:
/prod.php?argv[1]=|ls%20-la or /prod.php?argv[1]=|cat%20/etc/passwd
(The delimiter |, here the UNIX pipe, lets several commands be executed.)
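As an added example (not the forum's own prod.php), the same mkdir step written so that the shell never sees untrusted text: validate the name against an allowlist, create the directory with PHP's own mkdir() so no shell is spawned at all, and, where a shell command really is unavoidable, build it with escapeshellarg(). $prodDir and $appDir follow the article; reading the name from a hypothetical $_GET['app'] parameter and the name policy are assumptions.

```php
<?php
// Added example, not the forum's own prod.php: three layers around the
// "mkdir $prodDir/$appDir" call. $prodDir and $appDir are the article's
// names; reading the name from $_GET['app'] is an assumption.

declare(strict_types=1);

// 1. Allowlist the directory name first: "|", ";", "`", "$", spaces and
//    path separators are rejected before anything else happens.
function valid_app_dir(string $name): bool
{
    return preg_match('/\A[A-Za-z0-9_-]{1,32}\z/', $name) === 1;
}

// 2. Preferred: use the PHP API and never spawn a shell for this task.
function create_app_dir(string $prodDir, string $appDir): bool
{
    if (!valid_app_dir($appDir)) {
        return false;
    }
    $target = $prodDir . '/' . $appDir;
    return is_dir($target) || mkdir($target, 0750, true);
}

// 3. If a shell command is unavoidable, quote each argument with
//    escapeshellarg(): the value is wrapped in single quotes (with any
//    embedded single quote escaped), so the shell treats it as one word.
function mkdir_command(string $prodDir, string $appDir): string
{
    if (!valid_app_dir($appDir)) {
        throw new InvalidArgumentException('invalid directory name');
    }
    return 'mkdir ' . escapeshellarg($prodDir . '/' . $appDir);
}

// Constructed input modelled on the article's "|ls -la" payload.
$hostile = '|ls -la';

var_dump(valid_app_dir($hostile));                       // rejected by layer 1
echo escapeshellarg('/srv/prod/' . $hostile), "\n";      // layer 3 on its own
echo escapeshellcmd('mkdir /srv/prod/' . $hostile), "\n"; // for comparison

if (isset($_GET['app']) && create_app_dir(__DIR__ . '/prod', (string)$_GET['app'])) {
    echo "created\n";
}
```

On a POSIX system escapeshellarg('/srv/prod/|ls -la') returns the single-quoted string '/srv/prod/|ls -la', so the pipe is plain data inside one argument. escapeshellcmd() operates on a whole command line and only backslash-escapes metacharacters, giving mkdir /srv/prod/\|ls -la: the pipe is neutralised, but the space is not quoted, so -la becomes a separate argument to mkdir. That is why escapeshellcmd() is not a substitute for escapeshellarg() on an individual argument, and why the allowlist and the mkdir() API call come first.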
By this point you should know the common types of vulnerability.
So you must not rely only on the server-side settings; it is best that the background programs themselves also pay attention, although in general doing per-site settings through the server works better. But many operations involving the database are not so easy to control that way.