
PHP code audit series (I) basis: methods, ideas and processes

2022-06-26 23:26:00 st3pby


Tools

Fortify | Commercial static code analysis (SAST) tool; its false positive rate is relatively low.

Seay | PHP source code audit tool.

PHPStorm | Integrated development environment for PHP.

Chrome & Burp Suite & the HackBar plugin & the Xdebug plugin

Xcheck | A static application security testing tool developed by the code security inspection team of the quality department of Tencent CSIG. Xcheck is built on mature taint analysis and a precise dissection of the abstract syntax tree; it propagates and tracks taint through the code so that hidden security risks are detected more accurately. This gives Xcheck two advantages: it is fast, and it has a low false positive rate.

Framework

Determine whether the target uses a framework and whether it follows the MVC design pattern.

Be familiar with the common frameworks: ThinkPHP, Laravel, CodeIgniter, Yii, etc.

MVC

Since it is an MVC framework, what we really care about is the controller (C): most function points live in the controllers, and most of the vulnerabilities we can find are there too.

ThinkPHP

In general, when auditing a CMS built on a framework, I do not read the framework's own system directory (for TP, the contents of the ThinkPHP folder) or the third-party library directory vendor first. Unless execution flows into those files during the audit, in which case I may take a look, the focus is on the application's own code under the Application folder.


Laravel

However the directory layout changes, the focus of an MVC architecture is still the Controllers.

No framework

First work out the directory structure of the target.

There are several things to pay attention to during the audit (keep these in mind throughout the process that follows):

1) Function library files, usually named with keywords such as function or common. These files contain public functions for other files to call, so most files include them in their header. A useful trick for finding them is to open index.php or some functional file and look at the includes at the top.

2) Configuration files, usually named with the keyword config. They hold the functional options the web application needs to run and configuration data such as database credentials. From this file you can understand a small part of the program's functionality. Also note whether the parameter values in the configuration file are enclosed in single or double quotes: if the file is generated by the application (for example by an installer) and the values sit in double quotes, user-supplied content is interpolated as PHP when the file is included, which can lead to code execution.

3) Security filter files, which are critical to code auditing because they decide whether the points we find can be exploited directly. They are usually named with keywords such as filter, safe or check and are mainly used to filter parameters; in practice most applications do little more than addslashes() on input.

4) Index files. index is the entry point of a program, so by reading it we can roughly understand the architecture of the whole program, its execution flow, which files it includes and which files are core. Different directories have different index files, so it is best to read through the index files of several core directories.
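The double-quote issue in point 2, as an added example that is not code from the original post: an installer that writes a value into a double-quoted PHP string lets "${...}" interpolation run code when the config file is next included, while var_export() emits a correctly escaped single-quoted literal. The config path, the db_host key and the hostile value are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. The config path, the
// db_host key and the hostile value below are constructed for illustration.

function writeConfigDoubleQuoted(string $path, string $dbHost): void
{
    // Value lands inside "..." : PHP will interpolate ${...} when the file is included.
    file_put_contents($path, "<?php\n\$config['db_host'] = \"$dbHost\";\n");
}

function writeConfigSafe(string $path, string $dbHost): void
{
    // var_export() produces a single-quoted literal with \ and ' escaped.
    file_put_contents($path, "<?php\n\$config['db_host'] = " . var_export($dbHost, true) . ";\n");
}

function readBack(string $path): string
{
    $config = [];
    // The file is parsed as PHP, which is where the quoting matters. The @ hides
    // the "undefined variable" warning (and the ${} deprecation on PHP 8.2+)
    // that the interpolated expression triggers, to keep the demo readable.
    @include $path;
    return (string) ($config['db_host'] ?? '');
}

// Constructed hostile value: ${...} evaluates its contents as PHP during
// interpolation. print_r(PHP_OS) is harmless; any expression could stand there.
$evil = 'db.example${@print_r(PHP_OS)}';
$tmp  = tempnam(sys_get_temp_dir(), 'cfg');

writeConfigDoubleQuoted($tmp, $evil);
echo "double-quoted: ", readBack($tmp), "\n";   // the expression runs while the file is included

writeConfigSafe($tmp, $evil);
echo "var_export:    ", readBack($tmp), "\n";   // the value comes back as literal text

unlink($tmp);
```

When you find a config writer during the audit, grep for the quoting it emits; "\"$value\"" or '"' . $value . '"' in the writer is the pattern to flag.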

Routes

Taking ThinkPHP as an example, URLs usually take one of several forms: normal mode, PATHINFO mode, REWRITE mode and compatibility mode.

Normal mode:

http://localhost/?m=home&c=user&a=login&var1=value1&var2=value2

PATHINFO mode:

http://serverName/index.php(or another application entry file)/module/controller/action/[parameter/value...]

REWRITE mode:

PATHINFO mode with the entry file removed:
http://serverName/module/controller/action/[parameter/value...]

Compatibility mode:

http://servername/index.php?s=/index/Index/index
The name of the variable `s` is configurable.

Audit

Process

1. Start with a general overview: configuration files, routing, etc.
2. Targeted functional audit: black box (find sensitive features) + white box (locate the code and audit it).
3. Trace back from sensitive functions.

A relatively complete audit process:

Black box first, then white box on the sensitive functions; then run an automated audit tool and verify its findings; finally trace back from the dangerous functions.

Common vulnerability types (dangerous functions)

Only the functions are listed here; each will be expanded in detail later.

SQL injection

  1. If a framework is used, identify its name and version, search for known vulnerabilities in that version, and if any exist verify them in the CMS.

  2. If no framework is used, look carefully at the database functions. A CMS generally wraps select, insert and similar operations in its own functions, for example $db->table('test')->where("name=admin"), which corresponds to select * from test where name=admin. If the CMS uses filtering + string concatenation, there is very likely a problem. If it uses PDO, follow up on the places where table names, ORDER BY fields and the like are concatenated, because those parts of a statement cannot be bound as PDO parameters.

Audit elements:

  • Whether the parameter is user controllable

  • Whether prepared statements are used

So first, if the SQL statements are not wrapped by a framework, globally search for SQL keywords such as insert and select, locate the specific statement, check whether variables are concatenated into it, and trace back to see whether they are controllable. If the input is controllable and string concatenation is present, there is very likely a vulnerability.

With a framework the search keywords differ, but the question is still the same: is there string concatenation, and is the input controllable?

Even with prepared statements, if strings are concatenated into the SQL text before it is prepared, the preparation is useless and injection may still be possible.

Keywords:

insert
create
delete
update
order by
group by
where
from
limit
desc
asc
union
select
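The concatenation pattern an auditor traces back from, next to the prepared-statement form and the allow-list needed for the identifiers that cannot be bound, as an added example that is not code from the original post. It runs offline against an in-memory SQLite database standing in for the CMS's MySQL; the users table and column names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. The users table is a
// constructed fixture so the three variants can be compared side by side.

// Vulnerable: the user-controlled $name is spliced into the statement text.
function findUserVulnerable(PDO $pdo, string $name): array
{
    $sql = "SELECT id, name FROM users WHERE name = '" . $name . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Still vulnerable: prepare() is called, but the value was concatenated into
// the SQL text first, so nothing is actually parameterised.
function findUserFakePrepared(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = '$name'");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the value is a bound parameter; the sort column and direction,
// which cannot be bound, are chosen from fixed allow-lists.
function findUserSafe(PDO $pdo, string $name, string $sortBy = 'id', string $dir = 'ASC'): array
{
    $allowedColumns = ['id', 'name', 'created_at'];
    if (!in_array($sortBy, $allowedColumns, true)) {
        throw new InvalidArgumentException("unexpected sort column: $sortBy");
    }
    $dir = strtoupper($dir) === 'DESC' ? 'DESC' : 'ASC';

    $stmt = $pdo->prepare("SELECT id, name FROM users WHERE name = :name ORDER BY $sortBy $dir");
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed fixture: in-memory SQLite with two rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, created_at TEXT)');
$pdo->exec("INSERT INTO users (name, created_at) VALUES ('admin', '2022-01-01'), ('guest', '2022-01-02')");

// The predicate collapses to ... OR '1'='1', matching every row, in the first two
// variants; the safe variant compares the whole payload literally as a name.
$payload = "x' OR '1'='1";
printf("vulnerable:    %d rows\n", count(findUserVulnerable($pdo, $payload)));
printf("fake prepared: %d rows\n", count(findUserFakePrepared($pdo, $payload)));
printf("safe:          %d rows\n", count(findUserSafe($pdo, $payload)));

try {
    findUserSafe($pdo, 'admin', 'id; DROP TABLE users');
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

On a real MySQL connection also check for PDO::ATTR_EMULATE_PREPARES: with emulation on, the driver escapes client-side and the escaping is charset-dependent (see the wide byte section); set it to false so the server binds the values.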

Wide byte injection

SET NAMES 'gbk' is equivalent to set character_set_connection='gbk', character_set_results='gbk', character_set_client='gbk'

Search keywords:

1. SET NAMES
2. character_set_client = gbk
3. mysql_set_charset('gbk')   // dangerous when escaping is done with addslashes rather than mysql_real_escape_string

GPC

With magic_quotes_gpc=on, PHP automatically prepends a backslash (\) to ', ", \ and NUL in GET, POST and COOKIE variables. However, in PHP 5 magic_quotes_gpc does not process $_SERVER, so values such as Client-IP and Referer headers remain exploitable in many injection vulnerabilities. PHP 5.4 removed this setting entirely.

Secondary urldecode injection

When we submit parameters to the web server, the server automatically URL-decodes them once, so 1%2527 becomes 1%27. If the application then decodes the value a second time after its escaping filter has already run, it becomes 1' and the quote reaches the query unescaped.

Search keywords:

urldecode
rawurldecode
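Both escaping bypasses above (wide byte and secondary decode) as an added example that is not code from the original post. It runs offline on constructed byte strings: the GBK decode shows why addslashes() leaves the quote standing, and the two orderings of urldecode() and addslashes() show the double-decode bug. The mysqli handle in escapeForGbk() is an assumption and is not opened.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post; inputs are constructed.

// Wide byte: addslashes() turns the bytes BF 27 into BF 5C 27. GBK reads BF 5C
// as one two-byte character, so the quote is left standing. Decoding the escaped
// bytes as GBK and looking for an unescaped quote reproduces what MySQL sees.
function wideByteBypasses(string $input): bool
{
    $escaped = addslashes($input);                           // byte-oriented, charset-unaware
    $decoded = mb_convert_encoding($escaped, 'UTF-8', 'GBK');
    return (bool) preg_match("/(?<!\\\\)'/u", $decoded);     // a ' not preceded by a backslash
}

// The charset-aware pattern to look for instead (or, better, prepared statements):
// the client library is told the charset, so escaping is multi-byte aware.
function escapeForGbk(mysqli $db, string $input): string
{
    mysqli_set_charset($db, 'gbk');
    return mysqli_real_escape_string($db, $input);
}

// Secondary decode: the web server decodes once; if the application decodes
// again after the escaping filter, %2527 -> %27 -> ' arrives unescaped.
function filterThenDecode(string $fromServer): string
{
    $filtered = addslashes($fromServer);   // sees "1%27": nothing to escape
    return urldecode($filtered);           // now "1'"
}

function decodeThenFilter(string $fromServer): string
{
    return addslashes(urldecode($fromServer)); // decode first, then escape: "1\'"
}

$wide = "\xbf'";                     // the bytes %bf%27 as delivered by the server
var_dump(wideByteBypasses($wide));   // the quote survives addslashes() under GBK
var_dump(wideByteBypasses("a'"));    // an ordinary quote is escaped as expected

$raw = urldecode('1%2527');          // the web server's single decode: "1%27"
var_dump(filterThenDecode($raw), decodeThenFilter($raw));
```

When tracing a filter, note the order of operations as well as the functions: an addslashes() that runs before a urldecode() is a finding even when both are present.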

XSS

Audit elements

  • Whether there is a global parameter filter, whether its filtering rules meet the security requirements, whether output is divided into kinds that need filtering and kinds that do not, and whether the pages control this properly.

  • Whether output is encoded for its context (HTML, JS, etc.).

  • Whether the front end uses a framework with built-in XSS protection (AngularJS, React, Vue.js, etc.) for data output.

Find the output functions that take parameters, then trace the output content back to the input parameters and check whether it has been filtered. Common output functions:

print, print_r, echo, printf, sprintf, die, var_dump, var_export
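Context-specific output encoding, which is what to look for when tracing an echo back to its input, as an added example that is not code from the original post. The page fragment and the sample input are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Three output contexts, each
// with its own encoder; a single "global filter" on input covers none of them well.

// HTML body and attribute context.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Inline JavaScript literal: JSON-encode and hex-escape the characters that could
// close the <script> element or break out of the string.
function js($value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_UNESCAPED_UNICODE | JSON_THROW_ON_ERROR
    );
}

// URL context: encoding alone does not stop javascript: URLs, so check the scheme.
function safeHref(string $url): string
{
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '#';
    }
    return h($url);
}

// The pattern to trace back from: input reaches echo/print unencoded.
function renderVulnerable(string $name): string
{
    return "<div>Hello, $name</div>";
}

function renderSafe(string $name, string $link): string
{
    return '<div>Hello, ' . h($name) . '</div>'
         . '<a href="' . safeHref($link) . '">profile</a>'
         . '<script>var user = ' . js($name) . ';</script>';
}

// Constructed inputs.
$payload = '<script>alert(1)</script>';
echo renderVulnerable($payload), "\n";
echo renderSafe($payload, 'javascript:alert(1)'), "\n";
```

When the template layer does the encoding (Twig, Blade), the audit question becomes which outputs use the raw form ({{ ... | raw }}, {!! ... !!}) and where their input comes from.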

CSRF

Black box first: open several pages with non-static (state-changing) operations, capture the requests and check whether a token is present. If there is no token, replay the request directly, then replay it without a Referer. Then white box: when reading the code, check whether the core files contain code that validates the token and the Referer.

You can try a global search for:

csrf-token
csrf_token
csrftoken
csrf
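The token handling the white-box check looks for, as an added example that is not code from the original post. Session storage is simulated with an array so it runs from the command line; the field name and the host names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. $session stands in for $_SESSION.

function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));  // CSPRNG, not md5(time())
    }
    return $session['csrf_token'];
}

// Fails closed on a missing token; hash_equals() avoids timing leaks and loose ==.
function validateCsrfToken(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

// Origin/Referer as a secondary check only: both headers may legitimately be absent,
// which is exactly why a "no Referer" replay must also be tried in the black box.
function originAllowed(array $headers, string $expectedHost): bool
{
    $src = $headers['Origin'] ?? $headers['Referer'] ?? '';
    return $src !== ''
        && strcasecmp((string) parse_url($src, PHP_URL_HOST), $expectedHost) === 0;
}

function hiddenField(string $token): string
{
    return '<input type="hidden" name="csrf_token" value="'
         . htmlspecialchars($token, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed walk-through.
$session = [];
$token = issueCsrfToken($session);
echo hiddenField($token), "\n";
var_dump(validateCsrfToken($session, $token));       // legitimate form post
var_dump(validateCsrfToken($session, 'deadbeef'));   // forged or replayed token
var_dump(validateCsrfToken($session, null));         // token field omitted
var_dump(originAllowed(['Origin' => 'https://evil.example'], 'shop.example'));
var_dump(originAllowed([], 'shop.example'));         // absent header: do not treat as trusted
```

A token that is only compared with == or that is derived from predictable data (user id, timestamp) should be recorded as a finding even though "a token exists".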

SSRF

Audit elements:

  • Whether there are functions that can produce an SSRF vulnerability.

  • Whether intranet IP addresses are filtered by a regular expression, and whether that regex is strict.

  • Whether outgoing requests are restricted to HTTP or HTTPS only.

Search the code for the key functions, then check whether the accessible ports, protocols and intranet IP addresses are restricted.

Keywords:

file_get_contents
fsockopen
curl_exec
get_headers
fopen
readfile
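The checks an auditor expects around a fetch function, plus the curl options that stop scheme switching and redirects, as an added example that is not code from the original post. Hostnames are normally resolved with gethostbynamel(); the demo passes the resolved addresses in so it runs offline. The URLs and addresses are constructed.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Inputs are constructed.

function isPublicIp(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) !== false;
}

// Returns the IP to connect to if the URL passes, else null. Rejects non-http(s)
// schemes, userinfo tricks, unusual ports, and names resolving to private/reserved ranges.
function validateOutboundUrl(string $url, ?array $resolved = null): ?string
{
    $p = parse_url($url);
    if ($p === false || !isset($p['scheme'], $p['host'])) {
        return null;
    }
    if (!in_array(strtolower($p['scheme']), ['http', 'https'], true)) {
        return null;                          // file://, gopher://, dict://, php://
    }
    if (isset($p['user']) || isset($p['pass'])) {
        return null;                          // http://trusted.example@127.0.0.1/
    }
    if (isset($p['port']) && !in_array($p['port'], [80, 443], true)) {
        return null;
    }
    $ips = filter_var($p['host'], FILTER_VALIDATE_IP) !== false
        ? [$p['host']]                        // IP literal: check it directly
        : ($resolved ?? (gethostbynamel($p['host']) ?: []));
    if ($ips === []) {
        return null;
    }
    foreach ($ips as $ip) {
        if (!isPublicIp($ip)) {
            return null;                      // 127.0.0.1, 10/8, 192.168/16, 169.254.169.254, ...
        }
    }
    return $ips[0];
}

// Caveat: the name may resolve differently when curl connects (DNS rebinding).
// CURLOPT_RESOLVE pins the validated IP so the request goes where it was checked.
function fetchChecked(string $url, string $pinnedIp)
{
    $host = parse_url($url, PHP_URL_HOST);
    $port = parse_url($url, PHP_URL_PORT) ?? (parse_url($url, PHP_URL_SCHEME) === 'https' ? 443 : 80);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_FOLLOWLOCATION => false,                          // no redirect to an internal host
        CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_RESOLVE        => ["$host:$port:$pinnedIp"],
        CURLOPT_CONNECTTIMEOUT => 5,
        CURLOPT_TIMEOUT        => 10,
    ]);
    $body = curl_exec($ch);
    curl_close($ch);
    return $body;
}

// Constructed inputs; resolved addresses are supplied so no DNS lookup happens.
var_dump(validateOutboundUrl('http://127.0.0.1:8080/admin'));
var_dump(validateOutboundUrl('file:///etc/passwd'));
var_dump(validateOutboundUrl('http://169.254.169.254/latest/meta-data/'));
var_dump(validateOutboundUrl('https://example.com/', ['93.184.216.34']));
var_dump(validateOutboundUrl('https://internal.example/', ['10.0.0.5']));
```

A regex on the host string alone (the second audit element) misses decimal or octal IP forms and names that resolve to internal addresses; resolving first and checking the address is the check to look for.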

File inclusion vulnerabilities

File inclusion is the quickest route to a shell, so it usually deserves focused attention.

It mostly appears in module loading, template loading and caching. Trace the program's execution to where these are invoked and check whether the files included during module loading are controllable. The other approach is to search directly for the

Keywords:

include, include_once, require, require_once

and trace back to see whether their argument contains controllable variables.
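The module-loader pattern the text says to trace, in its vulnerable and hardened forms, as an added example that is not code from the original post. The module directory and the module names are assumptions; the demo creates a module in a temporary directory so it runs offline.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post; the module directory is a fixture.

// Vulnerable: ?m=../../../../etc/passwd or ?m=php://filter/... goes straight into include.
function loadModuleVulnerable(string $dir, string $m): void
{
    include $dir . '/' . $m . '.php';
}

// Hardened: the name must match a fixed allow-list; the request never chooses a path.
function loadModuleSafe(string $dir, string $m): void
{
    static $allowed = ['home', 'user', 'article'];
    if (!in_array($m, $allowed, true)) {
        throw new RuntimeException("unknown module: $m");
    }
    include $dir . '/' . $m . '.php';
}

// When the set of modules is open-ended: restrict the characters, then confine
// the resolved path to the base directory (wrappers and traversal both fail realpath).
function loadModuleConfined(string $dir, string $m): void
{
    if (!preg_match('/\A[a-z0-9_]+\z/', $m)) {
        throw new RuntimeException('bad module name');
    }
    $base = realpath($dir);
    $path = realpath($dir . '/' . $m . '.php');
    if ($base === false || $path === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException('module outside base directory');
    }
    include $path;
}

// Constructed fixture: one legitimate module.
$dir = sys_get_temp_dir() . '/modules_' . bin2hex(random_bytes(4));
mkdir($dir);
file_put_contents("$dir/home.php", "<?php echo \"home module loaded\\n\";");

loadModuleSafe($dir, 'home');
loadModuleConfined($dir, 'home');
foreach (['../../etc/passwd', 'php://filter/read=convert.base64-encode/resource=index', 'admin'] as $bad) {
    try {
        loadModuleConfined($dir, $bad);
    } catch (RuntimeException $e) {
        echo "rejected '$bad': {$e->getMessage()}\n";
    }
}
unlink("$dir/home.php");
rmdir($dir);
```

While tracing, also note the php.ini values allow_url_include and allow_url_fopen: with the former on, a controllable include argument is remote code execution directly rather than a local file read.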

File read (download) vulnerabilities

First identify, in the black box, the files behind the relevant function points; then search those files for file-reading functions and trace back to see whether any argument is directly or indirectly controllable:

Keywords:

file_get_contents()  
highlight_file()   
fopen()  
readfile()  
fread()  
fgetss()  
fgets()  
parse_ini_file()  
show_source()  
file()  
and the file inclusion functions such as include

File upload

Audit elements

  • Whether the type of the uploaded file is checked

  • Whether the upload path is restricted

  • Whether the file is renamed

  • Whether the file size is limited

  • Whether the stored file path is returned, or is easy to guess

Some projects wrap file upload and download in their own functions, so you can globally search for functions named with upload or file to see whether they are wrapped:

function upload
function file

If they are wrapped, read those wrapper functions and audit them against the elements listed above.

If they are not wrapped, the code usually calls move_uploaded_file directly; globally search for this function and trace back to see whether those weaknesses exist. (White box and black box work best together here.)
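An upload wrapper that covers the five audit elements above, as an added example that is not code from the original post: extension allow-list, content check with finfo, size cap, random rename, and an opaque id in the response instead of a path. The upload directory is an assumption; the demo builds the $_FILES entries itself and swaps move_uploaded_file() for rename() so it runs from the CLI.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Fixtures are constructed.

const UPLOAD_MAX_BYTES = 2 * 1024 * 1024;
const ALLOWED = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function storeUpload(array $file, string $uploadDir, bool $fromCli = false): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > UPLOAD_MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // The client-supplied extension only selects the allow-list entry; the
    // content is then checked against it, so shell.png with PHP inside fails.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException("extension .$ext not allowed");
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($mime !== ALLOWED[$ext]) {
        throw new RuntimeException("content type $mime does not match .$ext");
    }
    // Random server-side name; the caller never learns the on-disk path.
    $stored = bin2hex(random_bytes(16)) . '.' . $ext;
    $dest   = rtrim($uploadDir, '/') . '/' . $stored;
    $ok = $fromCli ? rename($file['tmp_name'], $dest) : move_uploaded_file($file['tmp_name'], $dest);
    if (!$ok) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644);
    return ['id' => $stored];   // an opaque id, not $dest
}

// Constructed fixtures: a real 1x1 PNG, and PHP source presented under two names.
$dir = sys_get_temp_dir() . '/uploads_' . bin2hex(random_bytes(4));
mkdir($dir);
$png    = base64_decode('iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg==');
$phpSrc = "<?php system(\$_GET['c']); ?>";
$tmpGood = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($tmpGood, $png);
$tmpBad  = tempnam(sys_get_temp_dir(), 'up'); file_put_contents($tmpBad, $phpSrc);

foreach ([
    ['name' => 'avatar.png', 'tmp_name' => $tmpGood, 'size' => strlen($png),    'error' => UPLOAD_ERR_OK],
    ['name' => 'shell.php',  'tmp_name' => $tmpBad,  'size' => strlen($phpSrc), 'error' => UPLOAD_ERR_OK],
    ['name' => 'shell.png',  'tmp_name' => $tmpBad,  'size' => strlen($phpSrc), 'error' => UPLOAD_ERR_OK],
] as $f) {
    try {
        $r = storeUpload($f, $dir, true);
        echo "{$f['name']} stored as {$r['id']}\n";
    } catch (RuntimeException $e) {
        echo "{$f['name']} rejected: {$e->getMessage()}\n";
    }
}
array_map('unlink', glob("$dir/*") ?: []);
unlink($tmpBad);
rmdir($dir);
```

Two things this wrapper cannot fix on its own and that belong in the audit notes: the upload directory should sit outside the web root or have PHP execution disabled, and the $_FILES['type'] field is client-supplied and must never be the type check.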

File deletion

Find the corresponding function point first and test it directly in the black box to see whether you can delete an arbitrary file. If you cannot, go into the execution flow and trace how the submitted file name parameter is passed along.

unlink
rmdir
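One path-confinement check serving both the file read/download section and the file deletion section above, as an added example that is not code from the original post: the bug class is the same (a traversed or absolute path reaching readfile() or unlink()), so the same function guards both. The base directory and file names are constructed in a temporary directory.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Fixtures are constructed.

// Returns the canonical path if it lies inside $base, else null.
function confinedPath(string $base, string $userPath): ?string
{
    $baseReal = realpath($base);
    if ($baseReal === false) {
        return null;
    }
    // Reject NUL bytes and stream wrappers before touching the filesystem.
    if (strpos($userPath, "\0") !== false || preg_match('#^[a-z][a-z0-9+.-]*://#i', $userPath)) {
        return null;
    }
    // Strip leading separators so an absolute path cannot escape the join.
    $target = realpath($baseReal . DIRECTORY_SEPARATOR . ltrim($userPath, '/\\'));
    if ($target === false) {
        return null;                                   // missing, or ../ resolved elsewhere
    }
    $prefix = $baseReal . DIRECTORY_SEPARATOR;
    return strncmp($target, $prefix, strlen($prefix)) === 0 ? $target : null;
}

function downloadVulnerable(string $base, string $name): void
{
    readfile($base . '/' . $name);    // ?name=../../../../etc/passwd
}

function downloadSafe(string $base, string $name): ?string
{
    $path = confinedPath($base, $name);
    return ($path !== null && is_file($path)) ? file_get_contents($path) : null;
}

function deleteVulnerable(string $base, string $name): void
{
    unlink($base . '/' . $name);      // ?name=../../config.php
}

function deleteSafe(string $base, string $name): bool
{
    $path = confinedPath($base, $name);
    return $path !== null && is_file($path) && unlink($path);
}

// Constructed fixture: one file inside the base, one outside it.
$base = sys_get_temp_dir() . '/files_' . bin2hex(random_bytes(4));
mkdir($base); mkdir("$base/sub");
file_put_contents("$base/sub/report.txt", "quarterly numbers\n");
$secret = sys_get_temp_dir() . '/outside_' . bin2hex(random_bytes(4)) . '.txt';
file_put_contents($secret, "not yours\n");

var_dump(downloadSafe($base, 'sub/report.txt'));            // inside: allowed
var_dump(downloadSafe($base, '../' . basename($secret)));   // traversal: null
var_dump(downloadSafe($base, $secret));                     // absolute path: null
var_dump(deleteSafe($base, '../' . basename($secret)));     // traversal: false, file untouched
var_dump(deleteSafe($base, 'sub/report.txt'));              // inside: deleted

unlink($secret); rmdir("$base/sub"); rmdir($base);
```

Note what realpath() cannot do: it returns false for files that do not exist yet, so for write or create operations the confinement has to be done on the parent directory and a validated basename instead.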

Code execution

Audit elements

  • Whether disable_functions in php.ini disables the relevant functions.

  • Whether the code contains sensitive functions that execute code.

  • Whether the input variable is controllable.

Keywords:

eval(), assert(), preg_replace() (with the /e modifier), create_function(), array_map(), call_user_func(), call_user_func_array(), array_filter(), usort(), dynamic function calls ($func())

Command execution

Audit elements

  • Whether the parameter is user controllable

  • Whether a global filter is configured, and whether its filtering rules meet the security specification

  • Whether every command execution parameter has passed through the filter, or is restricted by an allow-list

Keywords:

exec(), passthru(), system(), shell_exec(), popen(), the backtick operator `, proc_open(), pcntl_exec()
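The dynamic-call and shell patterns an auditor greps for in the code execution and command execution sections above, next to allow-listed replacements, as an added example that is not code from the original post. The "action" dispatcher, the ping feature and the handler names are assumptions; no command is actually run in the walk-through.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Inputs are constructed.

// --- code execution: a callable name taken from the request ---
function dispatchVulnerable(string $action, string $arg)
{
    return $action($arg);            // ?action=system&arg=id  (same for call_user_func, array_map, usort ...)
}

function dispatchSafe(string $action, string $arg)
{
    $handlers = [
        'upper' => 'strtoupper',
        'slug'  => fn(string $s): string => strtolower(preg_replace('/[^A-Za-z0-9]+/', '-', $s)),
    ];
    if (!array_key_exists($action, $handlers)) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    return $handlers[$action]($arg); // the callable itself never comes from the request
}

// --- command execution: a host name spliced into a shell line ---
function pingVulnerable(string $host): string
{
    return (string) shell_exec('ping -c 1 ' . $host);    // host=127.0.0.1;id
}

function pingSafe(string $host): string
{
    // Validate the shape first (hostname or IP), then escape anyway: defence in depth.
    $label  = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    $isName = (bool) preg_match("/\\A$label(\\.$label)*\\z/", $host);
    if (!$isName && filter_var($host, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("not a host name or IP: $host");
    }
    return (string) shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Audit element 1: what has this deployment actually disabled?
function disabledFunctions(): array
{
    return array_values(array_filter(array_map('trim', explode(',', (string) ini_get('disable_functions')))));
}

// Constructed walk-through (no ping is sent, no shell is spawned).
var_dump(dispatchSafe('slug', 'Hello World!'));
try { dispatchSafe('system', 'id'); }  catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
try { pingSafe('127.0.0.1;id'); }      catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
try { pingSafe('$(id)'); }             catch (InvalidArgumentException $e) { echo $e->getMessage(), "\n"; }
var_dump(disabledFunctions());
```

escapeshellarg() alone is not enough when the value is used as an option (a host of -f or --output=... changes what the program does), which is why the allow-list shape check comes first.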

Variable override

Variable override vulnerabilities usually have to be combined with other functional code to achieve a complete attack, so when mining an exploitable variable override you should consider not only how the override happens but also whether the code that follows can make use of it. Always look at which variables can be overridden and are then used after the vulnerable line.

extract() and parse_str() are the two easiest functions to mine: search for the keywords directly and trace back.

import_request_variables() is equivalent to turning on global variable registration; in that case find the variables that are used without being initialised or assigned first, and submit a parameter with that name. The function exists in PHP 4 up to PHP 5.4.0.

$$ variable override. The classic form is a loop over the request arrays that assigns $$key = $value: it takes 'parameter=value' pairs from GET, POST and COOKIE and uses them to override every variable defined before it.
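The classic $$ registration loop and an extract() on request data, each shown with the variable it silently overwrites, as an added example that is not code from the original post. The request is a constructed array standing in for $_GET/$_POST/$_COOKIE, and the variable names are assumptions.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. $request stands in for the
// merged $_GET/$_POST/$_COOKIE arrays.

function vulnerableAuth(array $request): bool
{
    $isAdmin = false;                       // initialised before the loop...
    foreach ($request as $key => $value) {
        $$key = $value;                     // ...and overwritten by ?isAdmin=1
    }
    return (bool) $isAdmin;
}

function vulnerableExtract(array $request, string $configuredDir): string
{
    $templateDir = $configuredDir;
    extract($request);                      // ?templateDir=/tmp/evil overrides it (default EXTR_OVERWRITE)
    return $templateDir;
}

// Hardened: extract() with EXTR_SKIP never clobbers an existing variable ...
function safeExtract(array $request, string $configuredDir): string
{
    $templateDir = $configuredDir;
    extract($request, EXTR_SKIP);
    return $templateDir;
}

// ... and reading only the parameters you expect is better still: no
// request key can ever become a variable name.
function safeAuth(array $request): bool
{
    $page    = (int) ($request['page'] ?? 1);
    $sort    = $request['sort'] ?? 'id';
    $isAdmin = false;                       // only code in this function can change it
    return $isAdmin;
}

// Constructed hostile request.
$attack = ['isAdmin' => '1', 'templateDir' => '/tmp/evil'];
var_dump(vulnerableAuth($attack));
var_dump(vulnerableExtract($attack, '/var/www/templates'));
var_dump(safeExtract($attack, '/var/www/templates'));
var_dump(safeAuth($attack));
```

When you find the loop, the audit work is in what comes after it: list every variable read later in the file (or in included files) that the loop can reach, such as paths used by include, flags used for authorisation, or table names used in SQL.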

XXE

Key functions:

SimpleXMLElement
simplexml_load_string
loadXML (DOMDocument)

Search for them directly and trace back.
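A SimpleXML parse that substitutes external entities next to a DOMDocument parse that refuses them, as an added example that is not code from the original post. The XML document is constructed; it references /etc/passwd only to show the entity being expanded, and the vulnerable function passes LIBXML_NOENT, which is what re-enables external entity loading on PHP 8 (where it is otherwise off by default with libxml 2.9+).

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. The payload is constructed.

function xmlPayload(): string
{
    return <<<'XML'
<?xml version="1.0"?>
<!DOCTYPE user [ <!ENTITY ext SYSTEM "file:///etc/passwd"> ]>
<user><name>&ext;</name></user>
XML;
}

// Vulnerable: LIBXML_NOENT substitutes entities, SYSTEM ones included -> file read.
function parseVulnerable(string $xml): string
{
    $doc = simplexml_load_string($xml, 'SimpleXMLElement', LIBXML_NOENT);
    return $doc === false ? '' : (string) $doc->name;
}

// Hardened: refuse any DTD up front, never pass LIBXML_NOENT, and deny network
// access for anything that slips through. Without a DTD there are no entities.
function parseSafe(string $xml): string
{
    if (stripos($xml, '<!DOCTYPE') !== false) {
        throw new RuntimeException('DTD not allowed');
    }
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml, LIBXML_NONET)) {
        throw new RuntimeException('malformed XML');
    }
    $node = $doc->getElementsByTagName('name')->item(0);
    return $node === null ? '' : $node->textContent;
}

libxml_use_internal_errors(true);    // keep parser warnings out of the demo output

echo parseVulnerable(xmlPayload()) !== ''
    ? "vulnerable: external entity expanded\n"
    : "vulnerable: nothing expanded on this build (entity loading unavailable)\n";
try {
    parseSafe(xmlPayload());
} catch (RuntimeException $e) {
    echo "safe: {$e->getMessage()}\n";
}
echo "safe: ", parseSafe('<user><name>alice</name></user>'), "\n";
```

On PHP 7 the equivalent global switch is libxml_disable_entity_loader(true); when auditing older code, check both that it is called and that no later code turns it back on, because the setting is process-wide.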

Logic vulnerabilities

Read through the source of each function point. Points of concern: whether the program can be reinstalled repeatedly; whether the password change feature can change other users' passwords (horizontal privilege escalation); whether the password recovery verification code can be brute-forced to change other users' passwords; whether cookies are predictable or cookie validation can be bypassed; and so on.

Dangerous functions: PHP black magic

in_array: performs automatic type conversion (loose ==) before comparing unless the third argument is true.

is_numeric: on PHP 5, a hexadecimal string such as 0x1A passes (true). PHP 7 removed hex support, but values with leading whitespace or an exponent such as " 1e3" still pass, so it is not an integer check.

Double equals (==): weak comparison; type conversion happens before the comparison. PHP 8 tightened string-to-number comparison, but two numeric strings such as "0e..." hashes still compare equal.

$_REQUEST: filtering applied to $_REQUEST can be bypassed when the code reads $_GET or $_POST directly. $_REQUEST merges GET, POST and COOKIE, and with the usual request_order of "GP" the POST value wins for a key present in both. So if the dangerous data is sent via GET and benign data via POST under the same name, a filter that inspects $_REQUEST sees the benign value while the code that reads $_GET uses the dangerous one. Whenever parameters are taken from $_GET but filtered through $_REQUEST, there may be a problem.
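The loose-comparison cases listed above with their strict counterparts, plus the $_REQUEST filter mismatch, as an added example that is not code from the original post. GET and POST are passed in as constructed arrays instead of the superglobals so it runs from the CLI; results that differ between PHP 7 and PHP 8 are noted in comments.

```php
<?php
declare(strict_types=1);

// Added example, not code from the original post. Inputs are constructed.

// Magic hashes: both sides look like scientific notation ("0e..."), so == compares 0 == 0.
function passwordCheckLoose(string $storedMd5, string $candidate): bool
{
    return md5($candidate) == $storedMd5;
}

function passwordCheckStrict(string $storedMd5, string $candidate): bool
{
    return hash_equals($storedMd5, md5($candidate));   // type-safe and constant-time
}

// in_array() without the third argument compares with ==.
function roleAllowedLoose($role): bool
{
    return in_array($role, [0, 1]);        // PHP 7: "admin" == 0 is true; PHP 8: false
}

function roleAllowedStrict($role): bool
{
    return in_array($role, [0, 1], true);
}

// is_numeric() is not an integer check; validate the shape you actually need.
function isIntegerParam(string $v): bool
{
    return filter_var($v, FILTER_VALIDATE_INT) !== false;   // ctype_digit($v) if only digits are wanted
}

// $_REQUEST mismatch: the filter inspects the merged array, where POST wins
// for the same key (request_order "GP"), while the query reads $_GET.
function requestFilterMismatch(array $get, array $post): array
{
    $request    = array_merge($get, $post);           // how $_REQUEST is built under request_order="GP"
    $filteredId = addslashes($request['id'] ?? '');   // the filter "sees" the benign POST value
    $usedId     = $get['id'] ?? '';                   // the query actually uses the GET value
    return ['filtered' => $filteredId, 'used' => $usedId];
}

// md5('QNKCDZO') and md5('240610708') both start with 0e and are all digits after it.
$stored = md5('QNKCDZO');
var_dump(passwordCheckLoose($stored, '240610708'));    // true on PHP 7 and PHP 8
var_dump(passwordCheckStrict($stored, '240610708'));   // false
var_dump(roleAllowedLoose('admin'), roleAllowedStrict('admin'));
var_dump(is_numeric(' 1e3'), isIntegerParam(' 1e3'), isIntegerParam('42'));
var_dump(requestFilterMismatch(['id' => "1' OR 1=1-- "], ['id' => '1']));
```

During the audit, grep for == and in_array( without a trailing true wherever passwords, tokens or roles are compared, and check which superglobal the filter reads against which one the sink reads.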


Original site

Copyright notice
This article was written by st3pby; please include the original link when reposting. Thanks.
https://yzsam.com/2022/177/202206262308472686.html