Code Audit - PHP
2022-08-05 08:39:00 [haoaaao]
Tools
Seay source code audit system
phpStudy (to set up the test environment)
Preface
// Original sources:
[Xiaodi Security] Day 50 Code Audit - SQL injection mining in a frameworkless PHP project - Bilibili: https://www.bilibili.com/read/cv14964585
[Xiaodi Security] Day 51 Code Audit - PHP framework MVC class upload breakpoint debugging - Bilibili: https://www.bilibili.com/read/cv15042607?spm_id_from=333.999.0.0
[Xiaodi Security] Day 52 Code Audit - PHP project class RCE and download, file include, delete - Bilibili: https://www.bilibili.com/read/cv15169189?spm_id_from=333.999.0.0
0x00 Principle analysis and requirements
1. Teaching plan:
--- Audit a project's vulnerability demo -> auditing approach -> complete source code framework -> verify and exploit the vulnerability
2. Teaching content:
--- PHP and Java web applications, source code developed with frameworks and classes, use of the related audit tools and plugins
3. Prerequisite knowledge:
--- Installing and using the environment, installing and using the related tools and plugins, mastering the principles and exploitation of the vulnerability types covered earlier
4. Preparation before starting:
--- The audit target's program name, version, current environment (OS, middleware, scripting language, etc.), and any plugins
5. Where to dig for holes:
--- Controllable variables and specific functions where filtering is absent, or lax enough to be bypassed, leading to security vulnerabilities
6. Keywords for targeted mining
--- Controllable variables
Variables that receive GET/POST input; keyword: $_GET
--- Specific functions
Output: print
Database operations
--- Specific keywords
select, insert, update: SQL execution statements == SQL injection vulnerability
--- Search for specific keywords to look for specific vulnerabilities
e.g. echo, print: XSS vulnerability
e.g. $_GET, $_POST: security vulnerabilities
7. Targeted mining of functional points:
e.g. to hunt for file upload, operate the file upload in the member center, capture the request, find that specific file upload in the source code, and analyze it.
8. Extensions: depends on the vulnerability
SQL injection: database monitoring, i.e. watching the interaction between the current page and the database (the SQL statements executed)
Breakpoint debugging: set breakpoints in the code that corresponds to the page being accessed (execution order, list of called files, etc.)
0x01 Determining SQL injection points (frameworkless PHP)
1. Analysis:
(1) Search for keywords such as select; through the variables, analyze whether the code has controllable variables; then go back to the calling function and note, at the position where the variable is used, whether there is filtering and whether prepared statements are used; finally, by reading the code and the feedback shown on the page, judge which kind of injection it is.
(2) The filtering mechanism. The filtering mechanism usually lives in a configuration file with a name like inc or common (it is usually global: most of the code can be seen to include the same configuration file).
ps: Second-order injection (the filter only escapes the value, which is then stored and reused) and wide-byte injection (core: pass a byte that combines with the backslash into a multibyte Chinese character, swallowing the escape) can bypass PHP's magic quotes mechanism (magic_quotes_gpc); the principle is described here:
SQL injection study: blind and wide-byte injection - Other databases - Wanqian Net
2. Judging:
(1) Whether prepared statements are used (the best defense against SQL injection is prepared statements with bound variables);
(2) Whether safe stored procedures are used (the effect is similar to prepared statements; the difference is that a stored procedure first defines the SQL statement in the database, but dynamic SQL inside it should still be avoided, and if it cannot be avoided it should be strictly filtered);
(3) Whether data types are checked and data formats strictly limited;
(4) Whether sufficiently secure encoding functions are used;
If none of the four measures above is present, SQL injection can be judged to exist.
3. Defense:
(1) Correctly use parameterized APIs for SQL queries (recommended)
(2) If the requirement is to submit a string, check the data type, e.g. verify that user input is of integer or floating-point type, that an entered email address strictly follows the mail format, and similar whitelist input checks.
(3) Use safe functions
ps: Blacklists are not recommended; a blacklist defense is easily bypassed and impossible to keep complete.
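A worked illustration of the audit target and of the recommended defenses, added here as an example and not code from the original post or the cited courses: the escape-and-concatenate pattern beside a PDO prepared statement, an integer whitelist check, and a parameterized UPDATE that reuses a stored value. The members table, its column names and the DSN credentials are assumptions.

```php
<?php
// Added example, not from the original post: the escape-and-concatenate pattern the audit
// searches for, beside the parameterized query and type check recommended above.
// The members table, its columns and the DSN credentials are assumptions.

// Vulnerable: addslashes() (same idea as magic_quotes_gpc) plus string concatenation.
// The escaped value is still spliced into the SQL text, so any gap in the escaping
// (wide-byte charset, a stored value reused later) turns into an injection.
function find_user_unsafe(mysqli $db, string $username): ?array
{
    $esc = addslashes($username);
    $res = $db->query("SELECT id, username FROM members WHERE username = '$esc'");
    return $res ? $res->fetch_assoc() : null;
}

// Hardened: PDO prepared statement with bound parameters. The charset is fixed in the
// DSN so client and server agree on encoding, and emulated prepares are off so values
// travel separately from the statement instead of being quoted client-side.
function connect(): PDO
{
    return new PDO('mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', 'app', 'secret', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

function find_user_safe(PDO $pdo, string $username): ?array
{
    $stmt = $pdo->prepare('SELECT id, username FROM members WHERE username = :u');
    $stmt->execute([':u' => $username]);   // the value never becomes part of the SQL text
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Whitelist type check (defense (2) above): anything that is not an integer is rejected.
function require_int(string $raw): ?int
{
    $v = filter_var($raw, FILTER_VALIDATE_INT);
    return $v === false ? null : $v;
}

// Second-order case: a value read back from the database is bound the same way, so
// reusing stored data in a later UPDATE does not reopen the injection.
function rename_user(PDO $pdo, int $id, string $stored_name): int
{
    $stmt = $pdo->prepare('UPDATE members SET display_name = :n WHERE id = :id');
    $stmt->execute([':n' => $stored_name, ':id' => $id]);
    return $stmt->rowCount();
}
```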
4. Case analysis approach
(1) 74CMS recruitment system mining 2: second-order injection in application functions (built-in escaping)
Analyzing the source code reveals its own filtering mechanism (the common.php file);
The filtering mechanism is magic quotes;
This connects to the second-order injection and wide-byte injection bypasses;
After analyzing the principle of second-order injection, select function points that contain insert/update statements with controllable variables;
Analyze the second-order injection function point by capturing packets;
Use the Seay code audit system -> audit plugins -> MySQL monitoring -> enter a username and password -> click submit and update (to see directly whether a second-order injection function point exists);
On pages that may be second-order injection function points (insert + update + controllable variable: the value is first stored, then read back and carried into an update to the database), click the button and inspect;
If a function point satisfying second-order injection can be found, verify it.
(2) Apple CMS (maccms) film and TV website system mining: database monitoring and tracking (built-in filtering)
Audit the code starting from the URL index.php?m=vod-search
After a series of analyses of the m parameter, locate the filtering file: vod.php in module
Track to chksql, locate the filtering function stopattack, then locate the keyword-filtering statement getfilter, and finally do a global search to find the filter keywords
// Summary: from the search box, track the SQL statement; the SQL statement tracks to a specific file, vod.php; in that file, track the called function chksql; right-click the chksql function to locate it and track it to its function module; that module involves stopattack; right-click to locate that function and find the keyword-matching module; where do the keywords come from? From the getfilter parameter called in the stopattack module; right-click to locate getfilter, and read the statements that filter the keywords.
tips1: Whatever it is, keep tracing until you reach the root, all of its roots.
tips2: Double encoding can bypass the filter.
0x02 PHP framework MVC class upload breakpoint debugging (file upload)
1. Introduction to the MVC framework
MVC stands for Model View Controller; it is a pattern for designing and building web applications with a model-view-controller split, a design paradigm.
Where:
Model: the part of the application that handles the application's data logic, usually responsible for direct CRUD interaction with the database.
View: the part of the application that handles data display, rendering the processed data.
Controller: the part of the application that handles user interaction, usually dispatching the data logic and sending the corresponding result back to the view.
2. Overall approach
(1) Keyword search (functions, keywords, global variables, etc.)
File upload: $_FILES, move_uploaded_file, etc.
File upload keywords: developers usually leave a comment when writing upload code, e.g. //上传 (upload)
(2) Capture packets in the application (at any possible file upload function point), then analyze that code.
Global array $_FILES
$_FILES['myFile']['name']: the original name of the file on the client.
$_FILES['myFile']['type']: the MIME type of the file, e.g. "image/gif".
$_FILES['myFile']['size']: the size of the uploaded file, in bytes.
$_FILES['myFile']['tmp_name']: the temporary file name under which it is stored, generally a system default.
$_FILES['myFile']['error']: the error code for this file upload. The codes mean the following:
0: the file was uploaded successfully.
1: the file exceeds the size limit set by the system in php.ini.
2: the file exceeds the value specified by the MAX_FILE_SIZE option.
3: the file was only partially uploaded.
4: no file was uploaded.
5: the uploaded file size is 0.
Related functions
move_uploaded_file(file, newloc): moves the uploaded file to a new location.
strtolower(): converts a string to lowercase.
trim(): removes whitespace or other predefined characters from both ends of a string.
strrchr(): finds the last occurrence of a string inside another string and returns everything from that position to the end of the string.
str_ireplace(): replaces some characters in a string (case-insensitive).
getimagesize(): gets the size and related information of an image; returns an array on success, and on failure returns FALSE and raises an E_WARNING.
exif_imagetype(): reads the first bytes of an image and checks its signature.
substr(): returns part of a string.
fopen(): opens a file or URL.
fread(): reads from a file (binary-safe).
fwrite(): writes to a file (binary-safe).
3. Conditions for a file upload vulnerability in code audit
(1) The file can be uploaded
(2) The upload path of the file is known
(3) The uploaded file can be accessed
(4) The uploaded file can be executed
4. Defense schemes and their disadvantages
(1) Blacklists and whitelists
Blacklists are easily bypassed, so they have basically been replaced by whitelist verification. Blacklists are not recommended because they are never complete; there is always some odd bypass trick.
(2) File header verification
To test it: in a file 1.gif we write GIF89a as the file header and arbitrary content after it; the file is detected as a GIF and the size array is returned.
(3) Content-Type verification
Content-Type lives in the request, so after capturing the packet we can modify it.
(4) Renaming uploaded files
Renaming user-uploaded files is a safe, high-strength defense; we generally rename the file to hash(filename + timestamp + random salt). If the intruder does not know the name the Trojan was renamed to, it is hard to connect to it and attack.
5. Case analysis approach
(1) Beescms frameworkless backend arbitrary file upload
--- Go to the homepage -> backend
--- Search keywords in the source code: 上传 (upload); search for the function $_FILES (if a direct search finds nothing, drop the $ and adapt)
--- Click one of the hits to view it (here it is a file upload flow)
--- Access that file in the browser
--- Upload a doc file, capture the packet and analyze the parameters passed
--- Parameters passed: the file description file_info and uppic; the upload form is called up
--- Find these two parameters in the source code; that is the file upload code.
(tips:
If the uppic parameter exists, the upload form name is up;
fl_html passes the string through htmlspecialchars, which converts special characters to HTML entities;
explode splits one string by another; here $_type_file is split on |; earlier, $_type_file lists the allowed file formats separated by |;
$_sys is an array that contains the upload file size and file type;
is_uploaded_file() checks whether the specified file was uploaded via HTTP POST. If it was, it returns TRUE; this ensures a malicious user cannot trick the script into working with files it should not have access to;
$_FILES['up']['tmp_name'] is the file that is_uploaded_file() checks; up is the upload form name, and the value in tmp_name is the temporary storage location of the file on the web server.)
--- Determine the file size limit (here it is the value from the system settings);
--- up_file processes the uploaded file and checks whether it conforms to the upload rules;
--- From the return value of up_file (returned as a dictionary), determine the file path, extension, size and time;
--- Finally insert into the database;
--- Locate the function up_file (where the verification happens);
--- Three parameters are passed: form name, file size, file type;
--- Check that the file size does not exceed the system-configured file size;
--- pathinfo() returns an array with information about the upload file path, e.g. /testweb/test.txt produces the array: [dirname] => /testweb; [basename] => test.txt; [extension] => txt; [filename] => test;
--- Check whether the uploaded file's suffix is among the suffixes allowed by the system;
--- If path = '' then upload to the upload/file/ path (if path is not passed it defaults to empty; if the parameter is given, its value is used);
--- file_exists checks whether the file or directory exists; if not, the directory is created;
--- The file name is generated from the timestamp;
--- The key here is getting around the pathinfo function so that a PHP-format file can pass the check;
--- Attempts to bypass were not successful; the file could not be uploaded.
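The following is an added example, not Beescms code or anything from the original post: a hardened version of the up_file flow traced above that also applies the defenses from section 4 (extension whitelist, signature check, renaming to hash(name + timestamp + salt)). The form field name up, the allowed-extension list, the size limit and the upload/file/ target directory are assumptions.

```php
<?php
// Added example (not Beescms code): a hardened up_file() combining the defenses above.
// Form field 'up', the allowed-extension list, size limit and target dir are assumptions.
function up_file(string $field, int $max_bytes, array $allowed_ext, string $path = ''): array
{
    // Error code 0 (UPLOAD_ERR_OK) is the only success value in $_FILES[...]['error'].
    if (!isset($_FILES[$field]) || $_FILES[$field]['error'] !== UPLOAD_ERR_OK) {
        return ['ok' => false, 'msg' => 'upload failed or no file'];
    }
    $tmp = $_FILES[$field]['tmp_name'];
    if (!is_uploaded_file($tmp)) {              // must be a real HTTP POST upload
        return ['ok' => false, 'msg' => 'not an HTTP POST upload'];
    }
    if ($_FILES[$field]['size'] > $max_bytes) { // system-configured size limit
        return ['ok' => false, 'msg' => 'file too large'];
    }

    // Whitelist on the extension taken from the client name via pathinfo() + strtolower().
    // pathinfo() only looks at the text after the last dot, which is why the stored
    // name below is generated rather than reused from the client.
    $ext = strtolower(pathinfo($_FILES[$field]['name'], PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed_ext, true)) {
        return ['ok' => false, 'msg' => 'extension not allowed'];
    }

    // Signature check instead of trusting the client Content-Type. A file that merely
    // starts with GIF89a still passes, so this is one layer, not the guarantee.
    if (in_array($ext, ['jpg', 'jpeg', 'png', 'gif'], true) && exif_imagetype($tmp) === false) {
        return ['ok' => false, 'msg' => 'not a real image'];
    }

    // Default target upload/file/ as in the traced flow; create it if missing.
    $dir = rtrim($path === '' ? 'upload/file/' : $path, '/') . '/';
    if (!file_exists($dir)) {
        mkdir($dir, 0755, true);
    }

    // Rename to hash(original name + timestamp + random salt): the stored name is
    // unpredictable and carries no attacker-chosen characters.
    $salt = bin2hex(random_bytes(8));
    $name = hash('sha256', $_FILES[$field]['name'] . time() . $salt) . '.' . $ext;
    $dest = $dir . $name;
    if (!move_uploaded_file($tmp, $dest)) {
        return ['ok' => false, 'msg' => 'move failed'];
    }
    return ['ok' => true, 'path' => $dest, 'ext' => $ext,
            'size' => $_FILES[$field]['size'], 'time' => time()];
}
```

exif_imagetype() needs PHP's exif extension; storing the renamed file in a directory where the web server does not execute PHP removes condition (4) of section 3 even if an earlier check is bypassed.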