Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security in PHP 那些在滲透測試的小技巧

Orange
August 21, 2024
0
21

Security in PHP 那些在滲透測試的小技巧

PHPConf Taiwan 2012

Orange

August 21, 2024
Tweet

More Decks by Orange

See All by Orange
Best Practices - The Upload
p8361
0
16
網頁安全 Web Security 入門
p8361
0
28
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
12k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
駭客看 Django
p8361
25
12k

Featured

See All Featured
Designing for humans not robots
tammielis
249
25k
Fashionably flexible responsive web design (full day workshop)
malarkey
404
65k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
47
5k
Stop Working from a Prison Cell
hatefulcrawdad
267
20k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
107
49k
Git: the NoSQL Database
bkeepers
PRO
425
64k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
46
2.1k
BBQ
matthewcrist
85
9.3k
Making the Leap to Tech Lead
cromwellryan
132
8.9k
Rebuilding a faster, lazier Slack
samanthasiow
79
8.6k
[RailsConf 2023] Rails as a piece of cake
palkan
51
4.9k
Java REST API Framework Comparison - PWX 2021
mraible
PRO
28
7.9k

Transcript

  1. 2012/11/03 @ PHPCONF <[email protected]>

  2. • aka Orange • 2009 • 2011 • 2011 AVTOKYO

    • – – Web Security – Windows Vulnerability Exploitation

  3. • CHROOT Security Group • NISRA • case. • Blog

    – http://blog.orange.tw/
  4. None
  5. None
  6. None

  7. ▪▪

  8. None

  9. <?php $url = $_GET['url']; echo urlencode( $url ); ?>

  10. • Low – Sensitive Information Leakage… • Middle – Insecure

    File Download/Access… • High – Local File Inclusion, Code Injection, SQL Inj…
  11. None

  12. • – – –

  13. • showNews.php?id=198 – showNews.php?id=198/1 • checkName.php?u=lala – checkName.php?u=lala%cc' • getFile.php?path=hsu.doc

    – getFile.php?path=./hsu.doc • main.php?module=index – main.php?module[]=index
  14. None
  15. None

  16. 1. Router, Controller URL Mapping 2. 3. 4. DB ORM

    PHP orz

  17. 1. – system exec shell_exec popen eval create_function call_user_func preg_replace…

    2. – _GET _POST _COOKIE _REQUEST _ENV _FILES _SERVER HTTP_RAW_POST_DATA php://input getenv …

  18. • grep -Re – (include|require).+\$ – (eval|create_function|call_user_func|…).+\$ – (system|exec|shell_exec|passthru|…).+\$ –

    (select|insert|update|where|…).+\$ – (file_get_contents|readfile|fopen|…).+\$ – (unserialize|parse_str|…).+\$ – \$\$, $a\(\) – ……

  19. • grep -Re – \$(_GET|_POST|_COOKIE|_REQUEST|_FILES) – \$(_ENV|_SERVER) – getenv –

    HTTP_RAW_POST_DATA – php://input – …

  20. try { …… $trans->commit(); } catch (xxx_adapter_exception $e) { $trans->rollback();

    require_once 'xxx_exceptio$n.class.php' throw new xxx_exception( …… ); }
  21. None
  22. None

  23. <?php $name = $_GET['name']; $name = basename( $name ); if

    ( eregi( "(.php|.conf)$", $name ) ) exit( "Not Allow PHP." ); else readfile( DOCUMENT_ROOT. $name ); ?>

  24. • down.php?name= – config.php – config"php – config.ph> – config.<

    – c>>>>>"< – c<"< Test on PHP 5.4.8 newest stable version (2012/10/17) Original Will be replaced by < * > ? " .
  25. None

  26. • file_get_contents – > php_stream_open_wrapper_ex – > zend_resolve_path – >

    php_resolve_path_for_zend – > php_resolve_path – > tsrm_realpath – > virtual_file_ex – > tsrm_realpath_r
  27. None

  28. • file_get_contents • file_put_contents • file • readfile • phar_file_get_contents

    • include • include_once • require • require_once • fopen • opendir • readdir • mkdir • ……
  29. None

  30. • config.php/. • config.php///. • c>>>>>.</// Works on PHP 5.2.*

    (2012/10/26)
  31. None

  32. • Web Browser PHP Output (HTML) – Cross-Site Scripting •

    DB Management PHP Output (SQL) – SQL Injection

  33. SELECT * FROM [table] WHERE username = 'PHPCONF'

  34. SELECT * FROM [table] WHERE username = 'PHPCONF\''

  35. SELECT * FROM [table] WHERE username = 'PHPCONF%cc\''

  36. Σ( ° △ °|||)︴ Before After PHPCONF PHPCONF PHPCONF' PHPCONF\'

    PHPCONF%80' PHPCONF�\' PHPCONF%cc' PHPCONF岤' 0x81-0xFE 0x40-0x7E 0xA1-0xFE

  37. • addslashes • mysql_escape_string • magic_quote_gpc • Special Cases –

    pdo – mysql_real_escape_st ring
  38. None

  39. • $url = "http://phpconf.tw/2012/"; • $url = "http://phpconf.tw/$year/"; • $url

    = "http://phpconf.tw/{$year}/"; • $url = "http://phpconf.tw/{${phpinfo()}}/"; • $url = "http://phpconf.tw/${@phpinfo()}/";

  40. config.php $dbuser = "root";

  41. config.php $dbuser = "${@phpinfo()}";

  42. $res = preg_replace('@(w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths)); https://orange.tw/index.php?s=module/action/ param1/${@phpinfo()}

  43. Think PHP

  44. None

  45. – – – – – –

  46. • PHP Security – http://blog.php-security.org/ • Oddities of PHP file

    access in Windows®. – http://onsec.ru/onsec.whitepaper-02.eng.pdf
  47. None