
How to learn PHP Code Audit

2025-04-11 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

How to learn PHP code audit? Many beginners are unclear about this. To help, the editor explains it in detail below; anyone who needs this can follow along, and I hope you gain something from it.

Using the Emlog 6.0 beta as its subject, this article on code auditing a PHP CMS records the complete audit process in detail. If you want to learn code audit, this article is a good place to start; read it carefully and I believe you will get something out of it.

It is important to note that the purpose of code audit is to learn and to avoid similar mistakes in the SDL, and also to help open source projects fix the related problems, not to collect 0-days.

0x00 Emlog 6.0 beta

[Figure: Emlog 6.0]

Official website address: https://www.emlog.net/

Emlog 6.0beta download address:

https://www.emlog.net/download

Because the official site restricts downloads to (paying) forum members, here is a mirror of the original download: https://www.lanzous.com/i1l5gad

File check:

File: C:\Users\stdy\Desktop\emlog_6.0.0.zip
Size: 607725 bytes
Modified time: August 6, 2018, 20:53:50
MD5: 7844FE6FEAE7AF68052DC878B8811FAC
SHA1: E06A050D2A0AA879DB9F5CFCAA4703B6AC7B8352
CRC32: 4963E489

The author's own blog runs on this system, and in fact many well-known people in the community use it, yet there are no audit write-ups on this CMS, so the author chose it as the subject of this PHP code audit exercise.

0x01 preliminary test

First of all, we have to install it! The home page after a successful installation:

[Figure: Installation succeeded]

Default backend login address: ./admin/

After successful login:

[Figure: Backend interface]

As an aside, I feel that 6.0 is much better than version 5.3.1.

After installation, we should collect as much information about this CMS as possible; it is a great help when auditing the code.

Analysis gives the approximate structure of this CMS. Emlog follows an MVC design pattern, and its approximate structure is shown in the figure:

[Figure: Emlog structure]

So we will mainly analyze the files under the admin and include folders.

Database tables:

[Figure: database tables]

In the init.php file of the root directory, the error level is specified as 7:

[Figure: error level setting in init.php]

0x02 Using a vulnerability scanner

Some may ask: why use a vulnerability scanner? Isn't this a code audit?

To correct that view: scanning is just an automated black-box test, and in a local environment it does not affect any business.

The vulnerabilities reported by the scanner help us quickly locate where the flaws are, which is efficient. This is also the inspiration the author took from team members who found several high-risk vulnerabilities at Baidu through scanning.

A heavyweight scanner, AWVS, is used here; the report is as follows:

[Figure: AWVS scan result]

However, the local scan ran against an XAMPP / Windows 10 / PHP 5.6 environment, which produced many false positives in the report; the scanner mainly found several XSS and CSRF issues.

So let's first verify these two kinds of vulnerabilities.

0x03 Stored XSS in the article editor

In the backend editor, edit an article: ./admin/admin_log.php

[Figure: Editor XSS]

After publishing successfully, go to the home page:

[Figure: Emlog XSS on the home page]

After opening the article page:

[Figure: Article page XSS]

Both pop up alerts. You may say there is no way to exploit this, but Emlog provides a member/author function: in some Emlog templates users can register as members, and members can log in to edit and publish articles, comment and so on. Emlog officially provides article contribution plug-ins, all of which call the official default Kindeditor editor, which has its own HTML editing mode. Even without that mode, an attacker can capture the request and modify it to achieve the same effect.

Why is the front end not filtering? In order to support HTML output in articles, the saved Kindeditor output is not escaped.

[Figure: Emlog members / contributors]

Repair suggestion: check the article content for dangerous keywords, as other CMSs do, and filter or escape it.
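One way to implement that repair suggestion, as an added example that is not Emlog's code: an allowlist sanitizer for the editor output that keeps formatting tags but strips scripts, event handlers and dangerous URL schemes. The tag and attribute policy is an assumption, not Emlog's actual rules.

```php
<?php
// Added example, not Emlog's code: allowlist sanitizer for Kindeditor output. The policy below is assumed.
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'a', 'img', 'ul', 'ol', 'li', 'pre', 'code', 'blockquote'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];

function isSafeUrl(string $value): bool
{
    $v = preg_replace('/[\x00-\x20]+/', '', $value);           // browsers ignore embedded whitespace/control chars
    if (preg_match('#^([a-z][a-z0-9+.-]*):#i', $v, $m)) {
        return in_array(strtolower($m[1]), ['http', 'https', 'mailto'], true);   // javascript:, data:, ... rejected
    }
    return true;                                                 // relative URL, no scheme
}

function cleanNode(DOMNode $node): void
{
    foreach (iterator_to_array($node->childNodes) as $child) {   // copy: the tree is mutated while walking
        if ($child->nodeType === XML_COMMENT_NODE) { $node->removeChild($child); continue; }
        if (!$child instanceof DOMElement) { continue; }         // text nodes are escaped on serialisation
        $tag = strtolower($child->tagName);
        if ($tag === 'script' || $tag === 'style') { $node->removeChild($child); continue; }
        cleanNode($child);                                       // descendants first, so unwrapped children are already clean
        if (!in_array($tag, ALLOWED_TAGS, true)) {               // unknown tag: keep its content, drop the element
            while ($child->firstChild) { $node->insertBefore($child->firstChild, $child); }
            $node->removeChild($child);
            continue;
        }
        foreach (iterator_to_array($child->attributes) as $attr) {
            $name = strtolower($attr->name);                     // this also removes every on* handler and style=
            $ok = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                && (!in_array($name, ['href', 'src'], true) || isSafeUrl($attr->value));
            if (!$ok) { $child->removeAttribute($attr->name); }
        }
    }
}

function sanitizeArticleHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);                            // tolerate sloppy editor markup quietly
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>', LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);          // our wrapper is the first div in document order
    cleanNode($root);
    $out = ''; foreach ($root->childNodes as $c) { $out .= $doc->saveHTML($c); }
    return $out;
}

// Constructed input standing in for a malicious contributor's article body.
$dirty = '<p onclick="x()">Hi <b>there</b></p><script>alert(1)</script><a href="javascript:alert(2)">link</a><img src="a.png" onerror="alert(3)">';
echo sanitizeArticleHtml($dirty), PHP_EOL;
```

Run the sanitizer on save as well as on output, so that content already stored by an older version is cleaned when it is rendered.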

0x04 Uploadify SWF XSS

Emlog uses uploadify.swf to upload files; the file path is /include/lib/js/uploadify/uploadify.swf

Construct Payload: http://www.test.com//include/lib/js/uploadify/uploadify.swf?uploadifyID=00%22%29%29;}catch%28e%29{alert%281%29;}//%28%22&movieName=%22])}catch(e){if(!window.x){window.x=1;alert([xss_clean])}}//&.swf

Effect (with the browser's XSS filter ignored):

[Figure: SWF XSS]

0x05 Reflected XSS

The XSS here mainly arises from the cookie: some pages, such as admin/admin_log, admin/sort.php and admin/link.php, need to add a hidden token field to the form, and the token value is taken directly from the user's cookie, resulting in a reflected XSS.

Intercept the request and modify the token value in the cookie as follows:

[Figure: Payload]

Effect:

[Figure: Cookie XSS]
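The hidden token field described above, as an added example that is not Emlog's code: first the vulnerable shape (cookie value written into the attribute unescaped), then a hardened version that issues the token server-side, escapes it on output and verifies it on submit. Cookie, session and field names are assumed.

```php
<?php
// Added example, not Emlog's code: the hidden token field from the pages above, shown in its
// vulnerable shape and then hardened. Cookie/session/field names are assumed.

// Vulnerable: the value comes from a client-controlled cookie and is written into the page unescaped.
function hiddenTokenFieldVulnerable(array $cookie): string
{
    return '<input type="hidden" name="token" value="' . ($cookie['token'] ?? '') . '">';
}

// Fix 1: the token is generated server-side and kept in the session, not read back from a cookie.
function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));   // 32 random bytes, hex-encoded
    }
    return $session['csrf_token'];
}

// Fix 2: anything placed in an HTML attribute is escaped, so even a bad value cannot break out of it.
function hiddenTokenField(array &$session): string
{
    $token = htmlspecialchars(issueCsrfToken($session), ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<input type="hidden" name="token" value="' . $token . '">';
}

// On submit: constant-time comparison against the session copy.
function verifyCsrfToken(array $session, array $post): bool
{
    return isset($session['csrf_token'], $post['token'])
        && is_string($post['token'])
        && hash_equals($session['csrf_token'], $post['token']);
}

// Constructed demo: a cookie tampered the way the intercepting proxy above would tamper it.
$cookie = ['token' => '"><i>injected</i>'];
echo hiddenTokenFieldVulnerable($cookie), PHP_EOL;    // the quote closes the attribute early
$session = [];
echo hiddenTokenField($session), PHP_EOL;             // an opaque server-issued value instead
var_dump(verifyCsrfToken($session, ['token' => $session['csrf_token']]));
var_dump(verifyCsrfToken($session, ['token' => 'not-the-token']));
```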

Next, the CSRF finding was verified. This CSRF is in the front-end search box and is of little value at all.

The reported XSS in the administrator's add-friend-link function does not exist after verification; the backend function limits the field length.

Then we began the actual code audit work, mainly with the help of the Seay code audit tool and RIPS. Tools of this kind mainly rely on regular-expression matching of potentially dangerous PHP functions to judge where vulnerabilities may exist; this semi-automatic approach relieves some of the pressure of a code audit.
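The regex-over-dangerous-functions approach those tools rely on, reduced to a small PHP scanner as an added example (not Seay's or RIPS's code). The sink list and the sample source are constructed; every hit is a candidate for manual review, not a confirmed bug.

```php
<?php
// Added example, not Seay's or RIPS's code: the regex-over-dangerous-functions approach those
// tools rely on, reduced to a small scanner. Sink list and sample source are constructed.
// pattern => why a hit deserves manual review; every hit is a candidate, not a confirmed bug
const SINK_PATTERNS = [
    '/\b(eval|assert|create_function)\s*\(/i'                          => 'code execution',
    '/\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\(/i'      => 'command execution',
    '/\b(include|include_once|require|require_once)\s*\(?\s*\$/i'      => 'inclusion of a variable path',
    '/\b(file_get_contents|fopen|readfile|unlink|move_uploaded_file)\s*\(/i' => 'file operation',
    '/\b(echo|print)\b[^;]*\$_(GET|POST|COOKIE|REQUEST)\b/i'            => 'user input echoed (possible XSS)',
    '/(mysql_query|->query)\s*\([^;]*\$_(GET|POST|COOKIE|REQUEST)\b/i'  => 'user input inside a query (possible SQLi)',
];

/** Scan one file's source; returns one ['file','line','why','code'] record per hit. */
function findSinks(string $source, string $file): array
{
    $hits = [];
    foreach (preg_split('/\R/', $source) as $i => $line) {
        if (preg_match('~^\s*(//|#|\*|/\*)~', $line)) {
            continue;   // skip comment-looking lines; a real tool would use the PHP tokenizer instead
        }
        foreach (SINK_PATTERNS as $re => $why) {
            if (preg_match($re, $line)) {
                $hits[] = ['file' => $file, 'line' => $i + 1, 'why' => $why, 'code' => trim($line)];
            }
        }
    }
    return $hits;
}

/** Walk a directory (e.g. the admin/ and include/ folders) and scan every .php file. */
function scanTree(string $dir): array
{
    $hits = [];
    $files = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS));
    foreach ($files as $f) {
        if ($f->getExtension() === 'php') {
            $hits = array_merge($hits, findSinks((string) file_get_contents($f->getPathname()), $f->getPathname()));
        }
    }
    return $hits;
}

// Constructed sample standing in for a CMS file (the first line is a comment and must not be reported).
$sample = "<?php\n// echo \$_GET['x'];\n\$page = \$_GET['page'];\ninclude \$page . '.php';\n"
        . "echo \$_COOKIE['token'];\n\$r = mysql_query(\"SELECT * FROM t WHERE id=\" . \$_GET['id']);\n";
foreach (findSinks($sample, 'sample.php') as $h) {
    printf("%s:%d [%s] %s\n", $h['file'], $h['line'], $h['why'], $h['code']);
}
```

The comment-line skip shows where the false positives of such tools come from: a line-oriented regex cannot tell code from comments or strings, so the hits still have to be traced by hand, which is the audit work the rest of this article does.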

0x06 Basic functions

First, I looked at the functions related to file operations and found that View::getView is used frequently.

In the include/lib/view.php file, the source code is as follows:
