
How to realize programming function Security with PHP

2025-02-24 update. From: SLTechnology News & Howtos > Development

Shulou (Shulou.com) 06/03 Report

This article explains how to implement function-level security in PHP programs. The editor found it very practical, so it is shared here for reference; follow along and have a look.

Pay attention to filtering the input of certain functions

Some functions appear in almost every program: include(), require(), fopen(), fwrite(), readfile(), unlink(), eval() and their variants. They are very practical, but practical does not mean carefree: these are exactly the functions that deserve extra attention. :)

1. include(), require(), include_once(), require_once() and fopen() can all load files remotely; a quick Google search will make their dangers clear. If the variables used in these calls are not filtered, an attacker can include and execute arbitrary files. Take print.php as an example:

...
if (empty($bn)) {                           // check whether the variable $bn is empty
    include("$cfg_dir/site_${site}.php");   // include site_${site}.php from the $cfg_dir path
}
...

It does not matter whether the $cfg_dir directory exists: because $site is never checked, it can be supplied freely. $site can point to a remote file or to a local one; put a PHP statement in the file you control, and the script includes that file and runs the statement. (The original showed an example request here.)

Listing directories is only the start; the same flaw can be widened to include administrator files and escalate privileges, as in the earlier phpwind and bo-blog vulnerabilities. Do not rely only on allow_url_fopen = Off in php.ini to block remote files and on open_basedir to block files outside the permitted directories: the program itself should declare in advance which files may be included, and include nothing else. No more needs to be said here.

2. fopen(), file(), readfile(), openfile() and similar functions also deserve special attention. The functions themselves are fine, their job is to open files, but when their arguments are not filtered thoroughly, the source code leaks. Flat-file (text-based) forums are full of such calls:

...
$articlearray = openfile("$dbpath/$fid/$tid.php");   // open the $tid.php file under the $dbpath/$fid path
$topic_detail = explode("|", $articlearray[0]);       // split the post record on the | separator
...

Looks familiar? This is read.php from an earlier version of ofstar. $fid and $tid are not filtered at all, so $tid can be pointed at any file on submission and the original source is exposed. (The original showed an example request here.)

.php is appended to $tid, so submitting index is enough to read index.php. This is just an example; let's move on.

3. fwrite() and its variants can be treated as a loophole in the same way: if the characters the user submits are not filtered, writing a PHP backdoor to disk is entirely possible.

4. unlink(): some time ago, phpwind's arbitrary file deletion came from this function. The variable that decided what to delete was not filtered, so it could name any file, and that file could then be deleted.
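The following is an added example (it is not code from the original article, nor from phpwind or ofstar) showing hardened forms of the three file patterns from items 1, 2 and 4: an allowlist for include(), numeric-only ids for the forum read, and a realpath() confinement check before reading or deleting. The directory layout, the allowlist contents and the function names (includeSiteConfig, resolveUnder, readPost, deletePost) are assumptions made for the demo.

```php
<?php
// Added example, not from the original article: hardened forms of the
// include(), file-read and unlink() patterns from items 1, 2 and 4 above.
// The directory layout, the allowlist and the function names are assumptions.

declare(strict_types=1);

// Item 1: instead of include("$cfg_dir/site_${site}.php") with an unchecked
// $site, only include configurations whose names are on a fixed allowlist.
function includeSiteConfig(string $cfgDir, string $site): void
{
    $allowed = ['main', 'mirror', 'test'];   // assumed allowlist of site configs
    if (!in_array($site, $allowed, true)) {
        throw new InvalidArgumentException("unknown site: $site");
    }
    // $site is now one of our own literals, not attacker-controlled text
    include $cfgDir . '/site_' . $site . '.php';
}

// Forum ids are numeric, so reject anything that is not plain digits before
// the filename is even built (read.php built "$dbpath/$fid/$tid.php").
function requireDigits(string $value, string $name): string
{
    if (preg_match('/^[0-9]+$/', $value) !== 1) {
        throw new InvalidArgumentException("$name must be a positive integer");
    }
    return $value;
}

// Items 2 and 4: resolve the path and confirm it stays inside the intended
// base directory before reading or deleting. realpath() collapses "../" and
// symlinks, so the prefix check is made on the real location.
function resolveUnder(string $baseDir, string $relative): string
{
    $base = realpath($baseDir);
    $path = realpath($baseDir . '/' . $relative);
    if ($base === false || $path === false) {
        throw new RuntimeException("path does not exist: $relative");
    }
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        throw new RuntimeException("path escapes base directory: $relative");
    }
    return $path;
}

function readPost(string $dbPath, string $fid, string $tid): array
{
    $file  = resolveUnder($dbPath, requireDigits($fid, 'fid') . '/' . requireDigits($tid, 'tid') . '.php');
    $lines = file($file, FILE_IGNORE_NEW_LINES);
    if ($lines === false || $lines === []) {
        throw new RuntimeException("unreadable post file");
    }
    return explode('|', $lines[0]);   // same record format as the original read.php
}

function deletePost(string $dbPath, string $fid, string $tid): void
{
    unlink(resolveUnder($dbPath, requireDigits($fid, 'fid') . '/' . requireDigits($tid, 'tid') . '.php'));
}

// Demo on a constructed data directory. Every bad input is rejected before
// any file is opened, included or removed.
$db = sys_get_temp_dir() . '/demo_db_' . getmypid();
mkdir("$db/1", 0700, true);
file_put_contents("$db/1/42.php", "<?php die(); ?>|Hello|world\n");
file_put_contents("$db/site_main.php", "<?php echo \"main config loaded\\n\";\n");

includeSiteConfig($db, 'main');
try {
    includeSiteConfig($db, '../../../etc/passwd');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

print_r(readPost($db, '1', '42'));

$bad = [['1', '../index'], ['..', '42'], ['1', '../../../../etc/passwd']];
foreach ($bad as [$fid, $tid]) {
    try {
        readPost($db, $fid, $tid);
    } catch (InvalidArgumentException | RuntimeException $e) {
        echo "rejected $fid/$tid: ", $e->getMessage(), "\n";
    }
}
try {
    resolveUnder($db, '../../../etc/passwd');   // passes no digit check, caught by realpath()
} catch (RuntimeException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

deletePost($db, '1', '42');
unlink("$db/site_main.php");
rmdir("$db/1");
rmdir($db);
```

The two checks are deliberately layered: the digit filter rejects anything that is not an id, and resolveUnder() catches any path that still resolves outside the data directory, so a mistake in one filter does not immediately expose the file system.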

5. eval() and preg_replace() (with the /e modifier): their job is to execute PHP code. If the string reaches them unfiltered, think about what happens; I often see this used inside CMS code. Isn't the one-line PHP Trojan built on exactly the eval() principle?
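As an added example (not from the original article), here is the usual way to get dynamic replacements without eval() or the preg_replace() /e modifier: preg_replace_callback() runs an ordinary closure over each match, so the matched text stays data. The BBCode subset and the function name renderBbcode are assumptions for the demo.

```php
<?php
// Added example, not from the original article: rendering a tiny BBCode
// subset without eval() or the preg_replace() /e modifier. The tag set and
// the renderBbcode() name are assumptions for this demo.

declare(strict_types=1);

// With the old /e modifier the replacement string was itself evaluated as
// PHP, so user text that reached it could become code. PHP 7 removed /e;
// preg_replace_callback() gives the same flexibility with a closure, and
// the match data is never interpreted as PHP.
function renderBbcode(string $text): string
{
    // Escape first so that nothing the user wrote is emitted as raw HTML.
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');

    $out = preg_replace_callback(
        '/\[(b|i)\](.*?)\[\/\1\]/s',
        static function (array $m): string {
            $tag = $m[1] === 'b' ? 'strong' : 'em';
            return "<$tag>{$m[2]}</$tag>";
        },
        $safe
    );
    return $out ?? $safe;   // preg_replace_callback() returns null on a PCRE error
}

// Constructed input: the quoted PHP fragment is just text and is rendered literally.
echo renderBbcode("[b]hello[/b] [i]world[/i] <script>x()</script> '.phpinfo().'"), "\n";
```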

6. For system() and the other system functions, you might say: just disable them in php.ini (disable_functions). Yes, that is a good approach, but what about programs that genuinely need them? The nice PHP photo album I saw last time was one of those. Also pay special attention to popen(), proc_open() and proc_close(): they do not print output directly after executing a command, but do you think that makes them useless to an attacker? PHP provides two functions, escapeshellarg() and escapeshellcmd(), specifically to counter attacks through system function calls, that is, to filter the input.

As an example of the harm, look at prod.php from a forum:

$doubleApp = isset($argv[1]);          // initialize the variable $doubleApp
...
if ($doubleApp)                        // if statement
{
    $appDir = $argv[1];                // initialize $appDir
    system("mkdir $prodDir/$appDir");  // use the system function to create the directory $prodDir/$appDir
}

Its purpose is to create the $prodDir/$appDir directory, but the program only checks that $argv[1] exists and does not filter $argv[1] at all, so one can do this:

/prod.php?argv[1]=|ls%20-la   or   /prod.php?argv[1]=|cat%20/etc/passwd

(The separator | here is the UNIX pipe, which allows several commands to be executed in one line.)

By now you should have some idea of the common vulnerability types.

So do not rely on server-side settings alone; even the best-written program still needs this attention. In general, configuring the server per site is the better approach, but many database operations are not so easy to control that way.
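The following is an added example (not from the original article) of how the prod.php fragment above can be hardened: validate the name, prefer PHP's own mkdir() so no shell is involved, and, where a command is unavoidable, wrap the value with escapeshellarg() as the article recommends. $prodDir, the app-name rule and the function names isValidAppName, createAppDir and buildMkdirCommand are assumptions made for the demo.

```php
<?php
// Added example, not from the original article: a hardened version of the
// prod.php fragment above. $prodDir, the app-name rule and the function
// names are assumptions for this demo.

declare(strict_types=1);

// Accept only names that can carry neither shell metacharacters nor path
// components: letters, digits, underscore and hyphen, 1 to 32 characters.
function isValidAppName(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $name) === 1;
}

// Preferred fix: no shell at all. mkdir() does what system("mkdir ...") did,
// so a "|" in the input has nothing to pipe into.
function createAppDir(string $prodDir, string $appDir): string
{
    if (!isValidAppName($appDir)) {
        throw new InvalidArgumentException("invalid app name: $appDir");
    }
    $target = $prodDir . DIRECTORY_SEPARATOR . $appDir;
    if (!is_dir($target) && !mkdir($target, 0750, true)) {
        throw new RuntimeException("could not create $target");
    }
    return $target;
}

// When an external command really is required, validate first and then pass
// every user-controlled value through escapeshellarg(), which wraps it in
// single quotes so the shell treats it as one literal argument.
function buildMkdirCommand(string $prodDir, string $appDir): string
{
    if (!isValidAppName($appDir)) {
        throw new InvalidArgumentException("invalid app name: $appDir");
    }
    return 'mkdir ' . escapeshellarg($prodDir . '/' . $appDir);
}

// Demo with constructed input, including the pipe payload from the article.
$prodDir = sys_get_temp_dir() . '/demo_prod_' . getmypid();
foreach (['billing', '| ls -la', '../etc'] as $input) {
    try {
        $dir = createAppDir($prodDir, $input);
        echo "created: $dir\n";
        echo "command form: ", buildMkdirCommand($prodDir, $input), "\n";
        rmdir($dir);
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", $e->getMessage(), "\n";
    }
}
rmdir($prodDir);

// Even on its own, escapeshellarg() turns the payload into one quoted
// argument; this only prints the resulting command string, it does not run it.
echo 'mkdir ' . escapeshellarg("$prodDir/| ls -la"), "\n";
```

Validation comes before escaping on purpose: escapeshellarg() stops the shell from interpreting the value, but it does not stop a name like ../etc from being a path, so the allowlist pattern is what keeps the directory where it belongs.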

Thank you for reading! This is the end of the article on "how to achieve programming function security in PHP". I hope the content above is of some help and lets you learn something more; if you think the article is good, share it so more people can see it!
