2025-01-16 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)05/31 Report--
This article introduces how to use the PHP extension Taint to find potential security vulnerabilities in a website. The content is detailed; interested readers can use it as a reference, and hopefully it will be helpful to you.
I. Background
The author has been interested in network security since first coming into contact with computers, and has paid more attention to web security after doing PHP development. I came across the Taint extension by accident in 2016 and found it really useful after trying it. However, when I looked for related information at that time, I found that not many people followed this extension. Recently, because of a change of computer, the extension had to be installed again, and it turned out that even fewer people use it now, so the author records the installation process and test results here, which is convenient for later use and lets more developers get to know taint.
Hui Xinchen, the author of the taint extension, has introduced it on his blog. Reference document: PHP Taint - an extension used to detect XSS/SQL/Shell injection vulnerabilities.
II. Summary of operation
Download and compile source code
Extension configuration and installation
Functional inspection and testing
III. Download and compile the source code
PHP itself does not ship with the Taint extension. On Linux or Mac systems, the author needs to download the source code, then compile and install it.
3.1 Source code download
The author's development environment is a Mac system, so the source code has to be downloaded from PHP's PECL extension website, where the address of taint is:
https://pecl.php.net/package/taint
At the bottom of the extension's page, you can see a row of download addresses, as shown in the following figure
I need to choose an appropriate version. My development environment uses PHP 7.1, so I chose the latest version. The corresponding download address is as follows:
https://pecl.php.net/get/taint-2.0.4.tgz
Use wget to download the source code. The reference command is as follows:
wget https://pecl.php.net/get/taint-2.0.4.tgz
After downloading, the author needs to decompress the archive. The decompression command is as follows:
tar -zxvf taint-2.0.4.tgz
After decompressing, enter the directory. The reference command is as follows:
cd taint-2.0.4
3.2 Source code compilation
Now the author needs to compile the source code. Before compiling, you can use phpize to detect the PHP environment. The reference command is as follows:
phpize
The returned result is as follows
Configuring for:
PHP Api Version:         20160303
Zend Module Api No:      20160303
Zend Extension Api No:   320160303
Generate Makefile to prepare for further compilation
./configure
Return the result
checking how to hardcode library paths into programs... immediate
checking whether stripping libraries is possible... yes
checking if libtool supports shared libraries... yes
checking whether to build shared libraries... yes
checking whether to build static libraries... no
creating libtool
appending configuration tag "CXX" to libtool
configure: creating ./config.status
config.status: creating config.h
Start compilation and install
make && make install
(cd .libs && rm -f taint.la && ln -s ../taint.la taint.la)
/bin/sh /Users/song/taint-2.0.4/libtool --mode=install cp ./taint.la /Users/song/taint-2.0.4/modules
cp ./.libs/taint.so /Users/song/taint-2.0.4/modules/taint.so
cp ./.libs/taint.lai /Users/song/taint-2.0.4/modules/taint.la
----
Libraries have been installed in:
   /Users/song/taint-2.0.4/modules
If you ever happen to want to link against installed libraries
in a given directory LIBDIR, you must either use libtool, and
specify the full pathname of the library, or use the `-LLIBDIR'
flag during linking and do at least one of the following:
   - add LIBDIR to the `DYLD_LIBRARY_PATH' environment variable
     during execution
See any operating system documentation about shared libraries for
more information, such as the ld(1) and ld.so(8) manual pages.
----
Build complete.
Don't forget to run 'make test'.
Installing shared extensions:     /usr/local/Cellar/php71/7.1.14_25/lib/php/extensions/no-debug-non-zts-20160303/
IV. Configuration and installation
After compiling the extension, the author also needs to put Taint in the expected location and modify the configuration file for it to take effect.
4.1 Configure taint
First of all, the author needs to know the location of PHP's configuration file, and then look up the extension path in that configuration file before putting the .so file into the corresponding folder. The command to view the location of the configuration file is as follows:
php --ini
The returned result is as follows
Configuration File (php.ini) Path: /usr/local/etc/php/7.1
Loaded Configuration File:         /usr/local/etc/php/7.1/php.ini
Scan for additional .ini files in: /usr/local/etc/php/7.1/conf.d
Additional .ini files parsed:      /usr/local/etc/php/7.1/conf.d/ext-opcache.ini
The author can see that php.ini is located at /usr/local/etc/php/7.1/php.ini
Knowing the configuration file, the author needs to find the location of the extension folder. The reference command is as follows:
cat /usr/local/etc/php/7.1/php.ini | grep extension_dir
The result of the command is as follows. The author can see that the location of the extension folder is /usr/local/lib/php/pecl/20160303.
extension_dir = "/usr/local/lib/php/pecl/20160303"
; extension_dir = "ext"
; Be sure to appropriately set the extension_dir directive.
;sqlite3.extension_dir =
4.2 Install extension
Now the author needs to copy the extension file to PHP's extension folder. The reference command is as follows:
cp /usr/local/Cellar/php71/7.1.14_25/lib/php/extensions/no-debug-non-zts-20160303/taint.so /usr/local/lib/php/pecl/20160303/
After the copy is completed, the author needs to edit the configuration file and add the configuration items for taint.
vim /usr/local/etc/php/7.1/php.ini
Add the configuration items of Taint to the php.ini file. The reference configuration is as follows:
[taint]
extension=taint.so
taint.enable=1
taint.error_level=E_WARNING
4.3 Verification of installation result
After saving the configuration file and exiting, the author's installation is complete. Now you need to restart PHP to make it take effect. The reference command is as follows:
brew services restart php@7.1
After the restart is completed, you can check whether Taint is among PHP's loaded extensions by using the following command:
php -i | grep taint
If the following information appears in the returned result, the extension has basically been installed successfully.
taint
taint support => enabled
taint.enable => On => On
taint.error_level => 2 => 2
V. Functional inspection and testing
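The installation checks from section IV can be scripted instead of read by eye. The following is an added example, not part of the original article: the function names and the SAMPLE_* inputs are assumptions, with the samples constructed from the listings above. Note that it skips the `;`-commented `extension_dir` lines that the plain `grep extension_dir` also returns.

```shell
#!/bin/sh
# Added example. SAMPLE_* values are constructed from this article's listings.
SAMPLE_INI_REPORT='Configuration File (php.ini) Path: /usr/local/etc/php/7.1
Loaded Configuration File:         /usr/local/etc/php/7.1/php.ini
Scan for additional .ini files in: /usr/local/etc/php/7.1/conf.d'
SAMPLE_PHP_INI='extension_dir = "/usr/local/lib/php/pecl/20160303"
; extension_dir = "ext"
;sqlite3.extension_dir =
[taint]
extension=taint.so
taint.enable=1
taint.error_level=E_WARNING'
SAMPLE_PHP_I='taint
taint support => enabled
taint.enable => On => On
taint.error_level => 2 => 2'

# stdin: `php --ini` output. Prints the php.ini that PHP actually loaded.
loaded_ini() {
    sed -n 's/^Loaded Configuration File:[[:space:]]*//p' | head -n 1
}

# stdin: php.ini text. Prints the active extension_dir, ignoring commented
# lines; if the directive is set more than once, the last setting is printed.
active_extension_dir() {
    sed -n 's/^[[:space:]]*extension_dir[[:space:]]*=[[:space:]]*"\{0,1\}\([^";]*\)"\{0,1\}.*$/\1/p' | tail -n 1
}

# stdin: `php -i` output. Succeeds only if the module is loaded AND the
# local value of taint.enable is On; otherwise prints why and returns 1.
taint_active() {
    awk -F' => ' '
        $1 == "taint support" && $2 == "enabled" { loaded = 1 }
        $1 == "taint.enable"                     { enable = $2 }
        END {
            if (!loaded)        { print "taint module not loaded"; exit 1 }
            if (enable != "On") { print "taint.enable is " enable; exit 1 }
            print "taint active"
        }'
}

# Demo on the constructed samples; on a real host, pipe in `php --ini`,
# the loaded php.ini and `php -i` instead.
printf '%s\n' "$SAMPLE_INI_REPORT" | loaded_ini
printf '%s\n' "$SAMPLE_PHP_INI" | active_extension_dir
printf '%s\n' "$SAMPLE_PHP_I" | taint_active
```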
After completing the above two steps, the author has finished the installation phase. Now the author needs to use taint and test its effect. The test is divided into three parts: first with the taint author's demo code, then with the penetration testing system permeate, and finally with code developed by the author.
5.1 Demo file test
The purpose of testing with the demo file is to verify that the taint installed by the author really works, and to confirm that taint is meaningful.
5.1.1 Copy demo code
There is a copy of the following demo code on the author's GitHub. The author copies it to the web directory at the following location:
/Users/song/mycode/safe/permeate
The content of the demo code is as follows, which can be copied by readers during the experiment: