Attacking Common Vulnerabilities in PHP Applications (Part 2) | http://www.cshu.net
Attacking Common Vulnerabilities in PHP Applications (Part 2)
www.cshu.net  2002-8-18  fog rain village

Original: Shaun Clowes <http://www.securereality.com.au/>
Translation: Analysist <http://www.nsfocus.com/>

[Library files]
As discussed above, include() and require() exist mainly to support code libraries: functions that are used frequently are generally put into a separate file, that file is the code library, and whenever one of those functions is needed the library is simply included into the current file.

Originally, when people developed and released PHP programs, library files were generally given the extension "inc" to distinguish library code from the main program code. This quickly turned out to be a mistake, because such files are not parsed as PHP code by the PHP interpreter. If such a file is requested directly from the server, its source code is returned: when PHP runs as an Apache module, the PHP interpreter decides from the file extension whether a file is to be parsed as PHP code. The extensions are assigned by the webmaster and are generally "php", "php3" and "php4". If important configuration data is kept in a PHP file with an inappropriate extension, a remote attacker can obtain that information very easily.

The simplest solution is to give every file a PHP extension. This prevents source code disclosure nicely, but it creates a new problem: by requesting such a file, an attacker may cause code that was supposed to run in the context of a calling script to run on its own, which can lead to all of the attacks discussed earlier.
Below is a very obvious example:

In main.php:

<?php
$libDir = "/libdir";
$langDir = "$libDir/languages";
...
include("$libDir/loadlanguage.php");
?>

In libdir/loadlanguage.php:

<?php
...
include("$langDir/$userLang");
?>
When libdir/loadlanguage.php is called by main.php it is quite safe, but because libdir/loadlanguage.php has the "php" extension, a remote attacker can request this file directly and supply arbitrary values for "$langDir" and "$userLang".
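A hardened libdir/loadlanguage.php, as an added example rather than the article's code: it refuses to run unless main.php included it, and it takes the language name from an explicit request variable checked against a whitelist instead of the raw $userLang global. The IN_MAIN constant, the $_GET parameter name and the language whitelist are assumptions.

```php
<?php
// Added example, not from the original article.
// main.php is assumed to contain: define('IN_MAIN', true);
// before its include("$libDir/loadlanguage.php");

// 1. Refuse to be requested directly. If the constant is missing, this
//    library was not included from main.php, so $libDir and $langDir were
//    never set by trusted code and may have come from the request.
if (!defined('IN_MAIN')) {
    header('HTTP/1.0 403 Forbidden');
    exit('Direct access to library files is not permitted');
}

// 2. Do not take the language from a global that register_globals may
//    have filled from the query string: read the request variable
//    explicitly and accept only names from a fixed whitelist (assumed).
$allowedLangs = array('en', 'de', 'fr');
$userLang = isset($_GET['userLang']) ? $_GET['userLang'] : 'en';
if (!in_array($userLang, $allowedLangs, true)) {
    $userLang = 'en';
}

// 3. The included path is built only from values set by main.php and the
//    whitelisted name, so no attacker-controlled string reaches include().
include("$langDir/$userLang.php");
?>
```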
[Session files]
PHP 4 and later versions provide support for sessions. Their main purpose is to preserve state information between the pages of a PHP application. For example, when a user logs into the website, the fact that he logged in, and who he is, are saved in the session; as he browses around the site, all PHP code can access this state information.

When a session starts (it can in fact be set in the configuration file to start automatically on the first request), a random "session id" is generated; as long as the remote browser submits this "session id" with every request, the session is maintained. This is easy to do with a cookie, and it can also be done by submitting a form variable (containing the "session id") on every page. A PHP program can register a special variable with the session: its value is saved to the session file after each PHP script ends, and is loaded back into the variable at the start of each PHP script. Below is a simple example:
<?php
session_destroy(); // Kill any data currently in the session
$session_auth = "shaun";
session_register("session_auth"); // Register $session_auth as a session variable
?>
Newer versions of PHP automatically set the value of "$session_auth" to "shaun"; if it is modified, later scripts automatically receive the modified value. This is indeed a very good tool for the stateless Web, but it also calls for care.

One obvious problem is making sure that a variable really does come from the session. For example, given the code above, suppose the following script is:
<?php
if (!empty($session_auth))
    // Grant access to site here
?>
The above code assumes that if "$session_auth" is set, it was set by the session and not by user input. If an attacker sets it through form input, he obtains access to the site. Note that the attacker must use this method of attack before the variable has been registered in the session; once the variable is in the session, it overrides any form input.

Session data is generally saved in a file (the location is configurable, generally "/tmp") whose name has the form "sess_<session id>". The file contains the variable names, variable types, variable values and some other data. On a multi-host system, because these files are saved as the user the web server runs as (generally nobody), a malicious site owner can gain access to other sites by creating a session file, and can even inspect sensitive information in the session files.

The session mechanism also gives the attacker another convenient place to store his own input in a file on the remote system. In the example above, the attacker needs to place a file containing PHP code on the remote system; if this cannot be done through a file upload, he can usually use a session to give a variable a value of his choosing and then guess the location of the session file. He knows the filename is "php<session id>", so he only has to guess the directory, which is generally "/tmp".

Moreover, the attacker can specify the "session id" himself (for example "hello"), and a session file will then be created with this "session id" (for example "/tmp/sess_hello"); the "session id" can only be a combination of letters and digits, however.
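The article's access check rewritten so that it consults only the session store, together with a login path that replaces a client-chosen session id, as an added example rather than the article's code; it assumes PHP 4.3.2 or later for $_SESSION and session_regenerate_id().

```php
<?php
// Added example, not from the original article.
session_start();

// Vulnerable form from the article: with register_globals on, a request
// carrying a form variable named session_auth fills $session_auth before
// any session variable is registered, so this test passes for an attacker.
//     if (!empty($session_auth)) { /* grant access */ }

// Hardened form: only the session store is consulted. Form input lands in
// $_GET / $_POST and never in $_SESSION, so it cannot satisfy this check.
function is_authenticated()
{
    return isset($_SESSION['session_auth'])
        && $_SESSION['session_auth'] !== '';
}

// Login path: store the value in the session, not in a global, and issue
// a fresh random session id so an id chosen by the client (e.g. "hello",
// giving /tmp/sess_hello) is not the one the authenticated state lives in.
function login_user($name)
{
    session_regenerate_id();
    $_SESSION['session_auth'] = $name;
}

if (is_authenticated()) {
    // Grant access to site here
}
?>
```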
[Data types]
PHP has quite loose data types; the type of a variable depends on the context in which it is used. For example, a variable may start as a string with the value "", but when evaluated as an integer it becomes the integer 0, which can sometimes lead to unexpected results. Whether the value is "000" or "0" also makes a difference: empty() does not return true for both.

Arrays in PHP are associative arrays; in other words, the array index is a string. This means that an element indexed by "000" and an element indexed by 0 are also different.

These issues should be considered carefully when developing programs; for example, we should not test in one place whether a variable is "0" and then use empty() elsewhere to confirm it.

[Error-prone functions]
When we analyse a PHP program for vulnerabilities and can get hold of the source code, a list of error-prone functions is exactly what we need. If we can change the parameters of these functions remotely, we are very likely to find a vulnerability. Below is a fairly detailed list of error-prone functions:
<PHP code execution>
require(): reads the specified file and interprets its content as PHP code
include(): same
eval(): executes the specified string as PHP code
preg_replace(): when used with the "/e" modifier, the replacement string is interpreted as PHP code

<Command execution>
exec(): executes the specified command and returns the last line of the result
passthru(): executes the specified command and returns all of the result to the client browser
``: executes the specified command and returns all of the result in an array
system(): like passthru(), but does not handle binary data
popen(): executes the specified command and connects its input or output to a PHP file descriptor

<File disclosure>
fopen(): opens a file and associates it with a PHP file descriptor
readfile(): reads the content of a file and outputs it to the client browser
file(): reads the entire content of a file into an array
Translator's note: this list is actually not complete; for instance "mail()" and other commands may also execute commands, so you need to extend it yourself.
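A small audit helper that searches source for calls to the functions listed above whose argument list contains a variable, i.e. the call sites worth reviewing for remote control of a parameter, as an added example that is not from the article. The PHP source it scans is constructed for the demonstration, and the helper does not cover the backtick operator.

```php
<?php
// Added example, not from the original article.
// The function names are the article's list; the sample source is constructed.
$errorProne = array(
    'require', 'include', 'eval', 'preg_replace',   // PHP code execution
    'exec', 'passthru', 'system', 'popen',          // command execution
    'fopen', 'readfile', 'file',                    // file disclosure
);

// Return one entry per line that calls a listed function with at least one
// variable ($...) inside its parentheses. Calls with only literal arguments
// are not reported, since their parameters cannot be changed remotely.
function find_risky_calls($source, $functions)
{
    $pattern = '/\b(' . implode('|', $functions) . ')\s*\(([^)]*\$[^)]*)\)/i';
    $hits = array();
    foreach (explode("\n", $source) as $i => $line) {
        if (preg_match($pattern, $line, $m)) {
            $hits[] = array(
                'line'     => $i + 1,
                'function' => strtolower($m[1]),
                'args'     => trim($m[2]),
            );
        }
    }
    return $hits;
}

// Constructed sample: two user-controlled calls, one safe literal call,
// and a preg_replace() whose /e replacement string is a variable.
$sample = '<?php
include("$langDir/$userLang");
$out = exec("ls " . $dir);
readfile("/etc/motd");
preg_replace("/x/e", $repl, $text);
?>';

foreach (find_risky_calls($sample, $errorProne) as $hit) {
    printf("line %d: %s(%s)\n", $hit['line'], $hit['function'], $hit['args']);
}
?>
```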
[How to strengthen PHP security]
All of the attacks I introduced above work very well against a default installation of PHP 4, but as I have repeated many times, PHP's configuration is extremely flexible, and by configuring some PHP options we can resist some of these attacks completely. Below I have classified some of these settings by how difficult they are to put into practice:

* low difficulty
** medium-low difficulty
*** medium-high difficulty
**** high difficulty

This classification is only my personal view, but I can guarantee that if you use all of the options PHP provides, your PHP will be very secure, even with third-party code, because a great deal of functionality will no longer be usable.
**** Set "register_globals" to "off"
This option stops PHP from creating global variables from user input. In other words, if the user submits the form variable "hello", PHP will not create "$hello" but only "HTTP_GET/POST_VARS['hello']". This is an extremely important option in PHP, although turning it off is very inconvenient for programming.

*** Set "safe_mode" to "on"
Enabling this option adds the following restrictions:
1. Restricts which commands may be executed
2. Restricts which functions may be used
3. Restricts file access based on the ownership of the script and of the target file
4. Disables the file upload function
This is a great option for ISPs, and it also greatly improves PHP's security.

** Set "open_basedir"
This option forbids file operations outside the specified directory, which effectively eliminates include() attacks using local or remote files; file uploads and session file attacks still need attention, however.

** Set "display_errors" to "off" and "log_errors" to "on"
This option stops error messages from being shown in the web page and records them in the log file instead, which is an effective defence against an attacker probing the functions in the target script.

* Set "allow_url_fopen" to "off"
This option disables the remote file functions; strongly recommended!
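The settings above collected into php.ini form, as an added example rather than text from the article: each directive is shown with the stock PHP 4 default commented out and the hardened value below it. The /var/www/site, /var/log/php_errors.log and /var/lib/php/sessions paths are assumed placeholders.

```ini
; Added example, not part of the original article.

; **** stop form input from becoming $variables
; register_globals = On
register_globals = Off

; *** restrict commands, functions, file ownership and uploads
; safe_mode = Off
safe_mode = On

; ** no file operations outside the site's own tree (assumed path).
;    /tmp is deliberately left out so include() cannot reach sess_ files.
; open_basedir =
open_basedir = /var/www/site

; ** keep session files out of the shared /tmp directory the article
;    describes; the location is configurable (assumed path)
; session.save_path = /tmp
session.save_path = /var/lib/php/sessions

; ** errors go to the log, never to the page an attacker is probing
; display_errors = On
display_errors = Off
; log_errors = Off
log_errors = On
error_log = /var/log/php_errors.log

; * no include()/fopen() of remote URLs
; allow_url_fopen = On
allow_url_fopen = Off
```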
Well, that is the end of the article. If you want to learn more, please refer to the original text at http://www.securereality.com.au/studyinscarlet.txt.

<End>
Original author: N/A
Origin: http://www.china4lert.org