20 ways to dig out PHP vulnerabilities, please take a look. Probably useful.
Abysssec Inc | 20 Ways to Fuzzing PHP Source Code
In The Name Of God
PHP Fuzzing In Action
20 Ways to Fuzzing PHP Source Code
Version 1.0 – Feb 2009
www.Abysssec.com
Section 1: 20 ways to rapidly audit PHP source code
Section 2: Automatic PHP auditor source code (PHP Fuzzer)
Risk Level:
- Low
- Medium
- High
Notice:
This article is only for those who already know PHP well and really know how to program in PHP.
When we talk about PHP vulnerability discovery, we forget this question:
What types of bugs?
Once we can answer this question, finding vulnerabilities becomes as easy as drinking water.
O.K., you must do two things before you start analysing your PHP source:
1- Install the PHP application [CMS, standalone script, portal, ...]
2- Use an editor of your choice with PHP syntax highlighting [such as EmEditor or Notepad++]
The methods described here follow a simple attack-and-defence pattern.
The goal of this article is only to introduce the attacks and the ways to confront them.
Note 1: some of the topics are taken from Wikipedia and carry its copyright.
Note 2: You must look for these variables in the PHP source code:
$_SERVER
$_GET
$_POST
$_COOKIE
$_REQUEST
$_FILES
$_ENV
$HTTP_COOKIE_VARS
$HTTP_ENV_VARS
$HTTP_GET_VARS
$HTTP_POST_FILES
$HTTP_POST_VARS
$HTTP_SERVER_VARS
These are the variables through which user input enters PHP.
Note 3: For more information about these variables, please visit the official PHP site: www.PHP.net
1- Cross Site Scripting (XSS) / CRLF [Medium]
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in web
applications which allow code injection by malicious web users into the web pages viewed
by other users. Examples of such code include HTML code and client-side scripts. An
exploited cross-site scripting vulnerability can be used by attackers to bypass access controls
such as the same origin policy. Vulnerabilities of this kind have been exploited to craft
powerful phishing attacks and browser exploits.
Attack:
The attacker can include HTML code in his/her request.
Exp 1:
<?php
$error_message = $_GET['error'];
print $error_message ;
?>
index.php?error=<script>alert(document.cookie)</script>
Exp 2:
<html>
<body>
<input name="show_courses" value="<?php echo $_GET['show_courses']; ?>" >
</body>
</html>
#http://127.0.0.1:81/1.php?show_courses="><script>alert(document.cookie);</script>
Defence:
<?php
$error_message = $_GET['error'];
print htmlspecialchars($error_message );
?>
More info:
http://ha.ckers.org/xss.html
http://en.wikipedia.org/wiki/Cross-site_scripting
http://www.googlebig.com/forum/cross-site-scripting-attack-and-defense-guide-t-178.html
2- SQL Injection [Medium]
SQL injection is a code injection technique that exploits a security vulnerability occurring in
the database layer of an application. The vulnerability is present when user input is either
incorrectly filtered for string literal escape characters embedded in SQL statements or user
input is not strongly typed and thereby unexpectedly executed. It is an instance of a more
general class of vulnerabilities that can occur whenever one programming or scripting
language is embedded inside another.
Attack:
This type of vulnerability is one of the most critical flaws found while auditing PHP source code; for
more information about this type of attack you must read the references below. I describe only the
type of vulnerability.
This form of SQL injection occurs when user input is not filtered for escape characters and is then
passed into a SQL statement. This results in the potential manipulation of the statements performed
on the database by the end user of the application.
Example 1:
<?php
$id = $_GET['id'];
$query = "SELECT * FROM users WHERE id = '" . $id . "';";
...
?>
index.php?id=1+UNION+SELECT+1,@@version,3,4,5+from+users/*
Example 2:
In this example, we have a login.php page:
<?php
//login.php -- SQL Injection Vulnerable page
//Attack and defence php apps book
//shahriyar - j
$user = $_POST['user'];
$pass = $_POST['pass'];
$link = mysql_connect('localhost', 'root', 'pass') or die('Error: '.mysql_error());
mysql_select_db("sql_inj", $link);
$query = mysql_query("SELECT * FROM sql_inj WHERE user ='".$user."' AND pass ='" .$pass. "'",$link);
if (mysql_num_rows($query) == 0) {
echo "<script type=\"text/javascript\">window.location.href='index.html';</script>";
exit;
}
$logged = 1;
?>
When a user (maybe an attacker) sends $_POST['user'] and $_POST['pass'] to login.php,
these variables are placed directly into the SQL query.
If the attacker sends:
$user = 1' OR '1' = '1
$pass = 1' OR '1' = '1
then the authentication in login.php is bypassed. Please pay attention to the code.
Defence:
Here is an example of a custom escaping-based SQL injection filter:
<?php
$title = $_POST['title']; // user input from site
$description = $_POST['description']; // user input from site
// define the cleaner
$dirtystuff = array("\"", "\\", "/", "*", "'", "=", "-", "#", ";", "<", ">", "+", "%");
// clean user input (if it finds any of the values above, it will replace it with
// whatever is in the quotes - in this example, it replaces the value with nothing)
$title = str_replace($dirtystuff, "", $title); // works!
$description = str_replace($dirtystuff, "", $description); // works!
// input: I\ "like/ green< ** veg'et=a-bles> ;and< pizza**
// output: I like green vegetables and pizza
// input: a';DROP TABLE users; SELECT * FROM data WHERE name LIKE '%
// output: aDROP TABLE users SELECT FROM data WHERE name LIKE
?>
More info:
http://en.wikipedia.org/wiki/Sql_injection
http://drewish.com/files/SQL Injection Overview.ppt
http://www.php.net/manual/en/security.database.sql-injection.php
Real World Attack:
http://www.milw0rm.com/papers/241
http://www.milw0rm.com/papers/202
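As an added example (not code from the Abysssec article), the following Python script sketches the rapid-audit idea behind Note 2 and Sections 1 and 2: it finds the listed input variables in PHP source, follows them through simple one-line assignments, and reports where they reach an echo/print or a SQL statement without one of the escaping functions it knows about. The sample input is constructed from the snippets above; htmlspecialchars, htmlentities, mysql_real_escape_string and intval are the only calls it treats as neutralising (an assumption of this script), so code relying on the str_replace blacklist filter above is still reported.

```python
import re

# The input variables the article lists in Note 2 (legacy $HTTP_*_VARS forms included).
SOURCE = re.compile(
    r"\$_(?:SERVER|GET|POST|COOKIE|REQUEST|FILES|ENV)\b"
    r"|\$HTTP_(?:COOKIE|ENV|GET|POST|SERVER)_VARS\b|\$HTTP_POST_FILES\b"
)
ASSIGN = re.compile(r"(\$\w+)\s*=(?!=)\s*(.+?);")          # $var = <expr>;
XSS_SINK = re.compile(r"\b(?:echo|print)\b")               # output reaching the browser
SQL_STMT = re.compile(r"\b(?:SELECT|INSERT|UPDATE|DELETE)\b.*\b(?:FROM|INTO|SET|WHERE)\b", re.I)
# Calls accepted as neutralising input for each sink class (coarse: checked per line).
SAFE = {"xss": ("htmlspecialchars(", "htmlentities(", "intval(", "(int)"),
        "sqli": ("mysql_real_escape_string(", "intval(", "(int)")}


def _unsafe(expr, kind, assigned):
    """True if expr carries unsanitised input, directly or through an assigned variable."""
    if any(f in expr for f in SAFE[kind]):
        return False
    if SOURCE.search(expr):
        return True
    return any(
        re.search(re.escape(var) + r"\b", expr)
        # drop the variable being followed so self-assignments cannot recurse forever
        and _unsafe(rhs, kind, {k: v for k, v in assigned.items() if k != var})
        for var, rhs in assigned.items()
    )


def audit(php_source):
    """Return [(line_no, kind, line)] for echo/print and SQL sinks fed by input variables."""
    assigned, findings = {}, []
    for no, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            assigned[m.group(1)] = m.group(2)   # remember what each variable was built from
        if XSS_SINK.search(line) and _unsafe(line, "xss", assigned):
            findings.append((no, "xss", line.strip()))
        if SQL_STMT.search(line) and _unsafe(line, "sqli", assigned):
            findings.append((no, "sqli", line.strip()))
    return findings


# Constructed sample: the article's XSS Exp 1 followed by the SQL Example 1 query build.
SAMPLE = """$error_message = $_GET['error'];
print $error_message ;
$id= $_GET['id'];
$query= "SELECT * FROM users WHERE id= ' " .$id." ;";"""

if __name__ == "__main__":
    for no, kind, line in audit(SAMPLE):
        print(f"line {no}: possible {kind}: {line}")
```

Run against a whole application this only narrows the review to candidate lines; every finding still has to be read by hand, since the script does not follow variables across functions, arrays or include files.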