PHP Code Audit
<h2 style="color: black; text-align: left; margin-bottom: 10px;">Preface</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Official documentation: <a style="color: black;">http://php.net</a></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://pic2.zhimg.com/80/v2-98bfad1083c9753576a03b665ac99ab9_720w.webp" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The official PHP documentation is very detailed and handy: when you come across a function whose effect you are unsure of, you can look it up there.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The most important knowledge for white-box code auditing is understanding which defences a given class of vulnerability should have, because most vulnerabilities exist because a fix was not comprehensive, or because the fix did not take certain cases into account.</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">Code audit workflow</h2>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">Forward search flow</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">a. Start from the entry-point file (e.g. index.php)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">b. Find the controller and understand the URL dispatch rules (which specific piece of code a URL maps to)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">c. Trace the controller's calls, reading the source with the aim of understanding the code</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">d. Finally, in the course of reading the code and experimenting, vulnerabilities may be discovered</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Essence: vulnerabilities caused by programmer oversight or logic errors</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Characteristics:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Complex: requires a very thorough understanding of the target source's functionality and framework</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Jumps around a lot: touches many layers such as M/V/C/Service/Dao</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Combinations of vulnerabilities: usually a combination of several vulnerabilities, and logically related vulnerabilities are likely to exist</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">Reverse search flow</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">a. Work backwards from dangerous functions to the vulnerabilities that may exist</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 1. Look for controllable variables</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 2. Trigger the vulnerability as the data is passed along</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Characteristics:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Dangerous functions that are independent of context: calling them is the vulnerability</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Most code-audit tools work on this principle</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">Bidirectional search flow (the main method for manual audits)</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Skim the code to understand the framework (forward flow: what features the site has; what the architecture is, e.g. MVC: where its M, V and C live; which template engine is used; whether an ORM is used (with an ORM, SQL injection is rare; if the SQL is hand-written, look for SQL injection); and so on).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Is there a global filtering mechanism?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 1. Yes: can it be bypassed?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1). Yes: look for the trigger point (reverse flow: find the dangerous functions)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 2). No: look for variables that are not filtered</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 2. No: then look at exactly how each case is handled, analysing the specific code</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 1). Handled: look for missed spots (places the developer forgot to handle, or handled incorrectly)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 2). Not handled at all: the code can be riddled with holes (rare)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 3. Once a vulnerability point is found: are there pitfalls in exploiting it?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Root: understand the program's execution flow and look for dangerous logic</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Characteristics:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> Efficient: like digging a tunnel from both ends, the time is halved (no need to fully understand the site's internals and what every function does)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> Broad knowledge required: you need to master both forward and reverse discovery techniques at the same time and combine them</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> Plus all the advantages of the forward and reverse flows</p>
<h2 style="color: black; text-align: left; margin-bottom: 10px;">SQL injection discovery techniques</h2>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PHP+MySQL connection methods:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">mysql (deprecated, but old code still uses it)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">mysqli</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PDO</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">Common SQL injection filtering methods</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">intval: discards everything after the leading digits of the user input that is not a digit</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">addslashes: puts a backslash in front of quote characters to escape them</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">mysql_real_escape_string: similar to the previous one, but takes the character encoding of the user input and of MySQL into account, avoiding problems such as wide-byte injection</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">mysqli_escape_string / mysqli_real_escape_string / mysqli::escape_string (used with mysqli; similar in function to the preceding ones); the difference from them is that the result is automatically wrapped in quotes</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PDO: quote</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Parameterized queries</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;">Common injection filter bypass methods</h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">intval: none known</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">addslashes / mysql_real_escape_string</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Wide-byte injection</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 2. Numeric SQL statements (the value is not wrapped in quotes)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3. Look for string-conversion functions (encoded characters pass through the filter and are only converted back afterwards, when the SQL statement is built)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> urldecode</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">base64_decode</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> iconv</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">json_decode</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">stripslashes</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">simplexml_load_string</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">For example: the incoming id is filtered, but a later piece of code base64-decodes it, so the base64 encoding of the quote character gets past the filter</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><pre><code>&lt;?php
// the filter runs first ...
$id = addslashes($_GET['id']);
....
// ... and the decode afterwards restores whatever addslashes escaped
$id = base64_decode($id);
....
$sql = "select * from flag where id = $id";
?&gt;
</code></pre></div>
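<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Added example (not code from the original page): a small Python taint tracer that applies the reverse search flow described earlier (start at the SQL sink, walk back to the controllable variable) to the snippet above. It flags the escape-then-decode ordering and, going one step further than the snippet, the numeric-context case where an escaped value is interpolated without quotes. The rule set, regexes and the SAMPLE source are constructed for illustration.</p>

```python
import re
# Rule set built from the function names listed on this page (constructed).
ESCAPERS = {"addslashes", "mysql_real_escape_string", "mysqli_real_escape_string", "mysqli_escape_string"}
DECODERS = {"urldecode", "base64_decode", "iconv", "json_decode", "stripslashes", "simplexml_load_string"}
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
ASSIGN = re.compile(r"^\s*(\$\w+)\s*=\s*(.+?)\s*;\s*$")
CALL = re.compile(r"^(\w+)\s*\(\s*(.*?)\s*\)$")
SQL_LIT = re.compile(r'^"\s*(?:select|insert|update|delete)\b', re.I)

def classify(rhs, state):
    """Taint state of an expression: 'tainted', 'escaped', 'clean' or None (unknown)."""
    if rhs.startswith(SOURCES):
        return "tainted"                       # raw superglobal read
    m = CALL.match(rhs)
    if not m:
        return state.get(rhs)                  # plain copy of a tracked variable
    func, inner = m.group(1).lower(), classify(m.group(2), state)
    if inner is None:
        return None
    if func == "intval":
        return "clean"
    if func in ESCAPERS:
        return "escaped"
    if func in DECODERS and inner == "escaped":
        return "tainted"                       # decoding restores the quotes addslashes escaped
    return inner

def audit(php_source):
    """Walk assignments top-down; return (line, variable, reason) for each SQL sink hit."""
    state, findings = {}, []
    for n, line in enumerate(php_source.splitlines(), 1):
        m = ASSIGN.match(line)
        if not m:
            continue
        var, rhs = m.groups()
        if not SQL_LIT.match(rhs):             # ordinary assignment: update taint state
            st = classify(rhs, state)
            if st is not None:
                state[var] = st
            continue
        for ref in re.finditer(r"\$(\w+)", rhs):   # SQL string literal: check interpolated vars
            name = "$" + ref.group(1)
            quoted = rhs[ref.start() - 1] == "'" and rhs[ref.end():ref.end() + 1] == "'"
            if state.get(name) == "tainted":
                findings.append((n, name, "unescaped user input in SQL"))
            elif state.get(name) == "escaped" and not quoted:
                findings.append((n, name, "escaped value in numeric (unquoted) context"))
    return findings
# Constructed sample: the page's escape-then-decode pattern.
SAMPLE = '<?php\n$id = addslashes($_GET[\'id\']);\n$id = base64_decode($id);\n$sql = "select * from flag where id = $id";\n?>'
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Running audit(SAMPLE) reports line 4 as an unescaped sink; wrapping the decode in intval, or binding the value through a prepared statement, makes the report empty.</p>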
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">mysqli::escape_string // PDO::quote</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"> 1. Wide-byte injection</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Parameterized queries</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Look for positions in the statement that are not SQL values (and so cannot be bound as parameters)</p>