PHP code auditing (suitable for beginners)
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">General code auditing approaches:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Start from sensitive keywords and trace the parameter-passing chain backwards (backward tracing)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Examine the arguments of sensitive functions and trace the variables back to their source, determining whether each variable is user-controllable and has not passed through strict filtering. This is a backward-tracing process.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Find controllable parameters and follow the variable as it is passed forward (forward tracing)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Follow the passed parameters and determine whether they end up inside a sensitive function, or whether the passing process itself contains a code-logic vulnerability.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3. Find sensitive functional points and read their code in full (mining vulnerabilities in functional points directly)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Use your own experience to judge which features of the application are likely to contain vulnerabilities.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4. Read through the entire codebase directly</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Sensitive-function backtracking audit:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Read through the entire code</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Examples:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PHP weak typing</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Comparison operators</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">== performs type conversion first, then compares (loose comparison)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">=== compares the types first; if the types differ it immediately returns not-equal (strict comparison)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Tips</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The boolean true is loosely equal to any string</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">When a number is compared with a string, the string is converted to a number</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If the string begins with digits, those leading digits are taken as the conversion result; if it does not, it converts to 0; if the string has the form of scientific notation, it is interpreted as scientific notation</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Hash comparison flaw</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If the == operator is used to compare hash values, it runs into the loose-comparison problem described above:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">any strings that begin with '0e' compare equal to each other!</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Commonly used strings whose md5 digest begins with '0e' include:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">QNKCDZO</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">s878926199a</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">s155964671a</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">s1885207154a</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">s1836677006a</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">s1184209335a</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3. md5 / sha1 function flaw</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">When the md5() and sha1() functions hash their argument,</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">if they are handed an array, md5() returns null,</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">and sha1() behaves the same way.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Exploiting this property only requires constructing two arrays.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">a[]=1 means that an array is passed in</p>
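<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The two hash flaws above, side by side with the hardened form, as an added example that is not part of the original post. The stored digest is md5("QNKCDZO"), a constructed sample chosen because it begins with "0e" followed only by digits; the loose comparison accepts the post's s878926199a while the strict one rejects it. Version caveat: "0e..." == "0e..." is true on every PHP version because both sides are numeric strings, but md5(array) returned NULL only on PHP 5/7 and throws a TypeError on PHP 8, so the array case is only passed to the hardened function.</p>

```php
<?php
// Added example (not from the original post): a constructed login check that
// compares a stored md5 digest with the md5 of user input, first the loose
// way the post describes and then the hardened way.

$storedHash = md5('QNKCDZO');   // digest of the form "0e" + digits

// Vulnerable: == juggles both "0e<digits>" strings to float 0.0 before
// comparing, so any password whose md5 also starts with "0e" + digits passes.
function weakCheck(string $storedHash, string $password): bool
{
    return md5($password) == $storedHash;
}

// Hardened: reject non-string input before hashing (this is what
// ?password[]=1 arrives as), then compare digests byte-for-byte with
// hash_equals(), which never juggles types and runs in constant time.
function strictCheck(string $storedHash, $password): bool
{
    if (!is_string($password)) {
        return false;       // an array or null can never be a valid password
    }
    return hash_equals($storedHash, md5($password));
}

// s878926199a is one of the "0e" strings listed in the post: its md5 is not
// the stored digest, yet the loose comparison treats both as 0.0.
var_dump(weakCheck($storedHash, 's878926199a'));    // loose: accepted
var_dump(strictCheck($storedHash, 's878926199a'));  // strict: rejected
var_dump(strictCheck($storedHash, 'QNKCDZO'));      // strict: the real password
var_dump(strictCheck($storedHash, ['1']));          // strict: array input rejected

// The post's 1337 == "1337a" case is the same mechanism: on PHP 5/7 the
// leading digits are taken, while PHP 8 compares an int against a
// non-numeric string as strings and no longer accepts it.
```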
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Variable overwriting</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Variable overwriting caused by parse_str</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">parse_str( string $string [, array &$result ] )</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The parse_str() function parses a query string into variables.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If the result parameter is not given, the variables set by this function overwrite any existing variables with the same names;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">if the second parameter result is given,</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">the variables are stored as elements of that array instead.</p>
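<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The overwrite described above and the safe two-argument form, as an added example that is not from the original post. The query string and the $is_admin flag are constructed samples. The one-argument parse_str() call was deprecated in PHP 7.2 and removed in PHP 8.0, so it is shown in a comment only; the two-argument form runs on every supported version.</p>

```php
<?php
// Added example (not from the original post): why parse_str() without its
// $result argument lets a query string overwrite trusted local variables,
// and the form that keeps user input confined to an array.

// Constructed query string, as it would arrive in $_SERVER['QUERY_STRING'].
$query = 'user=guest&is_admin=1';

// Vulnerable pattern (PHP <= 7.x only): the application sets $is_admin = false,
// then parse_str($query) registers $user and $is_admin in the current scope,
// so the attacker-controlled "is_admin=1" silently replaces the trusted value.
//     $is_admin = false;
//     parse_str($query);        // afterwards $is_admin === "1"

// Safe pattern: parse into an array; no variable in the caller's scope is touched.
function parseQuery(string $query): array
{
    $params = [];
    parse_str($query, $params);
    return $params;
}

$is_admin = false;                // trusted state owned by the application
$params   = parseQuery($query);

// $is_admin is still false; the user-supplied flag exists only as
// $params['is_admin'] and must be authorised explicitly before use.
var_dump($is_admin);
var_dump($params);
```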
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Using X-Forwarded-For to bypass a check for a specified address</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Add X-Forwarded-For to the HTTP headers:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3. strpos array bypass returning NULL, and ereg regex %00 truncation</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Supplementary knowledge:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The PHP strpos() function</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Definition and usage:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">strpos() finds the position of the first occurrence of a string inside another string</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Note: strpos() is case-sensitive</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This function is binary-safe</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">strpos(string, find, start)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Parameters and descriptions:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">string: Required. The string to search in.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">find: Required. The string to look for.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">start: Optional. Where to begin the search.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Return value: the position of the first occurrence of the string inside the other string, or FALSE if the string is not found. Note: string positions start at 0, not at 1.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PHP version: 4+</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The ereg regex function</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">String matching</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">int ereg(string pattern, string string [, array regs]);</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">This function matches the string string against the rules given in pattern.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The match results are placed in the array parameter regs: regs[0] is the original string string, regs[1] is the first substring matching the rules, regs[2] is the second, and so on. If the regs parameter is omitted, only a plain match is performed, and the return value is true when a match is found.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Method one:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The input must be purely numeric</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">and must also contain ' #biubiubiu'</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">strpos() looks for a string, so pass it an array instead:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">strpos() returns null on error, and null !== false,</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">so the condition is satisfied.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Therefore the input is nctf[]=</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Why does ereg() pass as well?</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Because ereg()</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">also returns null on error, and null !== false,</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">so the condition is satisfied.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Method two:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">String truncation</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Use the NULL-byte truncation flaw in ereg() to bypass the regex filter:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">?nctf=1%00%23biubiubiu</p>
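<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">A hardened replacement for the "purely numeric" check that both methods above bypass, as an added example that is not from the original post or the challenge. The original check is assumed to have combined ereg("^[0-9]+$", $nctf) with strpos($nctf, '#biubiubiu'); that is a reconstruction from the post's description, and the test inputs are the post's payloads after URL decoding plus two constructed ones. ereg() was removed in PHP 7, so its legacy behaviour is described in comments rather than called.</p>

```php
<?php
// Added example (not from the original post): a validator that closes both
// bypasses the post describes, runnable on PHP 7 and PHP 8.

function isPureDigits($value): bool
{
    // On PHP 5, strpos(array, ...) and ereg(..., array) returned NULL with a
    // warning, and "NULL !== false" satisfied the check. Reject non-strings
    // first; on PHP 8 these calls would throw a TypeError instead.
    if (!is_string($value)) {
        return false;
    }
    // ereg() was not binary-safe: it stopped at the NUL byte and saw
    // "1\0#biubiubiu" as "1", so the digit regex passed while the binary-safe
    // strpos() still found "#biubiubiu". preg_match() sees the whole buffer,
    // so the NUL byte fails the digit class. \A and \z anchor the entire
    // subject; a bare "$" would still tolerate one trailing newline.
    return preg_match('/\A[0-9]+\z/', $value) === 1;
}

// Constructed inputs mirroring the post's payloads after URL decoding.
$inputs = [
    'nctf[]= (array)'   => ['1'],
    '1%00%23biubiubiu'  => "1\0#biubiubiu",
    '1337a'             => '1337a',
    '123 + newline'     => "123\n",
    '123'               => '123',
];

foreach ($inputs as $label => $value) {
    printf("%-18s => %s\n", $label, isPureDigits($value) ? 'accepted' : 'rejected');
}
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Only the plain digit string is accepted; the array, the NUL-truncated string, the leading-digit string and the string with a trailing newline are all rejected.</p>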
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Mock exercises:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">?password=1337a</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">?name[]=1&password[]=2</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Explanation: sha1() expects a string argument by default; when an array is passed in, it returns false for both, which passes the comparison.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">?a=240610708 or ?a=s878926199a</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">————————————————</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Copyright notice: this article is an original work by CSDN blogger "4v1d", licensed under the CC 4.0 BY-SA agreement; when reposting, please include a link to the original source and this notice.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Original link: https://blog.csdn.net/weixin_51213906/article/details/120042763</p>