nykek5i posted on 2024-7-11 17:30:33

Web Penetration: PHP Code Auditing


Backend code - PHP code auditing

By reading the source code of an application (software, website) we uncover the security vulnerabilities it contains. This course uses PHP to explain the methods used in code auditing, taking the open-source practice target DVWA as the object of the audit.

0x01 Installing DVWA

Simply put, DVWA is a website's source code, written in PHP; install DVWA into phpStudy.

DVWA can be downloaded and installed directly, and it contains many common web security vulnerabilities; it is an open-source vulnerability practice range.

Official homepage

http://www.dvwa.co.uk/
Downloadable versions:

- v1.0.8
- v1.9
- v1.10 *Development*

Installation

Edit the database configuration file: /config/config.inc.php.dist -> config/config.inc.php

    $_DVWA[ 'db_server' ] = '127.0.0.1';
    $_DVWA[ 'db_database' ] = 'dvwa';
    $_DVWA[ 'db_user' ] = 'root';
    $_DVWA[ 'db_password' ] = 'root';
    $_DVWA[ 'default_security_level' ] = 'low';
    $_DVWA[ 'default_phpids_level' ] = 'disabled';

Enable PHP remote file inclusion in php.ini:

    allow_url_include = on

Then run Setup/Reset DB.

Log in to DVWA

admin/password

Switch the security level

Security Level: low
0x02 Command injection vulnerability audit

LOW

Enter the command directly: enter the IP address 127.0.0.1 and the result of the ping command is displayed. View the source code:

    <?php

    if( isset( $_POST[ 'Submit' ] ) ) {
        // Get input
        $target = $_REQUEST[ 'ip' ];

        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping -c 4 ' . $target );
        }

        // Feedback for the end user
        echo "<pre>{$cmd}</pre>";
    }

    ?>
Code analysis

The server obtains an IP address via GPC (GET/POST/COOKIE; here $_REQUEST) and assigns it to the $target variable; the command is concatenated as ping $target; shell_exec() runs the concatenated command. When the submit button is clicked, the server executes one command (one string)?! Can one string contain several commands?

    $target = "127.0.0.1";
    // ping 127.0.0.1
    $target = "127.0.0.1 && whoami";
    // ping 127.0.0.1 && whoami   (whoami runs after ping succeeds)
    $target = "300.0.0.1 || whoami";
    // ping 300.0.0.1 || whoami   (300.0.0.1 is not a valid address, so ping fails and whoami runs)
Exploiting the vulnerability

127.0.0.1 && whoami

Medium

Test the command 127.0.0.1 && whoami: the whoami command is not executed. View the source code (the tail of this block was cut off in the post; it is completed here from the identical Low-level code above):

    <?php

    if( isset( $_POST[ 'Submit' ] ) ) {
        // Get input
        $target = $_REQUEST[ 'ip' ];

        // Set blacklist
        $substitutions = array(
            '&&' => '',
            ';'  => '',
        );

        // Remove any of the characters in the array (blacklist).
        $target = str_replace( array_keys( $substitutions ), $substitutions, $target );

        // Determine OS and execute the ping command.
        if( stristr( php_uname( 's' ), 'Windows NT' ) ) {
            // Windows
            $cmd = shell_exec( 'ping ' . $target );
        }
        else {
            // *nix
            $cmd = shell_exec( 'ping -c 4 ' . $target );
        }

        // Feedback for the end user
        echo "<pre>{$cmd}</pre>";
    }

    ?>
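Added example, not DVWA's code and not the post author's: it runs the three inputs from the Low-level analysis through the Medium-level blacklist shown above and through an allowlisting alternative (validate the value as an IP address and quote it with escapeshellarg), so the difference between removing substrings and refusing anything that is not an address is visible side by side. The helper names medium_blacklist, validated_target and build_ping_command are assumptions of this example.

```php
<?php
// Added example (not DVWA's own code): contrast the Medium-level
// blacklist with input validation, using only the inputs from the post.

// Reproduces the Medium-level filter: strip '&&' and ';' from the input.
function medium_blacklist(string $target): string {
    $substitutions = array('&&' => '', ';' => '');
    return str_replace(array_keys($substitutions), $substitutions, $target);
}

// Hardened check (hypothetical helper, not from DVWA): accept only a
// syntactically valid IP address. Returns null when the input is rejected.
function validated_target(string $target): ?string {
    $ip = filter_var(trim($target), FILTER_VALIDATE_IP);
    return $ip === false ? null : $ip;
}

// Builds the ping command the way the post's code does, but only for a
// validated address, and quotes it with escapeshellarg() so the argument
// stays a single shell word regardless of what it contains.
function build_ping_command(string $target): ?string {
    $ip = validated_target($target);
    if ($ip === null) {
        return null;
    }
    $base = stristr(php_uname('s'), 'Windows NT') ? 'ping ' : 'ping -c 4 ';
    return $base . escapeshellarg($ip);
}

// Constructed test inputs, taken from the post's own code analysis.
$inputs = array('127.0.0.1', '127.0.0.1 && whoami', '300.0.0.1 || whoami');
foreach ($inputs as $input) {
    printf("input: %s\n", $input);
    // The blacklist only deletes the two listed substrings; it never
    // decides whether what remains is an address at all.
    printf("  after Medium blacklist: %s\n", medium_blacklist($input));
    // The validating version either yields a quoted ping command for a
    // real address or rejects the input outright.
    printf("  validated command:      %s\n", build_ping_command($input) ?? '(rejected)');
}
```

Only the first input yields a command from build_ping_command; the other two are rejected before any shell is involved, whereas the blacklist merely edits them.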




星☆雨 posted on 2024-9-2 04:18:42

A sign of the times; used to mock works whose only purpose is to chase memes and grab attention.

nqkk58 posted on 2024-9-27 09:04:18

Google foreign-trade website optimization techniques.

4lqedz posted on 2024-11-9 19:13:32

"BS" (short for 鄙视, "to look down on")

nykek5i posted on 2024-11-12 09:36:22

Baidu SEO optimization forum http://www.fok120.com/

nykek5i posted 3 hours ago

Your insight is truly original; I learned a great deal from it.