Code Audit Approaches: PHP Code Audit
<h1 style="color: black; text-align: left; margin-bottom: 10px;">00×0 Preface</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Recently I have been digging SRC (bug bounty) targets while auditing code, so here I summarize some of my recent PHP code audit approaches. I usually work through them in this order. Limited by my own ability, there may be mistakes or omissions, and I hope the masters will point them out.</span></p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">00×1 Preparation: the tools I use</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">PHPStorm</span></strong><span style="color: black;"> | An integrated development environment for the PHP programming language.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">Fortify</span></strong><span style="color: black;"> | Static code-audit scanner; a commercial static code scanning tool with a relatively low false-positive rate.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">Seay</span></strong><span style="color: black;"> | Source code audit tool.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">CodeQL</span></strong><span style="color: black;"> | An effective, non-commercial, open-source automated code audit tool built on QL.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;"><span style="color: black;">xcheck</span></strong><span style="color: black;"> | Xcheck is a static application security testing tool designed to discover security risks in business code quickly, especially vulnerabilities triggered by untrusted input. Its detection covers the mainstream web vulnerability classes, and it is fast, with low false positives and high accuracy.</span></p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">Chrome & HackerBar plugin</h1>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">00×3 Know your goal</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Before auditing, we first need to decide the goal of this particular audit. I think there are three cases:</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">1) To gain auditing experience.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">2) In a project, to find vulnerabilities that can be exploited further; this usually means getshell- or SSRF-level findings.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">3) To dig a few bugs to sell or to exchange for a CVE or CNVD.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">What is the difference?</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">To gain auditing experience, I focus on historical vulnerabilities and reproduce them.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">If the goal is to find vulnerabilities for further exploitation during a penetration test, then I think you can rely mainly on automated code-audit tools such as xcheck and Fortify, and then concentrate on the high-impact classes covered below: file upload, file inclusion, SQL injection and so on.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">If the goal is 0-days or certificates, then going through the whole process from start to finish is a good choice.</span></p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">00×4 Determine whether a framework is used</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Determining whether a framework is used is quite important: it helps us quickly locate the useful function sets and filter out the code we don't need to read.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Generally, I find projects that use a framework easier to audit, because their function-set files (the various methods and functions) are well organized, sitting in fixed folders where they are clearly visible. Of course this requires us to know the framework first.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The mainstream design pattern today is MVC, i.e. Model (M), View (V) and Controller (C); I won't elaborate here. Almost all mainstream PHP frameworks use the MVC pattern.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The PHP development frameworks seen most often at present are Laravel, ThinkPHP, Yii and others.</span></p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">4.1. ThinkPHP framework</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">With ThinkPHP we need to distinguish TP3 from TP5. First let's look at the TP3 directory structure. (Systems based on TP3 are rare now... a general idea is enough.)</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/adc943192a864f748d851e275ea1ec46~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=dlbgmLfTwtGWS8H5mV8yGlPsGgE%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Here, both the Application and Public directories are empty.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Application holds the project's important function sets; Public is the public folder, the one users access, and important function sets must never be placed under this folder.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The Application directory is empty by default, but it is generated automatically on the first visit to the entry file; see the entry-file part later. The structure of the framework directory ThinkPHP is as follows:</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/e35081de969645a095001ff2d9a37968~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=wYAwfsGhqxSuFMkwiu6hvNWAHnU%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Besides, TP5 differs quite a bit from TP3 in practice, so first look at the default file structure of a freshly downloaded TP5. Under the public folder there is a router.php file, which exists to support PHP's built-in web server and can be used for quick testing; start command: php -S localhost:8888 router.php. The site's functional directories are again reached starting from index.php under the root directory.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The TP5 directory structure is as follows.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Generally, when auditing a CMS built on a framework, I don't read the framework's own directory (the contents of the ThinkPHP folder above), nor do I start with the third-party libraries in vendor; I only skim those when the audit flow leads into them. The real work is done under the Application folder.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Since it is an MVC framework, what we really care about is the controller (C): most function points live in C, and most of the vulnerabilities we can find are in C as well.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The figure below shows the directory of the ThinkAdmin project, which is based on TP6.</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/59b88ac04a524a169226714dcf869d6a~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=qy2kP2b29PxkXrTOQRUwmIcjSLM%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">app (i.e. application) contains the folders admin, data, index and wechat. Each folder represents an application: admin is usually the back-end management service and wechat the WeChat application service. Each application in turn has Controller (controllers), Model (models) and View (views, usually HTML files).</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Now that the directory is clear, the goal is clear too: when you get a framework-based CMS like this, you should know where the audit focus lies.</span></p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">4.2. Laravel framework</h1>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/c9c8b822002a4fa7805a9aafe85801b2~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=BF2WaTs0R2MU%2B4qi%2F88u%2Fq%2FP8KU%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">However the directory layout changes, the focus of an MVC architecture is still in Controllers.</span></p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">4.3. If no framework is used</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">If no framework is used, first understand the directory structure; generally:</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p26-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/0be3c8fa6d624c0590c5a0e55c3c7bb4~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=Ssn8uXzS7YV%2FiSNEsJEGjFfHJMM%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Several points need attention during the audit (as we start auditing later on, keep these places in mind and think about them often):</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">1) Function-set files, usually with function or common in the name. These files contain the public functions provided for other files to call, so most files include them in their header. A very useful trick for finding them is to open index.php or some functional file; they can usually be found at the top.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">2) Configuration files, usually with config in the name. They contain the functional options the web application needs to run as well as database and other settings. From this file you can learn a small part of the program's functionality. When reading it, also note whether the parameter values are wrapped in single or double quotes: with double quotes there may be a code-execution problem.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">3) Security filter files. These are crucial for code auditing, because they decide whether a suspicious point we dig up can be exploited directly. They usually have filter, safe or check in the name and mainly filter parameters; most applications in fact just run addslashes() over the input parameters.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">4) The index file. index is the program's entry point, so usually just reading the index file gives a rough picture of the whole program's architecture, execution flow, included files and which files are core. The index files in different directories also have different implementations, so it's best to read through the index files of the several core directories.</span></p>
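<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The four points above can be turned into a first-pass script. The following is an added example written for this article, not code from the original post or from any project it mentions: it groups files by the name keywords listed (function/common, config, filter/safe/check), reads the include chain out of the entry file's header, and flags config values written in double quotes, separately marking those that contain a $ and would therefore be interpolated by PHP. The project tree is a constructed in-memory sample; the file names and the FILE_ROLES mapping are assumptions for the demonstration.</span></p>

```python
import re

# Constructed sample of a framework-less PHP project, keyed by path (not a real code base).
SAMPLE_PROJECT = {
    "index.php": (
        "<?php\n"
        "require_once 'include/common.php';\n"
        "include 'config/config.php';\n"
        "require 'lib/safe_filter.php';\n"
    ),
    "include/common.php": "<?php function get_ip() { return $_SERVER['REMOTE_ADDR']; }\n",
    "config/config.php": (
        "<?php\n"
        "$cfg['db_host'] = 'localhost';\n"
        "$cfg['db_user'] = \"root\";\n"
        "$cfg['site_name'] = \"${name}\";\n"
    ),
    "lib/safe_filter.php": "<?php function safe($s) { return addslashes($s); }\n",
    "admin/index.php": "<?php require '../include/common.php';\n",
}

# Name keywords from the four points above, mapped to the role of the file (assumed mapping).
FILE_ROLES = {
    "function-set": ("function", "common"),
    "config": ("config",),
    "filter": ("filter", "safe", "check"),
}

# require/include/require_once/include_once with a quoted literal path.
INCLUDE_RE = re.compile(r"""\b(?:require|include)(?:_once)?\s*\(?\s*['"]([^'"]+)['"]""")
# A config assignment whose value is a double-quoted string; the string body is captured.
DQ_VALUE_RE = re.compile(r"""=\s*"((?:[^"\\]|\\.)*)"\s*;""")


def classify_files(project):
    """Group file paths by the role their name suggests (function set, config, filter)."""
    roles = {role: [] for role in FILE_ROLES}
    for path in project:
        lower = path.lower()
        for role, keywords in FILE_ROLES.items():
            if any(k in lower for k in keywords):
                roles[role].append(path)
    return roles


def entry_includes(project, entry="index.php"):
    """Files pulled in by the entry file's header: the quickest way to find the core files."""
    return INCLUDE_RE.findall(project.get(entry, ""))


def double_quoted_config_values(project, config_path):
    """Config values written in double quotes, with a flag for values that would interpolate.

    PHP expands $var and {$expr} inside double quotes, so a value containing '$' is the
    case where a config value written to disk can turn into executed code.
    """
    findings = []
    for n, line in enumerate(project.get(config_path, "").splitlines(), 1):
        m = DQ_VALUE_RE.search(line)
        if m:
            value = m.group(1)
            findings.append((n, value, "$" in value))
    return findings


if __name__ == "__main__":
    print(classify_files(SAMPLE_PROJECT))
    print(entry_includes(SAMPLE_PROJECT))
    print(double_quoted_config_values(SAMPLE_PROJECT, "config/config.php"))
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">On a real tree you would replace SAMPLE_PROJECT with a walk over the source directory; the regexes are deliberately simple and only catch literal include paths, so includes built from variables still have to be read by hand.</span></p>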
<h1 style="color: black; text-align: left; margin-bottom: 10px;">00×5 Understand the routing</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The reason I like frameworks like ThinkPHP is that their routing is easy to figure out: if I find a vulnerability in some method, I can reach that method directly by its route and exploit it directly.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Understanding the routing is also about locating vulnerabilities quickly; otherwise you find a vulnerability by auditing the source but don't know which URL to open in the browser to reach it. Isn't that embarrassing?</span></p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">For example, ThinkPHP has three routing modes</h1>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">5.1. Normal mode</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Routing is off and the default pathinfo URL format is used throughout:</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">'url_route_on' => false,</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">With routing off, no routing rules are parsed and URLs are accessed in the default PATH_INFO form:</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">module/controller/action/param/value/…</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">module</span> is the application being used.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">controller</span> is the controller, matching the file name.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">action</span> is the method, a method in that controller.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">param</span> is the name of the variable needed.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">value</span> is the parameter's value.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">URLs can still be simplified, though, through features such as action parameter binding, empty controllers and empty actions.</span></p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">5.2. Mixed mode</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Routing is on and routes are mixed with the default PATH_INFO form:</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">'url_route_on' => true,</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">In this mode, routing rules are defined only for the addresses that need them; everything else is still accessed by URL in the default PATH_INFO form.</span></p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">5.3. Forced mode</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Routing is on and a route must be defined before an address can be accessed:</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">'url_route_on' => true,</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">'url_route_must' => true,</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">In this mode a routing rule must be defined strictly for every address, otherwise an exception is thrown.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The routing rule for the home page is </span><span style="color: black;">/</span>.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">In fact, during a real audit I usually first walk through the function points as a black box; after that analysis I mostly know how the routes are formed. Where something is still unclear, I look for the route files in the source.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Generally, files or folders with route in the name are related to routing.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Once the paths are worked out, the real audit can begin.</span></p>
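<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The normal-mode mapping module/controller/action/param/value described above can be worked in both directions: from a controller file and method seen while reading source to the URL that reaches it, and from a URL seen while black-box testing back to the file to read. The following is an added example for this section, not code from the original article or from ThinkPHP itself. It assumes the TP5 layout app/&lt;module&gt;/controller/&lt;Class&gt;.php, the default module/controller/action of index when a URL segment is missing, and ThinkPHP's default url_convert behaviour of turning CamelCase names into snake_case in the URL; routes defined in route files (mixed and forced mode) are not modelled.</span></p>

```python
import re

# Fallback for module / controller / action when a URL segment is missing (TP defaults, assumed).
DEFAULTS = ("index", "index", "index")


def parse_pathinfo(url):
    """Split a normal-mode URL, module/controller/action/param/value/..., into its parts."""
    parts = [p for p in url.split("?")[0].strip("/").split("/") if p]
    module, controller, action = [parts[i] if i < len(parts) else DEFAULTS[i] for i in range(3)]
    rest = parts[3:]
    # Trailing segments pair up as name/value; an odd trailing name gets an empty value.
    params = {rest[i]: (rest[i + 1] if i + 1 < len(rest) else "") for i in range(0, len(rest), 2)}
    return {"module": module, "controller": controller, "action": action, "params": params}


def to_snake(name):
    """UserInfo -> user_info, deleteUser -> delete_user (what url_convert does by default)."""
    return re.sub(r"(?<!^)(?=[A-Z])", "_", name).lower()


def to_camel(name):
    """user_info -> UserInfo (class names)."""
    return "".join(part.capitalize() for part in name.split("_"))


def to_lower_camel(name):
    """delete_user -> deleteUser (method names)."""
    camel = to_camel(name)
    return camel[:1].lower() + camel[1:]


def url_for_method(file_path, method, app_dir="app"):
    """Source -> URL: the normal-mode path that reaches `method` of the controller in `file_path`."""
    m = re.match(rf"{re.escape(app_dir)}/([^/]+)/controller/([A-Za-z0-9]+)\.php$", file_path)
    if not m:
        raise ValueError(f"not a controller path: {file_path}")
    module, cls = m.groups()
    return f"/{module}/{to_snake(cls)}/{to_snake(method)}"


def source_for_url(url, app_dir="app"):
    """URL -> source: the controller file and method name to open for a URL seen in the browser."""
    r = parse_pathinfo(url)
    return f"{app_dir}/{r['module']}/controller/{to_camel(r['controller'])}.php", to_lower_camel(r["action"])


if __name__ == "__main__":
    print(parse_pathinfo("/admin/user_info/delete_user/id/7"))
    print(url_for_method("app/admin/controller/UserInfo.php", "deleteUser"))
    print(source_for_url("/admin/user_info/delete_user/id/7"))
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The two conversions are the routine you repeat for every suspicious method: derive the URL, confirm it in the browser, and note which parameter names the method reads so the param/value pairs can be filled in.</span></p>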
<h1 style="color: black; text-align: left; margin-bottom: 10px;">00×6 Audit</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Before manual auditing, you can first run the automated tools mentioned earlier (xcheck, Fortify, CodeQL and so on), verify the findings from their reports, and then go through the steps below once; that will cover most of a project. Deeper exploitation then depends on one's own skill and experience.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">If a framework is used, you can first check whether the project is still affected by known vulnerabilities of that framework; I won't go into that again.</span></p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.1. Authentication</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">First, assess the project's overall permission checking to determine whether privilege escalation or unauthenticated access exists.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Generally, the part that needs authentication is the back-end management, i.e. everything under the admin application.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">So for the controller methods under admin, we need to determine whether they can be reached without authorization.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">The common way to authenticate the whole back end today is to write a base class, e.g. Base.php or common.php, that contains the authentication method, and have every controller class extend it.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">For example, the back end of the xiaohuanxiong comic CMS uses this approach.</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/69e7808ab0a8435a849d3a4348799c85~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=U%2BBjxV%2Bi7PfOXO4E74HBoDgsizc%3D" style="width: 50%; margin-bottom: 20px;"></div>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/1ad2887016b64ea2bf44bac7bc9c662a~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=0J5T0O6sW%2BmVXvtkx8BB9fUccbU%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">I have also seen some better projects that customize the framework with a component of their own, which every class then extends; the principle is the same.</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">ThinkAdmin, for example, has its controllers extend its own component.</span></p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/d3272f5abc164f14893d0bbd53ac3ede~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=cNSBOr%2BN7nILkXsYg2%2F9oEqQUN4%3D" style="width: 50%; margin-bottom: 20px;"></div>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/491a3a3c4dbb471a83724b1212c07cbc~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=11wO3wlETOEVis2q03W%2Ffm6xW2k%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Knowing how authentication is done, the first thing we look for is this: if a project has none of these mechanisms, nor any other, then it has unauthenticated access, i.e. back-end functionality can be used without logging in. That is very dangerous. Sensitive information only an administrator should see becomes visible without authorization, and worse, combined with a back-end vulnerability an unauthenticated getshell is very possible. So authentication is the first, and an easy, place to look.</span></p>
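<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Because the check lives in a base class, the quick audit is an inheritance question: which controllers under admin never pass through that base class? The following is an added example for this section, not code from the original article, from xiaohuanxiong or from ThinkAdmin. It parses class/extends declarations out of a constructed set of admin controllers, walks each extends chain, and lists the controllers that never reach an auditor-confirmed auth base; the file names, the class names Base/Admin/User/Login/Backup and the allowlist of intentionally public controllers are assumptions for the demonstration. Which base classes actually perform the check is something the auditor decides by reading them, which is why auth_bases is a parameter.</span></p>

```python
import re

# Constructed admin application (not a real project). Base::initialize() does the login check,
# Admin extends Base, and the remaining controllers either inherit the check or do not.
SAMPLE_CONTROLLERS = {
    "app/admin/controller/Base.php": (
        "<?php\nnamespace app\\admin\\controller;\n"
        "class Base extends \\think\\Controller {\n"
        "    protected function initialize() {\n"
        "        if (!session('admin_id')) { $this->redirect('/admin/login/index'); }\n"
        "    }\n}\n"
    ),
    "app/admin/controller/Admin.php": "<?php\nnamespace app\\admin\\controller;\nclass Admin extends Base {}\n",
    "app/admin/controller/User.php": "<?php\nnamespace app\\admin\\controller;\nclass User extends Admin { public function index() {} }\n",
    "app/admin/controller/Login.php": "<?php\nnamespace app\\admin\\controller;\nclass Login extends \\think\\Controller { public function index() {} }\n",
    "app/admin/controller/Backup.php": "<?php\nnamespace app\\admin\\controller;\nclass Backup extends \\think\\Controller { public function download() {} }\n",
}

# `class Name extends Parent`; the parent may be namespace-qualified (\think\Controller).
CLASS_RE = re.compile(r"\bclass\s+(\w+)(?:\s+extends\s+([\\\w]+))?")


def parent_map(files):
    """Map each declared class to its parent's short name (None when it extends nothing)."""
    parents = {}
    for src in files.values():
        for m in CLASS_RE.finditer(src):
            cls, parent = m.group(1), m.group(2)
            parents[cls] = parent.split("\\")[-1] if parent else None
    return parents


def inherits_auth(cls, parents, auth_bases):
    """Walk the extends chain; True when some ancestor is one of the auth bases."""
    seen = set()
    while cls and cls not in seen:
        if cls in auth_bases:
            return True
        seen.add(cls)
        cls = parents.get(cls)
    return False


def unauthenticated_controllers(files, auth_bases, allowlist=frozenset()):
    """Controllers that never pass through an auth base: candidates for unauthenticated access.

    allowlist holds controllers that are meant to be reachable before login (login page, captcha).
    """
    parents = parent_map(files)
    return sorted(
        cls for cls in parents
        if cls not in auth_bases and cls not in allowlist and not inherits_auth(cls, parents, auth_bases)
    )


if __name__ == "__main__":
    print(unauthenticated_controllers(SAMPLE_CONTROLLERS, auth_bases={"Base"}, allowlist={"Login"}))
```

<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">Every name the script prints still has to be read: a controller may do its own check inside each method, or the base class may skip the check for some actions, so the list is where to start looking rather than a list of confirmed findings.</span></p>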
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2. <span style="color: black;">根据</span>漏洞类型审计</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">我认为<span style="color: black;">针对</span>我<span style="color: black;">来讲</span>,比较好的审计<span style="color: black;">办法</span>是黑盒白盒<span style="color: black;">一块</span>,<span style="color: black;">按照</span>漏洞类型一个一个的去找寻可能存在漏洞的<span style="color: black;">地区</span>,<span style="color: black;">而后</span>再回溯查看<span style="color: black;">是不是</span>用户可控,以此快速定位漏洞。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">因此</span><span style="color: black;">通常</span>我是<span style="color: black;">按照</span>漏洞类型,以及<span style="color: black;">每一个</span>漏洞可能<span style="color: black;">触及</span>的危险函数,去快速定位。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">那<span style="color: black;">通常</span>看的<span style="color: black;">地区</span>有</span><span style="color: black;"><span style="color: black;">SQL注入、XSS、CSRF、SSRF、XML</span></span><span style="color: black;">外边</span>实体注入等等</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.1. sql注入</h1><span style="color: black;"><span style="color: black;">倘若</span><span style="color: black;">运用</span>了框架,<span style="color: black;">能够</span>分辨一下框架名<span style="color: black;">叫作</span>以及版本,去搜索一下该版本的框架<span style="color: black;">是不是</span>存在漏洞,<span style="color: black;">倘若</span>存在再去cms中验证。<span style="color: black;">由于</span>本篇<span style="color: black;">文案</span><span style="color: black;">重点</span>讲我自己在cms审计上的<span style="color: black;">有些</span>经验,<span style="color: black;">因此呢</span>不多深入框架的审计部分。</span><span style="color: black;"><span style="color: black;">倘若</span><span style="color: black;">无</span><span style="color: black;">运用</span>框架,则需要仔细的观察数据库函数,<span style="color: black;">通常</span><span style="color: black;">来讲</span>,cms是将select、insert等函数进行了封装的,<span style="color: black;">例如</span></span><span style="color: black;"><span style="color: black;">$db->table(‘test’)->where(“name=admin”)</span></span>便是<span style="color: black;"><span style="color: black;">select * from test where name=admin</span></span>这种格式,而此时若是<span style="color: black;">发掘</span>cms<span style="color: black;">运用</span>的是过滤+拼接,<span style="color: black;">那样</span><span style="color: black;">特别有</span>可能会<span style="color: black;">显现</span>问题,而<span style="color: black;">倘若</span><span style="color: black;">运用</span>了PDO,则继续跟进<span style="color: black;">触及</span>到table,order by等字段的拼接去,<span style="color: black;">由于</span>这些字段是<span style="color: black;">没法</span><span style="color: black;">运用</span>PDO的。<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;">审计要素:</span></p><span style="color: black;">参数<span style="color: black;">是不是</span>用户可控</span><span style="color: black;"><span style="color: black;">是不是</span><span style="color: black;">运用</span>了预编译</span>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><span style="color: black;"><span style="color: black;">那样</span><span style="color: black;">首要</span>,<span style="color: black;">倘若</span><span style="color: black;">无</span><span style="color: black;">运用</span>框架封装的sql语句,<span style="color: black;">那样</span>全局搜索insert、select等sql语句关键词,<span style="color: black;">而后</span>定位到<span style="color: black;">详细</span>的语句,<span style="color: black;">而后</span>查看里面有<span style="color: black;">无</span>拼接的变量,回溯可不可控。<span style="color: black;">倘若</span>可控并且存在字符串拼接,<span style="color: black;">特别有</span>可能就存在漏洞。</span></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">With a framework, only the search keywords differ; you still have to check whether string concatenation exists and whether the input is controllable.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Even when prepared statements are used, if strings were concatenated before the statement was prepared they are useless: the injection still works.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Below are the keywords I usually search for (for framework code, search manually according to the manual of the framework your project uses). Anyone who wants to add to the list is welcome to.</p>
insert
create
delete
update
order by
group by
where
from
limit
desc
asc
union
select
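The three cases described above, as an added example that is not code from the original post: "filter + concatenate", a bound parameter, and the ORDER BY identifier that PDO cannot bind. It assumes an SQLite in-memory database and a hypothetical users table; the request array is constructed.

```php
<?php
// Added example, not code from the original post. Assumes an SQLite in-memory
// database and a hypothetical "users" table; the request array is constructed.
declare(strict_types=1);

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$pdo->exec("INSERT INTO users (name, role) VALUES ('admin', 'admin'), ('bob', 'user')");

// The "filter + concatenate" pattern the post warns about: the filter strips
// quotes, but this numeric context never needed a quote to break out of.
function findUserVulnerable(PDO $pdo, string $id): array
{
    $filtered = str_replace(["'", '"'], '', $id);
    $sql = "SELECT id, name, role FROM users WHERE id = $filtered";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Prepared statement: the value is bound, never spliced into the SQL text,
// and the int type hint forces validation to happen at the boundary.
function findUserSafe(PDO $pdo, int $id): array
{
    $stmt = $pdo->prepare('SELECT id, name, role FROM users WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Identifiers (table, ORDER BY column, direction) cannot be bound with PDO,
// which is the case the post says to follow; a whitelist is the only option.
function listUsersSorted(PDO $pdo, string $column, string $direction): array
{
    $allowedColumns = ['id', 'name', 'role'];
    if (!in_array($column, $allowedColumns, true)) {
        throw new InvalidArgumentException('unknown sort column');
    }
    $direction = strtoupper($direction) === 'DESC' ? 'DESC' : 'ASC';
    // Safe only because both identifiers were just validated.
    $sql = "SELECT id, name, role FROM users ORDER BY $column $direction";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request: ?id=2 OR 1=1&sort=name&dir=desc
$request = ['id' => '2 OR 1=1', 'sort' => 'name', 'dir' => 'desc'];

echo count(findUserVulnerable($pdo, $request['id'])), " rows (filter bypassed)\n"; // 2

$id = filter_var($request['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    echo "rejected: id is not an integer\n";
} else {
    echo count(findUserSafe($pdo, $id)), " rows\n";
}

foreach (listUsersSorted($pdo, $request['sort'], $request['dir']) as $row) {
    echo $row['id'], ' ', $row['name'], "\n";  // bob, then admin
}
```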
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.2. XSS vulnerabilities</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points</p>
Whether a global parameter filter exists, whether its filtering rules meet the security requirements, whether there are both outputs that need filtering and outputs that do not, and whether the pages handle them properly.
Whether output is encoded (HTML, JS, etc.).
Whether the front end outputs data through a framework with built-in XSS protection such as AngularJS, React or Vue.js.
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">For this one I don't do keyword searches; I just keep an eye out, while hunting for other vulnerabilities, for places that echo input back unchanged, and otherwise I don't pay special attention to it.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If you want to dig into it specifically, you can:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Check whether global interceptors or filters are configured. Check the data output functions; the commonly used ones are print, print_r, echo, printf, sprintf, die, var_dump, var_export.</p>
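The "input echoed back unchanged" sink described above beside context-specific output encoding, as an added example (not code from the original post). The nickname is a constructed sample value.

```php
<?php
// Added example, not code from the original post: the raw echo the audit
// looks for beside context-specific output encoding. The nickname is a
// constructed sample value.
declare(strict_types=1);

// For HTML text nodes and double-quoted attribute values.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// For a value placed inside an inline <script> block: json_encode yields a
// JS string literal, and the HEX flags also encode < > & ' " so the output
// can never contain "</script>".
function js(string $value): string
{
    return json_encode(
        $value,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
}

// The pattern the audit looks for: request data written into the page as-is.
function renderGreetingVulnerable(string $nickname): string
{
    return "<p>Hello, $nickname</p>";
}

// Each sink gets the encoder for its context.
function renderGreetingSafe(string $nickname): string
{
    return '<p>Hello, ' . e($nickname) . '</p>'
         . '<input type="text" name="nickname" value="' . e($nickname) . '">'
         . '<script>var nickname = ' . js($nickname) . ';</script>';
}

$nickname = '<img src=x onerror=alert(1)>';
echo renderGreetingVulnerable($nickname), PHP_EOL;  // markup reaches the browser intact
echo renderGreetingSafe($nickname), PHP_EOL;        // every < > " is encoded
```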
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.3. CSRF vulnerabilities</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Compared with XSS, CSRF attacks are often less widely known (so resources on defending against them are also fairly scarce) and harder to defend against, and are therefore considered more dangerous than XSS.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points</p>
Whether forms carry a random token.
Whether forms that perform sensitive operations exist.
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The main CSRF exploitation scenarios are in practice privilege-related operations, or places where sensitive functions live, such as the admin backend or the member center. We can search for the form locations, check whether a random token is generated, then check whether the backend code validates that token first. If the token is not validated, check further whether there is any Referer validation; if there is none, a CSRF problem exists.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">You can try searching the whole project for</p>
csrf-token
csrf_token
csrftoken
csrf
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Below is a password-update operation. Suppose we construct a link http://127.0.0.1/index.php?password_new=password&password_conf=password&Change=Change# and send it to the victim to click; in the current state the victim's password can be changed directly, because no validation of any kind is performed. Of course code is generally not written like this; this is just the DVWA CSRF exercise as an example.</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/b2ea1f1bbea04acd9d75f29516c639df~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=Y49GROmjW4%2BO8c8X8BkxzkDMGcA%3D" style="width: 50%; margin-bottom: 20px;"></div>
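A synchronizer token applied to the password-change form from the DVWA case above, as an added example that is not code from the original post or DVWA. The session is simulated with an array so it runs from the command line.

```php
<?php
// Added example, not code from the original post. Shows a synchronizer token
// for the password-change form discussed above; the session is simulated
// with an array so the script runs from the command line.
declare(strict_types=1);

function issueCsrfToken(array &$session): string
{
    if (empty($session['csrf_token'])) {
        $session['csrf_token'] = bin2hex(random_bytes(32));  // unpredictable
    }
    return $session['csrf_token'];
}

// True only when the submitted token equals the session token.
// hash_equals avoids leaking the mismatch position through timing.
function verifyCsrfToken(array $session, ?string $submitted): bool
{
    if (empty($session['csrf_token']) || $submitted === null) {
        return false;
    }
    return hash_equals($session['csrf_token'], $submitted);
}

function renderPasswordForm(array &$session): string
{
    $token = htmlspecialchars(issueCsrfToken($session), ENT_QUOTES, 'UTF-8');
    return '<form method="post" action="/index.php">'
         . '<input type="hidden" name="csrf_token" value="' . $token . '">'
         . '<input type="password" name="password_new">'
         . '<input type="password" name="password_conf">'
         . '<button name="Change" value="Change">Change</button></form>';
}

// Handler: POST only, valid token only, matching passwords only.
function handlePasswordChange(array $session, string $method, array $post): string
{
    if ($method !== 'POST') {
        return 'rejected: GET must not change state';
    }
    if (!verifyCsrfToken($session, $post['csrf_token'] ?? null)) {
        return 'rejected: missing or invalid CSRF token';
    }
    if (($post['password_new'] ?? '') !== ($post['password_conf'] ?? '')) {
        return 'rejected: passwords do not match';
    }
    return 'password changed';
}

// Constructed walk-through.
$session = [];
renderPasswordForm($session);           // the real form embeds the token
$token = $session['csrf_token'];
$fields = ['password_new' => 'password', 'password_conf' => 'password'];

// A link like the one in the post: GET and no token.
echo handlePasswordChange($session, 'GET', $fields), PHP_EOL;
// A cross-site POST cannot know the token either.
echo handlePasswordChange($session, 'POST', $fields), PHP_EOL;
// The legitimate form submission succeeds.
echo handlePasswordChange($session, 'POST', $fields + ['csrf_token' => $token]), PHP_EOL;
```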
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.4. SSRF vulnerabilities</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">SSRF uses a flawed web application as a proxy to attack remote and local servers. The common approaches are:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">1. Port-scan the internet, the intranet the server sits in, or the local host, and collect banner information from services;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">2. Attack applications running on the intranet or locally (for example overflows);</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">3. Fingerprint intranet web applications by accessing their default files;</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">4. Attack internal and external web applications, mainly with attacks that work through GET parameters alone (for example Struts2, SQLi);</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">5. Read local files through the file protocol, and so on.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points:</p>
Whether functions that can produce SSRF are present.
Whether there is a regex filter for intranet IP addresses, and whether that regex is strict.
Whether the request is restricted to HTTP or HTTPS only.
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In PHP, the functions where SSRF most often appears are file_get_contents(), fsockopen(), curl_exec() and get_headers(). Search the code for these key functions, then check whether the accessed port, the protocol, intranet IP addresses and so on are restricted.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">The file://, http/https://, dict:// and gopher:// protocols are used to reach the intranet.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Here are the keywords I search for most often</p>
file_get_contents
fsockopen
curl_exec
get_headers
fopen
readfile
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Note</p>
PHP normally does not enable the gopher wrapper for fopen
With file_get_contents, the gopher protocol cannot be URL-encoded
file_get_contents has a bug with 302 redirects to gopher that makes exploitation fail
curl/libcurl 7.43 has a bug in the gopher protocol (%00 truncation); tested working on 7.49
curl_exec() // does not follow redirects by default
file_get_contents() // file_get_contents supports the php://input protocol
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I won't go into the various bypasses here.</p>
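A curl_exec() wrapper that applies the three audit points above (scheme restriction, intranet address check, port restriction) plus the redirect behaviour noted in the list, as an added example that is not code from the original post. The sample URLs are constructed; only the validation step runs, so no network access is needed.

```php
<?php
// Added example, not code from the original post. A fetch wrapper applying
// the audit points above: http/https only, ports 80/443 only, the resolved
// address checked against private and reserved ranges, redirects not followed,
// and curl pinned to the validated IP. Sample URLs are constructed.
declare(strict_types=1);

// True for loopback, link-local, private and other reserved ranges.
function isInternalAddress(string $ip): bool
{
    return filter_var($ip, FILTER_VALIDATE_IP,
        FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE) === false;
}

// Validates a user-supplied URL; returns [host, port, ip] or throws.
function validateOutboundUrl(string $url): array
{
    $p = parse_url($url);
    if ($p === false || empty($p['scheme']) || empty($p['host'])) {
        throw new InvalidArgumentException('malformed URL');
    }
    $scheme = strtolower($p['scheme']);
    if (!in_array($scheme, ['http', 'https'], true)) {   // no file:, dict:, gopher:, php:
        throw new InvalidArgumentException("scheme $scheme not allowed");
    }
    if (isset($p['user']) || isset($p['pass'])) {
        throw new InvalidArgumentException('userinfo not allowed');
    }
    $port = $p['port'] ?? ($scheme === 'https' ? 443 : 80);
    if (!in_array($port, [80, 443], true)) {
        throw new InvalidArgumentException("port $port not allowed");
    }
    // Resolve here (IPv4 only via gethostbyname) so a hostname that points at
    // a loopback or link-local address is caught before any connection.
    $host = $p['host'];
    $ip = filter_var($host, FILTER_VALIDATE_IP) !== false ? $host : gethostbyname($host);
    if (filter_var($ip, FILTER_VALIDATE_IP) === false) {
        throw new InvalidArgumentException("$host does not resolve");
    }
    if (isInternalAddress($ip)) {
        throw new InvalidArgumentException("$host resolves to internal address $ip");
    }
    return [$host, $port, $ip];
}

function fetchSafely(string $url): string
{
    [$host, $port, $ip] = validateOutboundUrl($url);
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_RETURNTRANSFER  => true,
        CURLOPT_FOLLOWLOCATION  => false,  // a 302 to an internal target is not followed
        CURLOPT_PROTOCOLS       => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_REDIR_PROTOCOLS => CURLPROTO_HTTP | CURLPROTO_HTTPS,
        CURLOPT_CONNECTTIMEOUT  => 5,
        CURLOPT_TIMEOUT         => 10,
        // Pin the checked IP so a second DNS lookup cannot answer differently.
        CURLOPT_RESOLVE         => ["$host:$port:$ip"],
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        throw new RuntimeException('fetch failed: ' . curl_error($ch));
    }
    return $body;
}

// Constructed inputs; only validation runs here, no network access.
foreach ([
    'http://203.0.113.10/status',      // passes
    'http://127.0.0.1:80/',            // loopback
    'http://10.0.0.5:8080/admin',      // private range and non-standard port
    'file:///etc/hosts',               // scheme
    'gopher://203.0.113.10/',          // scheme
] as $url) {
    try {
        validateOutboundUrl($url);
        echo "allowed  $url\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected $url: ", $e->getMessage(), "\n";
    }
}
```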
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.5. XML external entity injection</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points</p>
Whether the parameter is user-controllable
Whether the libxml version is 2.9.0 or above
Whether external entities are disabled
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">I pay less attention to this one; I just search for keywords such as "DOMDocument", "SimpleXMLElement" and "simplexml_load_string" and check whether an XML string is built from parameters, or whether there is an unrestricted bulk parsing method. Then trace the parameters back and judge whether they are user-controllable.</p>
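A DOMDocument parse of untrusted XML that satisfies the "external entities disabled" audit point, as an added example that is not code from the original post. It assumes PHP 8 (libxml 2.9 or later, where external entity loading is off unless LIBXML_NOENT is passed); the two XML inputs are constructed.

```php
<?php
// Added example, not code from the original post. Parses untrusted XML with
// DOMDocument while refusing DOCTYPE declarations, which is where entities are
// declared. Assumes PHP >= 8.0 (libxml >= 2.9, so external entity loading is
// already off unless LIBXML_NOENT is passed). Inputs are constructed.
declare(strict_types=1);

function parseUntrustedXml(string $xml): DOMDocument
{
    // Cheapest check first: a document that declares a DTD is rejected outright.
    if (preg_match('/<!DOCTYPE/i', $xml) === 1) {
        throw new InvalidArgumentException('DOCTYPE not allowed');
    }
    $previous = libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    $doc->resolveExternals = false;
    $doc->substituteEntities = false;
    // LIBXML_NONET blocks network access while parsing. LIBXML_NOENT is
    // deliberately NOT passed, so entities are never substituted.
    // (For SimpleXML the equivalent is
    //  simplexml_load_string($xml, SimpleXMLElement::class, LIBXML_NONET).)
    $ok = $doc->loadXML($xml, LIBXML_NONET | LIBXML_NOCDATA);
    $errors = libxml_get_errors();
    libxml_clear_errors();
    libxml_use_internal_errors($previous);
    if (!$ok) {
        $msg = isset($errors[0]) ? trim($errors[0]->message) : 'unknown error';
        throw new InvalidArgumentException("invalid XML: $msg");
    }
    return $doc;
}

// Constructed inputs: a normal document and one that declares an external entity.
$benign  = '<order><item sku="A1">2</item></order>';
$withDtd = '<!DOCTYPE x [<!ENTITY e SYSTEM "file:///path/on/server">]><x>&e;</x>';

$doc = parseUntrustedXml($benign);
echo $doc->getElementsByTagName('item')->item(0)->getAttribute('sku'), PHP_EOL; // A1

try {
    parseUntrustedXml($withDtd);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;  // rejected: DOCTYPE not allowed
}
```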
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.6. File inclusion vulnerabilities</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points</p>
Whether the parameter is user-controllable
Whether functions such as include, require, include_once, require_once are present.
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">File inclusion is about the fastest way to get a shell, so it usually deserves focused attention.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">It comes down to the four functions include, require, include_once and require_once: search the whole project for them, go through each hit, trace back and check whether the variable is controllable.</p>
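The controllable-parameter include the audit traces back to, beside a version where the parameter only selects from a fixed map, as an added example that is not code from the original post. The page directory is created under the system temp directory so the script runs stand-alone.

```php
<?php
// Added example, not code from the original post: the "page=" include the
// audit looks for, beside a version that maps the parameter to a fixed list
// of files. The page directory is constructed in the temp dir.
declare(strict_types=1);

// Vulnerable: the request parameter becomes part of the include path, so
// "../" sequences or stream wrappers in it decide what gets executed.
function includePageVulnerable(string $pageDir, string $page): void
{
    include $pageDir . '/' . $page . '.php';
}

// Hardened: the parameter is only a key into a whitelist. The value itself
// never reaches the path, so traversal, null bytes and wrappers are moot.
function resolvePage(string $pageDir, string $page): string
{
    $pages = [
        'home'    => 'home.php',
        'about'   => 'about.php',
        'contact' => 'contact.php',
    ];
    if (!array_key_exists($page, $pages)) {
        throw new InvalidArgumentException("unknown page: $page");
    }
    return $pageDir . '/' . $pages[$page];
}

function includePageSafe(string $pageDir, string $page): void
{
    include resolvePage($pageDir, $page);
}

// Constructed layout: one real page file in a temp directory.
$pageDir = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($pageDir);
file_put_contents("$pageDir/home.php", "<?php echo \"home page\\n\";");

includePageSafe($pageDir, 'home');                 // home page
foreach (['../../../../etc/passwd', 'php://filter/resource=home', 'home/../home'] as $p) {
    try {
        includePageSafe($pageDir, $p);
    } catch (InvalidArgumentException $e) {
        echo $e->getMessage(), "\n";               // unknown page: ...
    }
}
unlink("$pageDir/home.php");
rmdir($pageDir);
```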
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.7. File upload vulnerabilities</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points</p>
Whether the type of the uploaded file is checked
Whether the upload path is restricted
Whether the file is renamed
Whether the file size is limited
Whether the file path is returned or is easy to guess
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Some projects wrap file upload and download, so you can search the whole project for functions related to upload and file to see whether they are wrapped:</p>
function upload
function file
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If they are wrapped, inspect the wrapper functions for the issues listed in the audit points above.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">If not, it is usually the move_uploaded_file function: search for it globally and trace back to check whether those issues exist. (Combining white-box and black-box testing works best here.)</p>
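A move_uploaded_file() wrapper that covers the five audit points listed above, as an added example that is not code from the original post. UPLOAD_DIR is a hypothetical directory assumed to be outside the web root; the validation half is exercised here on constructed temp files, while the storage half needs a real HTTP upload.

```php
<?php
// Added example, not code from the original post. A move_uploaded_file()
// wrapper applying the five audit points. UPLOAD_DIR is hypothetical and
// assumed to be outside the web root; the demo below only runs validation.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/uploads';
const MAX_UPLOAD_BYTES = 2 * 1024 * 1024;
const ALLOWED_IMAGE_TYPES = ['image/png' => 'png', 'image/jpeg' => 'jpg', 'image/gif' => 'gif'];

// Checks one $_FILES entry and returns the extension to store it under.
function validateImageUpload(array $file): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed, code ' . ($file['error'] ?? 'none'));
    }
    if (($file['size'] ?? 0) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Type from the content, not from $file['type'] (client-supplied) and not
    // from the extension of $file['name'] (also client-supplied).
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_IMAGE_TYPES[$mime])) {
        throw new RuntimeException("type $mime not allowed");
    }
    return ALLOWED_IMAGE_TYPES[$mime];
}

// Stores the file under a random name and returns an opaque id, not a path.
function storeImageUpload(array $file): string
{
    $ext = validateImageUpload($file);
    $id = bin2hex(random_bytes(16));               // original name is discarded
    $target = UPLOAD_DIR . '/' . $id . '.' . $ext; // fixed directory, no user input
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        throw new RuntimeException('could not store file');
    }
    chmod($target, 0644);                          // never executable
    return $id;
}

// Constructed uploads: a real PNG signature, and PHP code renamed to .png.
function fakeUpload(string $name, string $content): array
{
    $tmp = tempnam(sys_get_temp_dir(), 'up');
    file_put_contents($tmp, $content);
    return ['name' => $name, 'type' => 'image/png', 'tmp_name' => $tmp,
            'error' => UPLOAD_ERR_OK, 'size' => strlen($content)];
}

foreach ([
    fakeUpload('avatar.png', "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16)),
    fakeUpload('avatar.php.png', "<?php echo 1;"),
] as $upload) {
    try {
        echo $upload['name'], ': accepted as .', validateImageUpload($upload), "\n";
    } catch (RuntimeException $e) {
        echo $upload['name'], ': ', $e->getMessage(), "\n";
    }
    unlink($upload['tmp_name']);
}
```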
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.8. Variable overwrite</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points</p>
Whether functions that cause variable overwrite are present, for example extract(), parse_str(), import_request_variables and $$.
Whether a complete, exploitable attack chain exists.
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Usually it is just these functions and keywords</p>
extract
parse_str
import_request_variables
mb_parse_str
$$
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">There is also one special configuration that can cause variable overwrite:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">register_globals global variable overwrite</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">php.ini has an option called register_globals, which registers global variables. When register_globals=On, submitted values are registered directly as global variables and used as such; when register_globals=Off, we have to fetch them from the specific superglobal arrays.</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/43355c9492824d29938d450d503154d2~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=i45UcmDTNuj1pZJlyvrCCv7%2BAcs%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Note: register_globals has been deprecated since PHP 5.3.0 and removed since PHP 5.4.0.</strong></p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">When register_globals=On and a variable is used without being initialized while the user can control it, a variable overwrite vulnerability exists:</p>
<?php
// $a is never initialized here; with register_globals=On it is filled from the request.
echo "Register_globals: " . (int)ini_get("register_globals") . "<br/>";
if ($a) {
    echo "Hacked!";
}
?>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Supply the value of variable a via GET and POST:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/faca1d8875d5466e931a4a379894ba51~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=6iXA%2F8rVRPA8MHoGLAAeckh7fxo%3D" style="width: 50%; margin-bottom: 20px;"></div>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Of course, it can also be supplied from the COOKIE:</p>
<div style="color: black; text-align: left; margin-bottom: 10px;"><img src="https://p3-sign.toutiaoimg.com/tos-cn-i-qvj2lq49k0/b12bfce5846846ac892eeb082acaf603~noop.image?_iz=58558&from=article.pc_detail&lk3s=953192f4&x-expires=1729838913&x-signature=mwkJe5HsXb5I7syLKYc5Jc3i2X0%3D" style="width: 50%; margin-bottom: 20px;"></div>
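The register_globals behaviour above reproduced with extract(), which is what the keyword list catches in current code, beside a version that cannot be clobbered, as an added example that is not code from the original post. The request array is constructed.

```php
<?php
// Added example, not code from the original post: the register_globals
// behaviour above reproduced with extract(), beside a function that reads
// only the keys it expects. The request array is constructed.
declare(strict_types=1);

// Vulnerable: extract() registers every request key as a local variable, so
// a request containing is_admin=1 overwrites the flag set just before it
// (the default mode is EXTR_OVERWRITE). parse_str() into the current scope
// behaved the same way before PHP 8 required the result array argument.
function renderDashboardVulnerable(array $request): string
{
    $is_admin = false;
    extract($request);
    return $is_admin ? 'admin panel' : 'user dashboard';
}

// Least bad use of extract(): EXTR_SKIP never overwrites an existing variable,
// but unexpected keys still become variables, so prefer the version below.
function renderDashboardSkip(array $request): string
{
    $is_admin = false;
    extract($request, EXTR_SKIP);
    return $is_admin ? 'admin panel' : 'user dashboard';
}

// Hardened: privilege comes from the server-side session, and request keys are
// read explicitly from the array and validated, never turned into variables.
function renderDashboardSafe(array $request, array $currentUser): string
{
    $isAdmin = ($currentUser['role'] ?? '') === 'admin';
    $tab = $request['tab'] ?? 'overview';
    if (!in_array($tab, ['overview', 'orders'], true)) {
        $tab = 'overview';
    }
    return ($isAdmin ? 'admin panel' : 'user dashboard') . " / $tab";
}

// Constructed request, e.g. ?tab=orders&is_admin=1
$request = ['tab' => 'orders', 'is_admin' => '1'];
$currentUser = ['role' => 'user'];

echo renderDashboardVulnerable($request), PHP_EOL;        // admin panel
echo renderDashboardSkip($request), PHP_EOL;              // user dashboard
echo renderDashboardSafe($request, $currentUser), PHP_EOL; // user dashboard / orders
```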
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.9. Code execution vulnerabilities</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points</p>
Whether disable_functions in php.ini disables any functions.
Whether sensitive code-execution functions are present.
Whether the input variable is controllable.
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Search the whole project for the keywords below and trace back whether the parameters are controllable.</p>
eval
assert
preg_replace
create_function
array_map
call_user_func
call_user_func_array
array_filter
usort
uasort
$a($b) (dynamic function call)
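The dynamic-call pattern the keyword list points at (call_user_func with a request-supplied name, and preg_replace used for code), beside hardened forms and a check for the disable_functions audit point, as an added example that is not code from the original post. Actions and inputs are constructed.

```php
<?php
// Added example, not code from the original post: a request-named callback
// beside a whitelisted dispatcher, preg_replace_callback in place of the old
// /e modifier, and a check against php.ini disable_functions.
declare(strict_types=1);

// Vulnerable: the function name itself comes from the request, so any function
// in the process, built-in or user-defined, can be invoked with $arg.
function runActionVulnerable(string $action, string $arg): mixed
{
    return call_user_func($action, $arg);
}

// Hardened: the request only selects a key; the callables are fixed in code.
function runActionSafe(string $action, string $arg): mixed
{
    $actions = [
        'upper' => fn(string $s): string => strtoupper($s),
        'slug'  => fn(string $s): string =>
            trim(strtolower(preg_replace('/[^a-z0-9]+/i', '-', $s)), '-'),
    ];
    if (!isset($actions[$action])) {
        throw new InvalidArgumentException("unknown action: $action");
    }
    return $actions[$action]($arg);
}

// preg_replace with the /e modifier evaluated the replacement as PHP (removed
// in PHP 7); preg_replace_callback with a closure does the job without eval.
function expandPlaceholders(string $template, array $vars): string
{
    return preg_replace_callback(
        '/\{\{(\w+)\}\}/',
        fn(array $m): string => htmlspecialchars((string)($vars[$m[1]] ?? ''), ENT_QUOTES, 'UTF-8'),
        $template
    );
}

// First audit point: is a function both defined and not in disable_functions?
function isFunctionUsable(string $name): bool
{
    $disabled = array_map('trim', explode(',', (string)ini_get('disable_functions')));
    return function_exists($name) && !in_array($name, $disabled, true);
}

echo runActionSafe('slug', 'Hello World!'), "\n";                      // hello-world
echo expandPlaceholders('Hi {{name}}', ['name' => '<b>x</b>']), "\n";  // Hi &lt;b&gt;x&lt;/b&gt;
var_dump(isFunctionUsable('exec'));                                    // depends on php.ini
try {
    runActionSafe('phpinfo', '');
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";                                       // unknown action: phpinfo
}
```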
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.10. Command execution vulnerabilities</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points</p>
Whether the parameter is user-controllable
Whether a global filter is configured, and whether its rules meet the security standard
Whether every command-execution parameter passes through the filter or is restricted by a whitelist
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Search the whole project for the keywords below and trace back whether the parameters are controllable.</p>
exec
passthru
proc_open
shell_exec
system
pcntl_exec
popen
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">` (a variable wrapped in backticks is executed as well)</p>
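A host-lookup feature as the keyword list finds it (shell_exec with an interpolated variable), beside the whitelist check from the audit points and a proc_open() call in argv form that never involves a shell, as an added example that is not code from the original post. It assumes PHP 7.4 or later for the array form of proc_open(); the hosts are constructed.

```php
<?php
// Added example, not code from the original post: shell_exec with an
// interpolated parameter, beside a whitelist check plus proc_open() in argv
// form (PHP >= 7.4), which never starts /bin/sh. Hosts are constructed.
declare(strict_types=1);

// Vulnerable: shell metacharacters in $host are interpreted by /bin/sh.
function lookupHostVulnerable(string $host): string
{
    return (string)shell_exec("host $host");
}

// Whitelist for the argument: hostnames and IPv4 literals only, and no
// leading "-" so the value cannot be parsed as an option by the program.
function assertValidHost(string $host): void
{
    if (preg_match('/^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$/', $host) !== 1) {
        throw new InvalidArgumentException("invalid host: $host");
    }
}

// Runs argv without a shell; returns [exit code, stdout].
function runWithoutShell(array $argv): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['pipe', 'w']];
    $proc = proc_open($argv, $spec, $pipes);   // array form: no shell involved
    if (!is_resource($proc)) {
        throw new RuntimeException('could not start process');
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    fclose($pipes[2]);
    return [proc_close($proc), $out];
}

function lookupHostSafe(string $host): string
{
    assertValidHost($host);
    [$code, $out] = runWithoutShell(['host', $host]);
    return $code === 0 ? $out : '';
}

// If a shell string is unavoidable, the validated value still gets quoted:
//   $cmd = 'host ' . escapeshellarg($host);

// Constructed inputs; only validation runs, no lookups are performed.
foreach (['example.com', '203.0.113.10', 'example.com; id', '-v', '$(whoami)'] as $h) {
    try {
        assertValidHost($h);
        echo "valid    $h\n";
    } catch (InvalidArgumentException $e) {
        echo "rejected $h\n";
    }
}
[$code, $out] = runWithoutShell(['printf', '%s', 'no shell here']);
echo "$code: $out\n";                                  // 0: no shell here
```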
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.11. Arbitrary file download/read vulnerability audit</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points</p>
Whether special characters such as ../, . and ..\ are filtered.
Whether the parameter is user-controllable
Whether a relative or absolute path is configured.
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Search for these keywords and check whether the variable is controllable and whether it is filtered</p>
fgets
fgetss
file_get_contents
readfile
parse_ini_file
highlight_file
file
fopen
fread
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;"><strong style="color: blue;">Tip:</strong> A couple of days ago I ran into a case that filtered regex matches like config/database.php and also filtered .., to prevent directory traversal and reading files from other directories on the server, but it did not filter a single .</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">So I used config/./database.php to get past the regex and read the sensitive file out anyway...</p>
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.12. Arbitrary file deletion</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Same as the download case above,</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">only the search keywords change:</p>
rmdir
unlink
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.13. Arbitrary file write</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Still the same; the keywords are</p>
copy
file_put_contents
fwrite
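One containment check shared by the read, delete and write cases of 6.2.11 to 6.2.13, as an added example that is not code from the original post. It compares resolved real paths instead of blacklisting characters, so the config/./database.php spelling from the Tip above is caught along with plain ../ and symlinks; it assumes PHP 8, and the directory layout is constructed in the temp directory.

```php
<?php
// Added example, not code from the original post, covering 6.2.11 to 6.2.13:
// one containment check run before readfile(), unlink() or file_put_contents().
// It compares resolved real paths rather than blacklisting "../", so the
// "config/./database.php" spelling from the Tip is caught too. Assumes PHP 8;
// the directory layout is constructed in the temp dir.
declare(strict_types=1);

// Canonical path of $relative inside $baseDir (target must exist), or throws.
function resolveInside(string $baseDir, string $relative): string
{
    $base = realpath($baseDir);
    if ($base === false) {
        throw new RuntimeException('base directory missing');
    }
    if (str_contains($relative, "\0")) {
        throw new InvalidArgumentException('null byte in path');
    }
    // realpath() resolves ".", ".." and symlinks, so the comparison below is on
    // where the file really is, not on how the string was spelled.
    $real = realpath($base . DIRECTORY_SEPARATOR . $relative);
    if ($real === false) {
        throw new InvalidArgumentException('no such path');
    }
    if ($real !== $base && !str_starts_with($real, $base . DIRECTORY_SEPARATOR)) {
        throw new InvalidArgumentException('path escapes base directory');
    }
    return $real;
}

function readUserFile(string $baseDir, string $relative): string
{
    $path = resolveInside($baseDir, $relative);
    if (!is_file($path)) {
        throw new InvalidArgumentException('not a file');
    }
    return (string)file_get_contents($path);
}

function deleteUserFile(string $baseDir, string $relative): void
{
    $path = resolveInside($baseDir, $relative);
    if (!is_file($path)) {
        throw new InvalidArgumentException('not a file');
    }
    unlink($path);
}

// For writes the target may not exist yet: resolve its directory, keep the name.
function writeUserFile(string $baseDir, string $relative, string $data): void
{
    $name = basename($relative);
    if ($name === '' || $name === '.' || $name === '..' || str_contains($name, "\0")) {
        throw new InvalidArgumentException('bad file name');
    }
    $dir = resolveInside($baseDir, dirname($relative));
    file_put_contents($dir . DIRECTORY_SEPARATOR . $name, $data);
}

// Constructed layout: only <root>/public may be touched by user-supplied paths.
$root = sys_get_temp_dir() . '/app_' . bin2hex(random_bytes(4));
mkdir("$root/public/docs", 0755, true);
mkdir("$root/config");
file_put_contents("$root/public/docs/readme.txt", "public\n");
file_put_contents("$root/config/database.php", "<?php // secret\n");

foreach (['docs/readme.txt', 'docs/./readme.txt', '../config/database.php',
          'docs/../../config/./database.php'] as $requested) {
    try {
        echo "$requested => ", trim(readUserFile("$root/public", $requested)), "\n";
    } catch (InvalidArgumentException $e) {
        echo "$requested => rejected (", $e->getMessage(), ")\n";
    }
}
writeUserFile("$root/public", 'docs/new.txt', "hello\n");   // allowed
deleteUserFile("$root/public", 'docs/new.txt');             // allowed
```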
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.14. Session authentication vulnerabilities</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Session authentication vulnerabilities actually span a wide area, such as cookies, sessions, SSO and OAuth. Most commonly the vulnerability is in the cookie: the server uses data from the cookie directly without validating it, or, second, the encrypted data in the cookie is predictable.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Audit points</p>
Whether the encrypted data in the cookie is predictable.
Whether the data in the cookie is predictable.
Whether the server relies solely on the cookie to determine the user's identity.
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Search the whole project for the cookie generation logic, judge whether it is predictable, and whether user identity depends only on the cookie rather than on a random value; for example:</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Authentication is decided solely by the userid in the cookie; if I iterate over userid, I can achieve login bypass or privilege escalation.</p>
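The "userid in the cookie" design from the paragraph above beside two fixes that address the audit points (an unpredictable server-side session id, and an HMAC verified before cookie data is trusted), as an added example that is not code from the original post. The secret and the session store are constructed for the demo.

```php
<?php
// Added example, not code from the original post: the "userid in the cookie"
// design beside an opaque random session id mapped to the user server-side
// and, where data must ride in the cookie, an HMAC verified before use.
// The secret and the in-memory store are constructed for the demo.
declare(strict_types=1);

// Vulnerable: identity is whatever number the client sends, so iterating the
// value is exactly the login bypass / privilege escalation described above.
function currentUserVulnerable(array $cookies): ?int
{
    return isset($cookies['userid']) ? (int)$cookies['userid'] : null;
}

// Fix 1: the cookie holds an unguessable id; the user mapping lives server-side.
final class SessionStore
{
    private array $sessions = [];   // stand-in for Redis, a DB, or PHP sessions

    public function create(int $userId): string
    {
        $sid = bin2hex(random_bytes(32));  // 256 random bits, unrelated to the user
        $this->sessions[$sid] = $userId;
        return $sid;
    }

    public function userFor(?string $sid): ?int
    {
        return $sid !== null ? ($this->sessions[$sid] ?? null) : null;
    }
}

// Fix 2: if application data must be in the cookie, authenticate it.
function signCookie(array $data, string $secret): string
{
    $payload = base64_encode(json_encode($data, JSON_THROW_ON_ERROR));
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

function readSignedCookie(?string $cookie, string $secret): ?array
{
    if ($cookie === null || substr_count($cookie, '.') !== 1) {
        return null;
    }
    [$payload, $mac] = explode('.', $cookie);
    if (!hash_equals(hash_hmac('sha256', $payload, $secret), $mac)) {
        return null;   // tampered or forged: the data is never decoded
    }
    $decoded = json_decode((string)base64_decode($payload, true), true);
    return is_array($decoded) ? $decoded : null;
}

$secret = 'constructed-demo-secret';
$store = new SessionStore();

var_dump(currentUserVulnerable(['userid' => '1']));   // int(1): anyone can claim user 1

$sid = $store->create(42);
var_dump($store->userFor($sid));                     // int(42)
var_dump($store->userFor('0001'));                   // NULL: ids are not enumerable

$cookie = signCookie(['uid' => 42, 'role' => 'user'], $secret);
var_dump(readSignedCookie($cookie, $secret)['role']);             // string(4) "user"
$forged = signCookie(['uid' => 42, 'role' => 'admin'], 'wrong-key');
var_dump(readSignedCookie($forged, $secret));                     // NULL
```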
<h1 style="color: black; text-align: left; margin-bottom: 10px;">6.2.15. Deserialization vulnerabilities</h1>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">In actual audits these are rare in projects and more common in frameworks.</p>
<p style="font-size: 16px; color: black; line-height: 40px; text-align: left; margin-bottom: 15px;">Search the whole project for serialize and check whether a controllable variable exists.</p>
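What the "controllable variable reaching unserialize" finding means in practice, and the two deserialization boundaries that remove it, as an added example that is not code from the original post. The class, the cookies and the destructor's side effect are all constructed.

```php
<?php
// Added example, not code from the original post. A class with the kind of
// __destruct a POP chain needs, beside unserialize() of untrusted data with
// allowed_classes => false and the JSON alternative. Everything is constructed.
declare(strict_types=1);

final class CacheEntry
{
    public function __construct(public string $path, public string $data = '') {}

    // Runs when the object is garbage-collected, including for objects that
    // unserialize() built from attacker-shaped input with attacker-chosen fields.
    public function __destruct()
    {
        echo "__destruct: would write to {$this->path}\n";
    }
}

// Vulnerable: any class name in the string is instantiated and its magic
// methods run with the properties the string supplied.
function loadPreferencesVulnerable(string $cookie): mixed
{
    return unserialize($cookie);
}

// Hardened: objects degrade to __PHP_Incomplete_Class, which has no magic
// methods, and anything that is not a plain array is discarded.
function loadPreferencesSafe(string $cookie): array
{
    $data = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($data) ? $data : [];
}

// Best: a format that cannot express objects at all.
function loadPreferencesJson(string $cookie): array
{
    $data = json_decode($cookie, true, 8, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// A legitimate cookie and one carrying an object where an array was expected.
$legit = serialize(['theme' => 'dark']);
$entry = new CacheEntry('/some/path', 'payload');   // kept alive until script end
$objectCookie = serialize($entry);

print_r(loadPreferencesSafe($legit));              // Array ( [theme] => dark )
print_r(loadPreferencesSafe($objectCookie));       // Array ( ): no destructor ran
print_r(loadPreferencesJson('{"theme":"dark"}'));  // Array ( [theme] => dark )
loadPreferencesVulnerable($objectCookie);          // prints "__destruct: ..." immediately
```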