测试空字节漏洞 [英] Testing null byte vulnerability

问题描述

我正在帮助我的朋友完成他的网站模块.从我看他的模块的第一印象，我发现了一些非常危险的东西，但他说这种方法是安全的.

I am helping my friend to finish his module for a website. From my first impression looking at his modules, I found some very dangerous things, but he says that this method is secure.

部分代码:

session_start();

  if(isset($_POST['foo'])) 
  {
    $_SESSION['foo'] = $_POST['foo'];
  }

  if(isset($_SESSION['foo']))
  {
    $foo['foo']  = $_SESSION['foo'];
  }

  if(is_file("inc/". $foo['foo'] . "/bar.php")) {
    // code
  }
  else {
    // code
  }

注意:文件(inc/test/bar.php)存在；

Note : file (inc/test/bar.php) exists;

我想测试他的代码，我发送了以下请求:

I wanted to test his code, and I sent the following requests :

POST :: foo => test/bar.php%00

POST :: foo => test/bar.php\0

curl_setopt($ch, CURLOPT_POSTFIELDS, 'foo=test/bar.php' .chr(0x00));

但是这些方法都没有奏效.那个密码真的安全吗?以及如何有人发送空字节来绕过它的安全性.我想向我的朋友证明他的代码不安全.

But none of these methods worked. Is that code really secure? and how could someone send a null byte to bypass it's security. I want to demonstrate to my friend that his code is not secure.

推荐答案

我发现 this 解决方案，简而言之，您的代码似乎有些脆弱，而清理方法是这样的:

I've found this solution, in short, it seems your code is somewhat vulnerable, and the sanitizing method is this:

有多种方法可以防止 PHP 中的 Poison Null Byte 注入.这些包括使用反斜杠转义 NULL 字节，但是，最推荐的方法是使用类似于以下的代码完全删除字节:

There are a number of ways to prevent Poison Null Byte injections within PHP. These include escaping the NULL byte with a backslash, however, the most recommended way to do so is to completely remove the byte by using code similar to the following:

$foo['foo']= str_replace(chr(0), '', $foo['foo']);

我也不是空字节攻击方面的专家，但这是有道理的.更多详情此处.

I'm also not an expert in null-byte attacks, but this makes sense. Even more details here.

这篇关于测试空字节漏洞的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！