测试空字节漏洞 [英] Testing null byte vulnerability
问题描述
我正在帮助我的朋友完成他的网站模块.从我看他的模块的第一印象,我发现了一些非常危险的东西,但他说这种方法是安全的.
I am helping my friend to finish his module for a website. From my first impression looking at his modules, I found some very dangerous things, but he says that this method is secure.
部分代码:
session_start();
if(isset($_POST['foo']))
{
$_SESSION['foo'] = $_POST['foo'];
}
if(isset($_SESSION['foo']))
{
$foo['foo'] = $_SESSION['foo'];
}
if(is_file("inc/". $foo['foo'] . "/bar.php")) {
// code
}
else {
// code
}
注意:文件(inc/test/bar.php)存在;
Note : file (inc/test/bar.php) exists;
我想测试他的代码,我发送了以下请求:
I wanted to test his code, and I sent the following requests :
POST :: foo => test/bar.php%00
POST :: foo => test/bar.php\0
curl_setopt($ch, CURLOPT_POSTFIELDS, 'foo=test/bar.php' .chr(0x00));
但是这些方法都没有奏效.那个密码真的安全吗?以及如何有人发送空字节来绕过它的安全性.我想向我的朋友证明他的代码不安全.
But none of these methods worked. Is that code really secure? and how could someone send a null byte to bypass it's security. I want to demonstrate to my friend that his code is not secure.
推荐答案
我发现 this 解决方案,简而言之,您的代码似乎有些脆弱,而清理方法是这样的:
I've found this solution, in short, it seems your code is somewhat vulnerable, and the sanitizing method is this:
有多种方法可以防止 PHP 中的 Poison Null Byte 注入.这些包括使用反斜杠转义 NULL 字节,但是,最推荐的方法是使用类似于以下的代码完全删除字节:
There are a number of ways to prevent Poison Null Byte injections within PHP. These include escaping the NULL byte with a backslash, however, the most recommended way to do so is to completely remove the byte by using code similar to the following:
$foo['foo']= str_replace(chr(0), '', $foo['foo']);
我也不是空字节攻击方面的专家,但这是有道理的.更多详情此处.
I'm also not an expert in null-byte attacks, but this makes sense. Even more details here.
这篇关于测试空字节漏洞的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!