# Code Audit

Source: <https://cloud.tencent.com/developer/article/1036569>

PHP code audit tools can roughly be divided into two categories:

1. Static automated
2. Dynamic automated

## **Static automated**

Static automation refers to automated tools that run static semantic analysis (and similar steps) over the code and finally report potential security flaws; some tools instead discover security risks through regular-expression matching. A common example of this category is [RIPS](http://rips-scanner.sourceforge.net/); the version whose source code has been released can be found on GitHub.

### **1. DVWA**

[Official download](http://www.dvwa.co.uk/) [GitHub download](https://github.com/ethicalhack3r/DVWA)

Required DVWA configuration:

Copy DVWA\\config\\config.inc.php.dist into the same directory, rename it to config.inc.php, and edit config.inc.php as follows:

```php
$_DVWA[ 'db_server' ]   = '127.0.0.1';
$_DVWA[ 'db_user' ]     = 'root';
$_DVWA[ 'db_password' ] = '';
$_DVWA[ 'recaptcha_public_key' ]  = '6LdK7xITAAzzAAJQTfL7fu6I-0aPl8KHHieAT_yJg';
$_DVWA[ 'recaptcha_private_key' ] = '6LdK7xITAzzAAL_uw9YXVUOPoIHPZLfw2K1n5NVQ';
// Adjustable; defaulting to the lowest level is convenient for getting started
$_DVWA[ 'default_security_level' ] = 'low';
```

Before installing, a few php.ini defaults usually need to be changed:

```ini
; allow including remote files
allow_url_fopen = On
allow_url_include = On
; if PHP <= 5.4, configure it to allow SQL injection
safe_mode = off
magic_quotes_gpc = off
; optional: hide PHP warning messages so the output is less verbose
display_errors = off
```

SQL injection does not work on PHP v5.2.6+. If you are using PHP v5.2.6 or above, you need to do the following for SQL injection and the other vulnerabilities to work.

In `.htaccess`, replace

```apache
<IfModule mod_php5.c>
    php_flag magic_quotes_gpc off
    #php_flag allow_url_fopen on
    #php_flag allow_url_include on
</IfModule>
```

with

```apache
<IfModule mod_php5.c>
    magic_quotes_gpc = Off
    allow_url_fopen = On
    allow_url_include = On
</IfModule>
```

Once configured, open the home page and click the "Create / Reset Database" button to install.

Login account: admin, password: password

In the DVWA Security menu, set the security level to low.

![](https://img.kancloud.cn/2d/1e/2d1e5dec7e6c79defcada6a175641958_926x200.png)

Injection test:

```
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=%27+union+select+user%2Cpassword+from+users%23&Submit=Submit
```

```
http://127.0.0.1/dvwa/vulnerabilities/sqli/?id=1'%20and(select%201%20from(select%20count(*),concat((select%20(select%20concat(0x7e,0x27,unhex(Hex(cast(database()%20as%20char))),0x27,0x7e))%20from%20information_schema.tables%20limit%200,1),floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x)a)%20and%20'1'='1&Submit=Submit#
// the SQL decodes to
1' and(select 1 from(select count(*),concat((select (select concat(0x7e,0x27,unhex(Hex(cast(database() as char))),0x27,0x7e)) from information_schema.tables limit 0,1),floor(rand(0)*2))x from information_schema.tables group by x)a) and '1'='1
// 0x7e is the hex for ~, 0x27 is the hex for '
// output: Duplicate entry '~'dvwa'~1' for key ''
```

**Command injection not working?**

Apache may not have enough privileges to run commands on the web server. If you are running DVWA under Linux, make sure you are logged in as root. Under Windows, log in as Administrator.

---

### [**2. ZVulDrill**](https://github.com/710leo/ZVulDrill)

Besides RIPS, there are some other open-source tools, as well as third-party libraries that help with semantic analysis:

### [**3. phpvulhunter**](https://github.com/OneSourceCat/phpvulhunter)

### [**4. Cobra-W**](https://github.com/LoRexxar/Cobra-W)

### [**5. PHP-Parser**](https://github.com/nikic/PHP-Parser)

### [**6. rips**](https://github.com/ripsscanner/rips)

### [**7. rips-scanner**](https://github.com/robocoder/rips-scanner)

### [**8. progpilot**](https://github.com/designsecurity/progpilot)

## **Dynamic automated**

Dynamic automation in PHP is generally implemented as a PHP extension that hooks sensitive functions at the engine level and backtraces when a sensitive function is called; it is called dynamic partly because it depends on user interaction to drive the code. This approach is somewhat harder to use than static automation, but its accuracy is much higher. A few common tools:

- [taint](https://github.com/laruence/taint)
- [prvd](https://github.com/fate0/prvd)
- [xmark](https://github.com/fate0/xmark)

taint is perhaps not a standard code audit tool in itself, but with taint one can build an excellent PHP code audit tool; part of the implementation of prvd, the second recommendation, is also very similar to taint.

Among the tools recommended above, some are ready to use out of the box and others help you build your own; pick whichever fits your needs.

PHP's [Taint module](https://www.php.net/manual/en/book.taint.php)
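The static tools above (RIPS and its relatives) and the dynamic taint extensions share one core idea: user input from a source such as `$_GET` is "tainted", taint follows assignments, and a tainted value reaching a sink such as `mysqli_query` or `shell_exec` is a finding. The toy tracker below is an added example, not code from RIPS, taint or any project listed here; it works line by line with regular expressions (the simplest form of the static approach) rather than a real PHP parser, and it assumes that any call to one of the listed sanitizers in an assignment's right-hand side clears the taint. The DVWA-style PHP snippets are constructed for the example, not DVWA's actual source.

```python
import re

# Sources, sinks and sanitizers for this toy model (an assumption, not a complete list).
SOURCES = ("$_GET", "$_POST", "$_REQUEST", "$_COOKIE")
SINKS = {"mysqli_query", "mysql_query", "system", "exec", "shell_exec",
         "passthru", "eval", "include", "require"}
SANITIZERS = {"intval", "mysqli_real_escape_string", "escapeshellarg", "htmlspecialchars"}

ASSIGN_RE = re.compile(r'^\s*(\$\w+)\s*=\s*(.+?);\s*$')  # $var = <expr>;
VAR_RE = re.compile(r'\$\w+')                              # PHP variables, incl. in "..." strings
CALL_RE = re.compile(r'\b(\w+)\s*\(')                      # function name before "("


def find_taint(php_source):
    """Return a list of (line_no, sink_name, tainted_variable) findings."""
    tainted = set()
    findings = []
    for lineno, line in enumerate(php_source.splitlines(), 1):
        # 1. Report every tainted variable that appears on a line calling a sink.
        for name in CALL_RE.findall(line):
            if name in SINKS:
                findings.extend((lineno, name, v) for v in VAR_RE.findall(line) if v in tainted)
        # 2. Propagate taint through simple assignments.
        m = ASSIGN_RE.match(line)
        if not m:
            continue
        lhs, rhs = m.group(1), m.group(2)
        from_source = any(s in rhs for s in SOURCES)
        from_tainted = any(v in tainted for v in VAR_RE.findall(rhs))
        sanitized = bool(set(CALL_RE.findall(rhs)) & SANITIZERS)  # coarse: any sanitizer clears
        if (from_source or from_tainted) and not sanitized:
            tainted.add(lhs)
        else:
            tainted.discard(lhs)  # reassigned from a clean expression
    return findings


# Constructed DVWA-style snippets: the "low" pattern and an intval()-hardened version.
VULNERABLE = """<?php
$id = $_REQUEST['id'];
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($conn, $query);
"""
HARDENED = """<?php
$id = intval($_REQUEST['id']);
$query = "SELECT first_name, last_name FROM users WHERE user_id = '$id';";
$result = mysqli_query($conn, $query);
"""

if __name__ == "__main__":
    print(find_taint(VULNERABLE))  # [(4, 'mysqli_query', '$query')]
    print(find_taint(HARDENED))    # []
```

A parser-based tool such as RIPS or progpilot resolves the same source-to-sink flow through function calls, arrays and control flow, which this line-oriented model deliberately ignores.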