Research, technology and news on the PHP language, PHP extensions and the Zend engine – 左手代码 右手诗

14 Feb 12 PHP Taint – An extension for detecting XSS/SQL/Shell injection vulnerabilities

Some time ago Xiaodun suggested an idea to me: analyze code at the PHP language level to find code that might contain injection vulnerabilities. At the time I had no time for it, and honestly I also didn't know where to start.

Then, last week, I came across this RFC: RFC: Taint.

The problem with that RFC is that it requires patching PHP and modifies PHP's own data structures, which makes maintaining and upgrading PHP later very inconvenient and also carries some risk.

Even so, the RFC gave me an idea, and I went on to write this extension: Taint Extension

Using the extension is simple (currently only PHP 5.2.6 ~ 5.3.10 is supported):

After downloading the source, compile and install it, then enable the extension in php.ini (it is recommended not to enable this extension in production):

With the extension enabled, if data from $_GET, $_POST or $_COOKIE is used *directly* (without escaping or security filtering) in certain sensitive functions (or statements: echo, print, system, exec, etc.) or at output points, Taint will warn you:

    <?php
    $a = $_GET['a'];          // request input: tainted from here on

    $file_name = '/tmp' .  $a;
    $output    = "Welcome, {$a} !!!";
    $var       = "output";
    $sql       = "Select *  from " . $a;
    $sql      .= "ooxx";      // concatenation keeps the taint

    echo $output;
    //Warning: main(): Attempt to echo a string which might be tainted in xxx.php on line x

    print $$var;
    //Warning: main(): Attempt to print a string which might be tainted  in xxx.php on line x

    include $file_name;       // the statement the next warning refers to
    //Warning: include() [function.include]: File path contains data that might be tainted in xxx.php on line x

    mysql_query($sql);        // the call the next warning refers to
    //Warning: mysql_query() [function.mysql-query]: First argument contains data that might be tainted in xxx.php on line x
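As an added example (not code from the Taint extension or from this post), here is a small Python model of the rule the post describes: a string that originates in request input carries a taint bit, string building (concatenation, interpolation, .=) keeps it, an escaping function clears it, and a sensitive sink warns when its argument is still tainted. It replays the post's script (echo, include, mysql_query) and adds an escaped echo that passes; the names T, request_input, sink and run_script are mine.

```python
import html

class T(str):
    """str subclass carrying a taint flag that survives string building."""

    def __new__(cls, value, tainted=False):
        s = super().__new__(cls, value)
        s.tainted = tainted
        return s

    def __add__(self, other):      # $tainted . "lit"
        return T(str(self) + str(other), self.tainted or is_tainted(other))

    def __radd__(self, other):     # "lit" . $tainted
        return T(str(other) + str(self), self.tainted or is_tainted(other))

    def format(self, *args, **kw):  # models "Welcome, {$a} !!!" interpolation
        return T(str.format(self, *args, **kw),
                 any(is_tainted(x) for x in list(args) + list(kw.values())))

def is_tainted(value):
    return getattr(value, "tainted", False)

def request_input(get, key):
    """$_GET[$key]: every value read from the request starts out tainted."""
    return T(get[key], tainted=True)

def htmlspecialchars(value):
    """An escaping function: its result is considered safe again."""
    return T(html.escape(str(value), quote=True), tainted=False)

def sink(name, value, warnings):
    """A sensitive statement or function: warn when its input is tainted."""
    if is_tainted(value):
        warnings.append("%s: argument might be tainted" % name)

def run_script(get):
    """Replay of the post's script; returns the warnings Taint would raise."""
    warnings = []
    a = request_input(get, "a")                 # constructed $_GET input
    file_name = "/tmp" + a                      # '/tmp' . $a
    output = T("Welcome, {} !!!").format(a)     # "Welcome, {$a} !!!"
    sql = "Select * from " + a                  # "Select * from " . $a
    sql += "ooxx"                               # .= keeps the taint
    sink("echo", output, warnings)
    sink("include", file_name, warnings)
    sink("mysql_query", sql, warnings)
    sink("echo", htmlspecialchars(a), warnings)  # escaped first: no warning
    return warnings
```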

Since PHP 5.4 is not supported yet (the 5.4 implementation depends on a new requirement I am going to discuss with Dmitry), no release package has been published; for now you can download the source directly: Taint on Github.

The example above shows basic usage; I will flesh out the documentation later....




73 Responses to “PHP Taint – An extension for detecting XSS/SQL/Shell injection vulnerabilities”


  1. phper000001 |

    After installing it, calling implode(array()) gives an error: Error:2 implode() expects exactly 2 parameters, 1 given


  4. shironghui |

    Why isn't PHP version 5.5+ supported?

  12. 雪候鸟 |

    @abcdefg Because there's no point in that; just install it in the test environment and, once the checks pass, you're done.

  13. laruence |

    @chunshiban What's the backtrace?

  17. chunshiban |

    After adding this extension, nginx + php-fpm (5.3.25) returns 502 errors, and the error_log shows
    [02-Jul-2013 16:24:54] WARNING: [pool www] child 19499 exited on signal 11 (SIGSEGV – core dumped) after 25.478646 seconds from start
    [02-Jul-2013 16:24:54] NOTICE: [pool www] child 19505 started
    [02-Jul-2013 16:33:33] WARNING: [pool www] child 19505 exited on signal 11 (SIGSEGV – core dumped) after 519.061842 seconds from start
    [02-Jul-2013 16:33:33] NOTICE: [pool www] child 19582 started
    [02-Jul-2013 16:33:34] WARNING: [pool www] child 19582 exited on signal 11 (SIGSEGV – core dumped) after 0.680379 seconds from start
    [02-Jul-2013 16:33:34] NOTICE: [pool www] child 19584 started
    [02-Jul-2013 16:33:37] WARNING: [pool www] child 19584 exited on signal 11 (SIGSEGV – core dumped) after 3.557053 seconds from start
    [02-Jul-2013 16:33:37] NOTICE: [pool www] child 19588 started
    [02-Jul-2013 16:40:48] WARNING: [pool www] child 19588 exited on signal 11 (SIGSEGV – core dumped) after 430.350555 seconds from start
    [02-Jul-2013 16:40:48] NOTICE: [pool www] child 19646 started
    [02-Jul-2013 16:51:06] WARNING: [pool www] child 19646 exited on signal 11 (SIGSEGV – core dumped) after 618.069328 seconds from start
    [02-Jul-2013 16:51:06] NOTICE: [pool www] child 19783 started

  20. xss |

    Could you point me to a detailed reference for PHP opcodes? For example, when I see an opcode like ZEND_SEND_VAR I don't know what it means. Thanks.
