Research, techniques and news on the PHP language, PHP extensions and the Zend engine – Code in the left hand, poetry in the right

18 Feb 12 Taint-0.3.0(A XSS codes sniffer) released

Over the past few days I have been squeezing in time to polish Taint, and today I feel it has finally reached the point where I am 80% satisfied; by the 80/20 rule I think that qualifies as a milestone release :) .

What is Taint? An extension for detecting XSS (tainted strings); it can also be used to spot SQL injection, shell injection and similar vulnerabilities.

In my own testing, Taint-0.3.0 detects hidden XSS, SQL injection and shell injection vulnerabilities in some real open-source products (don't ask which), and these are vulnerabilities that would be very hard to track down with a static analysis tool. Take the following example:

<?php
   $name = $_GET["name"];              // the request chooses the *name* of the variable to print
   $value = strval($_GET["tainted"]);  // strval() keeps the taint (appendix D)

   echo $$name;                        // variable variable: with ?name=value this echoes $value

For the request:


http://****.com/?name=value&tainted=xxx

a static analysis tool is usually helpless, whereas Taint reports this class of problem precisely:

Warning: main() [function.echo]:
     Attempt to echo a string that might be tainted in %s.php on line %d

0.3.0 is now released, and I do not expect to add new features in the short term. Enjoy PHP Taint.

One more thing: Taint is probably the most complex extension I have written, and it uses all kinds of tricky techniques; if you are interested in extension development it makes good advanced study material.

Appendix:

A. Tainted strings

All variables coming from $_GET, $_POST and $_COOKIE are treated as tainted strings.

B. Functions/statements checked by Taint (sinks); when one of these is called with a tainted string argument, Taint issues a warning:

1. Output functions/statements

echo
print
printf
file_put_contents

2. Filesystem functions

fopen
opendir
basename
dirname
file
pathinfo

3. Database functions/methods

mysql_query
mysqli_query
sqlite_query
sqlite_single_query
oci_parse
Mysqli::query
SqliteDataBase::query
SqliteDataBase::SingleQuery
PDO::query
PDO::prepare

4. Command execution

system
exec
proc_open
passthru
shell_exec

5. Language constructs

eval
include(_once)
require(_once)

C. Functions that clear the taint; once a tainted string has passed through one of these it is treated as a legitimate string. Note that, by this definition, clearing is unconditional: Taint does not check that the escaping function matches the sink the value later reaches (for example htmlspecialchars() silences a later mysql_query() warning without making that query safe), so a warning-free run is not proof that the escaping is correct:

escapeshellcmd
htmlspecialchars
addcslashes
addslashes
mysqli_escape_string
mysql_real_escape_string
mysql_escape_string
sqlite_escape_string
PDO::quote
Mysqli::escape_string
Mysql::real_escape_string

D. Functions/statements that preserve taint; when one of these is called with a tainted string as input, its output is tainted as well:

= (assign)
. (concat)
"{$var}" (variable substitution)
.= (assign concat)
strval
explode
implode
sprintf
vsprintf
trim (as of 0.4.0)
rtrim (as of 0.4.0)
ltrim (as of 0.4.0)
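Lists A to D amount to a policy of sources, sinks, untaint functions and propagators. The script below is an added example (it is not code from this post or from the taint extension) that exercises each of them on a small MySQL-backed page, using the PHP 5 era mysql_* functions that appear in lists B and C; each comment states what the lists above predict for that line. It assumes the taint extension is loaded, a database `demo` with a table `users`, and the credentials shown; those are assumptions for the demo, not part of Taint's API. The `1 OR 1=1` and `<script>` request values are constructed test input.

```php
<?php
/*
 * Added example, not from the original post or the taint extension's source.
 * Deploy under a web server with taint loaded (taint.enable=1) and request:
 *   demo.php?id=1+OR+1%3D1&name=%3Cscript%3Ealert(1)%3C/script%3E
 * (constructed test input). Assumptions: MySQL database "demo" with a table
 * "users", credentials demo/demo, PHP 5 mysql_* functions as in lists B/C.
 * Comments state what appendix lists A-D predict for each line.
 */
$link = mysql_connect('localhost', 'demo', 'demo') or die('connect failed'); // assumed credentials
mysql_select_db('demo', $link) or die('select_db failed');

$id   = $_GET['id'];     // A: comes from $_GET, so it is tainted
$name = $_GET['name'];   // A: tainted

// D: concatenation and sprintf preserve the taint, so the query strings
// built here are tainted too.
$sql_concat  = "SELECT id FROM users WHERE id = " . $id;
$sql_sprintf = sprintf("SELECT id FROM users WHERE id = %s", $id);

// B: mysql_query is a checked sink. Both calls warn, and both are real
// SQL injection (the request above turns the WHERE clause into 1 OR 1=1).
mysql_query($sql_concat, $link);
mysql_query($sql_sprintf, $link);

// C: mysql_real_escape_string clears the taint. Here the untaint function
// matches the sink and the value is quoted, so no warning and no injection.
$safe_id = mysql_real_escape_string($id, $link);
mysql_query("SELECT id FROM users WHERE id = '" . $safe_id . "'", $link);

// Caveat: every function in list C clears the taint regardless of the sink
// that follows. htmlspecialchars is the right untaint for echo, but it leaves
// spaces, '=' and 'OR' untouched, so this query is still injectable and
// Taint stays silent about it: the tool tracks labels, not SQL grammar.
$html_id = htmlspecialchars($id);
mysql_query("SELECT id FROM users WHERE id = " . $html_id, $link);

// Same source, HTML sink: the sanitizer matches the sink, no warning, and
// the <script> payload is rendered inert.
echo htmlspecialchars($name);

// B: echo of the raw tainted value warns
// ("Attempt to echo a string that might be tainted") and is the XSS.
echo $name;

// D: trim/ltrim/rtrim propagate taint only as of 0.4.0. Under 0.3.0 the
// value returned by trim() is a fresh, untracked string, so this echo is
// a false negative: no warning, same XSS.
echo trim($name);
```

The two mysql_query() calls in the middle are the practical lesson: the escaped-and-quoted one is both quiet and safe, while the htmlspecialchars() one is quiet and unsafe, because list C marks the value clean without regard to where it goes. Treat Taint's warnings as a high-signal finder of missing escaping, and review any untaint call whose function does not belong to the sink's own family (mysql_* escaping for mysql_query, htmlspecialchars for HTML output, escapeshellcmd for the command sinks).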

E. Links:



68 Responses to “Taint-0.3.0(A XSS codes sniffer) released”



  4. dreamans |

    I found a problem: a call like the following doesn't trigger the warning:

    $var = $_GET['var'];        // tainted source (appendix A)
    $var1 = $var . 'string';    // concatenation of the tainted value
    echo $var1;                 // sink; the line the commenter reports no warning for

    I don't know whether this can be fixed.

  5. Compiling the PHP extension Taint on Windows | Security Off |

    [...] Taint is a vulnerability-detection plugin written by PHP development team member Laruence. When compiling it on Windows you may get an error that INIT_PZVAL_COPY is undefined. Since it is not defined, we simply define it ourselves, in php_taint.h, with the following code.

    #ifndef INIT_PZVAL_COPY
    #define INIT_PZVAL_COPY(z, v) ZVAL_COPY_VALUE(z, v); Z_SET_REFCOUNT_P(z, 1); Z_UNSET_ISREF_P(z);
    #endif
    #ifndef ZVAL_COPY_VALUE
    #define ZVAL_COPY_VALUE(z, v) (z)->value = (v)->value; Z_TYPE_P(z) = Z_TYPE_P(v);
    #endif

    [...]

  15. Bookmarks | Halo |

    [...] Taint-0.3.0(A XSS codes sniffer) released | 风雪之隅 [...]


  17. sunny5156 |

    PHP Startup: Unable to load dynamic library ‘/usr/lib64/php/modules/taint.so’ – /usr/lib64/php/modules/taint.so: undefined symbol: INIT_PZVAL_COPY in Unknown on line 0

