Press "Enter" to skip to content

PHP Taint - 一个用来检测XSS/SQL/Shell注入漏洞的扩展

之前, 小顿和我提过一个想法, 就是从PHP语言层面去分析,找出一些可能的注入漏洞代码. 当时我一来没时间, 而来也确实不知道从何处下手..
直到上周的时候, 我看到了这个RFC: RFC:Taint.
但是这个RFC的问题在于, 它需要为PHP打Patch, 修改了PHP本身的数据结构, 这对于以后维护, 升级PHP来说, 很不方便, 也会有一些隐患.
虽然这样, 但这个RFC却给了我一个启发, 于是我就完成了这样的一个扩展:Taint Extension
这个扩展使用起来, 很简单(目前只支持5.2.6到5.3, 以及PHP7以上):
下载源代码以后, 编译, 安装. 然后在php.ini中要开启这个扩展(建议不要在生产环境开启这个扩展):

extension=taint.so
taint.enable=1

启用这个扩展以后, 如果在一些关键函数(或者语句: echo, print, system, exec, 等等), 或者输出的地方*直接*(没有经过转义, 安全过滤处理)使用了来自$_GET, $_POST或者$_COOKIE的数据, 则Taint就会提示你:

<?php
 $a = $_GET['a'];
 $file_name = '/tmp' .  $a;
 $output    = "Welcome, {$a} !!!";
 $var       = "output";
 $sql       = "Select *  from " . $a;
 $sql      .= "ooxx";
 echo $output;
//Warning: main(): Attempt to echo a string which might be tainted in xxx.php on line x
 print $$var;
//Warning: main(): Attempt to print a string which might be tainted  in xxx.php on line x
 include($file_name);
//Warning: include() [function.include]: File path contains data that might be tainted in xxx.php on x
 mysql_query($sql);
//Warning: mysql_query() [function.mysql-query]: First argument contains data that might be tainted in xxx.php on line x
?>

目前因为还没有支持5.4(5.4的实现方法, 要依赖于我将要和Dmitry讨论的一个新需求), 所以目前还没有发布一个下载包, 大家可以先直接从源代码下载: Taint on Github.
上面的例子显示了简单的用法, 回头我会再完善下文档....
enjoy~

79 Comments

  1. Fireworks
    Fireworks June 20, 2019

    沙发

  2. phper000001
    phper000001 March 1, 2016

    安装https://pecl.php.net/get/taint-1.2.2.tgz 之后,使用implode(array())会报错Error:2 implode() expects exactly 2 parameters, 1 given
    并且返回值是bool(false)

  3. coach factory
    coach factory December 8, 2015

    In a follow-up study, Dr. Zhang loaded the gel with immature stem cells, as well as the chemicals they needed to develop into full-fledged adult brain cells. When rats with severe brain injuries were treated with this mixture for eight weeks, they showed signs of significant recovery.
    coach factory http://coachoutletstores.hobo2015.com/

  4. coach factory
    coach factory December 8, 2015

    Instead of changing your entire diet all in one day, try making small, gradual changes. Remember, this is a lifestyle change, not just some temporary, quick fix diet. This mentality will help prevent you from getting on diets where you’re hating every second of it and feeling totally deprived.
    coach factory http://coachfactory.tote2015.com/

  5. hack someones whatsapp
    hack someones whatsapp May 21, 2015

    Using proprietary socket injection protocols, you’ll be able to intercept messages instantly from WhatsApp by utilizing a
    predefined authentication token.

  6. Hardin’s webblog now for a lot more data on immediately.
    The Federal Trade Commission(2) (FTC) goes a step further, and
    warns awawy the entrepreneur work online from home for amazon any business that offers “no risk,” “quick and easy”
    or “huge income” opportunities. If you dont have high quality content you may not draw enough
    visitors who become real customers.

  7. videoclips
    videoclips March 4, 2015

    Thank you a bunch for sharing this with all people you really recognise
    what you are talking about! Bookmarked. Kindly additionally talk over with my web site =).
    We could have a hyperlink change arrangement between us

  8. you can check here
    you can check here February 13, 2015

    I have read a few good stuff here. Definitely price bookmarking for revisiting.
    I surprise how a lot attempt you put to make the
    sort of wonderful informative site.

  9. free itunes code
    free itunes code February 12, 2015

    Instructions for how to import the bonus digital movie
    copy to your i – Tunes library should be included with the
    movie, but generally all you have to do is insert the disc into your computer, then enter a
    redemption code. People are able to successfully produce free Microsoft points codes but in reality most of these codes do not
    work. If you buy goods online, virtually every website you choose
    to carry out a transaction with will ask you whether or not you may have a
    discount voucher code.

  10. dundee property letting agents
    dundee property letting agents February 11, 2015

    Ils sont arrivés à Dundee sur la soirée du 20 Janvier 1889, et le lendemain matin ils ont loué une
    chambre au-dessus d’un bar au 43, rue Union.

  11. zdeity
    zdeity January 12, 2015

    请教下大牛,能求一份windows版的dll吗?我编译了很久都没成功。

  12. 雪候鸟
    雪候鸟 September 12, 2013

    @abcdefg 因为没有意义啊, 只要在测试环境装上, 检查通过就可以了

  13. abcdefg
    abcdefg September 11, 2013

    建议不要在生产环境开启这个扩展。为什么?

  14. chunshiban
    chunshiban July 2, 2013

    加入这个扩展后nginx + php-fpm(5.3.25)报,502错误,erro_log显示
    [02-Jul-2013 16:24:54] WARNING: [pool www] child 19499 exited on signal 11 (SIGSEGV – core dumped) after 25.478646 seconds from start
    [02-Jul-2013 16:24:54] NOTICE: [pool www] child 19505 started
    [02-Jul-2013 16:33:33] WARNING: [pool www] child 19505 exited on signal 11 (SIGSEGV – core dumped) after 519.061842 seconds from start
    [02-Jul-2013 16:33:33] NOTICE: [pool www] child 19582 started
    [02-Jul-2013 16:33:34] WARNING: [pool www] child 19582 exited on signal 11 (SIGSEGV – core dumped) after 0.680379 seconds from start
    [02-Jul-2013 16:33:34] NOTICE: [pool www] child 19584 started
    [02-Jul-2013 16:33:37] WARNING: [pool www] child 19584 exited on signal 11 (SIGSEGV – core dumped) after 3.557053 seconds from start
    [02-Jul-2013 16:33:37] NOTICE: [pool www] child 19588 started
    [02-Jul-2013 16:40:48] WARNING: [pool www] child 19588 exited on signal 11 (SIGSEGV – core dumped) after 430.350555 seconds from start
    [02-Jul-2013 16:40:48] NOTICE: [pool www] child 19646 started
    [02-Jul-2013 16:51:06] WARNING: [pool www] child 19646 exited on signal 11 (SIGSEGV – core dumped) after 618.069328 seconds from start
    [02-Jul-2013 16:51:06] NOTICE: [pool www] child 19783 started
    core文件在这里http://soft.chunshiban.com/linux/script/core-php-fpm.19588

  15. 秋风
    秋风 June 17, 2013

    鸟哥,源码地址给错了,应该是这个吧?https://github.com/laruence/php-taint

  16. 秋风
    秋风 June 17, 2013

    鸟哥,源码地址给错了,应该是这个吧?https://github.com/laruence/php-taint

  17. xss
    xss May 27, 2013

    博主你好:
    能否指教一下 哪里可以找到php opcode的详解?比如看到ZEND_SEND_VAR这样的opcode不知道代表什么意思?谢谢

  18. scfood
    scfood March 14, 2013

    我也无法下载,怎么弄啊!

  19. hell
    hell August 30, 2012

    不能应用于 win 版本 无奈啊 鸟哥 封装成 win 下扩展呗

  20. […] 这里的关键在于第四步,因为服务器端可能会做一些限制,比如encode或者长度限制,测试的时候需要想办法看看是否能绕过限制。 这种类型的XSS漏洞,用白盒的方法也比较容易发现。我司有一款牛逼工具可以通过追踪输出变量,看在赋值过程中是否有被编码来判断是否存在注入,少有误报(但有漏报:D),PHP有款开源的扩展做的也是类似的事情,点击看PHP Taint – 一个用来检测XSS/SQL/Shell注入漏洞的扩展。不过只检测$_GET/$_POST/$_COOKIE,同事后来改了下源码支持$_SERVER变量。 […]

  21. phpairspace
    phpairspace May 13, 2012

    那比如说这个来自$_REQUEST的参数已经做过过滤了,能否有方法取消这个warning的输出呢?一直输出warning对页面的js/ajax等效果有影响。

  22. 雪候鸟
    雪候鸟 May 12, 2012

    @phpairspace, taint在发现你在关键函数使用了来自$_REQUEST的参数就会提示你可能会有问题, 它默认提示的是warning~

  23. phpairspace
    phpairspace May 12, 2012

    就是说只要有require 变量的话就都会报warning么?变量做过限制的话也不行么?

  24. 雪候鸟
    雪候鸟 May 12, 2012

    @phpairspace 代码中没看到require啊?

  25. phpairspace
    phpairspace May 12, 2012

    在测试是遇到类似的代码
    $q = $_GET[‘q’];
    $controller = dirname(__FILE__);
    if ($q) {
    $controller .= ‘/controller/’.$q;
    if (realpath($controller) != $controller) {
    exit(‘Access Denied’);
    }
    }
    require $controller;
    当访问q=index.php时会报Warning: require() [function.require]: File path contains data that might be tainted
    请教下鸟哥什么情况下会有注入的风险?

  26. Chiotis
    Chiotis May 10, 2012

    sorry….autoload可能是是我这边用来记录taint错误的set_error_handler的函数在auto定义之前被触发了导致。

  27. Chiotis
    Chiotis May 10, 2012

    发现autoload失败的问题还是存在,在自定义的loader 函数里,include会被误报有安全问题,导致加载不到不到文件。

  28. Chiotis
    Chiotis May 10, 2012

    感谢,初步验证已经好了。后续再试用一阵,如果有问题及时反馈给您。

  29. @Laruence
    @Laruence May 10, 2012

    好的,我今天试下。

  30. chiotis
    chiotis May 8, 2012

    @Laruence 目前遇到的有,1、数组中的变量(原值为’/’)经过一系列传递后,成了一个*RECURSION*; 2、autoload偶尔失效。 误报倒没什么,可以忽略,反正结果只是参考。

  31. Laruence
    Laruence May 8, 2012

    @chioits 你能说说具体是什么bug么, taint目前是beta版本,可能会有些bug

  32. chiotis
    chiotis May 8, 2012

    BUG太多了,各种诡异现象。误报也很多,真实项目中完全没用。

  33. frank
    frank April 18, 2012

    有没有相应的工程说明和代码解释文档啊,大牛

  34. laruence
    laruence March 9, 2012

    @hm 多管齐下, 前台转义只是XSS, taint还关注于sql注入, 命令注入等.

  35. hm
    hm March 9, 2012

    推荐的做法应该是后台吐原文、统一由前台(JS)转义输出吧,鸟哥怎么看呢

  36. toms
    toms February 17, 2012

    好像不能回复呢

  37. venkman
    venkman February 17, 2012

    下个来看看效果, 嘿嘿

  38. rookie
    rookie February 17, 2012

    @雪候鸟
    可能跟我的环境有关系,终于安装好了,我改一下
    vim taint.c /*zend_error_noreturn(E_ERROR, “Cannot use assign-op operators with overloaded objects nor string offsets”);*/
    zend_error(E_ERROR, “Cannot use assign-op operators with overloaded objects nor string offsets”);
    效果相当好,太感谢,你太给力了

  39. airwin
    airwin February 17, 2012

    谁给个win版dll?~~

  40. 雪候鸟
    雪候鸟 February 16, 2012

    @rookie 我在5.3.6下无法复现.

  41. rookie
    rookie February 16, 2012

    taint-0.0.1.tgz
    #phpize
    #./configure –enable-taint
    #make
    #cp modules/taint.so /usr/lib64/php/modules/
    #cat /etc/php.d/taint.ini
    ; Enable taint extension module
    extension=taint.so
    #tail /etc/php.ini
    ;XSS code sniffer
    [taint]
    taint.enable=1

  42. 雪候鸟
    雪候鸟 February 16, 2012

    @rookie 没道理啊, zend_error_noreturn是在zend.h定义的, 被php.h包含, 你是怎么编译的?

  43. rookie
    rookie February 16, 2012

    PHP 5.3.6 (cli)

  44. jekhy
    jekhy February 16, 2012

    @rookie 我手动改了下taint.c,把zend_error_noreturn改为zend_error就可以了,参考:http://stackoverflow.com/questions/2556113/swig-generated-code-fails-to-run-on-php-5-3-2-undefined-symbol-zend-error-noret

  45. rookie
    rookie February 16, 2012

    PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib64/php/modules/taint.so’ – /usr/lib64/php/modules/taint.so: undefined symbol: zend_error_noreturn in Unknown on line 0

  46. Anonymous
    Anonymous February 16, 2012

    PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib64/php/modules/taint.so’ – /usr/lib64/php/modules/taint.so: undefined symbol: zend_error_noreturn in Unknown on line 0

  47. xinbe
    xinbe February 16, 2012

    真是一个不错的套件
    之前都是写regexp来搜寻源码
    把这个纳入到开发、测试环境中应该挺不错的

  48. wclssdn
    wclssdn February 15, 2012

    不错 赞一个~~~

  49. 匿名
    匿名 February 15, 2012

    //Warning: main() [function.echo]
    如果输出没有转义, 这种提示main() 这个可能要找一下,echo貌似是语法结构,不是function

  50. cnwill
    cnwill February 15, 2012

    博主一直是我们的解困导师!

  51. Rhythm
    Rhythm February 14, 2012

    给PHP写插件真是必备技能。

  52. Ckai
    Ckai February 14, 2012

    鸟哥v5

  53. KnightE
    KnightE February 14, 2012

    已在开发环境上安装,体验一下看看

  54. leijuly
    leijuly February 14, 2012

    每天上来看一看, 进阶学习。 博主造福广大基层PHPer啊

  55. pangee
    pangee February 14, 2012

    过滤输入,转义输出……

  56. Kenny
    Kenny February 14, 2012

    为什么无法下载啊?

Leave a Reply

Your email address will not be published. Required fields are marked *