
Taint-0.3.0(A XSS codes sniffer) released

Over the last few days I have stolen some spare time to keep polishing taint, and today I think it has finally reached the point where I am 80% satisfied with it. By the 80/20 rule, I think that makes this a milestone release :).
What is Taint? An extension for detecting XSS code (tainted strings), which can also be used to spot SQL injection, shell injection and similar vulnerabilities.
In my own testing, Taint-0.3.0 finds hidden XSS, SQL injection and shell injection bugs in some real open-source products (don't ask which). These are very hard to track down with a static analysis tool, because the data flow only exists at run time. For example:

<?php
   // $name selects which variable gets printed; $value holds the attacker-controlled string.
   $name = $_GET["name"];
   $value = strval($_GET["tainted"]);
   // Variable variable: with name=value this resolves to $value, i.e. the raw request input.
   echo $$name;

For the request:

http://****.com/?name=value&tainted=xxx

a static analysis tool usually cannot tell which variable $$name refers to, whereas Taint tracks the actual value at run time and reports this kind of problem precisely:

Warning: main() [function.echo]:
     Attempt to echo a string that might be tainted in %s.php on line %d

0.3.0 is now released, and I don't expect to add new features in the short term. Enjoy PHP Taint.
One more thing: Taint is probably the most complex extension I have written, using all sorts of tricky techniques; if you are interested in extension development it makes a good advanced tutorial.
Appendix:
A. Tainted String
Every variable coming from $_GET, $_POST or $_COOKIE is considered a tainted string.
B. Functions/statements that taint checks (the sinks). When one of these is called with a tainted string argument, taint emits a warning:
1. Output functions/statements

echo
print
printf
file_put_contents

2. Filesystem functions

fopen
opendir
basename
dirname
file
pathinfo

3. Database functions/methods

mysql_query
mysqli_query
sqlite_query
sqlite_single_query
oci_parse
Mysqli::query
SqliteDataBase::query
SqliteDataBase::SingleQuery
PDO::query
PDO::prepare

4. Command execution functions

system
exec
proc_open
passthru
shell_exec

5. Language constructs

eval
include(_once)
require(_once)

C. Functions that clear the taint (the sanitizers). After one of these is called, the tainted string becomes a legitimate string. Note that the check is context-free: any function in this list clears the flag, whether or not it is the right escaping for the sink the value ends up in.

escapeshellcmd
htmlspecialchars
addcslashes
addslashes
mysqli_escape_string
mysql_real_escape_string
mysql_escape_string
sqlite_escape_string
PDO::quote
Mysqli::escape_string
Mysql::real_escape_string

D. Functions/statements that preserve the taint through a call (the propagators). If the input is a tainted string, the output is a tainted string too:

= (assign)
. (concat)
"{$var}" (variable substitution)
.= (assign concat)
strval
explode
implode
sprintf
vsprintf
trim (as of 0.4.0)
rtrim (as of 0.4.0)
ltrim (as of 0.4.0)

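The following script is an added example, not code from the original post or from the taint extension's own sources. It carries one request value through lists A to D above end to end (source, propagation, sanitizer, sink) and also covers the `$$name` case from the body of the post, using `is_tainted()` (the introspection function mentioned in the comments) to show at each step whether the flag is still set. It assumes the extension is loaded with taint.enable=1, that pdo_sqlite is available, and that the script is requested with `name=value&tainted=<script>alert(1)</script>`; the `report()` helper is the example's own.

```php
<?php
// Added example: walks one request value through the appendix lists
// (source -> propagation -> sanitizer -> sink). Not part of the original
// post or the taint extension.
// Assumed: taint.enable=1, pdo_sqlite present, request
//   /demo.php?name=value&tainted=%3Cscript%3Ealert(1)%3C/script%3E

// Report whether the extension still marks $v as tainted (helper of this example).
function report($label, $v) {
    $flag = (function_exists('is_tainted') && is_tainted($v)) ? 'tainted' : 'clean';
    return str_pad($label, 24) . $flag . "\n";
}

// A. Sources: anything read from $_GET/$_POST/$_COOKIE starts out tainted.
$name  = $_GET['name'];
$value = strval($_GET['tainted']);

// D. Propagation: assignment, concatenation, interpolation, sprintf and
// explode/implode all carry the flag forward, so a sink that is several
// hops away from the superglobal is still reported.
$greeting = 'Hello, ' . $value;
$tpl      = "User: {$value}";
$fmt      = sprintf('user=%s', $value);
$joined   = implode('-', explode(' ', $value));

echo report('raw $_GET', $value);
echo report('concat', $greeting);
echo report('interpolation', $tpl);
echo report('sprintf', $fmt);
echo report('explode+implode', $joined);

// The variable-variable case from the post: a static tool cannot tell
// which variable $$name names, but at run time it resolves to $value,
// which still carries the flag, so `echo $$name` is caught at the sink.
echo report('$$name', $$name);

// C. Sanitizers: every function in list C clears the flag regardless of
// the output context. addslashes() untaints exactly like
// htmlspecialchars() does, yet it leaves "<" and ">" untouched, so the
// extension staying silent after addslashes() is not proof that the
// value is safe to echo into HTML. Pick the sanitizer for the sink
// yourself; taint only confirms that some sanitizer was applied.
$html = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
$sql  = addslashes($value);
echo report('htmlspecialchars', $html);
echo report('addslashes', $sql);   // clean, but still contains <script>

// B1. Output sink: echoing a tainted string raises
//   Warning: main() [function.echo]: Attempt to echo a string that might be tainted
// echo $greeting;        // would warn
echo $html, "\n";         // no warning, flag cleared above

// B3. Database sinks: list B names query()/prepare(), which see only the
// SQL string, not the values bound afterwards. A placeholder therefore
// passes silently, while concatenating the value into the SQL is reported.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE users (name TEXT)');
$stmt = $pdo->prepare('SELECT name FROM users WHERE name = ?');
$stmt->execute(array($value));                                  // no warning
// $pdo->query("SELECT name FROM users WHERE name = '$value'"); // would warn

// B4. Command sink: only the shell-escaped form may reach system().
// system('echo ' . $value);                   // would warn
$safeArg = escapeshellcmd($value);
echo report('escapeshellcmd', $safeArg);
```

Run it under the CLI or a web SAPI with the extension loaded and warnings displayed (see the comments below about error_reporting and display_errors). Uncommenting any of the "would warn" lines produces the sink warning shown in the body of the post.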
E. Links:

71 Comments

  1. aaron
    aaron October 23, 2019

惠哥, does this support php 5.6? It looks like it requires php version <= 5.4.

  2. chen
    chen December 29, 2017

When using taint I ran into this problem: the function I actually call is mysqli_query(), but I used escapecmdshell() to escape the variable. So the situation is that there is no warning, yet 'or'1'='1 can still be executed successfully on Linux. What would you suggest for this case?

  7. dreamans
    dreamans February 22, 2016

I found a problem: a call like this does not trigger the warning:

    $var = $_GET['var'];
    $var1 = $var . 'string';
    echo $var1;

I wonder whether this can be fixed.

  8. […] Taint is a vulnerability-detection extension written by PHP core developer Laruence. When compiling it on Windows you may get an error that INIT_PZVAL_COPY is undefined. Since it isn't defined, just define it yourself in php_taint.h, as follows. #ifndef INIT_PZVAL_COPY #define INIT_PZVAL_COPY(z, v) ZVAL_COPY_VALUE(z, v); Z_SET_REFCOUNT_P(z, 1); Z_UNSET_ISREF_P(z); #endif #ifndef ZVAL_COPY_VALUE #define ZVAL_COPY_VALUE(z, v) (z)->value = (v)->value; Z_TYPE_P(z) = Z_TYPE_P(v); #endif […]

  16. Bookmarks | Halo
    Bookmarks | Halo November 3, 2014

    […] Taint-0.3.0(A XSS codes sniffer) released | 风雪之隅 […]

  18. sunny5156
    sunny5156 July 25, 2013

    PHP Startup: Unable to load dynamic library ‘/usr/lib64/php/modules/taint.so’ – /usr/lib64/php/modules/taint.so: undefined symbol: INIT_PZVAL_COPY in Unknown on line 0

  20. mruse
    mruse June 16, 2013

@laruence, the build went through without errors (php + nginx environment), but after installing and restarting php-fpm I get the following error. What could be the cause? Googling turned up nothing similar to my case; please advise.
Versions:
php5.2.14
zend v3.3.9

  21. yliang_1987
    yliang_1987 May 10, 2013

Does this mean the extension exists just to stop code from printing URL parameters?

  22. grom
    grom April 21, 2013

The value of $_GET['a'] got filtered:
<script>alert(1);</script>

  23. grom
    grom April 21, 2013

Tested on centos 6.3 + php 5.4.12.
The value of $_GET['a'] is alert(1);
I then call addslashes and echo it; the dialog pops up as expected, and is_tainted returns false.

  24. allen
    allen February 7, 2013

PHP Version 5.4.11-1~precise+1
Ubuntu 12.04
The build completes without errors, but loading the extension gives the following error:
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525+lfs/taint.so' - /usr/lib/php5/20100525+lfs/taint.so: undefined symbol: MAKE_REAL_ZVAL_PTR in Unknown on line 0
How do I fix this?

  25. little
    little November 21, 2012

Depending on the context, one might also use htmlentities, urlencode, urlrawencode, http_build_query and the like.

  26. 闪电客
    闪电客 August 5, 2012

Nice!! Keep improving it.

  27. chenggang
    chenggang June 15, 2012

This kind does not seem to get caught:
$a = $_GET['name'];
$arr['key'] = $a;
extract($arr);
echo $key;

  28. WPS2000
    WPS2000 May 21, 2012

This is really good; I have tried rolling it out across the company. It hasn't flagged anything yet, which of course is a vindication of our earlier work.
I have put my Windows build here: http://82.165.131.79/php_taint.dll , for the 5.3 series, VC9; anyone who wants to try it can.
Also, could the author make the extension enabled by default, instead of requiring taint.enable to be set in the config file?

  29. virgins
    virgins May 13, 2012

I think the content on this site is genuinely good.

  30. shirne
    shirne May 9, 2012

But I still want to ask: what is this, actually?!

  31. liut
    liut April 16, 2012

Is there a pre-built win32 dll? I use a mac myself, but most of my team are on Windows.

  32. skybyte
    skybyte April 11, 2012

It doesn't log to a file; with these settings nothing shows up in the log:
error_reporting = E_ALL & ~E_NOTICE
error_log=php.log
display_errors=Off
If I change to display_errors=On it is shown directly in the browser.

  33. liut
    liut April 11, 2012

The build fails on Lion:
    /Users/liutao/.macports/opt/local/var/macports/build/_Users_liutao_DarwinPorts_local-sources_www_php5-taint/php5-taint/work/taint-0.5.1/taint.c:1056:16: warning:
    passing ‘long *’ to parameter of type ‘unsigned long *’ converts between pointers
    to integer types with different sign [-Wpointer-sign]
    …switch (zend_hash_get_current_key(ht, &key, &idx, 0)) {
    ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    /opt/local/include/php/Zend/zend_hash.h:201:52: note: instantiated from:
    zend_hash_get_current_key_ex(ht, str_index, NULL, num_index, duplicate, NULL)
    ^
    /Users/liutao/.macports/opt/local/var/macports/build/_Users_liutao_DarwinPorts_local-sources_www_php5-taint/php5-taint/work/taint-0.5.1/taint.c:1056:52: note: instantiated from:
    …switch (zend_hash_get_current_key(ht, &key, &idx, 0)) {
    ^~~~
    /opt/local/include/php/Zend/zend_hash.h:179:107: note: passing argument to parameter
    ‘num_index’ here
    …uint *str_length, ulong *num_index, zend_bool duplicate, HashPosition *pos);
    ^
    /Users/liutao/.macports/opt/local/var/macports/build/_Users_liutao_DarwinPorts_local-sources_www_php5-taint/php5-taint/work/taint-0.5.1/taint.c:1260:22: error:
    expression is not assignable
    Z_REFCOUNT_PP(op1) = refcount;
    ~~~~~~~~~~~~~~~~~~ ^
    /Users/liutao/.macports/opt/local/var/macports/build/_Users_liutao_DarwinPorts_local-sources_www_php5-taint/php5-taint/work/taint-0.5.1/taint.c:1517:30: warning:
    ‘zend_get_parameters_ex’ is deprecated [-Wdeprecated-declarations]
    if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &arg) == FAILURE) {
    ^
    2 warnings and 1 error generated.
    make: *** [taint.lo] Error 1

  34. test
    test April 7, 2012

With error_reporting = E_ALL ^ E_NOTICE and display_errors = On, I can't see the taint warning. Is that a problem?

  35. essay
    essay March 29, 2012

You're a legend! Came to your blog from chinaz; the content is rather advanced and I don't really understand it, but it deserves an upvote, heh.

  36. Sunny
    Sunny March 27, 2012

Many open-source systems wrap the reading of $_GET and $_POST in their own functions, such as pre-escaped G_GET() and G_POST().
Can XSS in that kind of data be monitored too?

  37. achun
    achun March 19, 2012

This kind of problem is complex enough; for a rigorous product, taint will be a big help.

  38. 雪候鸟
    雪候鸟 March 11, 2012

@count Yes, that's right, so the recommendation is to enable this extension during development/testing.

  39. count
    count March 11, 2012

Very nice stuff.
My understanding is this: this kind of detection is a runtime check, which presupposes that you know all the input parameter URLs of a PHP file in order to trigger the detection logic;
static syntax analysis doesn't have this problem, but is less accurate in some respects.

  40. glone
    glone March 7, 2012

So lively here.

  41. fifsky
    fifsky March 2, 2012

Can it be configured for a single virtual host? Enabling it now takes down all the old systems on the same server; I only want to use it for the new project and don't care about the old ones.

  42. 雪候鸟
    雪候鸟 February 29, 2012

@李枨煊 Strange, no problem on my side; I'll verify 2.14 later (I'm on 2.17 at the moment), thanks.

  43. 李枨煊
    李枨煊 February 29, 2012

It's on; writing it directly like this does report:
echo $_GET['b'];

  44. 雪候鸟
    雪候鸟 February 28, 2012

@李枨煊 Have you turned on error logging?

  45. 李枨煊
    李枨煊 February 28, 2012

PHP version: 5.2.14
taint version: 0.4.1

  46. 雪候鸟
    雪候鸟 February 28, 2012

@李枨煊 Which version are you using? No problem here; try the latest.

  47. 李枨煊
    李枨煊 February 28, 2012

hi~ 鸟哥:
I installed it on a dev box today and tried it out, and found this problem: if the parameter is received like this, taint doesn't report. Is this a bug?
$b = isset($_GET['b']) ? $_GET['b'] : '';
echo $b;

  48. helloki
    helloki February 24, 2012

Could you provide a .dll for 5.3.6 nts? ^^

  49. toms
    toms February 22, 2012

Deep stuff........

  50. laruence
    laruence February 20, 2012

@hello Yes, it looks like some PHP builds don't export these symbols; I'll switch to a different approach. This will be fixed in 0.3.1.

  51. hello
    hello February 20, 2012

One test fails:
    [root@localhost taint]# make test
    Build complete.
    Don’t forget to run ‘make test’.
    /usr/local/bin/php: symbol lookup error: /root/Downloads/php-5.3.10/ext/taint/modules/taint.so: undefined symbol: zif_implode
    =====================================================================
    PHP : /usr/local/bin/php
    PHP_SAPI : cli
    PHP_VERSION : 5.3.10
    ZEND_VERSION: 2.3.0
    PHP_OS : Linux – Linux localhost.localdomain 2.6.33.6-147.fc13.i686 #1 SMP Tue Jul 6 22:30:55 UTC 2010 i686
    INI actual : /root/Downloads/php-5.3.10/ext/taint/tmp-php.ini
    More .INIs :
    CWD : /root/Downloads/php-5.3.10/ext/taint
    Extra dirs :
    VALGRIND : Not used
    =====================================================================
    TIME START 2012-02-20 14:19:14
    =====================================================================
    PASS Check for taint presence [tests/001.phpt]
    PASS Check Taint function [tests/002.phpt]
    PASS Check Taint with ternary [tests/003.phpt]
    PASS Check Taint with eval [tests/004.phpt]
    PASS Check Taint with separation [tests/005.phpt]
    PASS Check Taint with send_var/send_ref [tests/006.phpt]
    FAIL Check Taint with functions [tests/007.phpt]
    =====================================================================
    TIME END 2012-02-20 14:19:15

  52. 雪候鸟
    雪候鸟 February 20, 2012

@enjoy Yes, trim should be added to the function list...

  53. enjoy
    enjoy February 20, 2012

$username = $_POST['UserName'];
echo $username;
gives: Attempt to echo a string that might be tainted
After testing I found that, whether magic_quotes_gpc is On or Off, adding a trim makes the warning go away:
$username = trim($_POST['UserName']);
That seems a bit off?

  54. majl
    majl February 20, 2012

Installed via yum, and this is the only patch applied!

  55. 雪候鸟
    雪候鸟 February 19, 2012

@majl Where did you get your PHP from? And have you applied any other patches?

  56. majl
    majl February 19, 2012

Why do I get an error on 5.3.10?..
Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php/modules/taint.so' - /usr/lib/php/modules/taint.so: undefined symbol: zif_user_sprintf in Unknown on line 0
