Environment configuration for PHP code audit


Foreword

PHP code audit means reviewing PHP source code, understanding the logic of the code, and finding the security vulnerabilities in it.


1. PHP environment configuration

1.1 phpstudy and phpstorm download configuration

1.2 Xdebug configuration

1.3 Basic use of phpstudy

1.4 Basic use of phpstorm

Figure: the find and replace operation in phpstorm.

1.5 RIPS download and use

  1. RIPS download

RIPS is an open source automated code audit tool with strong vulnerability mining capabilities. It is written in PHP language and is used to statically audit the security of PHP code.
RIPS download address

After the download succeeds, put it directly under the website directory and you can use it by accessing it directly. I downloaded it under the Baota (宝塔) panel and then accessed it directly, as shown below:

  2. RIPS use

2. Code audit configuration file

2.1 PHP core configuration (php.ini)

1. safe_mode

safe_mode=On means that PHP's safe mode is turned on. In safe mode some dangerous PHP functions are disabled or restricted. For example, file operation functions are restricted: only a user who has read/write permission on the file may call them. The specific functions include:

  • read()

The following functions are disabled:

  • shell_exec()
  • exec()

2. magic_quotes_gpc

magic_quotes_gpc=On means that in controllable variables (GET, POST and COOKIE data) characters such as ', " and \ are escaped with a backslash, and they are unescaped again when the controllable variables are output; that is, addslashes() is applied to the input and stripslashes() to the output.

3. magic_quotes_runtime

For file operations, characters such as ', " and \ found in the data read from the file are escaped in the same way.

4. register_globals

If register_globals is enabled, every request parameter is also registered as a global variable, so $_GET['name'] is equivalent to $name.
The configuration options above are no longer used after PHP 5.4.

5. disable_functions

Disables the listed functions; the function names are separated by commas. Functions disabled through disable_functions may still be bypassed.

6. allow_url_include
7. allow_url_fopen

Options 6 and 7 mainly relate to the PHP pseudo-protocols (stream wrappers).

8. open_basedir

open_basedir specifies the directories in which PHP is allowed to operate on files.

2.2 MySQL core configuration

1. secure_file_priv

The secure-file-priv parameter restricts LOAD DATA, SELECT ... INTO OUTFILE and LOAD_FILE() to a specified directory. secure-file-priv is set in the mysql.ini file or in /etc/my.cnf; if the file does not contain this field, you can add it yourself (phpstudy: configure it in the mysql.ini file; Baota panel: configure it in /etc/my.cnf).

  • When the value of secure_file_priv is NULL, mysqld is not allowed to import or export files at all
  • When the value of secure_file_priv is /tmp/, mysqld may only import from and export to the /tmp/ directory
  • When secure_file_priv has no value (empty), the import and export of mysqld are not restricted
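As an added example (not code from the original post), here is a small Python checker that reads the php.ini directives and the MySQL secure_file_priv setting described above and flags the weak values; the two configuration fragments are constructed samples, and the function names are my own.

```python
# Constructed sample php.ini fragment (not a real server's file) with the directives discussed above.
SAMPLE_PHP_INI = """[PHP]
allow_url_fopen = On
allow_url_include = On
open_basedir =
disable_functions =
"""
# Constructed sample my.ini / my.cnf fragment.
SAMPLE_MY_CNF = """[mysqld]
datadir = /www/server/data
secure-file-priv =
"""

def parse_ini(text):
    """Minimal ini reader: skips sections and ;/# comments, normalises secure-file-priv to secure_file_priv."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower().replace("-", "_")] = value.strip().strip('"')
    return settings

is_on = lambda value: value.strip().lower() in ("1", "on", "true", "yes")  # php.ini truthy spellings

def check_php_ini(settings):
    """Flag weak values of the php.ini directives described above; returns a list of findings."""
    findings = []
    if is_on(settings.get("allow_url_include", "0")):
        findings.append("allow_url_include=On: include/require accept URLs (remote file inclusion risk)")
    if is_on(settings.get("allow_url_fopen", "1")):  # PHP's built-in default is On
        findings.append("allow_url_fopen=On: file functions accept URL wrappers")
    if not settings.get("open_basedir"):
        findings.append("open_basedir is empty: PHP file access is not confined to a directory")
    disabled = {f.strip() for f in settings.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted({"exec", "shell_exec"} - disabled)  # the command-execution functions named above
    if missing:
        findings.append("disable_functions does not list: " + ", ".join(missing))
    for legacy in ("safe_mode", "magic_quotes_gpc", "register_globals"):  # removed in PHP 5.4
        if is_on(settings.get(legacy, "0")):
            findings.append(legacy + "=On: removed in PHP 5.4, modern PHP ignores it; do not rely on it")
    return findings

def check_my_cnf(settings):
    """secure_file_priv: NULL disables import/export, a directory confines it, empty means unrestricted."""
    value = settings.get("secure_file_priv")
    if value is None:
        return ["secure_file_priv is not set: add it explicitly so the import/export scope is known"]
    return ["secure_file_priv is empty: LOAD_FILE()/INTO OUTFILE are not confined to a directory"] if value == "" else []
```

Run check_php_ini(parse_ini(open("php.ini").read())) against a real php.ini from phpstudy or the Baota panel to get the list of findings for that server.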

As described above, when secure_file_priv is set, the following conditions must also hold to use LOAD_FILE() and INTO OUTFILE:

  1. LOAD_FILE()
  • The current user has read permission
  • The absolute path of the website is known
  2. INTO OUTFILE
  • The current user has write permission
  • The absolute path of the website is known

To find out the privileges of the current database user, the following statements can be used:

' order by 2--   find the number of columns
' union all select database(),user()--   view the current database and user
Note: 'root' below stands for the result of user() above.
Check whether the current user has the file read/write privilege:
1' and (select File_priv from mysql.user where user='root' and host='localhost')='Y'-- 
1' and (select File_priv from mysql.user where user='root' and host='%')='Y'-- 

The user table in the mysql database holds the privilege information of the current user; with the boolean-based injection above you can determine whether the current user has file read/write privileges.

2. basedir

This parameter specifies the MySQL installation path. Filling in the full path avoids the problems caused by a relative path.

3. datadir

This parameter specifies the path where the MySQL database files are stored; the database files are what we commonly call the MySQL data files. (The Baota panel can only use INTO OUTFILE in this path.)


Origin blog.csdn.net/qq_53568983/article/details/128759262