- Article URL: https://www.laruence.com/2012/02/18/2560.html
- Please cite the source when reposting.
Over the past few days I have squeezed in time to keep polishing taint, and today I feel it has finally reached the 80% mark. By the 80:20 rule, I think this can count as a milestone release :).
What is Taint? An extension for detecting XSS code (tainted strings) that can also be used to spot SQL injection, shell injection and similar vulnerabilities.
In my own testing, Taint-0.3.0 detected hidden XSS, SQL injection and shell injection vulnerabilities in several real open-source products (don't ask which), and these are vulnerabilities that would be very hard to track down with a static analysis tool. Take the following example:
<?php
$name = $_GET["name"];
$value = strval($_GET["tainted"]);
echo $$name;
For the request:
http://****.com/?name=value&tainted=xxx
a static analysis tool is usually helpless, whereas Taint reports this class of problem precisely:
Warning: main() [function.echo]: Attempt to echo a string that might be tainted in %s.php on line %d
0.3.0 is now released, and I don't expect to add new features for a while. Enjoy PHP Taint.
One more thing: Taint is probably the most complex extension I have written, using all sorts of tricky techniques, so anyone interested in extension development can use it as a good advanced textbook.
Appendix:
A. Tainted String
All variables coming from $_GET, $_POST and $_COOKIE are treated as tainted strings.
B. Functions/statements that taint checks. When these are called with a tainted string argument, taint emits a warning:
1. Output functions/statements
echo print printf file_put_contents
2. Filesystem functions
fopen opendir basename dirname file pathinfo
3. Database functions/methods
mysql_query mysqli_query sqlite_query sqlite_single_query oci_parse Mysqli::query SqliteDataBase::query SqliteDataBase::SingleQuery PDO::query PDO::prepare
4. Command execution functions
system exec proc_open passthru shell_exec
5. Language constructs
eval include(_once) require(_once)
C. Functions that clear the tainted flag. After a call to one of these, a tainted string becomes a legitimate string:
escapeshellcmd htmlspecialchars escapeshellcmd addcslashes addslashes mysqli_escape_string mysql_real_escape_string mysql_escape_string sqlite_escape_string PDO::quote Mysqli::escape_string Mysql::real_escape_string
D. Functions/statements that preserve taint. If the input is a tainted string, the output is also a tainted string:
= (assign), . (concat), "{$var}" (variable substitution), .= (assign concat), strval, explode, implode, sprintf, vsprintf, trim (as of 0.4.0), rtrim (as of 0.4.0), ltrim (as of 0.4.0)
E. Links:
- RFC:Taint (the idea mainly comes from this RFC)
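As an added illustration (not code from the original post or from the extension's sources), the following script walks through rules A to D above with the Taint extension loaded. It assumes the extension is enabled via taint.enable=1 and that is_tainted() is available, as the comment thread mentions; the request values are constructed.

```php
<?php
// Added example, not part of the original post or of the extension's sources.
// Run with: php -d extension=taint.so -d taint.enable=1 demo.php
// is_tainted() is the extension's query function; the $_GET values below are
// constructed to stand in for ?name=value&tainted=<script>alert(1)</script>
$_GET = ['name' => 'value', 'tainted' => '<script>alert(1)</script>'];

// Rule A: anything read from $_GET/$_POST/$_COOKIE starts out tainted.
$name  = $_GET['name'];
$value = strval($_GET['tainted']);          // rule D: strval() keeps the taint
var_dump(is_tainted($value));               // bool(true)

// Rule D: taint follows concatenation, interpolation, .= and sprintf().
$greeting  = 'Hello ' . $value;
$embedded  = "<p>{$value}</p>";
$formatted = sprintf('user=%s', $value);
$formatted .= ' (unverified)';
var_dump(is_tainted($greeting) && is_tainted($embedded) && is_tainted($formatted)); // bool(true)

// Rule B: a tainted string reaching a sink triggers the runtime warning. Here the
// sink is reached through the variable-variable $$name (i.e. $value), which a
// static analyser cannot resolve but the runtime check treats like a plain echo.
echo $$name;   // Warning: Attempt to echo a string that might be tainted

// Rule C: a sanitizer clears the taint, so the same sink is then silent.
$safe_html = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
var_dump(is_tainted($safe_html));           // bool(false)
echo $safe_html;                            // no warning

// Caveat: every function in list C clears the taint regardless of which sink it
// is meant for. addslashes() is SQL-style escaping, yet it silences the echo
// warning (the comment thread reports exactly this), so a quiet run means "some
// sanitizer was applied", not "the right sanitizer for this sink was applied".
echo addslashes($value);                    // no warning, markup still reaches the page
```

Because the warning is an ordinary PHP warning, where it lands depends on error_reporting, display_errors and error_log, so a silent run should be checked against the error log and not only the browser.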
Brother Hui, does this support PHP 5.6? It looks like it requires php version <= 5.4.
I ran into a problem when using taint: the function I actually call is mysqli_query(), but I used the escapecmdshell() function to escape the variable. So there is no warning, yet something like 'or'1'='1 can still be executed successfully on Linux. Do you have any good suggestions for this case?
I found a problem: calling it like this does not trigger a warning:
$var = $_GET['var'];
$var1 = $var . 'string';
echo $var1;
I wonder whether this can be fixed.
[…] Taint is a vulnerability detection plugin written by Laruence, a member of the PHP development group. When compiling on Windows you may get an error that INIT_PZVAL_COPY is undefined. Since it isn't defined, we just define it ourselves in php_taint.h, with the following code:
#ifndef INIT_PZVAL_COPY
#define INIT_PZVAL_COPY(z, v) ZVAL_COPY_VALUE(z, v); Z_SET_REFCOUNT_P(z, 1); Z_UNSET_ISREF_P(z);
#endif
#ifndef ZVAL_COPY_VALUE
#define ZVAL_COPY_VALUE(z, v) (z)->value = (v)->value; Z_TYPE_P(z) = Z_TYPE_P(v);
#endif
[…]
PHP Startup: Unable to load dynamic library '/usr/lib64/php/modules/taint.so' - /usr/lib64/php/modules/taint.so: undefined symbol: INIT_PZVAL_COPY in Unknown on line 0
@laruence, there were no errors during compilation when I installed it (php + nginx environment). After compiling and restarting php-fpm I get the error above. What could be the cause? I googled it but found nothing similar to my situation; please advise.
Versions:
php5.2.14
zend v3.3.9
Is this extension meant to prevent URL parameters from being printed out in code?
The value of $_GET['a'] got filtered:
<script>alert(1);</script>
Tested on CentOS 6.3 + PHP 5.4.12
The value of $_GET['a'] is alert(1);
Then I call addslashes and echo it; the dialog pops up correctly, and is_tainted returns false.
git 404
@allen Yes, I fixed it; you can download the fixed version from GitHub: https://github.com/laruence/php-taint/commit/f39d9c8e6178cca5d6d2e82513060037aa3a4a62
PHP Version 5.4.11-1~precise+1
Ubuntu 12.04
Compilation completed without errors, but loading the extension gives the following error:
PHP Warning: PHP Startup: Unable to load dynamic library '/usr/lib/php5/20100525+lfs/taint.so' - /usr/lib/php5/20100525+lfs/taint.so: undefined symbol: MAKE_REAL_ZVAL_PTR in Unknown on line 0
How do I fix this?
In different contexts one might also use htmlentities, urlencode, urlrawencode, http_build_query and the like.
Nice, thanks for sharing.
Nice! Keep improving it.
This kind seems not to be caught:
$a = $_GET['name'];
$arr['key'] = $a;
extract($arr);
echo $key;
This is really good; I tried rolling it out at the company. It hasn't reported any errors yet, which of course is an endorsement of our previous work.
I put the Windows build I compiled here: http://82.165.131.79/php_taint.dll , for the 5.3 series, VC9; anyone who needs it can give it a try.
Also, could the author make this extension enabled by default, instead of requiring taint.enable to be set in the config file?
I think the content on this site is truly good.
But I still want to ask: what is it?!
Is there a precompiled win32 dll? I use a Mac myself, but most of my team uses Windows.
Great!
This doesn't log to a file; with the settings below nothing shows up in the log:
error_reporting = E_ALL & ~E_NOTICE
error_log=php.log
display_errors=Off
If I change it to display_errors=On it is shown directly in the browser.
@liut Thanks for the feedback, fixed in svn: http://svn.php.net/viewvc/pecl/taint/trunk/taint.c?r1=325027&r2=325026&pathrev=325027
Build fails on Lion:
/Users/liutao/.macports/opt/local/var/macports/build/_Users_liutao_DarwinPorts_local-sources_www_php5-taint/php5-taint/work/taint-0.5.1/taint.c:1056:16: warning:
passing 'long *' to parameter of type 'unsigned long *' converts between pointers
to integer types with different sign [-Wpointer-sign]
…switch (zend_hash_get_current_key(ht, &key, &idx, 0)) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
/opt/local/include/php/Zend/zend_hash.h:201:52: note: instantiated from:
zend_hash_get_current_key_ex(ht, str_index, NULL, num_index, duplicate, NULL)
^
/Users/liutao/.macports/opt/local/var/macports/build/_Users_liutao_DarwinPorts_local-sources_www_php5-taint/php5-taint/work/taint-0.5.1/taint.c:1056:52: note: instantiated from:
…switch (zend_hash_get_current_key(ht, &key, &idx, 0)) {
^~~~
/opt/local/include/php/Zend/zend_hash.h:179:107: note: passing argument to parameter
'num_index' here
…uint *str_length, ulong *num_index, zend_bool duplicate, HashPosition *pos);
^
/Users/liutao/.macports/opt/local/var/macports/build/_Users_liutao_DarwinPorts_local-sources_www_php5-taint/php5-taint/work/taint-0.5.1/taint.c:1260:22: error:
expression is not assignable
Z_REFCOUNT_PP(op1) = refcount;
~~~~~~~~~~~~~~~~~~ ^
/Users/liutao/.macports/opt/local/var/macports/build/_Users_liutao_DarwinPorts_local-sources_www_php5-taint/php5-taint/work/taint-0.5.1/taint.c:1517:30: warning:
'zend_get_parameters_ex' is deprecated [-Wdeprecated-declarations]
if (ZEND_NUM_ARGS() != 1 || zend_get_parameters_ex(1, &arg) == FAILURE) {
^
2 warnings and 1 error generated.
make: *** [taint.lo] Error 1
Awesome!
With error_reporting = E_ALL ^ E_NOTICE and display_errors = On, I can't see the taint warning; is something wrong?
You're invincible, master! I came to your blog from chinaz; the content is quite advanced and I don't really understand it, but it deserves a thumbs-up, heh.
Learning; following closely!
Many open-source systems wrap the retrieval of $_GET and $_POST parameters in their own functions, such as pre-escaping functions like G_GET() and G_POST().
Can XSS be detected in such data too?
This kind of problem is complex enough; for a strict product, taint will be very useful.
A very good extension!
@count Yes, exactly, which is why I recommend enabling this extension during development/testing.
Nice stuff.
My understanding is this: this detection method is a runtime check, and the prerequisite is that you know all the input parameter URLs of the PHP file so that you can trigger the detection logic;
static syntax analysis doesn't have this problem, but in some respects it is less accurate than this approach.
So lively.
Can it be configured for a particular virtual host? Right now, enabling it brought down all the old systems on the same server; I only want to use it for new projects and don't care about the old ones.
@李枨煊 Strange, it works fine on my side; I'll verify 2.14 later (I'm on 2.17 at the moment), thanks.
It's enabled; writing it directly like this reports an error:
echo $_GET['b'];
@李枨煊 Did you turn on the error log?
PHP version: 5.2.14
taint version: 0.4.1
@李枨煊 Which version are you using? It works here; try the latest.
Hi, Niao Ge:
I installed it on my dev box today and tried it, and found the following problem: if the parameter is received like this, taint does not report anything. Is this a bug?
$b = isset($_GET['b']) ? $_GET['b'] : '';
echo $b;
Could you provide a 5.3.6 NTS .dll? ^^
Too deep for me...
@hello @enjoy @majl Fixed in svn. Available on GitHub: https://github.com/laruence/php-ext-taint
@hello Yes, it looks like some PHP builds don't expose these symbols; I'll use a different approach. Will fix this in 0.3.1.
One test fails:
[root@localhost taint]# make test
Build complete.
Don't forget to run 'make test'.
/usr/local/bin/php: symbol lookup error: /root/Downloads/php-5.3.10/ext/taint/modules/taint.so: undefined symbol: zif_implode
=====================================================================
PHP : /usr/local/bin/php
PHP_SAPI : cli
PHP_VERSION : 5.3.10
ZEND_VERSION: 2.3.0
PHP_OS : Linux – Linux localhost.localdomain 2.6.33.6-147.fc13.i686 #1 SMP Tue Jul 6 22:30:55 UTC 2010 i686
INI actual : /root/Downloads/php-5.3.10/ext/taint/tmp-php.ini
More .INIs :
CWD : /root/Downloads/php-5.3.10/ext/taint
Extra dirs :
VALGRIND : Not used
=====================================================================
TIME START 2012-02-20 14:19:14
=====================================================================
PASS Check for taint presence [tests/001.phpt]
PASS Check Taint function [tests/002.phpt]
PASS Check Taint with ternary [tests/003.phpt]
PASS Check Taint with eval [tests/004.phpt]
PASS Check Taint with separation [tests/005.phpt]
PASS Check Taint with send_var/send_ref [tests/006.phpt]
FAIL Check Taint with functions [tests/007.phpt]
=====================================================================
TIME END 2012-02-20 14:19:15
@enjoy Yes, trim should be added to the function list...
$username = $_POST['UserName'];
echo $username;
Reports: Attempt to echo a string that might be tainted
After testing I found that regardless of whether magic_quotes_gpc is On or Off, adding a trim() stops the warning.
$username = trim($_POST['UserName']);
Something seems off?
Installed via yum, and only this one patch was applied!
@majl Where did you download your PHP from, and did you apply any other patches?
Why do I get an error with 5.3.10?
Warning: PHP Startup: Unable to load dynamic library /usr/lib/php/modules/taint.so' - /usr/lib/php/modules/taint.so: undefined symbol: zif_user_sprintf in Unknown on line 0
This is good; I'll go check my own project.