PHP Taint - 一个用来检测XSS/SQL/Shell注入漏洞的扩展

Published on 14 February 2012 by laruence

本文地址: https://www.laruence.com/2012/02/14/2544.html
转载请注明出处

之前, 小顿和我提过一个想法, 就是从PHP语言层面去分析,找出一些可能的注入漏洞代码. 当时我一来没时间, 而来也确实不知道从何处下手..
直到上周的时候, 我看到了这个RFC: RFC:Taint.
但是这个RFC的问题在于, 它需要为PHP打Patch, 修改了PHP本身的数据结构, 这对于以后维护, 升级PHP来说, 很不方便, 也会有一些隐患.
虽然这样, 但这个RFC却给了我一个启发, 于是我就完成了这样的一个扩展:Taint Extension
这个扩展使用起来, 很简单(目前只支持5.2.6到5.3, 以及PHP7以上):
下载源代码以后, 编译, 安装. 然后在php.ini中要开启这个扩展(建议不要在生产环境开启这个扩展):

extension=taint.so
taint.enable=1

启用这个扩展以后, 如果在一些关键函数(或者语句: echo, print, system, exec, 等等), 或者输出的地方*直接*(没有经过转义, 安全过滤处理)使用了来自$_GET, $_POST或者$_COOKIE的数据, 则Taint就会提示你:

<?php
 $a = $_GET['a'];
 $file_name = '/tmp' .  $a;
 $output    = "Welcome, {$a} !!!";
 $var       = "output";
 $sql       = "Select *  from " . $a;
 $sql      .= "ooxx";
 echo $output;
//Warning: main(): Attempt to echo a string which might be tainted in xxx.php on line x
 print $$var;
//Warning: main(): Attempt to print a string which might be tainted  in xxx.php on line x
 include($file_name);
//Warning: include() [function.include]: File path contains data that might be tainted in xxx.php on x
 mysql_query($sql);
//Warning: mysql_query() [function.mysql-query]: First argument contains data that might be tainted in xxx.php on line x
?>

目前因为还没有支持5.4(5.4的实现方法, 要依赖于我将要和Dmitry讨论的一个新需求), 所以目前还没有发布一个下载包, 大家可以先直接从源代码下载: Taint on Github.
上面的例子显示了简单的用法, 回头我会再完善下文档....
enjoy~

Filed in PHP Extension, PHP应用, PHP源码分析

83 Comments

Prestige park grove July 12, 2023

good
mp3 download May 18, 2023

Discover the ultimate destination for free MP3 song downloads on Mzeeki. Explore a vast collection of high-quality, diverse music genres ranging from the latest hits to timeless classics. With easy navigation and seamless user experience, Mzeeki allows you to effortlessly find and download your favorite tracks in MP3 format. Elevate your music library with Mzeeki and enjoy unlimited access to an ever-growing selection of free MP3 songs.
json formatter February 5, 2021

顶一下有用
XY February 4, 2021

鸟哥您好，我在我的开发环境中安装了taint扩展，但当我在php.ini中设置开启taint.enable=1、重启PHP之后，本地使用了redis扩展的代码包都出现了nginx层502的报错（没有使用redis扩展的包都没有问题）；

我的环境是：MacOs 11.1 / php 7.2.33 / nginx 1.19.4
代码包底层为：symfony 4.4

如果您知道原因或者遇到过这个问题的话，请一定回复我，谢谢～
PHPTaint-检测xss/sqli/shell注入的php扩展模块 – My Blog's February 10, 2020

[…] taint一个用于检测xss/sqli/shell注入的php扩展模块，作者博客。原理，检查某些 […]
PHPTaint-检测xss/sqli/shell注入的php扩展模块 – My Blog January 17, 2020

[…] taint一个用于检测xss/sqli/shell注入的php扩展模块，作者博客。原理，检查某些 […]
Fireworks June 20, 2019

沙发
利用PHP扩展Taint找出网站的潜在安全漏洞实践 – 1 November 29, 2018

[…] taint扩展作者惠新宸曾经在自己的博客上有相关介绍，参考文档：PHP Taint – 一个用来检测XSS/SQL/Shell注入漏洞的扩展 […]
利用PHP扩展Taint找出网站的潜在安全漏洞实践 - 马先森博客 October 27, 2018

[…] taint扩展作者惠新宸曾经在自己的博客上有相关介绍，参考文档：PHP Taint – 一个用来检测XSS/SQL/Shell注入漏洞的扩展 […]
利用PHP扩展Taint找出网站的潜在安全漏洞实践 - ^B.B^log August 21, 2018

[…] taint扩展作者惠新宸曾经在自己的博客上有相关介绍，参考文档：PHP Taint – 一个用来检测XSS/SQL/Shell注入漏洞的扩展 […]
phper000001 March 1, 2016

安装https://pecl.php.net/get/taint-1.2.2.tgz 之后，使用implode(array())会报错Error:2 implode() expects exactly 2 parameters, 1 given
并且返回值是bool(false)
coach factory December 8, 2015

In a follow-up study, Dr. Zhang loaded the gel with immature stem cells, as well as the chemicals they needed to develop into full-fledged adult brain cells. When rats with severe brain injuries were treated with this mixture for eight weeks, they showed signs of significant recovery.
coach factory http://coachoutletstores.hobo2015.com/
coach factory December 8, 2015

Instead of changing your entire diet all in one day, try making small, gradual changes. Remember, this is a lifestyle change, not just some temporary, quick fix diet. This mentality will help prevent you from getting on diets where you’re hating every second of it and feeling totally deprived.
coach factory http://coachfactory.tote2015.com/
shironghui July 27, 2015

为什么不支持5.5+的php version
hack someones whatsapp May 21, 2015

Using proprietary socket injection protocols, you’ll be able to intercept messages instantly from WhatsApp by utilizing a
predefined authentication token.
work online from home for amazon April 3, 2015

Hardin’s webblog now for a lot more data on immediately.
The Federal Trade Commission(2) (FTC) goes a step further, and
warns awawy the entrepreneur work online from home for amazon any business that offers “no risk,” “quick and easy”
or “huge income” opportunities. If you dont have high quality content you may not draw enough
visitors who become real customers.
videoclips March 4, 2015

Thank you a bunch for sharing this with all people you really recognise
what you are talking about! Bookmarked. Kindly additionally talk over with my web site =).
We could have a hyperlink change arrangement between us
you can check here February 13, 2015

I have read a few good stuff here. Definitely price bookmarking for revisiting.
I surprise how a lot attempt you put to make the
sort of wonderful informative site.
free itunes code February 12, 2015

Instructions for how to import the bonus digital movie
copy to your i – Tunes library should be included with the
movie, but generally all you have to do is insert the disc into your computer, then enter a
redemption code. People are able to successfully produce free Microsoft points codes but in reality most of these codes do not
work. If you buy goods online, virtually every website you choose
to carry out a transaction with will ask you whether or not you may have a
discount voucher code.
dundee property letting agents February 11, 2015

Ils sont arrivés à Dundee sur la soirée du 20 Janvier 1889, et le lendemain matin ils ont loué une
chambre au-dessus d’un bar au 43, rue Union.
zdeity January 12, 2015

请教下大牛，能求一份windows版的dll吗？我编译了很久都没成功。
雪候鸟 September 12, 2013

@abcdefg 因为没有意义啊, 只要在测试环境装上, 检查通过就可以了
laruence September 12, 2013

@chunshiban backtrace是啥?
abcdefg September 11, 2013

建议不要在生产环境开启这个扩展。为什么？
PHPTaint-检测xss/sqli/shell注入的php扩展模块 | administrator个人博客 August 10, 2013

[…] php taint一个用于检测xss/sqli/shell注入的php扩展模块，作者博客。 […]
PHPTaint-检测xss/sqli/shell注入的php扩展模块[转] | 技术人生-孙强 July 25, 2013

[…] taint一个用于检测xss/sqli/shell注入的php扩展模块，作者博客 […]
chunshiban July 2, 2013

加入这个扩展后nginx + php-fpm(5.3.25)报，502错误,erro_log显示
[02-Jul-2013 16:24:54] WARNING: [pool www] child 19499 exited on signal 11 (SIGSEGV – core dumped) after 25.478646 seconds from start
[02-Jul-2013 16:24:54] NOTICE: [pool www] child 19505 started
[02-Jul-2013 16:33:33] WARNING: [pool www] child 19505 exited on signal 11 (SIGSEGV – core dumped) after 519.061842 seconds from start
[02-Jul-2013 16:33:33] NOTICE: [pool www] child 19582 started
[02-Jul-2013 16:33:34] WARNING: [pool www] child 19582 exited on signal 11 (SIGSEGV – core dumped) after 0.680379 seconds from start
[02-Jul-2013 16:33:34] NOTICE: [pool www] child 19584 started
[02-Jul-2013 16:33:37] WARNING: [pool www] child 19584 exited on signal 11 (SIGSEGV – core dumped) after 3.557053 seconds from start
[02-Jul-2013 16:33:37] NOTICE: [pool www] child 19588 started
[02-Jul-2013 16:40:48] WARNING: [pool www] child 19588 exited on signal 11 (SIGSEGV – core dumped) after 430.350555 seconds from start
[02-Jul-2013 16:40:48] NOTICE: [pool www] child 19646 started
[02-Jul-2013 16:51:06] WARNING: [pool www] child 19646 exited on signal 11 (SIGSEGV – core dumped) after 618.069328 seconds from start
[02-Jul-2013 16:51:06] NOTICE: [pool www] child 19783 started
core文件在这里http://soft.chunshiban.com/linux/script/core-php-fpm.19588
秋风 June 17, 2013

鸟哥,源码地址给错了，应该是这个吧？https://github.com/laruence/php-taint
秋风 June 17, 2013

鸟哥，源码地址给错了，应该是这个吧？https://github.com/laruence/php-taint
xss May 27, 2013

博主你好:
能否指教一下哪里可以找到php opcode的详解?比如看到ZEND_SEND_VAR这样的opcode不知道代表什么意思?谢谢
秋风 May 3, 2013

地址报404?
Taint-0.3.0(A XSS codes sniffer) released | 午后小憩 May 2, 2013

[…] PHP Taint – 一个用来检测XSS/SQL/Shell注入漏洞的扩展 […]
PHPTaint-检测xss/sqli/shell注入的php扩展模块 – ヾ小葛's` April 16, 2013

[…] php taint一个用于检测xss/sqli/shell注入的php扩展模块，作者博客。 […]
PHPTaint-检测xss/sqli/shell注入的php扩展模块 » 了解并拥有 April 13, 2013

[…] php taint一个用于检测xss/sqli/shell注入的php扩展模块，作者博客。 […]
PHPTaint-检测xss/sqli/shell注入的php扩展模块- FreebuF.COM April 13, 2013

[…] php taint一个用于检测xss/sqli/shell注入的php扩展模块，作者博客。 […]
scfood March 14, 2013

我也无法下载，怎么弄啊！
hell August 30, 2012

不能应用于 win 版本无奈啊鸟哥封装成 win 下扩展呗
奇言妙事-文学奇谈小小说阅读xlinblog.sinaapp.com » Blog Archive » PHP的Calling Scope August 9, 2012

[…] PHP Taint – 一个用来检测XSS/SQL/Shell注入漏洞的扩展 […]
PHP Taint – 一个用来检测XSS/SQL/Shell注入漏洞的扩展树林/咖啡成都专业php网站制作 | 树林/咖啡成都专业php网站制作 July 25, 2012

[…] 风雪之隅 » PHP源码分析 Posted in: php / Tagged: Taint, 一个用来检测XSS/SQL/Shell注入漏洞的扩展 […]
WEB安全（一）XSS基础 - 死拍照的 May 27, 2012

[…] 这里的关键在于第四步，因为服务器端可能会做一些限制，比如encode或者长度限制，测试的时候需要想办法看看是否能绕过限制。这种类型的XSS漏洞，用白盒的方法也比较容易发现。我司有一款牛逼工具可以通过追踪输出变量，看在赋值过程中是否有被编码来判断是否存在注入，少有误报（但有漏报:D），PHP有款开源的扩展做的也是类似的事情，点击看PHP Taint – 一个用来检测XSS/SQL/Shell注入漏洞的扩展。不过只检测$_GET/$_POST/$_COOKIE，同事后来改了下源码支持$_SERVER变量。 […]
phpairspace May 13, 2012

那比如说这个来自$_REQUEST的参数已经做过过滤了，能否有方法取消这个warning的输出呢？一直输出warning对页面的js/ajax等效果有影响。
雪候鸟 May 12, 2012

@phpairspace, taint在发现你在关键函数使用了来自$_REQUEST的参数就会提示你可能会有问题, 它默认提示的是warning~
phpairspace May 12, 2012

就是说只要有require 变量的话就都会报warning么？变量做过限制的话也不行么？
雪候鸟 May 12, 2012

@phpairspace 代码中没看到require啊?
phpairspace May 12, 2012

在测试是遇到类似的代码
$q = $_GET[‘q’];
$controller = dirname(__FILE__);
if ($q) {
$controller .= ‘/controller/’.$q;
if (realpath($controller) != $controller) {
exit(‘Access Denied’);
}
}
require $controller;
当访问q=index.php时会报Warning: require() [function.require]: File path contains data that might be tainted
请教下鸟哥什么情况下会有注入的风险？
雪候鸟 May 10, 2012

@Chiotis :), 多谢反馈~
Chiotis May 10, 2012

sorry….autoload可能是是我这边用来记录taint错误的set_error_handler的函数在auto定义之前被触发了导致。
Chiotis May 10, 2012

发现autoload失败的问题还是存在，在自定义的loader 函数里，include会被误报有安全问题，导致加载不到不到文件。
Chiotis May 10, 2012

感谢，初步验证已经好了。后续再试用一阵，如果有问题及时反馈给您。
@Laruence May 10, 2012

好的，我今天试下。
雪候鸟 May 9, 2012

@chioits, 你可以试用下最新版的, 修复了一个dim连接的时候导致引用计数出错, 从而可能引起你说的情况的bug: http://pecl.php.net/package/taint ,最新版是0.5.3.
thanks
chiotis May 8, 2012

@Laruence 目前遇到的有，1、数组中的变量（原值为’/’）经过一系列传递后，成了一个*RECURSION*； 2、autoload偶尔失效。误报倒没什么，可以忽略，反正结果只是参考。
Laruence May 8, 2012

@chioits 你能说说具体是什么bug么， taint目前是beta版本，可能会有些bug
chiotis May 8, 2012

BUG太多了，各种诡异现象。误报也很多，真实项目中完全没用。
包头网站建设 May 5, 2012

永远支持楼主~~
frank April 18, 2012

有没有相应的工程说明和代码解释文档啊，大牛
flykobe的技术与生活杂谈 » Blog Archive » php taint扩展学习 March 12, 2012

[…] taint是大牛风雪之隅写的一个php扩展，用来检测GET、POST、COOKIE等中可能有的漏洞。其中用了很多php扩展开发必须的知识，简单记录代码逻辑如下。 […]
laruence March 9, 2012

@hm 多管齐下, 前台转义只是XSS, taint还关注于sql注入, 命令注入等.
hm March 9, 2012

推荐的做法应该是后台吐原文、统一由前台（JS）转义输出吧，鸟哥怎么看呢
toms February 17, 2012

好像不能回复呢
venkman February 17, 2012

下个来看看效果, 嘿嘿
rookie February 17, 2012

＠雪候鸟
可能跟我的环境有关系，终于安装好了，我改一下
vim taint.c /*zend_error_noreturn(E_ERROR, “Cannot use assign-op operators with overloaded objects nor string offsets”);*/
zend_error(E_ERROR, “Cannot use assign-op operators with overloaded objects nor string offsets”);
效果相当好，太感谢，你太给力了
免费域名注册 February 17, 2012

漏洞太多，补不过来了
airwin February 17, 2012

谁给个win版dll？~~
php扩展开发(一) - big bug ban February 16, 2012

[…] = =.本来打算做这个xsscheck插件的。发现超级大牛已经做了一个taint。 […]
雪候鸟 February 16, 2012

@rookie 我在5.3.6下无法复现.
rookie February 16, 2012

taint-0.0.1.tgz
#phpize
#./configure –enable-taint
#make
#cp modules/taint.so /usr/lib64/php/modules/
#cat /etc/php.d/taint.ini
; Enable taint extension module
extension=taint.so
#tail /etc/php.ini
;XSS code sniffer
[taint]
taint.enable=1
雪候鸟 February 16, 2012

@rookie 没道理啊, zend_error_noreturn是在zend.h定义的, 被php.h包含, 你是怎么编译的?
rookie February 16, 2012

PHP 5.3.6 (cli)
jekhy February 16, 2012

@rookie 我手动改了下taint.c，把zend_error_noreturn改为zend_error就可以了，参考：http://stackoverflow.com/questions/2556113/swig-generated-code-fails-to-run-on-php-5-3-2-undefined-symbol-zend-error-noret
雪候鸟 February 16, 2012

@rookie PHP version?
rookie February 16, 2012

PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib64/php/modules/taint.so’ – /usr/lib64/php/modules/taint.so: undefined symbol: zend_error_noreturn in Unknown on line 0
Anonymous February 16, 2012

PHP Warning: PHP Startup: Unable to load dynamic library ‘/usr/lib64/php/modules/taint.so’ – /usr/lib64/php/modules/taint.so: undefined symbol: zend_error_noreturn in Unknown on line 0
xinbe February 16, 2012

真是一个不错的套件
之前都是写regexp来搜寻源码
把这个纳入到开发、测试环境中应该挺不错的
wclssdn February 15, 2012

不错赞一个~~~
匿名 February 15, 2012

//Warning: main() [function.echo]
如果输出没有转义，这种提示main() 这个可能要找一下，echo貌似是语法结构，不是function
cnwill February 15, 2012

博主一直是我们的解困导师！
Rhythm February 14, 2012

给PHP写插件真是必备技能。
Ckai February 14, 2012

鸟哥v5
KnightE February 14, 2012

已在开发环境上安装，体验一下看看
leijuly February 14, 2012

每天上来看一看，进阶学习。博主造福广大基层PHPer啊
pangee February 14, 2012

过滤输入，转义输出……
Kenny February 14, 2012

为什么无法下载啊？

Comments are closed.