When your talent can't support your ambition,
then you should calm down and study.
These code audit notes were organized by CE while working through the online experiments, so that they can be referred to later.
Catalog
Code Execution Vulnerability
Tool introduction
Rips tutorial
Summary
Code audit tools help us carry out white-box testing and greatly improve the efficiency of vulnerability analysis and code mining. After a short look at common code audit tools, this article picks the PHP source audit tool RIPS for detailed instructions.
Tool introduction
In static source code security auditing, automation tools assist manual vulnerability mining, and a good code audit tool can significantly improve audit efficiency, so learning to use automated code audit tools is a necessary skill for every code auditor. Code audit tools can be classified by programming language, auditing principle and running environment. Commercial audit software generally supports multiple programming languages, for example VCG and Fortify SCA; its disadvantage is that it is relatively expensive. Other commonly used code audit tools include FindBugs, CodeScan and Seay, but most of them only support the Windows environment. For PHP code auditing, this article only introduces RIPS, a free PHP code audit tool that runs in a Linux environment.
RIPS is an open source automatic code audit tool with strong vulnerability mining ability. It is written in PHP and is used to statically audit the security of PHP code.
VCG (Visual Code Grepper) is a free code security audit tool that supports C/C++, C#, VB, PHP, Java and PL/SQL. It is a dictionary-based detection tool with simple functions that is easy to use.
Fortify SCA (Static Code Analyzer) is a commercial source code audit tool developed by Fortify Software (acquired by HP). It uses its own data flow analysis technology to analyze code vulnerabilities across layers and languages, and currently supports all mainstream development languages.
Rips tutorial
RIPS is a source code analysis tool written in PHP. It uses static analysis to automatically find potential security vulnerabilities in PHP source code, so penetration testers can review the analysis results directly without reading the entire program. Because of the limitations of static source code analysis, whether a reported vulnerability really exists still has to be confirmed by the code reviewer. RIPS can detect XSS, SQL injection, file disclosure, header injection and other vulnerabilities.
Because RIPS is not very fast, auditing the source code of a large CMS takes a lot of time, so after some thought I decided to audit the code downloaded in the previous course. After you have learned how to use the tool, you can download a CMS source package after class and try to analyze it yourself.
This is the main interface of RIPS. Next, I will explain what each option means:
- Subdirs: if this option is checked, all subdirectories will be scanned; otherwise only one directory level will be scanned. Checked by default.
- Verbosity level: selects the detail level of the scan result; the default is 1 (1 is recommended).
- Vuln type: selects the type of vulnerability to scan for. More than ten vulnerability types are supported, such as command injection, code execution and SQL injection. The default is to scan for all of them.
- Code style: selects the display style of the scan results (9 syntax highlighting styles are supported).
- /Regex/: filters the results with a regular expression.
It is worth noting that RIPS is officially supported only in Firefox.
Next, enter the scan directory /var/www/html/codeaudit in the path/file field and click Scan:
As you can see, the scan results are presented in the form of icons, which is very intuitive.
RIPS not only explains the vulnerable code it finds in the scanned course files, but also generates corresponding exploit code. For example, in the figure above a command injection vulnerability in cmdinject1.php (the experimental code from the earlier command injection chapter) was found. Opening the details shows the explanation "Userinput reaches sensitive sink.", meaning that user input reaches a sensitive function (here a command execution function) and causes a command injection vulnerability.
Click the question mark on the left to see an explanation of what a command injection vulnerability is:
Click the red button on the left to generate exploit code. Taking this vulnerability as an example, type uname -a in the Bash field, click Create, and save the generated code as testcode.php:
Run the following command in the directory where testcode.php was saved:
php testcode.php localhost/codeaudit/cmdinject
You can see that the server's version information is returned successfully.
In addition, the help information also provides a solution to the vulnerability:
Limit the input to a very strict character set or build a white list of commands that are allowed to be entered. Don't try to filter malicious commands, attackers can always bypass such filters. Try to avoid using the system command execution function. Example code: $modes = array("r", "w", "a"); if (!in_array($_GET["mode"], $modes)) exit;
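To make the advice concrete, here is an added example (not code from the original post or from RIPS) showing the vulnerable pattern RIPS reports as "Userinput reaches sensitive sink" next to a hardened handler that applies the allow-list check from the help text, a strict character set, and a PHP file API instead of a shell command. The parameter names "mode" and "file" and the data/ directory are assumed for illustration.

```php
<?php
// Added example (not code from the original post or from RIPS). The parameter
// names "mode" and "file" and the data/ directory are assumed for illustration.

// The pattern RIPS reports as "Userinput reaches sensitive sink": a GET
// parameter flows unvalidated into a command-execution function.
function vulnerable_handler(array $get): string
{
    $file = $get['file'] ?? '';
    // Sink: untrusted input concatenated straight into a shell command.
    return (string) shell_exec("cat " . $file);
}

// Hardened version following the RIPS advice: check the input against an
// allow-list of expected values (the in_array() check from the help text) and
// a strict character set, and avoid the shell entirely by using a PHP file API.
function hardened_handler(array $get): string
{
    $modes = array("r", "w", "a");
    $mode = $get['mode'] ?? '';
    // Third argument true: strict comparison, so loose type matches cannot slip through.
    if (!in_array($mode, $modes, true)) {
        http_response_code(400);
        return "invalid mode";
    }
    // File name restricted to a strict character set: no slashes, spaces or
    // shell metacharacters, and at most one dot, so ".." traversal is impossible.
    $file = $get['file'] ?? '';
    if (!preg_match('/^[A-Za-z0-9_-]{1,64}(\.[A-Za-z0-9]{1,8})?$/', $file)) {
        http_response_code(400);
        return "invalid file name";
    }
    $path = __DIR__ . '/data/' . $file;
    $fh = fopen($path, $mode);
    if ($fh === false) {
        http_response_code(404);
        return "cannot open file";
    }
    $content = ($mode === 'r') ? (string) stream_get_contents($fh) : "opened for writing";
    fclose($fh);
    return $content;
}

echo hardened_handler($_GET);
```

Rescanning the hardened file with RIPS should no longer report a command injection sink, because no user input reaches shell_exec() or a similar function at all.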
Once we have mastered it, we will be able to significantly improve our work efficiency!
Keep the knowledge points and problems in mind. If you can't remember or understand something, you can check CE's earlier blog posts. If you can recall all these knowledge points, you can basically get started. Unfortunately, CE is still trying to learn to make a living; when CE finds a job at the end of September, all the knowledge points will be reviewed again and the skills for each knowledge point expanded.
I don't need freedom; I just want to carry her dream.
Step by step, what she gives will never be heavy.