
8.7 11.28-11.31


11.28 Disabling PHP parsing in a specific directory

A directory may allow image uploads, but a user might find a way to upload PHP files into it;

PHP contains some dangerous functions, so if PHP files can be uploaded there is a risk that malicious PHP files (webshells) end up in that directory;

a malicious user could then obtain root privileges on the server, which is extremely dangerous.

Website information leak:

The site's telephone numbers and other information were leaked.

Possible causes:

The attacker may have queried the server's database and obtained the telephone numbers;

the PHP program has a vulnerability, or a SQL injection vulnerability.

SQL injection: the user submits a SQL query through a specially crafted request; the server turns the SQL statement into a normal query, and the attacker obtains the data.

Defending against SQL injection: adding filtering of special characters at the site's submission entry points blocks the SQL injection vulnerability.

Analysis:

Packet capture -> something suspicious is found.

SQL query -> pin down the point in time -> check the web server's access log for that time window -> a suspicious request is found: the other party uploaded a PHP file into a specific directory -> the corresponding directory on the server did not have PHP parsing disabled -> the attacker found a way to upload a malicious PHP file and then accessed it through the browser -> obtained a backdoor and higher privileges -> obtained database privileges -> obtained the data.

Solution:

Configure the corresponding directory so that PHP files are not parsed; if the uploaded malicious PHP file is never parsed, the attacker cannot gain higher privileges.

[root@hyc-01-01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

# </Directory>
# disable PHP parsing under the nophp directory
<Directory /data/wwwroot/111.com/nophp>
    php_admin_flag engine off
    # deny access to any file whose name matches .*\.php(.*)
    <FilesMatch .*\.php(.*)>
        # there is no allow rule, so every matching file is denied
        # (Apache 2.4 equivalent: Require all denied; Order/Deny need mod_access_compat)
        Order allow,deny
        Deny from all
    </FilesMatch>
</Directory>

Test:

1. Deny access to .*\.php(.*) plus disable PHP parsing

[root@hyc-01-01 nophp]# curl -x127.0.0.1:80 "http://111.com/nophp/2.php" -I
HTTP/1.1 403 Forbidden
Date: Wed, 08 Aug 2018 02:08:13 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

2. Disable PHP parsing only

[root@hyc-01-01 nophp]# curl -x127.0.0.1:80 "http://111.com/nophp/2.php"
<?php
echo "error php success"

Because PHP is not parsed, the source code is returned directly.

[root@hyc-01-01 nophp]# !curl
curl -x127.0.0.1:80 "http://111.com/nophp/2.php" -I
HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 02:11:37 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
Last-Modified: Wed, 08 Aug 2018 01:47:44 GMT
ETag: "1f-572e2b2634cea"
Accept-Ranges: bytes
Content-Length: 31
Cache-Control: max-age=0
Expires: Wed, 08 Aug 2018 02:11:37 GMT
Content-Type: application/x-httpd-php

Because 2.php cannot be parsed normally, the browser downloads it instead.

In general, a directory that stores static files should not contain PHP, and PHP parsing should be disabled in such directories.
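The check a practitioner would want after editing the vhost file is whether every upload directory actually carries both protections. The following Python script is an added example, not part of the original notes: it parses a constructed httpd-vhosts.conf excerpt (modelled on the one above, with a second, hypothetical upload directory that was forgotten) and reports, per directory, whether `php_admin_flag engine off` and a deny rule for `*.php*` are present. The function name `audit_upload_dirs` and the `/upload` directory are assumptions for the example.

```python
import re

# Constructed sample vhost config, modelled on the page's httpd-vhosts.conf:
# the nophp directory is protected, the (hypothetical) upload directory is not.
SAMPLE_VHOST_CONF = r"""
<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/111.com"
    ServerName 111.com
    <Directory /data/wwwroot/111.com/nophp>
        php_admin_flag engine off
        <FilesMatch .*\.php(.*)>
            Order allow,deny
            Deny from all
        </FilesMatch>
    </Directory>
    <Directory /data/wwwroot/111.com/upload>
        Options -Indexes
    </Directory>
</VirtualHost>
"""

DIRECTORY_RE = re.compile(r'<Directory\s+"?([^\s">]+)"?\s*>(.*?)</Directory>', re.S | re.I)
ENGINE_OFF_RE = re.compile(r"^\s*php_admin_flag\s+engine\s+off\s*$", re.M | re.I)
FILESMATCH_RE = re.compile(r"<FilesMatch\s+([^>]+)>(.*?)</FilesMatch>", re.S | re.I)
# accept both the 2.2-style rule used above and the 2.4 Require form
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.M | re.I)


def audit_upload_dirs(conf_text, upload_dirs):
    """For each directory that accepts uploads, report whether the vhost
    config both turns the PHP engine off and denies requests for *.php*."""
    blocks = {path.rstrip("/"): body for path, body in DIRECTORY_RE.findall(conf_text)}
    report = {}
    for d in upload_dirs:
        body = blocks.get(d.rstrip("/"), "")  # no block at all -> nothing protects it
        engine_off = bool(ENGINE_OFF_RE.search(body))
        php_denied = any(
            ".php" in pattern and DENY_RE.search(inner)
            for pattern, inner in FILESMATCH_RE.findall(body)
        )
        report[d] = {"engine_off": engine_off, "php_denied": php_denied,
                     "ok": engine_off and php_denied}
    return report


if __name__ == "__main__":
    dirs = ["/data/wwwroot/111.com/nophp", "/data/wwwroot/111.com/upload"]
    for d, r in audit_upload_dirs(SAMPLE_VHOST_CONF, dirs).items():
        print(d, r)
```

Both checks are reported separately because they fail independently: `engine off` alone still serves the file's source (the 200 OK case above), while a FilesMatch deny alone leaves the engine on for any name the pattern misses.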

11.29 Restricting user_agent

user_agent: the browser identifier.

CC attacks:

A site is sometimes hit by a CC attack: the attacker uses software or "zombie" hosts and, when attacking a site, makes all the zombies access it at the same time, so that the site cannot cope with the load.

Typically the requests of a CC attack share the same user_agent, and they arrive at a high rate, often n requests per second.

Solution:

Restrict by user_agent to relieve the pressure on the server.

The other side receives status code 403 when it accesses the site, so it has little impact on server resources: the other side has only sent a request, and the bandwidth consumed is small too.

Use the mod_rewrite module.

[root@hyc-01-01 nophp]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

<IfModule mod_rewrite.c>
    RewriteEngine on
    # conditions on the user_agent:
    # OR means either condition may match (the second or the third line); without OR
    # the conditions are ANDed, and a user_agent cannot match both curl and baidu.com
    # NC ignores case; user_agents often contain upper-case letters (e.g. Mozilla/5.0)
    RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
    RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
    # F = Forbidden (403): refuse the request
    RewriteRule .* - [F]
</IfModule>

Test:

Before the configuration takes effect:

[root@hyc-01-01 logs]# curl -x127.0.0.1:80 "http://111.com/123.php"
hello world

After it takes effect:

[root@hyc-01-01 logs]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@hyc-01-01 logs]# /usr/local/apache2.4/bin/apachectl graceful
[root@hyc-01-01 logs]# curl -x127.0.0.1:80 "http://111.com/123.php" -I
HTTP/1.1 403 Forbidden
Date: Wed, 08 Aug 2018 03:57:35 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

Log entries:

127.0.0.1 - - [08/Aug/2018:11:56:13 +0800] "GET http://111.com/123.php HTTP/1.1" 200 11 "-" "curl/7.29.0"
127.0.0.1 - - [08/Aug/2018:11:57:35 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.31.1 - - [08/Aug/2018:12:00:51 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)"

Use the -A option to specify the user_agent:

[root@hyc-01-01 logs]# curl -A "hyc hyc" -x127.0.0.1:80 "http://111.com/123.php"
hello world

With a user_agent specified, the request succeeds.

[root@hyc-01-01 logs]# tail -20 /usr/local/apache2.4/logs/111.com-access_20180808.log
127.0.0.1 - - [08/Aug/2018:12:19:00 +0800] "GET http://111.com/123.php HTTP/1.1" 200 11 "-" "hyc hyc"

[root@hyc-01-01 logs]# curl -e "http://111.com" -A "hyc hyc" -x127.0.0.1:80 "http://111.com/123.php"
hello world[root@hyc-01-01 logs]# tail -1 /usr/local/apache2.4/logs/111.com-access_20180808.log
127.0.0.1 - - [08/Aug/2018:12:23:09 +0800] "GET http://111.com/123.php HTTP/1.1" 200 11 "http://111.com" "hyc hyc"
[root@hyc-01-01 logs]#

-e specifies the referer, -A the user_agent, -x the proxy (so /etc/hosts need not be edited), and -I shows only the status line and headers, not the response body.
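The notes above describe CC traffic as many requests per second from the same user_agent, and show the 403 entries the rewrite rule leaves in the access log. The following Python script is an added example, not part of the original notes: it parses constructed combined-format log lines (modelled on the entries above, plus a made-up burst from 10.0.0.9) and flags (ip, user_agent) pairs that exceed a per-second threshold, and separately tallies which user_agents were refused with 403. The function names and the `cc-bot` user_agent are assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log lines in Apache's "combined" format, modelled on the
# entries shown above; the burst from 10.0.0.9 is made up to simulate CC traffic.
SAMPLE_LOG = """\
127.0.0.1 - - [08/Aug/2018:11:56:13 +0800] "GET http://111.com/123.php HTTP/1.1" 200 11 "-" "curl/7.29.0"
127.0.0.1 - - [08/Aug/2018:11:57:35 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.31.1 - - [08/Aug/2018:12:00:51 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1)"
10.0.0.9 - - [08/Aug/2018:12:01:00 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (cc-bot)"
10.0.0.9 - - [08/Aug/2018:12:01:00 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (cc-bot)"
10.0.0.9 - - [08/Aug/2018:12:01:00 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (cc-bot)"
10.0.0.9 - - [08/Aug/2018:12:01:00 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (cc-bot)"
10.0.0.9 - - [08/Aug/2018:12:01:01 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (cc-bot)"
"""

# ip ident user [timestamp] "request" status size "referer" "user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def requests_per_second(log_text):
    """Count requests per (client ip, user_agent, second). The timestamp has
    one-second resolution, so the timestamp string itself is the bucket key."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            counts[(rec["ip"], rec["ua"], rec["ts"])] += 1
    return counts


def find_bursts(log_text, threshold=3):
    """Return sorted (ip, user_agent) pairs that sent more than `threshold`
    requests within any single second, the pattern the notes describe."""
    flagged = set()
    for (ip, ua, ts), n in requests_per_second(log_text).items():
        if n > threshold:
            flagged.add((ip, ua))
    return sorted(flagged)


def blocked_user_agents(log_text):
    """Tally user_agents whose requests got 403, i.e. those the rewrite rule refused."""
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["status"] == "403":
            hits[rec["ua"]] += 1
    return dict(hits)


if __name__ == "__main__":
    print("bursts:", find_bursts(SAMPLE_LOG))
    print("403 by user_agent:", blocked_user_agents(SAMPLE_LOG))
```

The threshold is deliberately a parameter: a one-second bucket over a single log file is enough to see the shape of the traffic, but the rate that counts as abnormal depends on the site, so tune it against a normal day's log before turning the finding into a RewriteCond.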

11.30 PHP-related configuration (part 1)

Location of the PHP configuration file:

1. Via the browser

To find the php.ini used by the PHP module the site runs on:

create a phpinfo page in the site's directory;

open the page in the browser and read the configuration file path from it.

Operation:

[root@hyc-01-01 111.com]# touch phpinfo
[root@hyc-01-01 111.com]# vim phpinfo
<?php
phpinfo();

2. Run php -i

In some cases the path found with php -i is not accurate.

Apache uses PHP as a module, while php -i looks up a php executable, which may have nothing to do with the PHP module Apache uses;

the path found this way is often inaccurate: sometimes the php.ini it reports and the php.ini of the PHP module used by Apache are not the same file.

The phpinfo page shows the configuration file path of the PHP module, but no configuration file is loaded.

Loading the configuration file:

Copy the configuration file from the PHP source package to the configuration path:

[root@hyc-01-01 php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini

Reload the Apache configuration:

[root@hyc-01-01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful

The PHP module's configuration file is now loaded successfully.

PHP-related settings:

[root@hyc-01-01 php-7.1.6]# cd /usr/local/php7/etc/
[root@hyc-01-01 etc]# vim php.ini

Restricting functions (disabling some PHP functions):

; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo

; This directive allows you to disable certain classes for security reasons.

The disabled functions also include phpinfo.

[root@hyc-01-01 etc]# /usr/local/apache2.4/bin/apachectl graceful

Visiting the page now reports that phpinfo() has been disabled.

date.timezone (defines the time zone):

If it is not defined, warning messages sometimes appear.

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = Asia/Shanghai

Sets the local time zone to Shanghai.

display_errors (shows error messages directly in the browser):

; Production Value: Off
; http://php.net/display-errors
display_errors = Off

On turns it on; with Off, error messages are not sent to the browser.

Test:

[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/phpinfo.php"
[root@hyc-01-01 etc]#

No error message is printed.

With this configuration the web page shows no error message at all, and the curl test shows none either; that is unreasonable, so a few error-log settings have to be configured:

[root@hyc-01-01 etc]# vim /usr/local/php7/etc/php.ini

; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; http://php.net/error-reporting
error_reporting = E_ALL & ~E_NOTICE

Defines the error-log level. The default is E_ALL, which records every error message and is the least selective; the level above is the one commonly used in production.

In production NOTICE messages are very frequent, and a NOTICE does not necessarily mean something is wrong.

; This directive controls whether or not and where PHP will output errors,
; notices and warnings too. Error output is very useful during development, but

; http://php.net/log-errors
log_errors = On

Turns on error logging.

; Set maximum length of log_errors. In error_log information about the source

; Example:
error_log = /tmp/php_errors.log
; Log errors to syslog (Event Log on Windows).
;error_log = syslog

Sets the path where the error log is saved.
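The settings above (disable_functions, date.timezone, display_errors, error_reporting, log_errors, error_log) are the ones worth re-checking after every php.ini edit. The following Python script is an added example, not part of the original notes: it reads a constructed php.ini excerpt with development-style values next to the corrected values from these notes, and lists which settings would show errors in the browser, log nothing, or leave the listed functions enabled. The `EXPECTED_DISABLED` set is a subset of the page's disable_functions list chosen for the example; the function names are assumptions.

```python
# Constructed php.ini excerpt written with the weak (development) values on
# purpose, so the audit has something to flag.
WEAK_INI = """
; development-style settings
display_errors = On
log_errors = Off
;error_log = /tmp/php_errors.log
error_reporting = E_ALL
disable_functions =
date.timezone =
"""

# The corrected values from the notes above.
HARDENED_INI = """
display_errors = Off
log_errors = On
error_log = /tmp/php_errors.log
error_reporting = E_ALL & ~E_NOTICE
disable_functions = eval,assert,popen,passthru,exec,system,shell_exec,proc_open,phpinfo
date.timezone = Asia/Shanghai
"""

# A subset of the functions the notes put in disable_functions; chosen for the
# example as the ones a reviewer would expect disabled on a web server.
EXPECTED_DISABLED = {"exec", "system", "shell_exec", "passthru", "proc_open", "popen", "phpinfo"}


def parse_ini(text):
    """Minimal php.ini reader: skips ';' comments, [sections] and blank lines,
    keeps the last assignment of each key, strips surrounding quotes."""
    settings = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("["):
            continue
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip().strip('"')
    return settings


def is_off(value):
    return value.lower() in ("off", "0", "false", "")


def audit_php_ini(text):
    """Return a list of findings; an empty list means every checked setting is sane.
    A missing display_errors is treated as On (PHP's built-in default); a missing
    log_errors is treated as Off so that an unset value is still reported."""
    s = parse_ini(text)
    findings = []
    if not is_off(s.get("display_errors", "On")):
        findings.append("display_errors should be Off: errors would be shown in the browser")
    if is_off(s.get("log_errors", "Off")):
        findings.append("log_errors should be On so errors reach a log file")
    if not s.get("error_log"):
        findings.append("error_log is unset: nothing will be written anywhere")
    disabled = {f.strip() for f in s.get("disable_functions", "").split(",") if f.strip()}
    missing = sorted(EXPECTED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions is missing: " + ", ".join(missing))
    if not s.get("date.timezone"):
        findings.append("date.timezone is unset: date functions will emit warnings")
    return findings


if __name__ == "__main__":
    for name, ini in (("weak", WEAK_INI), ("hardened", HARDENED_INI)):
        print(name, audit_php_ini(ini) or ["ok"])
```

Run it against the real file with `audit_php_ini(open("/usr/local/php7/etc/php.ini").read())`; as the notes point out, make sure that path is the php.ini the Apache module loads, not the one `php -i` reports.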

Test:

[root@hyc-01-01 etc]# curl -x127.0.0.1:80 "http://111.com/phpinfo.php" -I
HTTP/1.1 403 Forbidden
Date: Wed, 08 Aug 2018 12:37:04 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1

The user_agent (curl) is blocked, so access is refused (403); this is an error from httpd itself.

[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/phpinfo.php" -I
HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 12:37:23 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Cache-Control: max-age=0
Expires: Wed, 08 Aug 2018 12:37:23 GMT
Content-Type: text/html; charset=UTF-8
[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/phpinfo.php"

With user_agent "a" specified, the request goes through, but because phpinfo() is disabled in the PHP module's php.ini no information comes back;

and because php.ini has display_errors = Off, no error message is shown either.

Check the PHP module's error log at the path set by error_log = /tmp/php_errors.log in php.ini:

[root@hyc-01-01 tmp]# ls -l php_errors.log
-rw-r--r-- 1 daemon daemon 882 8 8 20:37 php_errors.log
[root@hyc-01-01 tmp]# ps aux|grep httpd
root 27204 0.0 1.4 259560 14380 ? Ss 807 0:10 /usr/local/apache2.4/bin/httpd -k start
daemon 42583 0.0 0.8 546388 8992 ? Sl 20:21 0:00 /usr/local/apache2.4/bin/httpd -k start
daemon 42584 0.0 0.8 546388 8992 ? Sl 20:21 0:00 /usr/local/apache2.4/bin/httpd -k start
daemon 42585 0.0 1.4 1017812 14256 ? Sl 20:21 0:00 /usr/local/apache2.4/bin/httpd -k start
root 42695 0.0 0.0 112720 984 pts/0 S+ 20:48 0:00 grep --color=auto httpd

The error log file is created by daemon, the user the httpd service runs as.

php_errors.log is owned by daemon, and daemon is in fact the user httpd runs as;

if all the settings above are in place but the error log file never appears at the given path, check the permissions of the directory it should be created in (does daemon have write permission there?);

alternatively, create php_errors.log by hand, then change its owner to daemon and its mode to 777 (write access for daemon is what matters; 777 is broader than needed).

[root@hyc-01-01 tmp]# cat php_errors.log
[08-Aug-2018 20:31:39 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
[08-Aug-2018 20:31:52 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
[08-Aug-2018 20:32:02 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
[08-Aug-2018 20:36:36 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
[08-Aug-2018 20:37:23 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
[08-Aug-2018 20:37:34 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2

Create a new file under /data/wwwroot/111.com:

[root@hyc-01-01 111.com]# vim 3.php
<?php
echo "hytjopfj"
jaeafdjhphngiqe

[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/3.php" -I
HTTP/1.0 500 Internal Server Error
Date: Wed, 08 Aug 2018 13:29:51 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8

The page file contains a syntax error, which produces the 500.

[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/3.php"
[root@hyc-01-01 tmp]# cat php_errors.log
[08-Aug-2018 21:29:51 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'jaeafdjhphngiqe' (T_STRING), expecting ',' or ';' in /data/wwwroot/111.com/3.php on line 3
[08-Aug-2018 21:30:05 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'jaeafdjhphngiqe' (T_STRING), expecting ',' or ';' in /data/wwwroot/111.com/3.php on line 3

11.31 PHP-related configuration (part 2)

Security option open_basedir

One server runs n sites; some of them may have flawed code and get hacked. After hacking one site, the attacker keeps attacking to try to get into the other sites running on the server, so once some sites on a server are compromised, the others, not yet compromised, are at risk too.

On one server, isolate site a's directory a from site b's directory b: after compromising directory a, the attacker cannot go on to compromise site b, having no permission to enter directory b.

Even if a server runs only one site, it is still necessary to isolate that site's directory from the other directories, so that if the site is hacked the whole server system is not compromised.

Operation:

[root@hyc-01-01 etc]# vim php.ini

; or per-virtualhost web server configuration file.
; http://php.net/open-basedir
open_basedir = /data/wwwroot/1111.com:/tmp

The directory is deliberately misspelled (1111.com instead of 111.com) to provoke an error.

Test:

[root@hyc-01-01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@hyc-01-01 111.com]# curl -A "a" -x127.0.0.1:80 "http://111.com/123.php"
[root@hyc-01-01 111.com]# curl -A "a" -x127.0.0.1:80 "http://111.com/123.php" -I
HTTP/1.0 500 Internal Server Error
Date: Wed, 08 Aug 2018 14:37:28 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
[root@hyc-01-01 111.com]# tail -5 /tmp/php_errors.log
[08-Aug-2018 22:30:48 Asia/Shanghai] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[08-Aug-2018 22:30:48 Asia/Shanghai] PHP Fatal error: Unknown: Failed opening required '/data/wwwroot/111.com/123.php' (include_path='.:/usr/local/php7/lib/php') in Unknown on line 0
[08-Aug-2018 22:35:16 Asia/Shanghai] PHP Warning: Unknown: open_basedir restriction in effect. File(/data/wwwroot/111.com/123.php) is not within the allowed path(s): (/data/wwwroot/1111.com:/tmp) in Unknown on line 0
[08-Aug-2018 22:35:16 Asia/Shanghai] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[08-Aug-2018 22:35:16 Asia/Shanghai] PHP Fatal error: Unknown: Failed opening required '/data/wwwroot/111.com/123.php' (include_path='.:/usr/local/php7/lib/php') in Unknown on line 0

The "open_basedir restriction in effect" lines (highlighted in red in the original) show that 123.php is not inside a directory allowed by open_basedir.

After changing the 1111.com directory in open_basedir in php.ini to 111.com, access the page again:

[root@hyc-01-01 etc]# /usr/local/apache2.4/bin/apachectl graceful
[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/123.php" -I
HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 14:43:15 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Cache-Control: max-age=0
Expires: Wed, 08 Aug 2018 14:43:15 GMT
Content-Type: text/html; charset=UTF-8

The request now succeeds.

[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/123.php"
hello world[root@hyc-01-01 etc]#

The open_basedir set in the PHP module's php.ini applies to every site on the server and cannot be restricted precisely per site.

Configuring open_basedir in the httpd virtual host configuration file:

Restrict a different open_basedir for each virtual host.

[root@hyc-01-01 etc]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf

(excerpt from the abc.com virtual host:)

<VirtualHost *:80>
    DocumentRoot "/data/wwwroot/abc.com"
    ServerName abc.com
    ServerAlias www.abc.com www.123.comi
    ErrorLog "logs/abc.com-error_log"
    CustomLog "logs/abc.com-access_log" common
    php_admin_value open_basedir "/data/wwwroot/abc.com:/tmp/"

(excerpt from the 111.com virtual host:)

    # AuthUserFile /data/.htpasswd
    # require valid-user
    # </Directory>
    php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
    <Directory /data/wwwroot/111.com/nophp>
        php_admin_flag engine off
        # <FilesMatch (.*)\.php(.*)>

php_admin_value: sets parameters from php.ini, such as open_basedir, error_log and error_reporting, from the vhost configuration.

/data/wwwroot/111.com:/tmp/: /tmp is allowed in open_basedir because the site's temporary files are written under /tmp. When a user uploads an image to the site, the image is first stored temporarily in /tmp and then moved into the site's directory; if access to /tmp were restricted, the site could not accept image uploads.
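To make the open_basedir behaviour seen in the two tests above concrete, here is a small Python model of the check. It is an added example, not part of the original notes and not PHP's own code: it normalises a requested file path, splits the open_basedir value on ":" as on Unix, and accepts the path only if it is one of the listed directories or lies beneath one. It reproduces the mistyped 1111.com case, the corrected per-vhost value, the reason /tmp must stay listed, and a `..` traversal out of the site directory; the function names are assumptions, and symlink resolution (which real PHP performs) is left out.

```python
import posixpath


def parse_open_basedir(value):
    """Split a php.ini / php_admin_value open_basedir string on ':' (the Unix
    separator) and normalise each entry to an absolute directory path."""
    return [posixpath.normpath(p) for p in value.split(":") if p.strip()]


def is_allowed(path, open_basedir):
    """Model of the open_basedir check: the normalised file path must be one of
    the allowed directories itself or lie beneath it. Modern PHP (5.3.4+) treats
    each entry as a directory name, so /data/wwwroot/111.com does not also admit
    /data/wwwroot/1111.com. Symlink resolution, which real PHP performs via
    realpath, is deliberately omitted in this model."""
    target = posixpath.normpath(path)
    for base in parse_open_basedir(open_basedir):
        if target == base or target.startswith(base.rstrip("/") + "/"):
            return True
    return False


def explain(path, open_basedir):
    """Reproduce the gist of the php_errors.log warning shown above."""
    if is_allowed(path, open_basedir):
        return "allowed: %s" % path
    return ("open_basedir restriction in effect. File(%s) is not within the "
            "allowed path(s): (%s)" % (path, open_basedir))


if __name__ == "__main__":
    # The mistyped setting from the notes, then the corrected per-vhost value.
    for conf in ("/data/wwwroot/1111.com:/tmp", "/data/wwwroot/111.com:/tmp/"):
        print(explain("/data/wwwroot/111.com/123.php", conf))
    # A traversal out of the site directory is normalised first and refused.
    print(explain("/data/wwwroot/111.com/../abc.com/index.php", "/data/wwwroot/111.com:/tmp/"))
    # The upload temp file in /tmp stays reachable, which is why /tmp is listed.
    print(explain("/tmp/phpAbC123", "/data/wwwroot/111.com:/tmp/"))
```

The per-vhost value is what makes the isolation described above work: with `/data/wwwroot/111.com:/tmp/` in the 111.com vhost and `/data/wwwroot/abc.com:/tmp/` in the abc.com vhost, code running under one site cannot open files under the other, while both keep the shared /tmp needed for uploads.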

