8.7 11.28-11.31
Suppose a directory allows image uploads; a user may find some way to upload PHP files into that directory.
PHP includes some dangerous functions, so if PHP uploads are permitted, malicious PHP files may be uploaded there.
This could let a malicious user obtain root privileges on the server, which is very dangerous.
Website information leakage:
Information such as the site's phone numbers is leaked.
Possible causes:
The attacker may have queried the server's database and obtained the phone numbers.
The PHP application has a vulnerability, or a SQL injection vulnerability.
SQL injection: the user submits SQL query statements to the server through specially crafted input; the server turns the SQL statement into a normal query and returns the data.
Preventing SQL injection: adding filtering of special characters at the site's input entry points blocks SQL injection vulnerabilities.
Analysis:
Capture packets and analyse them -> find anything suspicious.
Solution:
Configure the corresponding directory so that PHP files are not parsed; if an uploaded malicious PHP file is never parsed, the attacker cannot gain higher privileges.
[root@hyc-01-01 111.com]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
…
# </Directory>
<Directory /data/wwwroot/111.com/nophp>
php_admin_flag engine off          disable PHP parsing under the nophp directory
<FilesMatch (.*)\.php(.*)>         deny access to files matching (.*)\.php(.*)
Order allow,deny
Deny from all                      with no allow rule, everything that matches is denied
</FilesMatch>
</Directory>
…
Test:
1 Access to (.*)\.php(.*) denied + parsing disabled
[root@hyc-01-01 nophp]# curl -x127.0.0.1:80 "http://111.com/nophp/2.php" -I
HTTP/1.1 403 Forbidden
Date: Wed, 08 Aug 2018 02:08:13 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
2 Parsing disabled only
[root@hyc-01-01 nophp]# curl -x127.0.0.1:80 "http://111.com/nophp/2.php"
<?php
echo "error php success"          PHP is not parsed, so the source code is shown as-is
[root@hyc-01-01 nophp]# !curl
curl -x127.0.0.1:80 "http://111.com/nophp/2.php" -I
HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 02:11:37 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
Last-Modified: Wed, 08 Aug 2018 01:47:44 GMT
ETag: "1f-572e2b2634cea"
Accept-Ranges: bytes
Content-Length: 31
Cache-Control: max-age=0
Expires: Wed, 08 Aug 2018 02:11:37 GMT
Content-Type: application/x-httpd-php
Because 2.php cannot be parsed normally, it is simply served for download:
In general, a directory that stores static files should not hold PHP at all, so PHP parsing should be disabled for such directories.
11.29 Restricting user_agent
user_agent: the browser identifier.
CC attacks:
Sometimes a site suffers a CC attack: the attacker uses software or "zombie" hosts and, when targeting a site, has all the zombies visit it at the same time until the site can no longer handle the traffic.
Usually the user_agent in a CC attack is identical, i.e. every request carries the same user_agent, and the request rate is high, typically n requests per second.
Solution:
Restrict by user_agent to relieve the load on the server.
The other side receives status code 403, so it has little impact on server resources: only a request is sent, and bandwidth consumption stays small.
Use the mod_rewrite module:
[root@hyc-01-01 nophp]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
…
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} .*curl.* [NC,OR]
RewriteCond %{HTTP_USER_AGENT} .*baidu.com.* [NC]
Defining the user_agent conditions:
OR means "or": the user_agent matches the condition on either the second or the third line. Without OR the conditions are ANDed, but a user_agent cannot match both curl and baidu.com at once.
NC ignores case; a user_agent often contains some upper-case letters (Mozilla/5.0).
RewriteRule .* - [F]
F means Forbidden (403): the request is refused.
</IfModule>
…
Test:
Before the configuration takes effect:
[root@hyc-01-01 logs]# curl -x127.0.0.1:80 "http://111.com/123.php"
hello world
After it takes effect:
[root@hyc-01-01 logs]# /usr/local/apache2.4/bin/apachectl -t
Syntax OK
[root@hyc-01-01 logs]# /usr/local/apache2.4/bin/apachectl graceful
[root@hyc-01-01 logs]# curl -x127.0.0.1:80 "http://111.com/123.php" -I
HTTP/1.1 403 Forbidden
Date: Wed, 08 Aug 2018 03:57:35 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
Log entries:
127.0.0.1 - - [08/Aug/2018:11:56:13 +0800] "GET http://111.com/123.php HTTP/1.1" 200 11 "-" "curl/7.29.0"
127.0.0.1 - - [08/Aug/2018:11:57:35 +0800] "HEAD http://111.com/123.php HTTP/1.1" 403 - "-" "curl/7.29.0"
192.168.31.1 - - [08/Aug/2018:12:00:51 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; .NET4.0C; .NET4.0E; InfoPath.3)"
Use the -A option to specify the user_agent:
[root@hyc-01-01 logs]# curl -A "hyc hyc" -x127.0.0.1:80 "http://111.com/123.php"
hello world          access works once a different user_agent is specified
[root@hyc-01-01 logs]# tail -20 /usr/local/apache2.4/logs/111.com-access_20180808.log
…
127.0.0.1 - - [08/Aug/2018:12:19:00 +0800] "GET http://111.com/123.php HTTP/1.1" 200 11 "-" "hyc hyc"
[root@hyc-01-01 logs]# curl -e "http://111.com" -A "hyc hyc" -x127.0.0.1:80 "http://111.com/123.php"
hello world[root@hyc-01-01 logs]# tail -1 /usr/local/apache2.4/logs/111.com-access_20180808.log
127.0.0.1 - - [08/Aug/2018:12:23:09 +0800] "GET http://111.com/123.php HTTP/1.1" 200 11 "http://111.com" "hyc hyc"
[root@hyc-01-01 logs]#
-e sets the referer, -A sets the user_agent, -x specifies the proxy so no hosts entry is needed, -I shows only the status line and headers, not the body.
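As an added example (not from the original notes), the following Python script applies this section's detection idea to access-log lines in the same combined format as above: it flags any user agent with many requests inside a single second, and reproduces the two RewriteCond conditions so a suspect user agent can be checked against the rule before it is deployed. The log lines, IP addresses and the threshold of 5 requests per second are constructed assumptions for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed access-log sample in the same combined format as the log above:
# two ordinary visitors, one curl request, and six hits in one second from a single
# user agent (the pattern the section describes). 192.0.2.0/24 is a documentation range.
SAMPLE_LOG = """\
192.0.2.10 - - [08/Aug/2018:12:00:51 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/61.0"
127.0.0.1 - - [08/Aug/2018:12:19:00 +0800] "GET http://111.com/123.php HTTP/1.1" 200 11 "-" "curl/7.29.0"
192.0.2.20 - - [08/Aug/2018:12:20:00 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (compatible; flood)"
192.0.2.21 - - [08/Aug/2018:12:20:00 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (compatible; flood)"
192.0.2.22 - - [08/Aug/2018:12:20:00 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (compatible; flood)"
192.0.2.23 - - [08/Aug/2018:12:20:00 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (compatible; flood)"
192.0.2.24 - - [08/Aug/2018:12:20:00 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (compatible; flood)"
192.0.2.25 - - [08/Aug/2018:12:20:00 +0800] "GET /123.php HTTP/1.1" 200 11 "-" "Mozilla/5.0 (compatible; flood)"
192.0.2.11 - - [08/Aug/2018:12:20:01 +0800] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/68.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')

# The two RewriteCond patterns above, evaluated the way Apache does: unanchored regex
# search, [NC] case-insensitive, [OR] between them. The unescaped '.' in baidu.com is
# kept as on the page; it matches any character, not only a literal dot.
BLOCKED_UA = [re.compile(".*curl.*", re.I), re.compile(".*baidu.com.*", re.I)]

def ua_blocked(ua):
    """True if the RewriteRule .* - [F] would answer this User-Agent with 403."""
    return any(p.search(ua) for p in BLOCKED_UA)

def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    return [m.groupdict() for m in map(LOG_RE.match, text.splitlines()) if m]

def bursty_user_agents(entries, per_second=5):
    """Map each User-Agent to its peak requests in any single second, keeping only
    those at or above the threshold (the CC pattern: identical UA, many hits per second)."""
    hits = defaultdict(Counter)
    for e in entries:
        hits[e["ua"]][e["ts"]] += 1          # the log timestamp has one-second resolution
    return {ua: max(c.values()) for ua, c in hits.items() if max(c.values()) >= per_second}
```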
11.30 PHP-related configuration (part 1)
Location of the PHP configuration file:
1 Through the browser
Find the php.ini used by the PHP module the site runs on:
Create a phpinfo page in the site's directory;
open that page in the browser to find the configuration file path.
Steps:
[root@hyc-01-01 111.com]# touch phpinfo
[root@hyc-01-01 111.com]# vim phpinfo
<?php
phpinfo();
2 Run php -i
In some cases the path found with php -i is not accurate.
Apache uses PHP as a module, whereas php -i queries a PHP program that may have nothing to do with the PHP module Apache loads;
so the path found this way is often wrong: the php.ini it reports and the php.ini used by Apache's PHP module may be different files.
The screenshot above shows the PHP module's configuration file path, but no configuration file is loaded.
Loading a configuration file:
Copy a configuration file from the PHP source package to the configuration file path:
[root@hyc-01-01 php-7.1.6]# cp php.ini-development /usr/local/php7/etc/php.ini
Reload the Apache configuration:
[root@hyc-01-01 php-7.1.6]# /usr/local/apache2.4/bin/apachectl graceful
The PHP module's configuration file is now loaded.
PHP-related settings:
[root@hyc-01-01 php-7.1.6]# cd /usr/local/php7/etc/
[root@hyc-01-01 etc]# vim php.ini
Restricting functions (disabling some PHP functions):
…
; It receives a comma-delimited list of function names.
; http://php.net/disable-functions
disable_functions = eval,assert,popen,passthru,escapeshellarg,escapeshellcmd,passthru,exec,system,chroot,scandir,chgrp,chown,escapeshellcmd,escapeshellarg,shell_exec,proc_get_status,ini_alter,ini_restore,dl,pfsockopen,openlog,syslog,readlink,symlink,leak,popepassthru,stream_socket_server,popen,proc_open,proc_close,phpinfo

; This directive allows you to disable certain classes for security reasons.
…
The disabled functions also include phpinfo.
[root@hyc-01-01 etc]# /usr/local/apache2.4/bin/apachectl graceful
Accessing the page now reports that phpinfo() has been disabled.
date.timezone (defines the time zone):
If it is not defined, warnings sometimes appear.
…

[Date]
; Defines the default timezone used by the date functions
; http://php.net/date.timezone
date.timezone = Asia/Shanghai          set the time zone to Shanghai

…
display_errors (shows error messages directly in the browser):
…
; Production Value: Off
; http://php.net/display-errors
display_errors = Off          On enables it; with Off, error messages are not sent to the browser

…
Test:
[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/phpinfo.php"
[root@hyc-01-01 etc]#          no error output
With this configuration the web page shows no error messages at all, and the curl test reports nothing either. That is not workable, so several error-log settings need to be configured:
[root@hyc-01-01 etc]# vim /usr/local/php7/etc/php.ini
; Production Value: E_ALL & ~E_DEPRECATED & ~E_STRICT
; http://php.net/error-reporting
error_reporting = E_ALL & ~E_NOTICE
Defines the error-reporting level. The default is E_ALL, which records every error message and is the least selective; the level above is the one commonly used in production.
NOTICEs are very frequent in production, and a NOTICE does not necessarily mean something is wrong.

; This directive controls whether or not and where PHP will output errors,
; notices and warnings too. Error output is very useful during development, but
…
; http://php.net/log-errors
log_errors = On          enable error logging

; Set maximum length of log_errors. In error_log information about the source
…
; Example:
error_log = /tmp/php_errors.log          path where the error log is saved
; Log errors to syslog (Event Log on Windows).
;error_log = syslog
…
Test:
[root@hyc-01-01 etc]# curl -x127.0.0.1:80 "http://111.com/phpinfo.php" -I
HTTP/1.1 403 Forbidden          the user_agent (curl) is blocked, so access is denied (403); this error comes from httpd
Date: Wed, 08 Aug 2018 12:37:04 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
Content-Type: text/html; charset=iso-8859-1
[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/phpinfo.php" -I
HTTP/1.1 200 OK
Date: Wed, 08 Aug 2018 12:37:23 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Cache-Control: max-age=0
Expires: Wed, 08 Aug 2018 12:37:23 GMT
Content-Type: text/html; charset=UTF-8
[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/phpinfo.php"
The user_agent was set to a, but because phpinfo() is disabled in the PHP module's php.ini, no information is returned;
and because php.ini sets display_errors = Off, no error message is shown.
Look at the PHP module's error log at the path defined by error_log = /tmp/php_errors.log in php.ini:
[root@hyc-01-01 tmp]# ls -l php_errors.log
-rw-r--r-- 1 daemon daemon 882 8月 8 20:37 php_errors.log
[root@hyc-01-01 tmp]# ps aux|grep httpd
root 27204 0.0 1.4 259560 14380 ? Ss 8月07 0:10 /usr/local/apache2.4/bin/httpd -k start
daemon 42583 0.0 0.8 546388 8992 ? Sl 20:21 0:00 /usr/local/apache2.4/bin/httpd -k start
daemon 42584 0.0 0.8 546388 8992 ? Sl 20:21 0:00 /usr/local/apache2.4/bin/httpd -k start
daemon 42585 0.0 1.4 1017812 14256 ? Sl 20:21 0:00 /usr/local/apache2.4/bin/httpd -k start
root 42695 0.0 0.0 112720 984 pts/0 S+ 20:48 0:00 grep --color=auto httpd
The error log file is created by the user httpd runs as, daemon;
php_errors.log is owned by daemon, and daemon is in fact the owner of the httpd worker processes.
If everything above is configured but the error log never appears at the given path, check the permissions of the directory where it should be created (does daemon have write permission there?);
alternatively, create php_errors.log manually at that path, then change its owner to daemon and its permissions to 777.
[root@hyc-01-01 tmp]# cat php_errors.log
[08-Aug-2018 20:31:39 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
[08-Aug-2018 20:31:52 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
[08-Aug-2018 20:32:02 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
[08-Aug-2018 20:36:36 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
[08-Aug-2018 20:37:23 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
[08-Aug-2018 20:37:34 Asia/Shanghai] PHP Warning: phpinfo() has been disabled for security reasons in /data/wwwroot/111.com/phpinfo.php on line 2
Create a new file under /data/wwwroot/111.com:
[root@hyc-01-01 111.com]# vim 3.php
<?php
echo "hytjopfj"
jaeafdjhphngiqe
[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/3.php" -I
HTTP/1.0 500 Internal Server Error          the page file contains an error, which causes the failure
Date: Wed, 08 Aug 2018 13:29:51 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/3.php"
[root@hyc-01-01 tmp]# cat php_errors.log
…
[08-Aug-2018 21:29:51 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'jaeafdjhphngiqe' (T_STRING), expecting ',' or ';' in /data/wwwroot/111.com/3.php on line 3
[08-Aug-2018 21:30:05 Asia/Shanghai] PHP Parse error: syntax error, unexpected 'jaeafdjhphngiqe' (T_STRING), expecting ',' or ';' in /data/wwwroot/111.com/3.php on line 3
11.31 PHP-related configuration (part 2)
The open_basedir security option
A server runs n sites, and some of them may have flawed code. If those sites are compromised, the attacker will try to go further and get into the other sites running on the server; so once some sites on a server are compromised, the sites that were not compromised are also at risk.
Isolating site a's directory a from site b's directory b on the same server means that after compromising directory a the attacker cannot go on to compromise site b, having no permission to enter directory b.
Even if a server runs only one site, it is still necessary to isolate that site's directory from the other directories, so that if the site is compromised the whole server system is not taken over.
Steps:
[root@hyc-01-01 etc]# vim php.ini
…
; or per-virtualhost web server configuration file.
; http://php.net/open-basedir
open_basedir = /data/wwwroot/1111.com:/tmp          the directory is deliberately misspelled

…
Test:
[root@hyc-01-01 111.com]# /usr/local/apache2.4/bin/apachectl graceful
[root@hyc-01-01 111.com]# curl -A "a" -x127.0.0.1:80 "http://111.com/123.php"
[root@hyc-01-01 111.com]# curl -A "a" -x127.0.0.1:80 "http://111.com/123.php" -I
HTTP/1.0 500 Internal Server Error
Date: Wed, 08 Aug 2018 14:37:28 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Connection: close
Content-Type: text/html; charset=UTF-8
[root@hyc-01-01 111.com]# tail -5 /tmp/php_errors.log
[08-Aug-2018 22:30:48 Asia/Shanghai] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[08-Aug-2018 22:30:48 Asia/Shanghai] PHP Fatal error: Unknown: Failed opening required '/data/wwwroot/111.com/123.php' (include_path='.:/usr/local/php7/lib/php') in Unknown on line 0
[08-Aug-2018 22:35:16 Asia/Shanghai] PHP Warning: Unknown: open_basedir restriction in effect. File(/data/wwwroot/111.com/123.php) is not within the allowed path(s): (/data/wwwroot/1111.com:/tmp) in Unknown on line 0
[08-Aug-2018 22:35:16 Asia/Shanghai] PHP Warning: Unknown: failed to open stream: Operation not permitted in Unknown on line 0
[08-Aug-2018 22:35:16 Asia/Shanghai] PHP Fatal error: Unknown: Failed opening required '/data/wwwroot/111.com/123.php' (include_path='.:/usr/local/php7/lib/php') in Unknown on line 0
The open_basedir restriction lines above show that 123.php is not under a directory allowed by open_basedir.
Change the 1111.com directory in open_basedir in php.ini to 111.com and access the page again:
[root@hyc-01-01 etc]# /usr/local/apache2.4/bin/apachectl graceful
[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/123.php" -I
HTTP/1.1 200 OK          access works
Date: Wed, 08 Aug 2018 14:43:15 GMT
Server: Apache/2.4.34 (Unix) PHP/7.1.6
X-Powered-By: PHP/7.1.6
Cache-Control: max-age=0
Expires: Wed, 08 Aug 2018 14:43:15 GMT
Content-Type: text/html; charset=UTF-8
[root@hyc-01-01 etc]# curl -A "a" -x127.0.0.1:80 "http://111.com/123.php"
hello world[root@hyc-01-01 etc]#
open_basedir set in the PHP module's php.ini applies to every site on the server and cannot be restricted precisely.
Configure open_basedir in the httpd virtual host configuration file instead:
a different open_basedir restriction for each virtual host.
[root@hyc-01-01 etc]# vim /usr/local/apache2.4/conf/extra/httpd-vhosts.conf
…
<VirtualHost *:80>
DocumentRoot "/data/wwwroot/abc.com"
ServerName abc.com
ServerAlias www.abc.com www.123.com
ErrorLog "logs/abc.com-error_log"
CustomLog "logs/abc.com-access_log" common
php_admin_value open_basedir "/data/wwwroot/abc.com:/tmp/"
…
# AuthUserFile /data/.htpasswd
# require valid-user
# </Directory>
php_admin_value open_basedir "/data/wwwroot/111.com:/tmp/"
<Directory /data/wwwroot/111.com/nophp>
php_admin_flag engine off
# <FilesMatch (.*)\.php(.*)>
…
php_admin_value: can define parameters from php.ini, such as open_basedir, error_log, error_reporting and so on.
/data/wwwroot/111.com:/tmp/: /tmp is allowed in open_basedir because the site's temporary files are written under /tmp; when a user uploads an image, it is first stored temporarily under /tmp and then moved to the site's directory, so if access to /tmp were restricted the site could not accept image uploads.
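As an added example (not from the original notes), this Python script audits a php.ini excerpt for the settings discussed in 11.30 and 11.31 (disable_functions, display_errors, log_errors, error_log, date.timezone, open_basedir) and checks a file path against an open_basedir value using PHP's prefix semantics, which is why /data/wwwroot/1111.com did not cover /data/wwwroot/111.com/123.php above. The INI excerpt is constructed for the example, and REQUIRED_DISABLED is an assumed minimum list, not a PHP default.

```python
import os

# php.ini excerpt constructed for this example, mirroring the directives set above.
SAMPLE_INI = """\
[PHP]
; Disable dangerous functions (comma-delimited list).
disable_functions = eval,assert,popen,passthru,exec,system,shell_exec,popen,proc_open
display_errors = Off
log_errors = On
error_log = /tmp/php_errors.log
open_basedir = /data/wwwroot/1111.com:/tmp
[Date]
date.timezone = Asia/Shanghai
"""
# Assumed minimum set of functions that must be disabled (an editorial choice, not PHP's).
REQUIRED_DISABLED = {"system", "exec", "shell_exec", "passthru", "proc_open", "popen", "phpinfo"}

def parse_php_ini(text):
    """Minimal php.ini reader: drops ';' comments and [sections], keeps the last value per key."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line and not line.startswith("["):
            key, _, value = line.partition("=")
            cfg[key.strip()] = value.strip().strip('"')
    return cfg

def audit(cfg):
    """Return findings against the hardening settings discussed above."""
    findings = []
    for key, want in (("display_errors", "off"), ("log_errors", "on")):
        if cfg.get(key, "").lower() != want:
            findings.append(f"{key} should be {want.capitalize()}")
    for key in ("error_log", "date.timezone", "open_basedir"):
        if not cfg.get(key):
            findings.append(f"{key} is unset")
    funcs = [f.strip() for f in cfg.get("disable_functions", "").split(",") if f.strip()]
    if REQUIRED_DISABLED - set(funcs):
        findings.append("disable_functions missing: " + ",".join(sorted(REQUIRED_DISABLED - set(funcs))))
    if len(set(funcs)) != len(funcs):
        findings.append("disable_functions has duplicates: " + ",".join(sorted({f for f in funcs if funcs.count(f) > 1})))
    if "eval" in funcs:  # eval is a language construct, not a function: disable_functions cannot disable it
        findings.append("eval in disable_functions has no effect")
    return findings

def within_open_basedir(path, open_basedir):
    """PHP treats each ':'-separated entry as a path *prefix*; a trailing '/' makes it a directory."""
    resolved = os.path.normpath(path)  # collapses '..' the way PHP resolves the path before checking
    return any(resolved == e.rstrip("/") or resolved.startswith(e) for e in open_basedir.split(":") if e)
```

Because an entry without a trailing slash is a prefix, /data/wwwroot/111.com also admits /data/wwwroot/111.com-old; the php.ini value above (/tmp) and the vhost value (/tmp/) differ in exactly this way.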