php.ini 启用disable_functions提高安全
Q. I run a small Apache based webserver for my personal use and it is shared with friends and family. However, most script kiddie try to exploit php application such as wordpress using exec() , passthru() , shell_exec() , system() etc functions. How do I disable these functions to improve my php script security?
A. PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in php.ini using disable_functions directive. This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in php.ini For example, you cannot set this in httpd.conf.
Open php.ini file:
# vi /etc/php.ini
Find disable_functions and set new list as follows:
查找disable_functions然后用下面的替换
复制代码 代码如下:
disable_functions =phpinfo,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Save and close the file. Restart httpd:
复制代码 代码如下:
# service httpd restart
Note that the disable_functions directive can not be used outside of the php.ini file which means that you cannot disable functions on a per-virtualhost or per-directory basis in your httpd.conf file. If we add this to our php.ini file:
注意下面的突破方法:建议打开安全模式
PHP是一款功能强大应用广泛的脚本语言,很大一部分网站都是使用PHP架构的。因为其提供了强大的文件操作功能和与系统交互的功能,所以大部分的服务器都对PHP做了严格的限制,包括使用open_basedir限制可以操作的目录以及使用disable_functions限制程序使用一些可以直接执行系统命令的函数如system,exec,passthru,shell_exec,proc_open等等。但是如果服务器没有对dl()函数做限制,一样可以利用dl()函数饶过这些限制。
dl()函数允许在php脚本里动态加载php模块,默认是加载extension_dir目录里的扩展,该选项是PHP_INI_SYSTEM范围可修改的,只能在php.ini或者apache主配置文件里修改。当然,你也可以通过enable_dl选项来关闭动态加载功能,而这个选项默认为On的,事实上也很少人注意到这个。dl()函数在设计时存在安全漏洞,可以用../这种目录遍历的方式指定加载任何一个目录里的so等扩展文件,extension_dir限制可以被随意饶过。所以我们可以上传自己的so文件,并且用dl函数加载这个so文件然后利用so文件里的函数执行其他操作,包括系统命令。
PHP_FUNCTION(dl)
{
pval **file;
#ifdef ZTS
if ((strncmp(sapi_module.name, "cgi", 3)!=0) &&
(strcmp(sapi_module.name, "cli")!=0) &&
(strncmp(sapi_module.name, "embed", 5)!=0)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Not supported in multithreaded Web servers - use extension statements in your php.ini");
A. PHP has a lot of functions which can be used to crack your server if not used properly. You can set list of functions in php.ini using disable_functions directive. This directive allows you to disable certain functions for security reasons. It takes on a comma-delimited list of function names. disable_functions is not affected by Safe Mode. This directive must be set in php.ini For example, you cannot set this in httpd.conf.
Open php.ini file:
# vi /etc/php.ini
Find disable_functions and set new list as follows:
查找disable_functions然后用下面的替换
复制代码 代码如下:
disable_functions =phpinfo,exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
Save and close the file. Restart httpd:
复制代码 代码如下:
# service httpd restart
Note that the disable_functions directive can not be used outside of the php.ini file which means that you cannot disable functions on a per-virtualhost or per-directory basis in your httpd.conf file. If we add this to our php.ini file:
注意下面的突破方法:建议打开安全模式
PHP是一款功能强大应用广泛的脚本语言,很大一部分网站都是使用PHP架构的。因为其提供了强大的文件操作功能和与系统交互的功能,所以大部分的服务器都对PHP做了严格的限制,包括使用open_basedir限制可以操作的目录以及使用disable_functions限制程序使用一些可以直接执行系统命令的函数如system,exec,passthru,shell_exec,proc_open等等。但是如果服务器没有对dl()函数做限制,一样可以利用dl()函数饶过这些限制。
dl()函数允许在php脚本里动态加载php模块,默认是加载extension_dir目录里的扩展,该选项是PHP_INI_SYSTEM范围可修改的,只能在php.ini或者apache主配置文件里修改。当然,你也可以通过enable_dl选项来关闭动态加载功能,而这个选项默认为On的,事实上也很少人注意到这个。dl()函数在设计时存在安全漏洞,可以用../这种目录遍历的方式指定加载任何一个目录里的so等扩展文件,extension_dir限制可以被随意饶过。所以我们可以上传自己的so文件,并且用dl函数加载这个so文件然后利用so文件里的函数执行其他操作,包括系统命令。
PHP_FUNCTION(dl)
{
pval **file;
#ifdef ZTS
if ((strncmp(sapi_module.name, "cgi", 3)!=0) &&
(strcmp(sapi_module.name, "cli")!=0) &&
(strncmp(sapi_module.name, "embed", 5)!=0)) {
php_error_docref(NULL TSRMLS_CC, E_WARNING, "Not supported in multithreaded Web servers - use extension statements in your php.ini");
顶(0)
踩(0)
- 最新评论