Simulation of Built-in PHP Features for Precise Static Code Analysis
Johannes Dahse and Thorsten Holz, Ruhr-University Bochum
NDSS ’14, 23-26 February 2014, San Diego, CA, USA
php is everywhere.
CVE entries (2013)
http://www.coelho.net/php_cve.html
Server-side programming languages
http://php.net/usage.php
1. Introduction 2. Implementation 3. Evaluation 4. Conclusion
Target: Taint-style Vulnerabilities
● SQL injection
```php
<?php
$id = $_GET['id'];                                   // source
$sql = "SELECT data FROM users WHERE id = '$id' ";
mysql_query($sql);                                   // sensitive sink
?>
```
● Cross-Site Scripting
```php
<?php
$name = $_GET['name'];                               // source
$html = "<h1>Hello $name</h1>";
print($html);                                        // sensitive sink
?>
```
PHP Built-in Features
● 228+ Extensions
● 5700+ built-in functions: sinks, sanitization, data flow
● 10+ superglobal variables: $GLOBALS, $_FILES, $_SERVER ...
● Settings: magic_quotes_gpc, register_globals
Our Approach
● Static Code Analysis for PHP applications
● Precise simulation of built-in features is the key to detect taint-style vulnerabilities / to accept your paper on your own
2. Implementation
Precise Simulation
```php
<?php
$uri = trim($_SERVER['PHP_SELF']);
$uri = urldecode($uri);
$url = 'http://rub.de/' . htmlentities($uri);
$html = "<a href='$url' >back</a>";
print($html);
?>
```
http://rub.de/index.php/payload
1. taintable sources
● $_FILES[]['name']
● $_FILES[]['tmp_name']
● $_SERVER['PHP_SELF']
● $_SERVER['REMOTE_ADDR']
[Diagram: $_SERVER['PHP_SELF'] is tracked as symbol S1, tagged "Path Traversal ../"]
http://rub.de/index.php/../../../../
2. data flow
● Format string
● Regular expressions
3. encoding
● Encoding stack
● Interaction with sanitization
4. sanitization
● Sanitization tags
● Context-sensitive
[Diagram: sanitization tags on S1]
XSS <> Element
XSS DQ " Attribute
5. sinks
● Parameter
● Vulnerability type
6. markup context
<a href='http://rub.de/S1' >back</a>
→ XSS Single-Quoted ' Attribute
→ ' onclick='alert(document.cookie)
● 952 built-in functions
● 20 vulnerability types
● 45 markup contexts
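The six modelling steps on this slide, carried through for the running example, as an added Python sketch (not code from the talk or from the authors' tool). The tag names, the `BUILTINS` table and all function names are this example's own; it assumes `urldecode` voids earlier tags and that `htmlentities` runs with its pre-PHP 8.1 default flags, which leave single quotes unencoded.

```python
from dataclasses import dataclass, field

# Sanitization tags double as markup contexts (names are this example's own).
ELEMENT, ATTR_DQ, ATTR_SQ = "xss-element", "xss-attr-dq", "xss-attr-sq"
IN_TAG, PATH = "xss-in-tag", "path-traversal"

# 1. taintable sources, with the tags a source carries implicitly.
SOURCES = {"$_SERVER['PHP_SELF']": {PATH}, "$_GET": set()}

# 2.-4. built-in models: how each function changes the tag set of its argument.
BUILTINS = {
    "trim":         lambda tags: set(tags),                  # plain data flow
    "urldecode":    lambda tags: set(),                      # decoding voids earlier sanitization
    "htmlentities": lambda tags: tags | {ELEMENT, ATTR_DQ},  # ENT_COMPAT: ' stays raw
}

@dataclass
class Symbol:
    source: str
    tags: set = field(default_factory=set)
    trace: list = field(default_factory=list)

def taint(source):
    return Symbol(source, set(SOURCES[source]))

def call(func, sym):
    return Symbol(sym.source, BUILTINS[func](sym.tags), sym.trace + [func])

def markup_context(prefix):
    """6. Classify where a value lands, given the literal HTML printed before it."""
    in_tag, quote = False, None
    for ch in prefix:
        if quote:
            if ch == quote:
                quote = None
        elif in_tag:
            if ch in "\"'":
                quote = ch
            elif ch == ">":
                in_tag = False
        elif ch == "<":
            in_tag = True
    if quote:
        return ATTR_DQ if quote == '"' else ATTR_SQ
    # Unquoted position inside a tag: no built-in model above covers it.
    return IN_TAG if in_tag else ELEMENT

def check_print(prefix, sym):
    """5. Sink model for print(): report XSS unless the symbol is tagged for its context."""
    ctx = markup_context(prefix)
    if ctx in sym.tags:
        return None
    return f"XSS ({ctx}) from {sym.source} via {' -> '.join(sym.trace) or 'direct use'}"

def slide_example(prefix="<a href='http://rub.de/"):
    """The slide's flow: trim, urldecode, htmlentities, then print inside the template."""
    s1 = taint("$_SERVER['PHP_SELF']")
    s1 = call("urldecode", call("trim", s1))
    return check_print(prefix, call("htmlentities", s1))
```

With the template changed to a double-quoted attribute, `slide_example('<a href="http://rub.de/')` returns `None`: the same data flow is no longer reported, which is the context-sensitivity the slide points at.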
3. Evaluation
Software
● HotCRP 2.60
● MyBB 1.6.10
● OsCommerce 2.3.3
● phpBB2 2.0.23
● phpBB3 3.0.11
[Bar chart: lines of code (LOC) for phpBB3, phpBB2, osCommerce, MyBB and HotCRP; axis from 0 to 200000]
Vulnerability Detection
● 73 True Positives (72%)
● 29 False Positives (28%): 19 FP in OsCommerce; root cause: path-sensitivity
● 10 False Negatives (24%): 42 CVE entries; 8 FN in MyBB; root cause: OOP
[Pie chart: true positives by vulnerability type. Legend: Cross-Site Scripting, SQL Injection, File Write, Path Traversal, Variable Tampering, CRLF Injection. Values: 48, 11, 8, 3, 2, 1]
Software in Related Work
● Criteria: available; follow-up version exists; patch-only
● Our results: 31 new vulnerabilities detected; 0 false positives; precise simulation pays off
[Bar chart: lines of code (LOC) for MyBloggie 2.1.4, NewsPro 1.1.5, phpBB3, phpBB2, osCommerce, MyBB and HotCRP; axis from 0 to 200000]
Vulnerability Example
● Blind SQL Injection in HotCRP 2.60
● Fixed in version 2.61
● HotCRP stores credentials in plaintext
4. Conclusion
Conclusion
● New approach to PHP static code analysis: 20 vulnerability types, 45 markup contexts; 900+ built-in features simulated
● 73 new vulnerabilities, 28% false positives: current vulnerabilities are based on complex PHP features; modeling these features precisely is crucial and was missed by previous work
● Future work: path-sensitivity, OOP
Thank you! Enjoy the conference.
Backup Slides
Built-in Function Coverage
● Every 13th line of code calls a built-in function
● Static point of view
● 970 unique calls
● 70% covered
● 37 651 total calls
● 89% covered
● Remaining calls are less relevant
● Do not influence our analysis results
[Pie chart: 89% covered, 11% ignored]
Target: Taint-style Vulnerabilities
● SQL injection
```php
<?php
$id = mysql_real_escape_string($_GET['id']);     // source, wrapped in sanitization
$sql = "SELECT data FROM users WHERE id = $id ";
mysql_query($sql);                               // sensitive sink
?>
```
● Cross-Site Scripting
```php
<?php
$name = htmlentities($_GET['name']);             // source, wrapped in sanitization
$html = "<h1>Hello $name</h1>";
print($html);                                    // sensitive sink
?>
```
Path-sensitive sanitization
Supported vulnerability types
1) Code Execution
2) Command Execution
3) Connect Injection
4) Cross-Site Scripting
5) Denial of Service
6) Env. Manipulation
7) File Inclusion
8) File Upload
9) File Write
10) HTTP Resp. Splitting
11) LDAP Injection
12) Open Redirect
13) Path Traversal
14) Reflection Injection
15) Session Fixation
16) SQL Injection
17) Unserialize
18) Variable Tampering
19) XML/XXE Injection
20) XPath Injection
Evaluation results
SQL Injection in phpBB2
admin_styles.php?style=rips&install_to=_GET&0[style_name]=rips&0[template_name)VALUES('sqli','sqli')-- -]=1