Skip to content

Commit

Permalink
Browse files Browse the repository at this point in the history
readme
  • Loading branch information
zsxsoft committed Sep 12, 2017
1 parent 05f2a9d commit 674a9b2
Show file tree
Hide file tree
Showing 2 changed files with 54 additions and 3 deletions.
Empty file modified ci/compile.sh 100755 → 100644
Empty file.
57 changes: 54 additions & 3 deletions readme.md
Expand Up @@ -33,16 +33,67 @@ If you're using PHP 7.1 + Non Thread Safe + x64, run ``ci\appveyor.bat`` with Ad
fval.disable_eval = 1
fval.disable_functions = 1
fval.enable = 1
fval.error_level => 512
fval.error_level = 512
```

## Known issues
1. The file wrote by extensions, like ``imagejpeg`` in ``gd``, will not being recorded. That means the hacker can eval PHP code hide in somewhere like image EXIF.
## Questions

### Which of the functions used to write files will be recorded?

```php
fopen($fileName, "[awxc]");
file_put_contents($fileName);
copy(..., $dest);
move_uploaded_files(..., $dest);
```

### Which of the functions will be recorded soon?

```php
resource bzopen ( mixed $file , string $mode );
resource gzopen ( string $filename , string $mode [, int $use_include_path = 0 ] );
// do not record phar constructor
// phar.readonly is enabled by default for security reasons.
public bool Phar::copy ( string $oldfile , string $newfile );
public bool Phar::extractTo ( string $pathto [, string|array $files [, bool $overwrite = false ]] );
public bool RarEntry::extract ( string $dir [, string $filepath = "" [, string $password = NULL [, bool $extended_data = false ]]] )
bool ZipArchive::extractTo ( string $destination [, mixed $entries ] )
// Hide in cert
bool openssl_csr_export_to_file ( mixed $csr , string $outfilename [, bool $notext = true ] );
bool openssl_pkcs12_export_to_file ( mixed $x509 , string $filename , mixed $priv_key , string $pass [, array $args ] );
bool openssl_pkey_export_to_file ( mixed $key , string $outfilename [, string $passphrase [, array $configargs ]] );
bool openssl_x509_export_to_file ( mixed $x509 , string $outfilename [, bool $notext = TRUE ] );

resource dio_open ( string $filename , int $flags [, int $mode = 0 ] );

// Hide in EXIF
bool imagegd2 ( resource $image [, string $filename [, int $chunk_size [, int $type = IMG_GD2_RAW ]]] );
bool imagegd ( resource $image [, string $filename ] );
bool imagegif ( resource $image [, string $filename ] );
bool imagejpeg ( resource $image [, string $filename [, int $quality ]] );
bool imagepng ( resource $image [, string $filename ] );
bool imagewbmp ( resource $image [, string $filename [, int $foreground ]] );
bool imagewebp ( resource $image , mixed $to [, int $quality = 80 ] );
bool imagexbm ( resource $image , string $filename [, int $foreground ] );
public Gmagick Gmagick::setfilename ( string $filename );
public Gmagick Gmagick::setimagefilename ( string $filename );
Gmagick::write
public Gmagick Gmagick::writeimage ( string $filename [, bool $all_frames = false ] );

// Hide in SQLite

// TODO...
```

### Any known issues?
1. Not all the file will be recorded, for example, ``sqlite3_query('INSERT INTO')``. That means the hacker can eval PHP code hide in somewhere like image EXIF.

## TODO
1. [ ] Use hook or ``ptrace`` to record all file writing.
1. [ ] ``.phpt`` tests.
1. [ ] Dynamic calls detection.
1. [ ] PHP 5.6 Support
1. [ ] Support more PHP Functions.

## License

Expand Down

0 comments on commit 674a9b2

Please sign in to comment.