What is Taint? An extension for detecting XSS code (tainted strings); it can also be used to spot SQL injection, shell injection and similar vulnerabilities.
In my own testing it found hidden XSS, SQL injection and shell injection vulnerabilities in some real open-source products (don't ask which), and these vulnerabilities would be very hard to track down with static analysis tools. Take the following example:
<?php
$name = $_GET["name"];              // tainted: read straight from $_GET
$value = strval($_GET["tainted"]);  // strval() keeps the taint flag
echo $$name;                        // $$name resolves to $value here, so echo receives a tainted string
For the request:
http://****.com/?name=value&tainted=xxx
static analysis tools are usually helpless (they cannot resolve which variable $$name refers to), while Taint reports this kind of problem precisely:
Warning: main() [function.echo]:
Attempt to echo a string that might be tainted in %s.php on line %d
Appendix:
A. Tainted String
Every variable that comes from $_GET, $_POST or $_COOKIE is treated as a Tainted String.
B. Functions/statements that Taint checks; when any of them is called with a tainted string argument, Taint emits a warning:
echo
print
printf
file_put_contents
fopen
opendir
basename
dirname
file
pathinfo
mysql_query
mysqli_query
sqlite_query
sqlite_single_query
oci_parse
Mysqli::query
SqliteDataBase::query
SqliteDataBase::SingleQuery
PDO::query
PDO::prepare
system
exec
proc_open
passthru
shell_exec
eval
include(_once)
require(_once)
C. Functions that clear the taint information; after one of them is called, the tainted string becomes a legitimate string:
escapeshellcmd
htmlspecialchars
addcslashes
addslashes
mysqli_escape_string
mysql_real_escape_string
mysql_escape_string
sqlite_escape_string
PDO::quote
Mysqli::escape_string
Mysql::real_escape_string
D. Functions/statements that preserve taint information; when the input to one of them is a tainted string, its output is a tainted string as well:
= (assign)
. (concat)
"{$var}" (variable substitution)
.= (assign concat)
strval
explode
implode
sprintf
vsprintf
trim (as of 0.4.0)
rtrim (as of 0.4.0)
ltrim (as of 0.4.0)
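The following script is an added example (not from the original post or the extension's own code) that walks through lists A to D above with the extension loaded: it shows the flag surviving strval, a variable-variable, concat and sprintf, then being cleared by a sanitizer and kept away from a PDO sink. It assumes the request `/?name=value&tainted=...` and uses `is_tainted()`, a helper exported by the extension that is not listed on this page.

```php
<?php
// Added example, not part of the original post. Run with the extension loaded,
// e.g. php -d extension=taint.so, for the request /?name=value&tainted=<payload>.
// is_tainted() is exported by the extension (not in the lists above).

// A. Sources: anything read from $_GET / $_POST / $_COOKIE starts out tainted.
$name  = $_GET['name'];
$value = strval($_GET['tainted']);          // D. strval keeps the flag

// D. Propagation: a variable-variable fetch, concat and sprintf all carry the
//    flag along, which is exactly the chain static tools lose track of.
$greeting = 'Hello ' . $$name;              // $$name resolves to $value
$line     = sprintf('<p>%s</p>', $greeting);
var_dump(is_tainted($line));                // the flag survives all three steps

// B. Sink: echo with a tainted argument raises
//    "Attempt to echo a string that might be tainted".
// echo $line;                               // warning: reflected XSS path

// C. Sanitizer matching the HTML sink: htmlspecialchars clears the flag.
$safe = htmlspecialchars($line, ENT_QUOTES, 'UTF-8');
var_dump(is_tainted($safe));                // cleared, echo below is silent
echo $safe;

// Caveat for defenders: every function in list C clears the flag regardless of
// which sink the string is headed for. escapeshellcmd() is a shell sanitizer,
// yet after it the extension no longer warns on echo, although the HTML is
// still unescaped. Taint tracks *whether* a string was cleaned, not whether the
// cleaner fits the sink, so a clean run is not proof the output is safe.
$wrong = escapeshellcmd($line);
var_dump(is_tainted($wrong));               // cleared as well

// SQL sink (list B): PDO::prepare / PDO::query warn when the SQL text itself is
// tainted. Binding the value as a parameter keeps it out of the SQL text, so
// nothing tainted ever reaches the sink and no quoting function is needed.
$pdo  = new PDO('sqlite::memory:');         // in-memory DB, no fixture needed
$stmt = $pdo->prepare('SELECT 1 WHERE ? = ?');   // SQL text is a plain literal
$stmt->execute([$value, $value]);                 // tainted data only as a bound param
```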
Source code:
https://pecl.php.net/package/taint
https://github.com/laruence/taint/tree/taint-2.0.4