PHP Weak types need to be aware of security issues summary

Weakly typed languages are also known as weak type definition languages. Contrary to strongly typed definitions. Like vb,php and so on is a weak type of language, this article to you in detail about the weak type of PHP security issues, there is a need for reference, the following to see together.

Objective

I believe everyone knows that PHP is the best language in the world, and the problems of PHP itself can be counted as one aspect of web security. The features in PHP are weak types, and the built-in functions are loosely handled for incoming parameters.

This article is mainly to record my attack platform above the PHP function encountered in the problem, as well as the weak type of PHP problems. For everyone in the study or use of PHP has a certain reference value, the following to see together.

Introduction to PHP Weak types

The reason why I think PHP is very powerful is that PHP provides a lot of unique developers to use, one of which is the PHP weak type mechanism.

In PHP, you can do a bit of work.

$param = 1; $param = Array (); $param = "Stringg";

Weakly typed languages have no restrictions on the data types of variables, and you can assign variables to any other type of variable at any time, and the variable can also be converted to any other type of data.

Type conversion Issues

Type conversion is an unavoidable problem. For example, if you need to convert a GET or post argument to an int type, or a two variable mismatch, PHP will automatically convert the variable. But PHP is a weak type of language, causing a lot of unexpected problems when it comes to type conversions.

Comparison operators

Type conversions

In $a==$b the comparison

$a =null; $b =flase; True$a= "; $b =null; True

There are many examples of such comparisons, all of which are equal.

There is also the problem of type conversion when using comparison operators, as follows:

0== ' 0 '//true0 = = ' ABCDEFG '//true0 = = ' ABCDEFG '//false1 = = ' 1abcdef '//true

There is a problem with variable conversions when different types of variables are compared, and there may be problems after the conversion.

Hash comparison

In addition to this approach, there are problems with hash comparisons. As follows:

"0e132456789" = = "0e7124511451155"//true "0e123456abc" = "0e1dddada"//false "0e1abc" = = "0"  //true

When a comparison operation is encountered, the string is 0e\d+ parsed into a scientific notation if it encounters such a string. So the 2-digit value in the above example is 0 and thus equal. If this pattern is not satisfied 0e\d+ , it will not be equal. This topic in the attack and defense platform in the MD5 collision will have to test.

16 Binary conversions

There is also a problem with the comparison operation of a hexadecimal remainder string.

Examples are as follows:

"0x1e240" = = "123456"//true "0x1e240" ==123456//true "0x1e240" = = "1e240"//false

When one of the strings is at the beginning of 0x, PHP parses the string into decimal and then compares it, 0x1240 parsing to decimal is 123456, so the comparison with the int type and the string type 123456 is equal. The name of the offensive platform is really difficult to examine this feature.

Type conversions

The most common conversion is the conversion of int to string,string to int.

int to string:

$var = 5; Mode 1: $item = (string) $var; Mode 2: $item = Strval ($var);

string to int: intval() function.

For this function, you can look at 2 examples first.

Var_dump (Intval (' 2 '))//2var_dump (intval (' 3ABCD '))//3var_dump (Intval (' ABCD '))//0

intval()When you convert, you will convert from the beginning of the string to know that you have encountered a non-numeric character. Even if there is a string that cannot be converted, it intval() returns 0 instead of an error.

intval()Of this feature in the attack and defense platform in the MySQL This problem has been tested.

At the same time, programmers should not use the following code when programming:

if (intval ($a) >1000) {mysql_query ("select * from News where id=". $a)}

The value of $ A at this time is probably 1002 union ....

The loose nature of the parameters of the built-in functions

The loose nature of built-in functions is to say that when a function is called, it is given a parameter type that is unacceptable to the function pass function. It's a bit of a mouthful to explain, or just a practical example to illustrate the problem, and here are some of the functions that are highlighted below.

MD5 ()

$array 1[] = Array ("foo" + "Bar", "bar" = "foo"), $array 2 = Array ("foo", "Bar", "Hello", "World"); Var_dump (MD5 ($ar Ray1) ==var_dump ($array 2)); True

The description of the MD5 () function in the PHP manual is string md5 ( string $str [, bool $raw_output = false ] ) that md5() the requirement in is a string type parameter. However, when you pass an array md5() without an error, knowledge will not be able to correctly find the MD5 value of the array, which will cause the MD5 values of any 2 arrays to be equal. This md5() feature in the attack and defense platform in the bypass again also have to test.

strcmp ()

strcmp()The description of the function in the official PHP manual is int strcmp ( string $str1 , string $str2 ) that a strcmp() parameter of 2 string types needs to be passed. If STR1 is less than str2, returns 1, equals returns 0, otherwise returns 1. The strcmp function compares the essence of a string by converting two variables to ASCII, then subtracting, and then determining the return value based on the result of the operation.

What if strcmp() the arguments given in the pass are numbers?

$array =[1,2,3];var_dump (strcmp ($array, ' 123 ')); NULL, in a sense, NULL is the equivalent of false.

strcmp This feature in the attack platform in the pass check has been tested.

Switch ()

If switch is the case of a numeric type, switch converts the arguments in it to the int type. As follows:

$i = "2ABC"; switch ($i) {case 0:case 1:case 2:echo "I was less than 3 and not negative"; Break;case 3:echo "I was 3";}

This time the program output is i is less than 3 but not negative because the switch() function converts $i to type, and the conversion result is 2.

In_array ()

In the PHP manual, the in_array() explanation of the function is bool in_array ( mixed $needle , array $haystack [, bool $strict = FALSE ] ) that if the strict parameter is not provided, then In_array will use a loose comparison to determine if it is $needle in $haystack . When the value of Strince is true, the in_array() Needls type is compared and the type in haystack is the same.

$array =[0,1,2, ' 3 '];var_dump (In_array (' abc ', $array)); Truevar_dump (In_array (' 1BC ', $array)); True

You can see that the above situation returns true because ' abc ' translates to 0, ' 1BC ' to 1.

array_search()and in_array() the same problem.