Summary of GPC bypass in PHP

Source: Internet
Author: User

PS: There are many situations in PHP that bypass GPC. This article only summarizes some of the more common ones, and it is written very simply [because of my limited level]. Corrections and additions are welcome :)

1. Passing data through the database (or a text file)

Through the database [note the difference between the data that is stored in the database and the data that is later selected from it]:

    user input ==> gpc\addslashes() ==> insert\update ==> database ==> select ==> execute SQL statement \ include \ write cache file

This is easily ignored by programmers. Generally, gpc or the addslashes() function is used to process the data entered directly by the user, so characters such as ' and " in the data are escaped, the SQL statement executes correctly, and injection is effectively prevented. But what about the data stored in the database? After the SQL statement has executed, the database holds the raw data as it was before gpc processed it. When the program later selects this contaminated data and uses it in another SQL statement, sqlinj is triggered. If the data is written directly into a cache file, it may even lead straight to a shell.

Through a text file:

    user input ==> gpc\addslashes() ==> write a text file ==> include ==> write the text file again \ execute an SQL statement

This is roughly the same as passing data through the database: if the file write operation is handled improperly, an attacker may get a shell directly. Let's look at a code snippet from php168:

    // php168's login-failure logger (vulnerable as shipped; behaviour kept as the article describes it)
    function login_logs($username, $password)
    {
        global $timestamp, $onlineip;
        // new entry, built from the (gpc-escaped) user name and password
        $logdb[] = "$username\t$password\t$timestamp\t$onlineip";
        // pull in the entries written on earlier failed logins
        @include(PHP168_PATH . "cache/adminlogin_logs.php");
        $writefile = "<?php\r\n";
        $jj = 0;
        // re-emit every entry as a double-quoted PHP string literal
        foreach ($logdb AS $key => $value) {
            $jj++;
            $writefile .= "\$logdb[] = \"$value\";\r\n";
            if ($jj > 200) {
                break;
            }
        }
        write_file(PHP168_PATH . "cache/adminlogin_logs.php", $writefile);
    }

When you log on to the php168 backend and the user name or password is wrong, this login_logs function is executed to record the login attempt in adminlogin_logs.php. If the $username entered by the user is

    "; eval($_POST[cmd]); //

the preceding " is closed and a shell is written. With gpc on, " is converted to \" and this seems unusable. Note, however, that adminlogin_logs.php is included first, and its entries are then written back into adminlogin_logs.php by looping over the array. Inside the double-quoted string literal in that file, \ is only an escape character, so after the include $logdb once again holds the original, unescaped data. When the file is written the second time, the " takes effect and the shell is written successfully.

2. Through encoding

UTF-7:

    UTF-7 (+ACc-) ==> gpc\addslashes() ==> mb_convert_encoding() ==> UTF-8 (')

A specific example of this issue can be seen at: http://superhei.blogbus.com/logs/4255503.html

Multi-byte encodings:

    0xbf27 ==> gpc\addslashes() ==> 0xbf5c27 ==> execute an SQL statement [with a database encoding that supports multi-byte characters]

Most functions in PHP process strings as single bytes, so if the database encoding supports multi-byte characters, this can be used to introduce a ', and here gpc not only does not help but actually assists the attacker :) For details, see: http://shiflett.org/blog/2006/jan/addsl ... ape-string

Secondary encoding:

    user input (processed by urlencode \ rawurlencode \ base64_encode and similar functions) ==> gpc\addslashes() ==> urldecode \ rawurldecode \ base64_decode and similar functions ==> execute the SQL statement \ include

Here gpc\addslashes() is bypassed by encoding twice, for example ' URL-encoded a second time as %2527.

3. Mishandling by some functions

Look at the following string processing:

    substr($_GET['a'], 1);

Assume the input $_GET['a'] is 'haha. After gpc\addslashes() it becomes \'haha, and after substr() it is changed back to 'haha. There are a lot of functions that process strings, so if programmers are not careful they leave a lot of interesting uses :)

4. String offsets

Look at the following code:

    $a = $_GET['a'];
    echo $a[1];

With the input $_GET['a'] = 'haha, after gpc\addslashes() it becomes \'haha. The manual describes strings as follows: characters within a string can be accessed and modified by specifying the zero-based offset of the desired character after the string using curly braces; square brackets can also be used instead of curly braces [this is for compatibility with earlier PHP versions; in effect, strings are handled as arrays]. With this feature we can do a lot of things. For example, the output of $a[1] is ' :) Of course, the specific use depends on the specific code.

5. Some defects of PHP itself

For $_SERVER, see Jianxin's article on PHP5 bypass defects: http://www.xfocus.net/articles/200608/878.html
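The root cause in item 1 is that escaped strings are interpolated into PHP source and then re-read, so the escaping is consumed by the include. The following is an added example, not php168's code: a hardened version of the login-log writer that serialises entries with var_export() and has the file return an array, so user data is never placed in a position where it can become code. The LOG_DIR path, the MAX_ENTRIES constant and the sample payload (taken from the article) are assumptions made for the demonstration; raw_input() is a hypothetical helper that undoes magic_quotes_gpc where it is still present, so that escaping happens only at the sink.

```php
<?php
// Added example (not php168's code): a hardened cache-file writer for the
// login-failure log discussed in item 1. User-controlled strings are never
// interpolated into PHP source; var_export() emits a properly quoted literal.

// Hypothetical locations; php168 uses PHP168_PATH . "cache/adminlogin_logs.php".
define('LOG_DIR', sys_get_temp_dir() . '/gpc-demo');
define('LOG_FILE', LOG_DIR . '/adminlogin_logs.php');
const MAX_ENTRIES = 200;

// Undo magic_quotes_gpc (PHP < 5.4) so the application handles raw input and
// escapes only at each sink. On modern PHP the function does not exist.
function raw_input(string $value): string
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Read back earlier entries. The file is only ever produced by
// render_log_file(), so it contains a single `return array(...)` and no code.
function load_log(): array
{
    if (!is_file(LOG_FILE)) {
        return [];
    }
    $entries = include LOG_FILE;
    return is_array($entries) ? $entries : [];
}

// var_export() writes single-quoted literals and escapes ' and \ itself, so
// " ; // and $ inside the data stay inert when the file is included again.
function render_log_file(array $entries): string
{
    $entries = array_slice($entries, -MAX_ENTRIES);
    return "<?php\nreturn " . var_export($entries, true) . ";\n";
}

// The password is deliberately not recorded: a failed-login log should not
// hold plaintext credentials, only who tried, from where, and when.
function login_logs(string $username, string $password, int $timestamp, string $onlineip): void
{
    $logdb   = load_log();
    $logdb[] = [
        'username'  => raw_input($username),
        'timestamp' => $timestamp,
        'ip'        => $onlineip,
    ];
    if (!is_dir(LOG_DIR)) {
        mkdir(LOG_DIR, 0700, true);
    }
    // Write to a temporary file and rename, so a half-written file is never included.
    $tmp = LOG_FILE . '.tmp';
    file_put_contents($tmp, render_log_file($logdb), LOCK_EX);
    rename($tmp, LOG_FILE);
}

// Constructed demonstration with the payload from the article. Two failed
// logins reproduce the include-then-rewrite cycle of the original code.
$payload = '"; eval($_POST[cmd]); //';
login_logs($payload, 'wrong-password', time(), '203.0.113.10');
login_logs($payload, 'wrong-password', time(), '203.0.113.10');

$entries = load_log();
// Both round trips return the literal string unchanged, and nothing in the
// generated file is executable: the string never closes its own quotes.
var_dump(count($entries) === 2 && $entries[1]['username'] === $payload);
echo file_get_contents(LOG_FILE);
```

The same principle covers the database variant of item 1: data that comes back from a select is untrusted again and must be bound or escaped at the next sink, never treated as "already safe because gpc handled it on the way in".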
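Items 2, 3 and 4 are all the same defect seen through different functions: the application escapes first and transforms afterwards, and each transformation (urldecode(), substr(), a string offset) strips or skips the backslash that gpc\addslashes() added. The added example below, which is not from the article, simulates gpc with addslashes() on constructed inputs, checks whether the escaping survives each transformation, and then shows the sink-side alternative: a bound parameter in a prepared statement, which needs no escaping layer at all. It assumes the pdo_sqlite extension is available; gpc(), still_escaped() and store_and_fetch() are hypothetical helper names.

```php
<?php
// Added example (not from the article): escaping before transformation
// versus binding at the sink. All inputs below are constructed.

// Simulate magic_quotes_gpc: how the value looks in $_GET with gpc on.
function gpc(string $raw): string
{
    return addslashes($raw);
}

// Item 2, secondary encoding. The attacker sends %2527; the web server
// decodes it once, so $_GET already holds "%27haha", which addslashes()
// leaves untouched. The application's own urldecode() then produces a quote.
function after_urldecode(string $raw): string
{
    return urldecode(gpc($raw));
}

// Item 3: substr() after escaping drops the backslash just added.
function after_substr(string $raw): string
{
    return substr(gpc($raw), 1);
}

// Item 4: a string offset reads straight past the backslash.
function after_offset(string $raw): string
{
    $a = gpc($raw);
    return $a[1];
}

// Does the value still carry the escaping gpc added? True when every quote
// is immediately preceded by a backslash (a simple check for this demo).
function still_escaped(string $value): bool
{
    return !preg_match('/(?<!\\\\)[\'"]/', $value);
}

// Sink-side fix: bind the raw, fully transformed value as a parameter.
// Assumes pdo_sqlite; the same pattern applies to PDO/mysqli with MySQL.
// The second query reuses the selected value, covering the second-order
// case from item 1 as well: stored data is re-bound, never re-interpolated.
function store_and_fetch(string $value): string
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE users (name TEXT)');

    $insert = $db->prepare('INSERT INTO users (name) VALUES (:name)');
    $insert->execute([':name' => $value]);

    $select = $db->prepare('SELECT name FROM users WHERE name = :name');
    $select->execute([':name' => $value]);
    $stored = (string) $select->fetchColumn();

    // Re-use the selected (untrusted) value in another statement, bound again.
    $count = $db->prepare('SELECT COUNT(*) FROM users WHERE name = :name');
    $count->execute([':name' => $stored]);
    return $count->fetchColumn() === '1' || $count->fetchColumn() === 1 ? $stored : '';
}

$cases = [
    'double URL-encoded quote'     => after_urldecode('%27haha'),
    'substr() after escaping'      => after_substr("'haha"),
    'string offset after escaping' => after_offset("'haha"),
];
foreach ($cases as $label => $value) {
    // Every case prints escaped=NO: the quote reaches the sink bare.
    printf("%-30s value=%-8s escaped=%s\n",
        $label, var_export($value, true), still_escaped($value) ? 'yes' : 'NO');
}

// With a bound parameter the bare quote is stored and read back verbatim,
// and the statement text never changes, so there is nothing to bypass.
var_dump(store_and_fetch($cases['substr() after escaping']) === "'haha");
```

The practical rule this illustrates: decode, truncate and slice first, and escape or bind last, at the point where the value meets SQL, a file, or a template. Front-loaded escaping such as magic_quotes_gpc cannot know which transformations will follow it.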
