Following the previous article, which summarized how PHP features differ between versions, this one collects the PHP "black magic" tricks from my local notes. I ran into them and recorded them while doing CTFs, so it is a handy reference to look over during CTF code-audit challenges.
One, the variables' original values must differ while their MD5 or SHA1 hashes are the same
1. Hashes starting with 0e all compare equal (== comparison)
The MD5 values of 240610708 and QNKCDZO have a similar form but are not the same, yet comparing them with the "==" equality operator returns true, because PHP reads both 0e... strings as numbers in scientific notation.
SHA1 behaves the same way as MD5.
2. Array bypass (=== comparison)
md5() and sha1() return NULL when given an array, and NULL === NULL returns true, so the check can be bypassed.
Two, bypassing strcmp with an array
From the PHP manual:
int strcmp ( string $str1 , string $str2 )
Return Values
Returns < 0 if str1 is less than str2; > 0 if str1 is greater than str2, and 0 if they are equal.
An unexpected return value is produced when the values passed in are not strings.
For example:
PHP
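<?php
// Password taken straight from the query string; it may be an array.
$password = $_GET['password'];
// strcmp() is expected to return 0 only when the two strings are equal.
if (strcmp('am0s', $password)) {
    echo 'false!';
} else {
    echo 'success!';
}
?>
In this code, sending password[]=1 prints success!, bypassing the validation: strcmp() given an array returns NULL rather than a non-zero integer, and the if treats NULL as false.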
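The checks from sections One and Two side by side with hardened versions, as an added example that is not part of the original article. The function names are hypothetical, the inputs are constructed from the values quoted above, and hash_equals() assumes PHP 5.6 or later.

```php
<?php
// Added example; function names are hypothetical, inputs are constructed.

// Section One, case 1: loose == on hex digests (0e... strings compare as numbers).
function weak_hash_equal($a, $b) {
    return $a != $b && md5($a) == md5($b);
}

// Section One, case 2: === on digests without checking the argument types.
function weak_hash_identical($a, $b) {
    return $a !== $b && md5($a) === md5($b);
}

// Section Two: treating any falsy strcmp() result as "equal".
function weak_password_check($input) {
    return !strcmp('am0s', $input);
}

// Hardened: require strings, then compare with hash_equals() (strict, constant time).
function strict_hash_equal($a, $b) {
    return is_string($a) && is_string($b) && $a !== $b
        && hash_equals(md5($a), md5($b));
}

function strict_password_check($input) {
    return is_string($input) && hash_equals('am0s', $input);
}

// Call a check and print the outcome. PHP 8 throws TypeError for array
// arguments; older versions warn (silenced with @) and return NULL.
function run($label, $fn, $args) {
    try {
        $shown = var_export(@call_user_func_array($fn, $args), true);
    } catch (TypeError $e) {
        $shown = 'TypeError';
    }
    echo str_pad($label, 32), $shown, "\n";
}

$zeroE  = array('240610708', 'QNKCDZO');   // the 0e pair from section One
$arrays = array(array('1'), array('2'));   // as sent by a[]=1&b[]=2
run('weak ==, 0e pair', 'weak_hash_equal', $zeroE);
run('weak ===, arrays', 'weak_hash_identical', $arrays);
run('weak strcmp, array', 'weak_password_check', array(array('1')));
run('strict hash, 0e pair', 'strict_hash_equal', $zeroE);
run('strict hash, arrays', 'strict_hash_equal', $arrays);
run('strict password, array', 'strict_password_check', array(array('1')));
run('strict password, am0s', 'strict_password_check', array('am0s'));
```

On PHP 5.6 through 7.x all three weak checks accept the crafted input; PHP 8 turns the two array cases into a TypeError but still accepts the 0e pair. The strict checks reject all three crafted inputs on every version.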
Three, when two is_numeric() checks are joined with "and", the is_numeric() after the "and" can be bypassed
PHP
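<?php
$a = $_GET['a'];
$b = $_GET['b'];
// "=" binds tighter than "and", so this parses as ($c = is_numeric($a)) and is_numeric($b)
$c = is_numeric($a) and is_numeric($b);
var_dump(is_numeric($a));
var_dump(is_numeric($b));
var_dump($c); // $b can be a non-number and this still returns true
// Same precedence effect with literals: parsed as ($test = true) and false
$test = true and false;
var_dump($test); // returns true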
Four, NULL, 0, "0" and array() all return true when compared with false using ==.
Five, eregi matching
ereg() processes strings; when it is passed an array, ereg() returns NULL.
http://www.secbox.cn/hacker/1889.html
Six, the received parameter $a must be present (truthy) and $a == 0 must also hold: "." can be used to bypass this (any non-numeric value works)
Test code:
PHP
<?php
$a = $_GET['a'];
// A non-numeric string loosely equals 0 ...
if ($a == 0) {
    echo "1";
}
// ... and a non-empty string is still truthy.
if ($a) {
    echo "must";
}
Seven, when a certain character must not appear in the received parameter but is needed later on, the php:// pseudo-protocol can be used to bypass the check
So far I have run into this with file_get_contents; other cases depend on the specific situation.
Eight, is_numeric bypass
Space, \t, \n, \r, \v, \f, + and - can appear at the start of the argument; a dot can appear anywhere in the argument; E and e can only appear in the middle of the argument.
Nine, in PHP 5.3.29, %0B can be used directly to bypass \s (whitespace character) matching
Ten, a value that is both 0 and 1
When $a == 1 and $test[$a] = t:
- PHP precision (more than 16 digits): var_dump(0.9999999999999999999 == 1); // true
- Scientific notation .1e1: echo $b['.1e1']; // outputs t
Because it is a string, it becomes 0 when used as the index, but is_numeric() still treats it as a number.
Eleven, execution falls through when a switch case has no break
PHP
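<?php
if (isset($_GET['which'])) {
    $which = $_GET['which'];
    switch ($which) {
        // Cases 0 and 1 have no break, so they fall through to case 2.
        case 0:
        case 1:
        case 2:
            echo $which . '.php';
            break;
        default:
            echo "1";
            break;
    }
}
When $which enters the switch at a case that has no break, execution continues through the following cases in order.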
Summary of CTF PHP black magic