Let's take a look at the code snippet:
Copy codeThe Code is as follows:
$ Ip = "1.1.1.255". chr (0). "haha ";
If (ereg ("^ [0-9] {1, 3 }\. [0-9] {1, 3 }\. [0-9] {1, 3 }\. [0-9] {1, 3} $ ", $ ip )){
Echo $ ip;
} Else {
Echo "unknown ";
}
This ereg Regular Expression limits the data of $ ip to xxx. xxx. xxx. in the form of xxx, the above Code should output "unknown", but "1.1.1.255haha" is actually output, because the ereg function has the NULL Truncation Vulnerability, which causes Regular Expression Filter Bypass. 4 \ 2 n + Y6 |; Z7 O
6 e & b6 C5 F-W-F $ z we must introduce \ x00 (% 00) when using it ), when GPC is ON, % 00 will be escaped and cannot be used. But what if ereg () processes the data that $ _ SERVER (can bypass GPC in PHP5) or is processed by functions such as urldecode that cause GPC to be bypassed? For example, some programs use the above method to verify the IP address submitted by $ _ SERVER. Then we can use NULL truncation to bypass regular filtering to construct the data we need :)