Analysis of PHP Function Vulnerability principle

Source: Internet
Author: User
Tags ereg php language md5 hash sha1 strcmp

PHP is the world's best language, yes, PHP in the world to feed two categories of people, one is to write PHP code, a class of people engaged in security xxx, because there are loopholes in PHP function.
Under certain conditions, these functions are not parsed according to the will of the inventor of the function.
In the CTF Web World is also counted for a few months, to learn the problems encountered in the function of a brief summary.

MD5 () function

定义:Md5()函数计算字符串的MD5散列

Question 1: A string hash processed by the MD5 () function will be considered equal to 0 when it is processed by PHP, if it occurs at the beginning of 0e.
Source:

<?php    $user=$_GET[‘user‘];    $pass=$_GET[‘pass‘];    if($user!=$pass){        if(md5($user) == md5($pass)){            echo "this is flag";        }        else{            echo "no no no";        }    }else{        echo "字符串不能相同";    }?>

Code function: Determines whether the MD5 hash string of the parameters passed in by the Get method is equal, and is not equal to the two parameter values.
Test results:

Principle Analysis:
When two strings are MD5 encrypted, a hash value starting with 0e is generated. PHP to judge the time of the 0e ... will be regarded as the scientific notation, 0 of the n-th is equal to zero. So these two strings are MD5 () encrypted and equal to zero.
Var_dump (0 = = 0e123456)

Issue 2: Return NULL when working with arrays
Source:

<?php    $user=$_GET[‘user‘];    $pass=$_GET[‘pass‘];    if($user!=$pass){        if(md5($user) == md5($pass)){            echo "this is flag";        }        else{            echo "no no no";        }    }else{        echo "字符串不能相同";    }

Test:

Principle Analysis:
MD5 (String,raw) syntax: string must, specify the string to be computed, raw optional, specify the output format, TRUE-16 character binary format, false-default, 32-character hexadecimal number.
The function author specifies that the string type to be processed is str string for normal output. The pass array cannot be processed. Causes the output to be null

Issue 3: Creating a SQL Injection vulnerability

Some query statements, especially when querying passwords, tend to use the MD5 () function and then go back to database query comparisons, which can pose some risks.
Query statement:
Select from user where passwd = '. MD5 ($password, true) ';
This place has a special string that can be bypassed to query the contents of the user table without knowing the password.
String: FFIFDYOP
Test:

You can see that the string was encrypted by MD5 () and became ' or ' 6 ...,
Added to the query statement becomes the
Select
from user where password= ' or ' 6 ... ' (...) Garbled, does not affect the query)
At this time we will take the encrypted things to the database query.

Look, all the data in the database can be isolated.
Principle Analysis:
The or statement does not repeat, just say, the database operation, in the query, where the back does not have to follow the parameters to be able to query.

True if the value at the back of the where is not equal to zero. equals zero to False

And where the value is the string, but the first one is a non-zero can also query all the content

So also explained, for very early garbled still set up the problem.

Extend the same function: SHA1 () function. The exact usage is the same. Its hash value begins with 0e, SHA1 (' Aarozmok ') SHA1 (' Aak1stfy ') SHA1 (' AAO8ZKZF ') SHA1 (' aa3off9m ')

Ereg () function

    定义:正则表达式匹配

Issue 1: can 00 truncate
Source:
if (isset ($_get[' num ')) {
if (Ereg (' ^[a-za-z0-9]+$ ', $_get[' num ') = = = = FALSE) {
echo "Please enter in accordance with the requirements";
}else{
echo "Your input meets the requirements";
}
}
Code Analysis: Only when entering numbers and letters, the input is correct, if the input contains symbols will prompt incorrect.
Exploit: Enter 123%00
Look at the string containing the symbol, you should return the "Please enter the required" prompt. But the vulnerability was caused by a 00 truncation.

Principle Analysis:
When the Ereg () function encounters%00, it will assume that the string ends and will not continue to detect.
Issue 2: The return of the array is null when the parameter is encountered
The same source code, test results:

Implementation principle: Because the return is null,null! = FALSE, so the match is correct

Intval () function

    定义用法;    获取变量的整数值,允许以使用特定的进制返回。默认10进制     注:如果参数为整数,则不做任何处理。

Problem: You can construct a string bypass
Test:

Problem Resolution:
The above experiment shows that when retrieving a string integer, if the string contains non-numeric characters, it will return the first integer preceded by a non-numeric character. If no number returns 0.

Unset () function

定义用法:unset() 销毁指定的变量。

There is a problem: May destroy the original defined variables, to bypass

Source:

$abc[‘a‘] = true;foreach(array(‘_GET‘,‘_POST‘) as $method) {    foreach($$method as $key=>$value) {      unset($$key);    }}if ($abc[‘a‘] == false) {    echo ‘flag {123}‘;}?>

Test:

Analytical:
If the unset variable exists in the request parameter, there will be the phenomenon that the destroy variable implements the bypass. As here, through the $$ symbol, $key =abc;$ $key = $ABC, and finally the unset () function becomes unset ($ABC) and the original defined $abc[' a ']=true is destroyed.

Extract () function

定义用法:extract() 函数从数组中将变量导入到当前的符号表。该函数使用数组键名作为变量名,使用数组键值作为变量值。针对数组中的每个元素,将在当前符号表中创建对应的一个变量。EXTR_OVERWRITE - 默认。如果有冲突,则覆盖已有的变量。EXTR_SKIP - 如果有冲突,不覆盖已有的变量。EXTR_PREFIX_SAME - 如果有冲突,在变量名前加上前缀 prefix。EXTR_PREFIX_ALL - 给所有变量名加上前缀 prefix。EXTR_PREFIX_INVALID - 仅在不合法或数字变量名前加上前缀 prefix。EXTR_IF_EXISTS - 仅在当前符号表中已有同名变量时,覆盖它们的值。其它的都不处理。EXTR_PREFIX_IF_EXISTS - 仅在当前符号表中已有同名变量时,建立附加了前缀的变量名,其它的都不处理。EXTR_REFS - 将变量作为引用提取。导入的变量仍然引用了数组参数的值。这个函数的重点就是默认将已经有的变量给覆盖掉

There is a problem; Overwrite the original variable to bypass

Source:

    $a = ‘yaun‘;      extract($_GET);     if($auth == 1){          echo "private!";      } else{          echo "public!";      }  

Test:

Problem Resolution: When I pass the a=1, the extract () function discovers the original variable, and then overwrites the value of the original variable into a a=1, in the judgment of the IF condition statement.

Parse_str () function

定义用法:parse_str() 函数用于把查询字符串解析到变量中,如果没有array 参数,则由该函数设置的变量将覆盖已存在的同名变量。 极度不建议 在没有 array参数的情况下使用此函数,并且在 PHP 7.2 中将废弃不设置参数的行为。此函数没有返回值。

Source:

  if(empty($_GET[‘id‘])){    show_source(__FILE__);    die();}else{    include(‘flag.php‘);    $a = "http://blog.51cto.com/12332766";    $id = $_GET[‘id‘];    @parse_str($id);    if($a[0] == ‘yaun‘){        echo "yes is flag";    }else{        exit(‘其实很简单,其实并不难‘);    }}

Test:


Problem Resolution:
When the pass parameter is Id=a[]=yaun, the PARSE_STR () function is processed to change a to a variable. However, there is a variable with the same name, so the original variable is overwritten, and the value of the variable is overwritten.

Variable overlay extension: When you encounter $$ in PHP, you will also see variable coverage. For details, please go to: http://blog.51cto.com/12332766/2120800.

strcmp () function

定义用法:Strcmp(string1,string2)函数比较两个字符串

return value:
0-If two strings are equal
<0-if string1 is less than string2 >0-if string1 is greater than string2

Problem: null is returned when working with arrays

Source

$a="yaun";$pass=$_GET[‘pass‘];if(strcmp($a, $pass) == 0){    echo "成功";}else{    echo "失败";}

Test:


Problem Resolution:
When passing an array, the function has no way of comparing the array, and returning the null,php language itself is a weakly typed language, null==0 is equal in value. However, they vary in type.

Is_numeric () function

定义用法:is_numeric() 函数用于检测变量是否为数字或数字字符串。如果指定的变量是数字和数字字符串则返回 TRUE,否则返回 FALSE

Issue 1: Passing hex will invalidate the detection.
Source:

$a=$_GET[‘num‘];if(is_numeric($a)){    echo "您输入的是数字";}else{    echo "请输入合法字符";}

Test:
Enter a string of query statements converted to hexadecimal


Successful bypassing of function detection
Problem Resolution: This function not only detects the decimal, but also considers the hexadecimal to be legal. You can then construct a hexadecimal statement to bypass this function.

Preg_match () function

定义用法:Preg_match()函数匹配正则表达式。

return value:
Returns the number of occurrences of pattern. Its value will be 0 times (mismatched) or 1 times, because Preg_match () will stop the search after the first match. If an error occurs, Preg_match () returns FALSE.
Problem: If you do not limit the start and end of strings (^ and $) when you make regular expression matches, there can be a problem with bypassing
Source:

$ip=$_GET[‘ip‘];if(!preg_match("/(\d+)\.(\d+)\.(\d+)\.(\d+)/",$ip)) {  die(‘error‘);} else {   echo "this is flag";}

Test:
Enter a string that does not match the matching rule and still return flag

Problem Resolution:
Because this function does not specify what to start or end with when executing a matching rule, only the specified character is present in the string, and the other characters can be added to bypass.

In_array () function

定义用法:in_array(search,array) 函数搜索数组中是否存在指定的值。

return value:
Returns true if the given value, search, exists in an array of arrays. If no arguments are found in the array, the function returns FALSE.

$array=[0,1,2,‘3‘];  var_dump(in_array(‘abc‘, $array)); var_dump(in_array(‘1bc‘, $array));

Test:

Problem Analysis:
You can see that the above situation returns true because ' abc ' translates to 0, ' 1BC ' to 1.
Input string where all PHP is considered int, will be cast

Unserialize () function
For specific use, see another blog: http://blog.51cto.com/12332766/2121394

Strpos () function

定义用法:strpos() 函数查找字符串在另一字符串中第一次出现的位置(区分大小写)。注释:strpos() 函数是区分大小写的。注释:该函数是二进制安全的。

Grammar:
Strpos (String,find,start) string must specify the string to be searched; Find must, specify the string to find, start optional, specify where to start the search.
return value:
Returns the position of the first occurrence of a string in another string, or FALSE if no string is found. Note: string position starting from 0, not starting from 1
Source:

if(strpos($_GET[‘password‘],‘abc‘) == 0 ){    echo ‘123‘;}else{    echo ‘456‘;}

Pass an array into the test so that the return result is 123

We can see that the input does not meet the requirements, but still gives the output of 123.
Problem Resolution:
This function is also a string type only parse, give him the number of the group do not know how to parse, and then return to null. null==0!

Strlen () function

定义用法:strlen() 函数返回字符串的长度

Grammar:
Strlen (String) string-must specify the string to be checked.

Source:

if(strlen($_GET[‘password‘]) == 0  ){    echo ‘1233‘;}else{    echo ‘4566‘;}

Test:
Pass an array so that it returns to 1233

Problem Analysis:
This function is also a string type only parse, give him the number of the group do not know how to parse, and then return to null. null==0!

This blog as a personal note, if there are errors in the place please understand!

Analysis of PHP Function Vulnerability principle

Related Article

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.