PHP's comparison operators include == (equal, loose comparison) and === (identical, strict comparison), and the difference between them raises many interesting questions. This article explains the security implications of PHP's comparison operators.
In a loose comparison, PHP first unifies the operand types, for example by converting strings to numbers and non-bool values to bool. To avoid unexpected behaviour, strict comparison should be used. The following table lists the comparison operators from the PHP manual:
Example      Name                      Result
$a == $b     Equal                     TRUE if $a is equal to $b after type conversion.
$a === $b    Identical                 TRUE if $a is equal to $b, and they are of the same type.
$a != $b     Not equal                 TRUE if $a is not equal to $b after type conversion.
$a <> $b     Not equal                 TRUE if $a is not equal to $b after type conversion.
$a !== $b    Not identical             TRUE if $a is not equal to $b, or they are not of the same type.
$a < $b      Less than                 TRUE if $a is strictly less than $b.
$a > $b      Greater than              TRUE if $a is strictly greater than $b.
$a <= $b     Less than or equal to     TRUE if $a is less than or equal to $b.
$a >= $b     Greater than or equal to  TRUE if $a is greater than or equal to $b.
0x01 Security issues
1. Hash comparison defect
PHP code that processes hash strings often uses != or == to compare them. If a hash value starts with 0e and is followed only by digits, loose comparison treats it as the number 0*10^n, i.e. 0, so two such hashes (or such a hash and "0") are judged equal and the login check is bypassed.
root@kali:~/tool# php -r 'var_dump("00e0345" == "0"); var_dump("0e123456789" == "0"); var_dump("0e1234abc" == "0");'
bool(true)
bool(true)
bool(false)
When both operands are numeric strings, loose comparison converts them to numbers in best-effort fashion: 0e12345678, for example, is interpreted as 0*10^12345678, which is 0. A string such as 0e1234abc is not purely numeric (the part after the e is not all digits), so no numeric conversion takes place, which is why var_dump("0e1234abc" == "0") gives false.
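As an added example (not code from the original article), the following script puts the loose comparison of two "0e" hash strings next to the strict comparison and the hash_equals() check that a login routine should use instead. The hash values are constructed sample strings of the 0e-followed-by-digits shape, not digests of any particular input, and verify_password_hash() and is_zero_like_numeric_hash() are hypothetical helpers.

```php
<?php
// Added example: loose vs strict comparison of hash-shaped strings.
// The hashes below are constructed sample values, not real digests.
$stored_hash = "0e462097431906509019562988736854";   // constructed: "0e" + digits
$candidate   = "0e830400451993494058024219903391";   // constructed: different digits
$noisy       = "0e1234abc0000000000000000000000";    // constructed: a letter after the "e"

// Loose comparison: both strings are numeric ("0e" followed by digits), so PHP
// converts each to float 0.0 and reports them equal although they differ.
var_dump($stored_hash == $candidate);

// A string that is not fully numeric is compared as text, so it is not equal.
var_dump($stored_hash == $noisy);

// Strict comparison checks type and content; different strings stay different.
var_dump($stored_hash === $candidate);

// hash_equals() (PHP >= 5.6) compares byte by byte in constant time and never
// applies type juggling.
var_dump(hash_equals($stored_hash, $candidate));
var_dump(hash_equals($stored_hash, $stored_hash));

/**
 * Hypothetical login helper: hashes the submitted password with the same
 * algorithm as the stored hash and compares with hash_equals(). md5 is used only
 * because the article's examples are md5-shaped; password_hash()/password_verify()
 * are the right tools for real passwords.
 */
function verify_password_hash(string $stored_hash, string $submitted_password): bool
{
    $computed = md5($submitted_password);
    return hash_equals($stored_hash, $computed);
}

/**
 * Hypothetical helper for code review or log analysis: flags hash strings that
 * loose comparison would treat as the number zero ("0e" + digits only).
 */
function is_zero_like_numeric_hash(string $hash): bool
{
    return preg_match('/^0+e\d+$/i', $hash) === 1;
}

var_dump(is_zero_like_numeric_hash($stored_hash));
var_dump(is_zero_like_numeric_hash("0e1234abc"));
var_dump(is_zero_like_numeric_hash("a4c3f1e0"));
var_dump(verify_password_hash(md5("constructed-sample-password"), "constructed-sample-password"));
```

The point of is_zero_like_numeric_hash() is defensive: when auditing an application that still compares hashes with ==, it identifies which stored values would collide under loose comparison, which helps decide how urgently the comparison needs to be replaced.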
2. Bool spoofing
When input passes through json_decode() or unserialize(), some structures are decoded as bool values, which also allows spoofing under loose comparison. Sample json_decode() code:
$json_str = '{"user": true, "pass": true}';
$data = json_decode($json_str, true);
// Both fields decode to bool(true); true == 'admin' and true == 'secirity' are both true.
if ($data['user'] == 'admin' && $data['pass'] == 'secirity') {
    print_r('logined in as bool' . "\n");
}
Running result:
root@kali:/var/www# php /root/php/hash.php
logined in as bool
Sample unserialize() code:
$unserialize_str = 'a:2:{s:4:"user";b:1;s:4:"pass";b:1;}';
$data_unserialize = unserialize($unserialize_str);
// Both fields unserialize to bool(true), so the loose comparisons succeed.
if ($data_unserialize['user'] == 'admin' && $data_unserialize['pass'] == 'secirity') {
    print_r('logined in unserialize' . "\n");
}
The running result is as follows:
root@kali:/var/www# php /root/php/hash.php
logined in unserialize
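The following is an added example (not the article's code) covering both the json_decode() and the unserialize() cases above: a loose check that bool(true) satisfies, beside a hardened check that rejects any non-string value before comparing. The inputs and credentials are constructed sample values, and login_loose() and login_strict() are hypothetical functions.

```php
<?php
// Added example: credentials decoded from JSON or serialized data may be
// bool(true) rather than strings. With ==, true == 'admin' is true.

// Constructed sample inputs: both fields are boolean true, not strings.
$json_input       = '{"user": true, "pass": true}';
$serialized_input = 'a:2:{s:4:"user";b:1;s:4:"pass";b:1;}';

// Constructed expected credentials (a real application would compare a
// password hash, never a plaintext password).
$expected_user = 'admin';
$expected_pass = 'secirity';

/**
 * Hypothetical vulnerable check: loose comparison lets bool(true) match any
 * non-empty string.
 */
function login_loose(array $data, string $user, string $pass): bool
{
    return $data['user'] == $user && $data['pass'] == $pass;
}

/**
 * Hypothetical hardened check: require both fields to be strings, then compare
 * strictly. hash_equals() keeps the password comparison constant-time.
 */
function login_strict(array $data, string $user, string $pass): bool
{
    if (!isset($data['user'], $data['pass'])) {
        return false;
    }
    if (!is_string($data['user']) || !is_string($data['pass'])) {
        return false;   // bool, int, float, array: reject before comparing
    }
    return $data['user'] === $user && hash_equals($pass, $data['pass']);
}

// JSON case: the loose check is spoofed, the strict check is not.
$from_json = json_decode($json_input, true);
var_dump(login_loose($from_json, $expected_user, $expected_pass));
var_dump(login_strict($from_json, $expected_user, $expected_pass));

// unserialize() of untrusted data is itself dangerous (object injection);
// allowed_classes => false (PHP 7+) at least prevents object instantiation here.
$from_serialized = unserialize($serialized_input, ['allowed_classes' => false]);
var_dump(login_loose($from_serialized, $expected_user, $expected_pass));
var_dump(login_strict($from_serialized, $expected_user, $expected_pass));

// Genuine string credentials still pass the strict check.
var_dump(login_strict(['user' => 'admin', 'pass' => 'secirity'], $expected_user, $expected_pass));
```

The is_string() guard is the essential part: === alone would also reject bool(true), but an explicit type check makes the intent visible in review and catches arrays and numbers that a later hash_equals() call would otherwise choke on.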
3. Numeric conversion spoofing
$user_id = $_POST['user_id'];
if ($user_id == "1") {
    $user_id = (int)($user_id);
    # $user_id = intval($user_id);
    $qry = "SELECT * FROM `users` WHERE user_id = '$user_id';";
}
$result = mysql_query($qry) or die(mysql_error());
print_r(mysql_fetch_row($result));
Sending user_id=0.999999999999999999999 gives the following result:
Array
(
[0] => 0
[1] => lxx'
[2] =>
[3] =>
[4] =>
[5] =>
)
The query was meant to return the row for the submitted user_id, but it returns the row with user_id = 0. Both the (int) cast and intval() are lossy when converting numbers. Consider the following code:
if ($_POST['uid'] != 1) {
    $res = $db->query("SELECT * FROM user WHERE uid = %d", (int)$_POST['uid']);
    mail(/* ... */);   // elided in the original
} else {
    die("Cannot reset password of admin");
}
If 1.1 is submitted, the check on $_POST['uid'] is bypassed ("1.1" != 1 holds), yet (int)"1.1" is 1, so the user with uid = 1 can be operated on. In addition, intval() also converts in best-effort mode: it consumes digits until it meets a non-digit character. So with code such as:
if (intval($qq) == 123456) {
    // intval() is checked, but the raw $qq is interpolated into the query.
    $db->query("select * from user where qq = $qq");
}
an attacker can pass in 123456 union select version(): intval() returns 123456, so the check passes, while the raw string reaches the query.
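As an added example (not from the original article), the script below runs the three inputs discussed in this section through the loose checks and casts the article shows, and through a validator that accepts only canonical decimal integers; it then binds the validated value with a prepared statement instead of interpolating the raw string. The inputs are constructed samples, and parse_id_strict() and fetch_user() are hypothetical helpers.

```php
<?php
// Added example: inputs that pass loose comparison or a cast but are rejected
// by a strict integer validator. All inputs are constructed samples.
$inputs = [
    "1",
    "0.999999999999999999999",
    "1.1",
    "123456 union select version()",
];

/**
 * Hypothetical validator: returns the integer only when the whole input is a
 * canonical decimal integer ("0" or digits without a leading zero) that fits in
 * an int; otherwise null. FILTER_VALIDATE_INT already rejects fractions and
 * trailing text; the regex additionally rejects "+", whitespace and leading zeros.
 */
function parse_id_strict($input): ?int
{
    if (!is_string($input) || preg_match('/^(0|[1-9][0-9]*)$/', $input) !== 1) {
        return null;
    }
    $value = filter_var($input, FILTER_VALIDATE_INT);
    return $value === false ? null : $value;
}

foreach ($inputs as $raw) {
    echo "input: " . var_export($raw, true) . "\n";
    echo "  raw == \"1\"     : "; var_dump($raw == "1");   // loose, numeric-string comparison
    echo "  raw != 1        : "; var_dump($raw != 1);
    echo "  (int) cast      : "; var_dump((int) $raw);     // best-effort conversion (version dependent)
    echo "  intval()        : "; var_dump(intval($raw));
    echo "  parse_id_strict : "; var_dump(parse_id_strict($raw));
}

/**
 * Hypothetical lookup: validate first, then bind the integer as a parameter.
 * Shown but not executed here, since the example has no database.
 */
function fetch_user(PDO $pdo, $raw_id): ?array
{
    $id = parse_id_strict($raw_id);
    if ($id === null) {
        return null;   // reject; never fall back to 0 or to the raw string
    }
    $stmt = $pdo->prepare("SELECT * FROM users WHERE user_id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

Only "1" survives parse_id_strict(); the other three return null and never reach the query. The exact integer that (int) produces for a fractional string differs between PHP releases, which is one more reason to validate the text form rather than rely on what a cast happens to do.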
4. PHP 5.4.4 special case
A change in this PHP version causes two large numeric strings to overflow, so they are reported equal:
$ php -r 'var_dump("61529519452809720693702583126814" == "61529519452809720000000000000000");'
bool(true)
5. Digression: strcmp()
PHP's strcmp() function has a similar problem. The manual describes it as int strcmp(string $str1, string $str2): str1 is the first string, str2 the second; it returns < 0 if str1 is less than str2, > 0 if str1 is greater than str2, and 0 if they are equal. What happens if str2 is an array?
$_GET['key'] = array();
$key = "maid";
$flag = strcmp($key, $_GET['key']);   // warning: array given; strcmp() returns NULL
if ($flag == 0) {                      // NULL == 0 is true
    print "Welcome!";
} else {
    print "Bad key!";
}
Running result:
root@kali:~/php# php strcmp.php
PHP Warning:  strcmp() expects parameter 2 to be string, array given in /root/php/strcmp.php on line 13
Welcome!
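As an added example (not the article's code), the following version of the key check rejects non-string input before calling strcmp() and compares the result strictly. It also accounts for the version difference: in PHP 5 and 7, strcmp() with an array argument emits a warning and returns NULL, whereas PHP 8 throws a TypeError. The expected key and the sample inputs are constructed values, and key_matches() is a hypothetical function.

```php
<?php
// Added example: guarding a strcmp()-based key check against non-string input.
$expected_key = "maid";   // constructed sample value

/**
 * Hypothetical key check. The is_string() guard runs first, so strcmp() is
 * never called with an array (NULL result in PHP 5/7, TypeError in PHP 8),
 * and the result is compared with === 0 rather than == 0.
 */
function key_matches($submitted, string $expected): bool
{
    if (!is_string($submitted)) {
        return false;   // array, null, int, bool: reject outright
    }
    return strcmp($expected, $submitted) === 0;
}

// Constructed sample inputs mirroring the article: an array, plus strings.
$samples = [
    'array'        => [],
    'null'         => null,
    'integer'      => 0,
    'wrong string' => 'wrongkey',
    'right string' => 'maid',
];

foreach ($samples as $label => $input) {
    $verdict = key_matches($input, $expected_key) ? "Welcome!" : "Bad key!";
    echo str_pad($label, 13) . ": " . $verdict . "\n";
}

// The unguarded pattern from the article, wrapped so the script keeps running
// on PHP 8 where the TypeError would otherwise be fatal.
try {
    $flag = strcmp($expected_key, []);
    var_dump($flag == 0, $flag === 0);   // loose vs strict on the NULL result
} catch (\TypeError $e) {
    echo "PHP 8 behaviour: " . $e->getMessage() . "\n";
}
```

For secrets such as API keys, hash_equals() is preferable to strcmp() because it runs in constant time, but it has the same requirement that both arguments already be strings, so the is_string() guard stays in place either way.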
Comparison with various types
Type of operand 1             Type of operand 2             Result
null or string                string                        Convert null to "", then compare numerically or lexically
bool or null                  anything                      Convert both sides to bool, FALSE < TRUE
object                        object                        Built-in classes can define their own comparison; different classes cannot be compared; for the same class, properties are compared the same way as arrays (PHP 4), and PHP 5 has its own rules
string, resource or number    string, resource or number    Convert strings and resources to numbers, then compare as numbers
array                         array                         The array with fewer members is smaller; if a key from operand 1 is not found in operand 2, the arrays cannot be compared; otherwise compare value by value (see the following example)
array                         anything                      array is always greater
object                        anything                      object is always greater