I. Description of
The Intval function has an attribute: "Until the number or sign symbol is started to do the conversion, and then encountered Non-numeric or end of the string (/0) End Conversion", in some applications due to the Intval function This feature is not known enough, the use of errors leads to bypass some security judgments lead to security vulnerabilities.
Second, analysis
Php_function (intval) { Zval **num, **a Rg_base; Int base; Switch (Zend_num_args ()) { Case 1: If (ZEND_GET_PARAMETERS_EX (1, &num) = = failure) { Wron G_param_count; } Base = ten; Break; Case 2: If (ZEND_GET_PARAMETERS_EX (2, &num, &arg_base) = = failure) { Wrong_param_count; } Convert_to_long_ex (arg_base); Base = z_lval_pp (Arg_base); Break; Default: Wrong_param_count; } Retval_zval (*num, 1, 0); Convert_to_long_base (Return_value, base); } Zend/zend_operators.c->>convert_to_long_base () ... Case is_string: Strval = z_strval_p (OP); Z_lval_p (OP) = Strtol (Strval, NULL, base); Str_free (strval); Break; |
When the Intval function accepts a string parameter that calls Convert_to_long_base () processing, the next call is Z_lval_p (OP) = Strtol (Strval, NULL, Base), and the parameters are processed by the Strtol function.
The function prototype is as follows:
Long int strtol (const char *nptr,char **endptr,int base); |
This function converts the parameter nptr string based on the parameter base to the number of growth integers, the parameters base range from 2 to 36, or 0. Parameter base represents the method used, such as the base value of 10 is 10, if the base value of 16 is 16.
The process is:
Strtol () scans the parameter nptr string and skips the preceding space character until it encounters a number or positive sign before starting the conversion, and then returns to the end of a non-numeric or string (/0) ending conversion.
Then when the intval is used in the judgment of if, it will cause this judgment to be meaningful, and thus lead to security vulnerabilities.
Third, test code
intval.php $var = "20070601"; if (Intval ($var)) echo "It ' safe"; echo ' $var = '. $var; echo " "; $var 1= "1 Union Select 1,1,1 from admin"; if (Intval ($var 1)) echo "It ' s safe too"; Echo ' $var 1= '. $var 1; |
Iv. Practical Application
WordPress <= 2.0.6 wp-trackback.php zend_hash_del_key_or_index/sql injection Exploit |