0x01 Introduction
This is the analysis of [PCH-009] "Security risk of PHP string offset" that I published in the 80vul Journal; it is written from my own understanding of the PHP offset feature and from a practical point of view. Address: http://www.bkjia.com/Article/201202/119105.html
0x02 Overview
PHP has the following feature for string offsets. Suppose we never explicitly declare a variable as an array but assign a string to it directly, for example $test = 'tpc'. If we then use that string variable as if it were an array, for example echo $test['hello'], what do we get? Let's look at the effect:
From the experiment we can see that when the key does not exist in the string ('hello'), PHP converts the key to an integer offset (0 here) and returns the character at that position of the string ('t') as the value of the key.
0x03 Exploitation
How does this feature help an attack?
Currently, PHP services generally enable magic quotes by default, and even where they are not enabled, the application usually escapes the key parameters with backslashes. Now imagine that a controllable variable is passed in as an array. That is too abstract in words, so let's take an example.
Assume that an application's source contains the following code:
The SQL variable holds the SQL statement to be executed. With magic quotes enabled by default in PHP, let's first look at the result of a normal submission.
The single quote is escaped by a backslash. Next, let's try another method of submission and see what happens.
This time the test completely escapes the hated single quote, and the rest is straightforward: SQL can simply be injected. Why does this happen? Let's dump some key variables to see how this situation arises.
Code:
Run
Taken together with the PHP offset feature described above, these two screenshots are easy to understand. First, xigr[]=' is submitted. Because of magic quotes, this becomes xigr[]=\'. When xigr[][uid] is then read, the PHP offset feature returns the first character of that string, so "\" is what ends up in the variable. In this way the "\" that was supposed to protect the SQL statement from injection becomes a helper: it escapes the legitimate "'" in the SQL statement.
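As an added example (not code from the original article), the following PHP reproduces the path just described on an emulated magic-quotes input and shows the type check that closes it; the function and variable names are constructed for illustration.

```php
<?php
// Added example, not from the original article. Function and variable
// names are constructed for illustration.

// Emulate magic_quotes_gpc: recursively addslashes() a request value.
function magic_quote($value) {
    return is_array($value)
        ? array_map('magic_quote', $value)
        : addslashes((string) $value);
}

// The pattern the article describes: read $param[0]['uid'] without first
// checking that $param[0] is an array. On PHP 5/7, if $param[0] is the
// string "\'", the non-numeric key 'uid' is treated as offset 0 and the
// read returns the first character, the backslash.
function read_uid_unchecked(array $param) {
    try {
        // @ hides the "Illegal string offset" warning older PHP emits here.
        return (string) @$param[0]['uid'];
    } catch (\Error $e) {
        // PHP 8 rejects a non-numeric string offset on a string instead.
        return 'rejected: ' . $e->getMessage();
    }
}

// Hardened reader: insist on the expected shape and type, return null
// otherwise. Whatever it returns should only reach SQL through a prepared
// statement; escaping with backslashes is not the defence.
function read_uid_checked(array $param) {
    if (!isset($param[0]) || !is_array($param[0])
        || !isset($param[0]['uid']) || !is_string($param[0]['uid'])) {
        return null;
    }
    return $param[0]['uid'];
}

// Constructed request: ?xigr[]=' (a lone single quote), after magic quotes.
$xigr = magic_quote(["'"]);

var_dump(read_uid_unchecked($xigr));
var_dump(read_uid_checked($xigr));
```

The unchecked reader hands the lone backslash to the caller, which is exactly the character that then consumes the query's own closing quote; the checked reader rejects the malformed parameter outright.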