This article is mainly to share with you some of the PHP functions of the vulnerability collection sharing, hope to help everyone.
1. Weak type comparison
2.MD5 Compare Vulnerability
When PHP handles a hash string, if it uses "! =" or "= =" to compare the hash value, it interprets each hash value starting with "0x" as the number of times (0) of scientific notation 0, so if two different passwords are hashed, their hashes start with "0e". Then PHP will think they are the same.
The common payload have
0x01 MD5 (str) Qnkcdzo 240610708 s878926199a s155964671a s214587387a s214587387a0x02 SHA1 (str) SHA1 (' Aarozmok ') SHA1 (' Aak1stfy ') SHA1 (' AAO8ZKZF ') SHA1 (' aa3off9m ')
At the same time MD5 can not handle the array, if the following judgment can be used to bypass the array
if (@md5 ($_get[' a ')) = = @md5 ($_get[' B ')) { echo "yes";} http://127.0.0.1/1.php?a[]=1&b[]=2
3.ereg Function Vulnerability: 00 truncation
Ereg ("^[a-za-z0-9]+$", $_get[' password ') = = = FALSE
string comparison parsing
Here if $_get[' password '] is an array, the return value is null
If the 123 | | ASD | | 12as | | 123%00&&&**, the return value is True
The rest is False
4. What is $key?
Don't forget that the program can also extract the key of the variable itself as a variable to the function processing.
<?php Print_r (@$_get); foreach ($_get as $key = $value) { print $key. \ n "; }?" >
5. Variable override
The main function involved is the extract function, see an example
<?php $auth = ' 0 '; This can overwrite the variable value of $auth print_r ($_get); echo "</br>"; Extract ($_get); if ($auth = = 1) { echo "private!"; } else{ echo "public!"; } ? >
Extract can receive an array, and then re-assign a value to the variable, the process page is simple.
While PHP features $ can be used to assign variable names can also cause variable overrides!
<?php $a = ' hi '; foreach ($_get as $key = $value) { echo $key. </br> ". $value; $ $key = $value; } Print "</br>". $a;? >
Structure http://127.0.0.1:8080/test.php?a=12
to achieve the goal.
6.strcmp
If STR1 is less than str2 returns < 0, if STR1 is greater than str2 returns > 0, if both are equal, 0 is returned. First, two parameters are first converted to string type. When comparing arrays and strings, the return is 0. If the argument is not of type string, return directly
<?php $password =$_get[' password ']; if (strcmp (' xd ', $password)) { echo ' no! '; } else{ echo ' yes! '; }? >
Structurehttp://127.0.0.1:8080/test.php?password[]=
7.is_numeric
No more words:
<?phpecho is_numeric (233333); # 1echo Is_numeric (' 233333 '); # 1echo Is_numeric (0x233333); # 1echo Is_numeric (' 0x233333 '); # 1echo Is_numeric (' 233333abc '); # 0?>
8.preg_match
If there is no limit to the start and end of strings (^ and $) when a regular expression is matched, there can be a problem with bypassing
<?php$ip = ' asd 1.1.1.1 ABCD '; You can bypass if (!preg_match ("/(\d+) \. \d+) \. (\d+) \. (\d+)/", $ip)) {die (' Error ');} else { echo (' key ... ');}? >
9.parse_str
A function similar to PARSE_STR () is Mb_parse_str (), which parse_str parses the string into multiple variables, and if the parameter str is the query string that the URL passes in (query string), it resolves to a variable and sets it to the current scope.
One of the time variable overrides
<?php $var = ' init '; Print $var. " </br> "; Parse_str ($_server[' query_string '); echo $_server[' query_string ']. " </br> "; Print $var;? >
10. String comparisons
<?php echo 0 = = ' a ';//A is converted to a number of 0 notes ////The 0x will be treated as 16 binary 54975581388 with 16 binary as 0XCCCCCCCCC //16 binary and integer, converted to the same A binary comparison of ' 0xccccccccc ' = = ' 54975581388 '; strings are automatically converted to numbers before they are compared to numbers, and if they cannot be converted to numbers they become 0 1 = = ' 1 '; 1 = = ' n '; Ten = = ' 1e1 '; ' + ' = = ' 1e2 '; Hexadecimal number with hexadecimal number with space, converted to hexadecimal integer ' 0xABCdef ' = = ' 0xABCdef '; echo ' 0010e2 ' = = ' 1e3 '; 0e beginning will be treated as a number, is equal to 0*10^xxx=0//if MD5 is beginning with 0e, in the comparison, you can use this method to bypass ' 0e509367213418206700842008763514 ' = = ' 0e481036490867661113260034900752 '; ' 0e481036490867661113260034900752 ' = = ' 0 '; Var_dump (MD5 (' 240610708 ') = = MD5 (' Qnkcdzo ')); Var_dump (MD5 (' aabg7xss ') = = MD5 (' Aabc9rqs ')); Var_dump (SHA1 (' aarozmok ') = = SHA1 (' aak1stfy ')); Var_dump (SHA1 (' aao8zkzf ') = = SHA1 (' aa3off9m '));? >
11.unset
Unset (bar); Used to destroy the specified variable, if the variable bar is contained in the request parameter, some variables may be destroyed to implement the program logic bypass.
<?php $_config[' extrasecure '] = True;foreach (Array (' _get ', ' _post ') as $method) { foreach ($ $method as $key = > $value) { //$key = = _config //$ $key = = $_config// This function destroys the $_config variable unset ($ $key);} } if ($_config[' extrasecure ' = = False) { echo ' flag {* *} ';}? >
12.intval ()
int to string:
$var = 5; Mode 1: $item = (string) $var; Mode 2: $item = Strval ($var);
String to Int:intval () function.
Var_dump (Intval (' 2 '))//2 var_dump (intval (' 3ABCD '))//3 var_dump (intval (' ABCD '))//0 can use the string-0 conversion, A method from Wechall
When the Intval () conversion is described, it will be converted from the beginning of the string until a non-numeric character is encountered. Even if a string cannot be converted, intval () does not error but returns 0
By the way, intval can be truncated by%00.
if ($req [' Number ']!=strval (intval ($req [' number '])) { $info = "Number must be equal to it's integer!!"; }
If $req[' number ']=0%00 can be bypassed
13.switch ()
If switch is the case of a numeric type, switch converts the arguments in it to the int type, which is equivalent to the Intval function. As follows:
<?php $i = "abc"; Switch ($i) {case 0: Case 1: Case 2: echo "I was less than 3 and not negative"; break; Case 3: echo "I am 3"; }?>
14.in_array ()
$array =[0,1,2, ' 3 ']; Var_dump (In_array (' abc ', $array)); True var_dump (In_array (' 1BC ', $array));//true
Input string where all PHP is considered int, will be cast
15.serialize and Unserialize Vulnerabilities
Here we briefly introduce the Magic method in PHP (here if the class, objects, methods are not ripe first to learn it), that is, the Magic method, the PHP class may contain some special functions called magic function, Magic function named after the symbol __, such as __construct , __destruct,__tostring,__sleep,__wakeup and so on. These functions are automatically called at some special times. For example, the __construct () method is called automatically when an object is created, and the corresponding __destruct is called when an object is destroyed, and so on. There are two more special magic methods, and the __sleep method is called when an object is serialized. The __wakeup method is called when an object is deserialized.
<?phpclass test{public $username = "; Public $password = '; Public $file = '; Public function out () { echo "username:". $this->username. " <br> "." Password: ". $this->password; } Public Function __tostring () { return file_get_contents ($this->file);} } $a = new test (); $a->file = ' C:\Users\YZ\Desktop\plan.txt '; echo serialize ($a);? The >//tostring method executes at the time of the output instance and can be read if the instance path is a hidden file.
echo unserialize triggers the __tostring function, so you can read the C:\Users\YZ\Desktop\plan.txt file below.
<?phpclass test{public $username = "; Public $password = '; Public $file = '; Public function out () { echo "username:". $this->username. " <br> "." Password: ". $this->password; } Public Function __tostring () { return file_get_contents ($this->file);} } $a = ' o:4: ' Test ': 3:{s:8: "username"; s:0: "; s:8:" Password "; s:0:" "; s:4:" File "; s:28:" C:\Users\YZ\Desktop\plan.txt ";} '; echo unserialize ($a);? >
16.session Deserialization Vulnerability
The main reason is
Ini_set (' Session.serialize_handler ', ' php_serialize ');
Ini_set (' Session.serialize_handler ', ' php ');
The two ways of dealing with the session are different \users\yz\desktop\plan.txt ";}"; echo unserialize ($a);? >
16.session Deserialization Vulnerability
The main reason is
Ini_set (' Session.serialize_handler ', ' php_serialize ');
Ini_set (' Session.serialize_handler ', ' php ');
The two ways of dealing with a session are different
Related recommendations:
Some common security vulnerabilities and corresponding precautions in PHP websites
PHP about deserialization Object Injection vulnerability
Recommended 9 Articles for file vulnerability