The Intval function has an attribute: "Until a number or symbol is encountered to do the conversion, and then to the end of a non-numeric or string end conversion", in some applications due to the characteristics of the Intval function is not known enough, the use of errors leads to bypass some security judgments lead to security vulnerabilities.
Second, analysis
| Php_function (intval) { Zval **num, **arg_base; Int base; Switch (Zend_num_args ()) { Case 1: If (ZEND_GET_PARAMETERS_EX (1, &num) = = failure) { W Rong_param_count; } Base = ten; Break; Case 2: If (ZEND_GET_PARAMETERS_EX (2, &num, &arg_base) = = failure) { Wrong_param_count; } Convert_to_long_ex (arg_base); Base = z_lval_pp (Arg_base); Break; Default: Wrong_param_count; } Retval_zval (*num, 1, 0); Convert_to_long_base (Return_value, base); } Zend/zend_operators.c->>convert_to_long_base () ... Case is_string: Strval = z_strval_p (OP); Z_lval_p (OP) = Strtol (Strval, NULL, base); Str_free (strval); Break; |
When the Intval function accepts a string parameter that calls Convert_to_long_base () processing, the next call is Z_lval_p (OP) = Strtol (Strval, NULL, Base), and the parameters are processed by the Strtol function.
The function prototype is as follows:
| Long int strtol (const char *nptr,char **endptr,int base); |
This function converts the parameter nptr string based on the parameter base to the number of growth integers, the parameters base range from 2 to 36, or 0. Parameter base represents the method used, such as the base value of 10 is 10, if the base value of 16 is 16.
The process is:
Strtol () scans the parameter nptr string and skips the preceding space character until it encounters a number or positive sign to begin the conversion, then ends the conversion at a non-numeric or string end and returns the result.
Then when the intval is used in the judgment of if, it will cause this judgment to be meaningful, and thus lead to security vulnerabilities.
Third, test code
intval.php $var = "20070601"; if (Intval ($var)) echo "It ' safe"; echo ' $var = '. $var; echo " "; $var 1= "1 Union Select 1,1,1 from admin"; if (Intval ($var 1)) echo "It ' s safe too"; Echo ' $var 1= '. $var 1; |
Iv. Practical Application
| WordPress <= 2.0.6 wp-trackback.php zend_hash_del_key_or_index/sql injection Exploit |
Edit Finishing
Start building with 50+ products and up to 12 months usage for Elastic Compute Service
1 on 1 presale consultation
24/7 Technical Support 6 Free Tickets per Quarter Faster Response
Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.
A comprehensive suite of global cloud computing services to power your business
Payment Methods We Support
