Let's look at a code fragment:
<?php
// Deliberately vulnerable check from the article: ereg() is not binary-safe.
$ip = "1.1.1.255" . chr(0) . "haha";
if (ereg("^[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}$", $ip)) {
    echo $ip;
} else {
    echo "Unknown";
}
This ereg() call restricts $ip to the form xxx.xxx.xxx.xxx. On the surface the code above should output "Unknown", but it actually outputs "1.1.1.255haha", because ereg() has a null-byte truncation flaw: it treats its subject as a C string and stops at the first \0, so the pattern is matched only against "1.1.1.255" and the regular-expression filter is bypassed.
To trigger this we have to get a \x00 (%00) into the data. When magic_quotes_gpc is on, %00 is escaped and cannot be used. But what if ereg() is processing $_SERVER (which is not covered by GPC under PHP 5), or data that has gone through a function such as urldecode() that undoes the GPC escaping? For example, some programs use the method above to verify an IP address taken from $_SERVER; then null truncation can be used to bypass the regular-expression filter and construct the data we need:
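The fix on the defending side is to validate with a binary-safe function. The following is an added example, not code from the original article: it rebuilds the same IPv4 check on preg_match() and filter_var(), both of which see the whole string, null byte included, so the truncated-match trick no longer applies. The sample inputs are constructed for illustration.

```php
<?php
// Added example (not from the original article): the same check rebuilt on
// binary-safe functions. preg_match() and filter_var() read the entire
// string, so an embedded "\0" is just another character that fails the match.
declare(strict_types=1);

function is_ipv4_regex(string $ip): bool
{
    // \A and \z anchor at the true start and end of the string; a bare $
    // would also match before a trailing "\n", which is a second classic gap.
    return preg_match('/\A[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\z/', $ip) === 1;
}

function is_ipv4_filter(string $ip): bool
{
    // filter_var() also enforces octet ranges (it rejects 1.1.1.999),
    // which the shape-only regex above does not.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Constructed inputs: the article's payload plus a few neighbouring cases.
$samples = [
    "1.1.1.255",                    // well-formed address
    "1.1.1.255" . chr(0) . "haha",  // the ereg() bypass payload from the article
    "1.1.1.255\n",                  // trailing newline: $ would accept, \z rejects
    "1.1.1.999",                    // regex accepts the shape, filter_var rejects
];

foreach ($samples as $ip) {
    printf("%-22s regex=%-6s filter=%s\n",
        addcslashes($ip, "\0..\37"),           // make control bytes visible
        is_ipv4_regex($ip) ? 'ok' : 'reject',
        is_ipv4_filter($ip) ? 'ok' : 'reject');
}
```

Run with php on the command line: the first sample passes both checks, the null-byte payload and the trailing-newline variant are rejected by both, and 1.1.1.999 shows why filter_var() is the better choice when the value really has to be an address. Values read from $_SERVER headers such as HTTP_X_FORWARDED_FOR are client-controlled and, as the article notes, never touched by magic_quotes_gpc, so this kind of validation must not rely on GPC escaping having removed anything.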