PHP Weak Typing in Detail

Source: Internet
Author: User
Tags strcmp

Recent CTF challenges often involve PHP weak typing. This article shares a summary of PHP weak typing, in the hope that it helps.

Background:

PHP has two equality comparisons, == and ===

<?php
$a == $b;
$a === $b;
?>

=== first checks whether the two operands have the same type, and then compares them
== first converts the operands to the same type, and then compares them

If you compare a number with a string, or compare strings that contain numeric content, the string is converted to a numeric value and the comparison is done numerically.

PHP does not strictly check the type of a variable passed in, and variables can be converted freely between types.

For example, in the comparison $a == $b:

$a = null; $b = false; // true
$a = '';   $b = 0;     // also true

In addition, if a numeric value is compared to a string, the string is converted to a numeric value:

<?php
var_dump("admin" == 0);   // true
var_dump("1admin" == 1);  // true
var_dump("admin1" == 1);  // false
var_dump("admin1" == 0);  // true
var_dump("0e123456" == "0e4456789"); // true
?>

1. In the code above, the comparison "admin" == 0 forces "admin" to be converted to a numeric value. Because "admin" is a non-numeric string, the result of the conversion is 0, which naturally equals 0.

2. The comparison "1admin" == 1 converts "1admin" to a numeric value, and the result is 1. "admin1" == 1 is false because "admin1" is converted to 0.

3. When "0e123456" and "0e456789" are compared with each other, strings of the form 0e... are recognized as numbers in scientific notation. Whatever the exponent, the value is 0, so they are equal.
Note that when a string is treated as a numeric value, the result and type are determined as follows: if the string does not contain '.', 'e' or 'E', and its numeric value is within the integer range, the string is evaluated as an int; in all other cases it is evaluated as a float. The leading part of the string determines its value: if the string starts with a valid number, that number is used; otherwise the value is 0.

Bypass types:
md5 bypass (hash comparison defect)

<?php
if (isset($_GET['Username']) && isset($_GET['password'])) {
    $logined = true;
    $Username = $_GET['Username'];
    $password = $_GET['password'];
    if (!ctype_alpha($Username)) { $logined = false; }
    if (!is_numeric($password)) { $logined = false; }
    if (md5($Username) != md5($password)) { $logined = false; }
    if ($logined) {
        echo "successful";
    } else {
        echo "Login failed!";
    }
}
?>

The main idea is to enter one alphabetic string and one numeric string whose MD5 values compare as equal, so that the next statement executes successfully.

There is a batch of inputs whose MD5 starts with 0e. As mentioned above, a 0e string is treated as scientific notation during comparison, so no matter what follows the 0e, the value is 0. md5('240610708') == md5('QNKCDZO') bypasses the check successfully!
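The comparison defect described above next to a hardened form, as an added example that is not part of the original article. The function names are hypothetical; the two inputs are the pair the article cites.

```php
<?php
// Added example; function names are hypothetical, not from the article.

// The article's flawed pattern: two hex digests compared with ==.
// When both look like "0e<digits>", PHP treats them as numeric strings
// and compares them as numbers (this still holds on PHP 8).
function digests_equal_loose($a, $b) {
    return md5($a) == md5($b);
}

// Hardened form: reject non-strings, then compare the digests as bytes
// in constant time. hash_equals() never applies numeric conversion.
function digests_equal_strict($a, $b) {
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(md5($a), md5($b));
}

// Audit helper: true when a stored hex digest has the "0e<digits>" shape
// that makes loose comparison unsafe.
function is_numeric_looking_digest($hex) {
    return is_string($hex) && preg_match('/^0+e[0-9]+$/i', $hex) === 1;
}

// The two inputs the article cites; both MD5 digests start with "0e".
$inputs = ['240610708', 'QNKCDZO'];

foreach ($inputs as $s) {
    printf("%-10s md5=%s numeric-looking=%s\n", $s, md5($s),
        is_numeric_looking_digest(md5($s)) ? 'yes' : 'no');
}
printf("loose  ==          : %s\n",
    digests_equal_loose($inputs[0], $inputs[1]) ? 'equal' : 'different');
printf("strict hash_equals : %s\n",
    digests_equal_strict($inputs[0], $inputs[1]) ? 'equal' : 'different');
```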
South Mail CTF: bypass again
Opening the challenge shows this code:

if (isset($_GET['a']) and isset($_GET['b'])) {
    if ($_GET['a'] != $_GET['b'])
        if (md5($_GET['a']) === md5($_GET['b']))
            die('Flag: ' . $flag);
        else
            print 'Wrong.';
}

The source code requires two unequal values to be submitted whose MD5 values are strictly equal. The md5() function expects a string; if an array is passed in, it returns NULL. That is, var_dump(md5(array(2)) === null) prints bool(true).

You can pass two unequal arrays named a and b through $_GET, causing md5() to return NULL for both, and then get the flag. Constructed URL: http://chinalover.sinaapp.com/web17/index.php?a[]=0&b[]=1

JSON bypass

<?php
if (isset($_POST['message'])) {
    $message = json_decode($_POST['message']);
    $key = "*********";
    if ($message->key == $key) {
        echo "flag";
    } else {
        echo "fail";
    }
} else {
    echo "~~~~";
}
?>

The input is a JSON string. The json_decode function decodes it, and the code checks whether the value of key in the decoded data equals the value of $key. We do not know the value of $key, but the check can be bypassed using the 0 == "admin" form.

Final payload: message={"key": 0}

strcmp vulnerability bypass

<?php
$password = "***************";
if (isset($_POST['password'])) {
    if (strcmp($_POST['password'], $password) == 0) {
        echo "Right!!! Login success";
        exit();
    } else {
        echo "Wrong password.";
    }
}
?>

strcmp compares two strings: it returns a value < 0 if str1 is less than str2, a value > 0 if str1 is greater than str2, and 0 if the two are equal.

We do not know the value of $password. The challenge requires strcmp to judge the submitted value equal to $password. strcmp expects its arguments to be strings, so what happens if an array is passed in?

Passing password[]=xxx bypasses the check: the function receives a type it does not accept and an error occurs, but the result is still judged equal.

Payload: password[]=xxx
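A type-checked comparison that closes the array and JSON cases described in the md5, JSON and strcmp sections, as an added example that is not part of the original article or the challenges. check_secret(), extract_key() and the sample secret are hypothetical.

```php
<?php
// Added example; check_secret(), extract_key() and the secret are hypothetical.

// Returns true only when $supplied is a string that is byte-for-byte equal
// to $expected. On PHP 5/7, strcmp() and md5() return NULL for an array and
// 0 == "non-numeric" is true; on PHP 8 those calls throw TypeError and that
// comparison is false. The explicit type check behaves the same everywhere.
function check_secret($supplied, $expected) {
    if (!is_string($supplied)) {
        return false;   // arrays (password[]=xxx) and JSON numbers ({"key": 0})
    }
    return hash_equals($expected, $supplied);
}

// Decodes a JSON body and returns its "key" member, or null when the body
// is not a JSON object or has no "key" member.
function extract_key($json) {
    if (!is_string($json)) {
        return null;
    }
    $msg = json_decode($json);
    if (!is_object($msg) || !property_exists($msg, 'key')) {
        return null;
    }
    return $msg->key;
}

$expected = 'constructed-secret';   // constructed sample value

// Constructed inputs, shaped like the request values the article describes.
$cases = [
    'correct string'            => 'constructed-secret',
    'wrong string'              => 'guess',
    'array (password[]=xxx)'    => ['xxx'],
    'JSON {"key": 0}'           => extract_key('{"key": 0}'),
    'JSON with correct string'  => extract_key('{"key": "constructed-secret"}'),
    'JSON without key member'   => extract_key('{"other": 1}'),
];

foreach ($cases as $label => $value) {
    printf("%-28s %s\n", $label,
        check_secret($value, $expected) ? 'accepted' : 'rejected');
}
```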
