Security experts describe the security features of PHP Functions

I. PHP forced conversion feature
(1) forced conversion of PHP

The mandatory conversion in PHP should add the target type enclosed in brackets before the converted variable. You can also use the settype () function. The Code 0x1. php is as follows:

　　

$ A = $ _ GET [a]; //? A = "1abc ";

$ Int = (int) $;

$ Float = (float) $;

$ String = (string) $;

$ Array = settype ($ int, array );

?>

You can also use the intval () floatval () strval () function for forced conversion. The Code 0x2. php is as follows:

　　

$ A = $ _ GET [a]; //? A = "1.23abc"

$ Int = intval ($ );

$ Flo = floatval ($ );

$ String = strval ($)

?>

When forced type conversion is required for variables, improper use of the above methods will lead to security vulnerabilities.

(2) simulated testing

We conduct a simulated test on the vulnerability code. The intval forced conversion sample code 0x3. php:

　　

$ A = "123a and 1 = 1 ";

Intval ($ );

Echo $;

Echo"

--------------------------------------------------------------------------------
";

$ A_safe = "123a ";

$ A_safe = intval ($ a_safe );

Echo $ a_safe;

Echo"

--------------------------------------------------------------------------------
";

?>

Running result:

123a and 1 = 1

123

$ A is output as is instead of being converted to a non-integer type. The corresponding $ a_safe is forcibly converted.

Int forced conversion example code 0x4. php:

　　

$ B = "123b and 1 = 2 ";

(Int) $ B;

Echo $ B;

Echo"

--------------------------------------------------------------------------------
";

$ B _safe = "123b ";

$ B _safe = (int) $ B _safe;

Echo $ B _safe;

Echo"

--------------------------------------------------------------------------------
";

?>

Running result:

123b and 1 = 2

123

$ B is not converted to an integer, but is output as is. $ B _safe is converted.

Bringing the above security risks into PHP Process Control

If sample code 0x5. php:

　　

$ C = "123.3c ";

If (floatval ($ c )){

Echo $ c ."

--------------------------------------------------------------------------------
";

}

$ C_safe = "123.3c ";

If ($ c_safe = floatval ($ c_safe )){

Echo $ c_safe ."

--------------------------------------------------------------------------------
";

}

?>

Running result:

123.3c

123.3

We can see that the first if condition does not convert $ c to a non-floating point value, and the corresponding $ c_safe is converted.

Switch sample code 0x6. php:

　　

$ D = "123.3d ";

Switch (intval ($ d )){

Case "123.3d": echo $ d ."
";

Case "123": echo $ d. "Its not safe

--------------------------------------------------------------------------------
";

}

$ D_safe = "123.3d ";

$ D_safe = intval ($ d_safe );

Switch ($ d_safe ){

Case "123.3d": echo $ d_safe ."
Its not safe ";

Case "123": echo $ d_safe. "Its safe

--------------------------------------------------------------------------------
";

}

?>

Running result:

123.3 dIts not safe

123Its safe

$ D is not converted to an integer in the switch, or is output as is. $ D_safe is converted.

While sample code 0x7. php

　　

$ E = 123e;

While (intval ($ e )){

Echo $ e. "triggering an endless loop ";

}

?>

Running result:

Parse error: parse error in D: xampphtdocs80vulsrcx7. php on line 2

While is always true, causing an endless loop, but $ e is not forcibly converted to uninteger.

After testing, it is concluded that, because all variables are forced type conversion, the returned value is not assigned to a variable, so there is a vulnerability.

For instance demonstration, you can refer to "PHP and MySQL injection summary" on my blog.

Address: Http: // hi.baidu.com/menzhi0072.

Example 1: When magic_quotes_gpc = Off, code 0x8. php is as follows:

　　

$ Id = $ _ GET [id];

$ Id = htmlspecialchars ($ id );

Echo $ id ."
";

$ Id_safe = $ _ GET [id];

$ Id_safe = htmlspecialchars ($ id_safe );

Echo $ id_safe;

?>

Submit URL: http: // 127.0.0.1/80vul/src/0x8. php? Id = 1 and 1 = 2

Running result:

1 and 1 = 2

1 and 1 = 2

Extended Example 2. Let's look at another interesting example. Code 0x09. php is as follows:

　　

$ Id = $ _ GET [id];

$ Id = htmlspecialchars ($ id );

Echo $ id ."
";

$ Id_safe = $ _ GET [id];

$ Id_safe = htmlspecialchars ($ id_safe); // pay attention to the dual-equal sign.

Echo $ id_safe;

?>

Running result:

1 and 1 = 2

1 and 1 = 2

No filtering. The two equal signs are not a value assignment statement, so they still do not play a filtering role.

When we submit a URL? When id = a and 1 = 2, the variable id is not filtered by the htmlspecialchars function, causing security risks.

Example 3: Code 0x10. php is as follows:

　　

$ Str = one | two | three | four;

Explode (|, $ str, 2 );

Echo"
";

Print_r ($ str );

$ Str_safe = one | two | three | four;

$ Str_safe = explode (|, $ str_safe, 2 );

Echo"
";

Print_r ($ str_safe );

?>

Running result:

Array ([0] => one [1] => two | three | four)

One | two | three | four

If we do not assign the returned result to a variable name, filtering is meaningless.

After testing, it is concluded that PHP is a weak language that allows two identical variable names to be defined, and the variables defined later will overwrite the previously defined variables. If no variable name points to this variable, the PHP Garbage collection mechanism (Garbage Collector) will destroy it in the memory to prevent memory overflow. The _ destruct () destructor is executed when the garbage object is recycled. Unset destroys the variable pointing to the object. We can expand all the variables filtered by functions. If the returned results are not assigned to another variable, the variable will be automatically recycled by the PHP memory recycle mechanism GC, its value does not change because of the influence of the previous function. For example, the Code "(int) $ B;" in the 0x1. php sample is placed in the memory and recycled by the memory.

This article was extended to 80vul's pch-001, and strongly thanked 80vul, Ph4nt0m, and paid tribute to them. This security risk is caused by the commonality of PHP functions. As a program designer, we should do our best to develop code specifications to avoid such risks. Of course, I hope you can correct the mistakes in this article.

Iii. Actual use

Wordpress 2 _ 0_5 Trackback UTF-7 Remote SQL Injection

Http://www.milw0rm.com/exploits/3095

References:

Http://www.80vul.com/pch/pch-001.txt

Http://superhei.blogbus.com/logs/4255503.html