This article is about a number of small pitfalls in PHP functions. If you did not know which PHP functions can be abused, read on: it covers what to watch out for when using these functions in real PHP development. Without further ado, let's take a look!
1. Weak type comparison
2. MD5 Compare Vulnerability
When PHP handles hash strings and uses "!=" or "==" to compare them, it interprets every hash value that starts with "0e" followed only by digits as scientific notation (0 times 10 to some power, which is 0). So if two different passwords are hashed and both hashes start with "0e", PHP will consider them equal.
The common payloads are:
0x01 md5(str): QNKCDZO, 240610708, s878926199a, s155964671a, s214587387a
0x02 sha1(str): aaroZmOk, aaK1STfY, aaO8zKZF, aa3OFF9m
At the same time, md5() cannot handle an array, so if the following check is used it can be bypassed with an array:
<?php
// md5() of an array returns NULL (with a warning, hidden here by @; PHP 8 throws a TypeError instead),
// so both sides become NULL and NULL == NULL is true
if (@md5($_GET['a']) == @md5($_GET['b'])) {
    echo "yes";
}
?>
Request: http://127.0.0.1/1.php?a[]=1&b[]=2
3. ereg Function Vulnerability: %00 truncation
ereg("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE
Analysis of this comparison:
If $_GET['password'] is an array, the return value is NULL.
If it is 123, asd, 12as, or 123%00&&&** (ereg stops at the null byte, so it only sees 123), the return value is TRUE.
Anything else returns FALSE.
4. What is $key?
Don't forget that the program can also take the key of a request parameter itself as a variable and pass it to a function for processing.
<?php
print_r(@$_GET);
foreach ($_GET as $key => $value) {
    print $key . "\n"; // the parameter name, not its value, is what gets used here
}
?>
5. Variable override
The main function involved is extract(); see an example:
<?php
$auth = '0';
// extract() below can overwrite the value of $auth
print_r($_GET);
echo "</br>";
extract($_GET);
if ($auth == 1) {
    echo "private!";
} else {
    echo "public!";
}
?>
extract() receives an array and then re-assigns the corresponding variables from it; the processing on the page is simple.
PHP's variable-variable feature ($$), which lets a string be used as a variable name, can also cause variable overwriting!
<?php
$a = 'hi';
foreach ($_GET as $key => $value) {
    echo $key . "</br>" . $value;
    $$key = $value; // the request key becomes the variable name, so ?a=... overwrites $a
}
print "</br>" . $a;
?>
Construct the request http://127.0.0.1:8080/test.php?a=12 to achieve this.
6. strcmp
If str1 is less than str2 it returns < 0; if str1 is greater than str2 it returns > 0; if both are equal, 0 is returned. Both parameters are first converted to string type. When an array is compared with a string, the return value is 0: if the argument is not of string type, it returns directly.
<?php
$password = $_GET['password'];
// strcmp() with an array argument returns NULL with a warning in PHP 5/7 (PHP 8 throws a TypeError);
// NULL is falsy, so the else branch runs
if (strcmp('xd', $password)) {
    echo 'no!';
} else {
    echo 'yes!';
}
?>
Construct the request http://127.0.0.1:8080/test.php?password[]=
7. is_numeric
The examples speak for themselves:
<?php
echo is_numeric(233333);      # 1
echo is_numeric('233333');    # 1
echo is_numeric(0x233333);    # 1
echo is_numeric('0x233333');  # 1 (PHP 5 only: hexadecimal strings are no longer numeric since PHP 7)
echo is_numeric('233333abc'); # 0
?>
8. preg_match
If a regular expression does not anchor the start and end of the string (^ and $), the match can be bypassed.
<?php
$ip = 'asd 1.1.1.1 abcd';
// can be bypassed: the pattern is not anchored, so any surrounding junk is accepted
if (!preg_match("/(\d+)\.(\d+)\.(\d+)\.(\d+)/", $ip)) {
    die('Error');
} else {
    echo('key...');
}
?>
9. parse_str
A function similar to parse_str() is mb_parse_str(). parse_str() parses a string into multiple variables; if the str parameter is the query string passed in the URL, it is parsed into variables that are set in the current scope.
This is another kind of variable override:
<?php
$var = 'init';
print $var . "</br>";
// without a result array, parse_str() writes straight into the current scope
// (deprecated in PHP 7.2, removed in PHP 8.0)
parse_str($_SERVER['QUERY_STRING']);
echo $_SERVER['QUERY_STRING'] . "</br>";
print $var;
?>
10. String comparisons
<?php
echo 0 == 'a'; // 'a' is converted to the number 0 (true before PHP 8; since PHP 8 the int is converted to a string instead, so false)
// '0x' is treated as hexadecimal: 54975581388 in hexadecimal is 0xccccccccc
// a hex string and an integer string are converted to the same number and compared (PHP 5 only; hex strings are not numeric since PHP 7)
'0xccccccccc' == '54975581388';
// strings are automatically converted to numbers before they are compared with numbers; if they cannot be converted they become 0
1 == '1';
1 == 'n';   // false: 'n' cannot be converted
10 == '1e1';
100 == '1e2';
// a hex number and a hex number with a leading space are converted to the same hex integer (PHP 5 only)
'0xABCdef' == ' 0xABCdef';
echo '0010e2' == '1e3';
// a leading 0e is treated as a number equal to 0*10^xxx = 0
// if an MD5 hash starts with 0e, this can be used to bypass the comparison
'0e509367213418206700842008763514' == '0e481036490867661113260034900752';
'0e481036490867661113260034900752' == '0';
var_dump(md5('240610708') == md5('QNKCDZO'));
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
?>
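The loose hash comparison from sections 2 and 10 next to a hardened version, as an added example that is not part of the original article. looseHashEquals and safeHashEquals are names I chose; the sample pairs are the article's own magic strings.

```php
<?php
// Constructed sample pairs: the article's "magic" strings, whose md5/sha1
// hex digests have the form 0e<digits> and therefore loosely compare as 0.
$pairs = array(
    array('md5',  '240610708', 'QNKCDZO'),
    array('md5',  'aabg7XSs',  'aabC9RqS'),
    array('sha1', 'aaroZmOk',  'aaK1STfY'),
    array('sha1', 'aaO8zKZF',  'aa3OFF9m'),
);

// Vulnerable: == on two numeric-looking hash strings compares them as floats,
// so two different 0e... digests are considered equal (still true in PHP 8).
function looseHashEquals($algo, $a, $b)
{
    return hash($algo, $a) == hash($algo, $b);
}

// Hardened: refuse non-string input first (md5(array) yields NULL, and
// NULL == NULL), then compare the digests byte for byte with hash_equals(),
// which is also constant-time. A plain === would fix the type juggling too.
function safeHashEquals($algo, $a, $b)
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(hash($algo, $a), hash($algo, $b));
}

foreach ($pairs as $p) {
    list($algo, $x, $y) = $p;
    printf("%-4s %-10s vs %-10s  loose: %-5s  safe: %s\n", $algo, $x, $y,
        var_export(looseHashEquals($algo, $x, $y), true),
        var_export(safeHashEquals($algo, $x, $y), true));
}
// The array trick from section 2 (?a[]=1&b[]=2) is rejected outright.
var_dump(safeHashEquals('md5', array(1), array(2)));
```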
11. unset
unset($bar) is used to destroy the specified variable. If the variable name bar comes from a request parameter, variables the program relies on can be destroyed to bypass its logic.
<?php
$_config['extrasecure'] = true;
foreach (array('_GET', '_POST') as $method) {
    foreach ($$method as $key => $value) {
        // $key == '_config'
        // $$key == $_config
        // this destroys the $_config variable
        unset($$key);
    }
}
if ($_config['extrasecure'] == false) {
    echo 'flag{**}';
}
?>
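The variable-overwrite patterns of sections 5, 9 and 11 (extract, $$, parse_str, unset) beside the forms that do not let request keys reach the local scope, as an added example that is not part of the original article. The $request array is a constructed stand-in for $_GET, and the 'req' prefix and the allow-list are my choices.

```php
<?php
// Constructed request array standing in for $_GET in the article's examples.
// An attacker can choose any key, including 'auth', 'var' or '_config'.
$request = array('auth' => '1', 'var' => 'pwned', '_config' => 'x', 'name' => 'alice');

$auth    = '0';
$var     = 'init';
$_config = array('extrasecure' => true);

// Vulnerable forms from sections 5, 9 and 11 (left as comments on purpose):
//   extract($request);                         overwrites $auth
//   foreach ($request as $k => $v) $$k = $v;   overwrites $var
//   parse_str($_SERVER['QUERY_STRING']);       overwrites $var (removed in PHP 8)
//   foreach ($request as $k => $v) unset($$k); destroys $_config

// Hardened 1: if extract() is unavoidable, never let it overwrite, and put
// request data in its own namespace with a prefix.
extract($request, EXTR_SKIP);              // existing $auth, $var keep their values
extract($request, EXTR_PREFIX_ALL, 'req'); // only creates $req_auth, $req_var, ...

// Hardened 2: parse_str() into an array, never into the current scope.
parse_str('var=pwned&auth=1&name=bob', $parsed);

// Hardened 3: copy only allow-listed, string-typed keys into a dedicated array;
// variable names and unset() targets never come from the request.
$allowed = array('name');
$params  = array();
foreach ($allowed as $k) {
    if (isset($parsed[$k]) && is_string($parsed[$k])) {
        $params[$k] = $parsed[$k];
    }
}

var_dump($auth, $var, $_config['extrasecure'], $req_auth, $params);
```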
12. intval()
int to string:
$var = 5;
// method 1:
$item = (string)$var;
// method 2:
$item = strval($var);
String to int: the intval() function.
var_dump(intval('2'));     // 2
var_dump(intval('3abcd')); // 3
var_dump(intval('abcd'));  // 0
// the string - 0 conversion can also be used, a method from WeChall
As described, when intval() converts a string it starts at the beginning and continues until a non-numeric character is encountered. Even if a string cannot be converted at all, intval() does not raise an error but returns 0.
Incidentally, intval can also be truncated with %00.
if ($req['number'] != strval(intval($req['number']))) {
    $info = "number must be equal to it's integer!!";
}
If $req['number'] = 0%00, this check can be bypassed.
13. switch()
If the case labels are of numeric type, switch converts its argument to int, which is equivalent to calling intval(). For example:
<?php
$i = "abc";
switch ($i) {
    case 0:
    case 1:
    case 2:
        echo "i is less than 3 and not negative"; // reached: "abc" == 0 is true before PHP 8
        break;
    case 3:
        echo "i is 3";
}
?>
14. in_array()
$array = [0, 1, 2, '3'];
var_dump(in_array('abc', $array)); // true
var_dump(in_array('1bc', $array)); // true
// both results hold before PHP 8; since PHP 8 a non-numeric string is no longer equal to an int, so both are false
When the input string is compared against the int elements, PHP treats it as an int and casts it, so 'abc' matches 0 and '1bc' matches 1.
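Strict input checks that cover the strcmp, is_numeric, preg_match, intval, switch and in_array pitfalls of sections 6, 7, 8, 12, 13 and 14, as an added example that is not part of the original article. The function names and the $inputs list are mine; the inputs are constructed to exercise each case the article describes.

```php
<?php
// Constructed inputs standing in for the request values discussed in sections
// 6, 7, 8, 12, 13 and 14 (arrays, hex, exponents, trailing junk, null bytes).
$inputs = array('1', '3', '1e1', '0x1A', '3abcd', "12\n", "0\0", '1.1.1.1',
                'asd 1.1.1.1 abcd', 'abc', array('x'));

// Integer check that accepts only ASCII digits: rejects "3abcd", "1e1",
// "0x1A", "12\n" and "0\0", where intval()/is_numeric()/== all misbehave.
// Arrays are rejected up front, because strcmp(), intval() and friends do
// not fail closed on them.
function isStrictInt($v)
{
    return is_string($v) && $v !== '' && ctype_digit($v);
}

// filter_var() is the signed-integer alternative; note that it trims
// surrounding whitespace, so "12\n" passes here but not in isStrictInt().
function isFilterInt($v)
{
    return is_string($v) && filter_var($v, FILTER_VALIDATE_INT) !== false;
}

// Anchored pattern (section 8). The D modifier makes $ match only at the very
// end of the string; without it "1.1.1.1\n" would also pass.
function isDottedQuad($v)
{
    return is_string($v)
        && preg_match('/^\d{1,3}(?:\.\d{1,3}){3}$/D', $v) === 1;
}

// Exact membership instead of in_array()/switch loose matching: the third
// argument to in_array() makes the comparison ===.
function isAllowedCode($v)
{
    return is_string($v) && in_array($v, array('0', '1', '2', '3'), true);
}

foreach ($inputs as $in) {
    printf("%-24s int:%-5s filter:%-5s ip:%-5s code:%s\n", json_encode($in),
        var_export(isStrictInt($in), true), var_export(isFilterInt($in), true),
        var_export(isDottedQuad($in), true), var_export(isAllowedCode($in), true));
}
```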
15. serialize and unserialize Vulnerabilities
Here we briefly introduce magic methods in PHP (if you are not yet familiar with classes, objects and methods, learn those first). A PHP class may contain special functions called magic methods, whose names start with a double underscore, such as __construct, __destruct, __toString, __sleep, __wakeup and so on. These functions are called automatically at particular moments. For example, __construct() is called automatically when an object is created, and correspondingly __destruct() is called when an object is destroyed. Two more are especially relevant here: __sleep() is called when an object is serialized, and __wakeup() is called when an object is deserialized.
<?php
class test {
    public $username = '';
    public $password = '';
    public $file = '';
    public function out() {
        echo "username:" . $this->username . "<br>" . "password:" . $this->password;
    }
    public function __toString() {
        return file_get_contents($this->file);
    }
}
$a = new test();
$a->file = 'C:\Users\YZ\Desktop\plan.txt';
echo serialize($a);
?>
The __toString() method runs when the instance is output, so a hidden file can be read if its path is placed in the instance.
echo unserialize(...) triggers the __toString() method, and the file C:\Users\YZ\Desktop\plan.txt can be read as shown below.
<?php
class test {
    public $username = '';
    public $password = '';
    public $file = '';
    public function out() {
        echo "username:" . $this->username . "<br>" . "password:" . $this->password;
    }
    public function __toString() {
        return file_get_contents($this->file);
    }
}
$a = 'O:4:"test":3:{s:8:"username";s:0:"";s:8:"password";s:0:"";s:4:"file";s:28:"C:\Users\YZ\Desktop\plan.txt";}';
echo unserialize($a); // echo converts the rebuilt object to a string, which calls __toString()
?>
16. session Deserialization Vulnerability
The main reason is that
ini_set('session.serialize_handler', 'php_serialize');
ini_set('session.serialize_handler', 'php');
are two different ways of handling a session, and they serialize it in different formats.
I am not yet very clear on this myself, so I will write a dedicated walkthrough on it later!
There is still an open question here for me.