If there is any misunderstanding in this summary, please point it out.

Vulnerability nature: PHP uses the php_escape_shell_cmd function to escape the command-line string and processes it byte by byte. When the operating system is set to a wide-byte character set such as GBK, EUC-KR or SJIS, these escaped strings are passed to MySQL, which processes them as multi-byte characters. Let's look at a simple example.
<?php
header('Content-Type: text/html; charset=gbk');
// connect to MySQL
$conn = mysql_connect("localhost", "root", "");
// select the database
mysql_select_db("test", $conn);
// set the character set encoding
mysql_query("SET character set 'gbk'", $conn);
// create the demo table if it does not exist
mysql_query("CREATE TABLE IF NOT EXISTS `demo` (`uid` int(10) NOT NULL AUTO_INCREMENT, `username` varchar(32) NOT NULL, `password` varchar(32) NOT NULL, PRIMARY KEY (`uid`)) ENGINE=MyISAM DEFAULT CHARSET=gbk AUTO_INCREMENT=1;", $conn);
// insert test data
mysql_query("REPLACE INTO `demo` VALUES ('', 'admin', 'admin888')", $conn);
// get user input
$username = isset($_REQUEST['username']) ? $_REQUEST['username'] : '';
// run the query and print debug output
$sql = "SELECT * FROM demo WHERE username = '{$username}' LIMIT 1";
echo "SQL: " . $sql . "<br/>";
$res = mysql_query($sql, $conn);
$row = mysql_fetch_array($res);
echo "Result: <br/>";
var_dump($row);
?>
When GPC = OFF, username is not filtered at all. This is a typical, stable SQL injection. Test addresses:

http://localhost/gbk.php?username='or 1%23
http://localhost/gbk.php?username='or 0%23

Of course, in many cases some function is used to filter user input even when GPC = OFF:
// Escape the variables passed by the user
if (!get_magic_quotes_gpc()) {
    $username = addslashes($username);
}
This looks fine, but because of the multi-byte encoding problem we can still inject. Test address:

http://localhost/gbk.php?username=%df%27

The same holds when the mysql_real_escape_string function is used to escape user input. Currently, many open-source systems prevent the multi-byte encoding problem by setting the client character set to binary:

// replace mysql_query("set character set 'gbk'", $conn); with the following
mysql_query("SET character_set_connection = gbk, character_set_results = gbk, character_set_client = binary", $conn);

Test again:

http://localhost/gbk.php?username=%df%27

OK, so the multi-byte encoding problem no longer exists? When mb_convert_encoding or iconv is used to convert character sets incorrectly, the vulnerability appears again (the problem also exists when GPC = ON). For example:

$username = iconv('gbk', 'utf-8', $username);

or

$username = mb_convert_encoding($username, 'utf-8', 'gbk');

Let's look at the vulnerable file of ECSHOP 2.6.x/2.7.x GBK posted on T00ls, api/checkorder.php, line 28:
$sql = "SELECT COUNT(*) " . " FROM " . $ecs->table('admin_user') . " WHERE user_name = '" . trim($_REQUEST['username']) . "' AND password = '" . md5(trim($_REQUEST['password'])) . "'";
Let's look at how $_REQUEST['username'] is obtained.
$_REQUEST['username'] = json_str_iconv($_REQUEST['username']);

json_str_iconv() is defined in includes/lib_base.php. Its job is to convert a string that is not UTF-8 encoded, and it ends by returning ecs_iconv('utf-8', EC_CHARSET, $str). ecs_iconv() is also defined in includes/lib_base.php. Let's look at that function:

function ecs_iconv($source_lang, $target_lang, $source_string = '')
{
    static $chs = NULL;

    /* If the string is empty or does not need converting, return it directly */
    if ($source_lang == $target_lang || $source_string == '' || preg_match("/[\x80-\xFF]+/", $source_string) == 0)
    {
        return $source_string;
    }

    if ($chs === NULL)
    {
        require_once(ROOT_PATH . 'includes/cls_iconv.php');
        $chs = new Chinese(ROOT_PATH);
    }

    return $chs->Convert($source_lang, $target_lang, $source_string);
}
First the file includes/cls_iconv.php is included and the Chinese class is instantiated, then the class's Convert method is called. See line 127:

$string = $this->_convert_iconv_mbstring($this->SourceText, $this->config['target_lang'], $this->config['source_lang']);

This in turn calls the _convert_iconv_mbstring function; see line 278:

// The wrong character-set conversion here, from gbk to utf8, is what produces the vulnerability
$return_string = @mb_convert_encoding($string, $target_lang, $source_lang);
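To make the byte-level mechanism behind the %df%27 test address and the ECShop escape-then-convert path concrete, here is an added Python model (not from the original article and not ECShop code) of a byte-wise escape like addslashes(), of how the server reads the result under a GBK versus a binary client charset, and of the order-of-operations fix. All function names and the sample inputs are constructed for this illustration; latin-1 decoding stands in for character_set_client = binary, since both treat every byte as one unit.

```python
from typing import Optional

def addslashes(data: bytes) -> bytes:
    """Byte-wise escape as PHP's addslashes(): ' " \\ and NUL get a backslash."""
    out = bytearray()
    for b in data:
        if b in (0x27, 0x22, 0x5C, 0x00):
            out.append(0x5C)
        out.append(b)
    return bytes(out)

def quote_still_escaped(escaped: bytes, charset: str) -> bool:
    """Decode the escaped bytes the way the server does for its client charset and
    check that every single quote is still preceded by a backslash character."""
    text = escaped.decode(charset, errors="replace")
    return all(ch != "'" or (i > 0 and text[i - 1] == "\\")
               for i, ch in enumerate(text))

def is_valid_in_charset(data: bytes, charset: str) -> bool:
    """Input validation: reject byte sequences that are not valid in the declared charset."""
    try:
        data.decode(charset)
        return True
    except UnicodeDecodeError:
        return False

def escape_then_convert(data: bytes) -> bytes:
    """ECShop-style order: addslashes() first (GPC on), then gbk -> utf-8 conversion.
    A 0xDF lead byte swallows the 0x5C backslash as the trail byte of one GBK character."""
    return addslashes(data).decode("gbk", errors="replace").encode("utf-8")

def convert_then_escape(data: bytes) -> Optional[bytes]:
    """Safer order: validate and convert to UTF-8 first, escape afterwards. UTF-8 trail
    bytes are always >= 0x80, so none of them can ever be read as 0x5C or 0x27."""
    if not is_valid_in_charset(data, "gbk"):
        return None
    return addslashes(data.decode("gbk").encode("utf-8"))

if __name__ == "__main__":
    sample = b"\xdf'"  # constructed: a stray GBK lead byte followed by a single quote
    print("gbk client   :", quote_still_escaped(addslashes(sample), "gbk"))           # False
    print("binary client:", quote_still_escaped(addslashes(sample), "latin-1"))       # True
    print("escape->iconv:", quote_still_escaped(escape_then_convert(sample), "utf-8"))  # False
    print("iconv->escape:", convert_then_escape(sample))                               # None
```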