Summary of weak PHP security issues and summary of php security issues

Source: Internet
Author: User

Preface

It is widely said that PHP is the best language in the world. The weaknesses of PHP itself are also part of web security: PHP is weakly typed, and its built-in functions handle their input parameters loosely.

This article records the problems in PHP functions that I encountered on the attack-and-defense (CTF) platform, and the problems caused by PHP's weak typing. It should be a useful reference when learning or using PHP. Let's take a look.

Introduction to weak PHP types

PHP is powerful because it offers developers many distinctive features, one of which is its weak typing mechanism.

In PHP, all of the following assignments to the same variable are legal:

$param = 1;
$param = array();
$param = "string";

A weakly typed language places no restriction on the data type of a variable: a variable can be assigned a value of any other type at any time, and a variable can be converted to any other data type.

Type conversion problems

Type conversion is unavoidable. For example, when a GET or POST parameter is converted to int, or when two operands of different types are compared, PHP converts the variables automatically. Because PHP is weakly typed, this conversion causes many unexpected problems.

Comparison operator

Type conversion

When $a == $b is evaluated:

$a = null; $b = false;  // true
$a = '';   $b = null;   // true

There are many more such examples; all of these comparisons are equal.

There is also a type conversion problem when using comparison operators, as shown below:

0 == '0'         // true
0 == 'abcdefg'   // true
0 === 'abcdefg'  // false
1 == '1abcdef'   // true

When variables of different types are compared, a type conversion may occur.

Hash comparison

Besides the comparisons above, hash comparison also has problems. For example:

"0e132456789" == "0e7124511451155"   // true
"0e123456abc" == "0e1dddada"         // false
"0e1abc" == "0"                       // true

A string matching 0e\d+ is parsed as a number in scientific notation, so in the example above both values evaluate to 0 and compare equal. A string that does not match 0e\d+ does not compare equal in this way. This question was tested in the md5 collision challenge on the attack-and-defense platform.

Hexadecimal conversion

There is also a problem when comparing hexadecimal strings.

Example:

"0x1e240" == "123456"   // true
"0x1e240" == 123456     // true
"0x1e240" == "1e240"    // false

When one of the strings starts with 0x, PHP parses it as a hexadecimal number and compares its decimal value. 0x1e240 is 123456 in decimal, so it is equal to 123456 whether the other operand is an int or a string. This feature is quite hard to recognize on the attack-and-defense platform.
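The loose comparisons from the three passages above (number vs. string, 0e hashes, hex strings), beside the strict and constant-time checks that avoid them; this is an added example, not code from the original article, and the digests are constructed strings in the 0e\d+ form rather than real hash outputs. The results are annotated per PHP version, since the "true" values the article lists are PHP 5/7 behaviour.

```php
<?php
// Added example (not from the original article): loose "==" results versus
// strict and constant-time checks. Comments note how each PHP version behaves.

// Constructed digests in the 0e\d+ form from the article (not real hash outputs).
const STORED_DIGEST   = "0e132456789";
const SUPPLIED_DIGEST = "0e7124511451155";

function looseDigestMatch(string $stored, string $supplied): bool {
    return $stored == $supplied;      // both sides parse as 0 * 10^n, so true
}

function strictDigestMatch(string $stored, string $supplied): bool {
    // hash_equals() compares byte by byte, never as numbers, in constant time.
    return hash_equals($stored, $supplied);
}

var_dump(looseDigestMatch(STORED_DIGEST, SUPPLIED_DIGEST));  // bool(true) on every version
var_dump(strictDigestMatch(STORED_DIGEST, SUPPLIED_DIGEST)); // bool(false)
var_dump(STORED_DIGEST === SUPPLIED_DIGEST);                 // bool(false): === never converts

// Number-vs-string comparisons from the article.
var_dump(0 == '0');        // true on every version: '0' is a numeric string
var_dump(0 == 'abcdefg');  // PHP 5/7: true (string -> 0); PHP 8: false (0 -> "0", compared as strings)
var_dump(1 == '1abcdef');  // PHP 5/7: true (leading digits used); PHP 8: false
var_dump(0 === 'abcdefg'); // false on every version

// Hexadecimal strings: only PHP 5 treats "0x..." as numeric.
var_dump("0x1e240" == "123456"); // PHP 5: true; PHP 7+: false (plain string comparison)
var_dump("0x1e240" == 123456);   // PHP 5: true; PHP 7+: false

// Practical rule for secrets and tokens: check the type first, then compare with
// hash_equals() (or ===), never with ==.
function sameToken($stored, $supplied): bool {
    return is_string($stored) && is_string($supplied) && hash_equals($stored, $supplied);
}
var_dump(sameToken(STORED_DIGEST, SUPPLIED_DIGEST)); // bool(false)
var_dump(sameToken(STORED_DIGEST, STORED_DIGEST));   // bool(true)
```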

Type conversion

The common conversions are int to string and string to int.

Int to string:

$var = 5;
$item = (string) $var;   // method 1
$item = strval($var);    // method 2

String to int: the intval() function.

For this function, we can look at two examples first.

var_dump(intval('2'));     // 2
var_dump(intval('3abcd')); // 3
var_dump(intval('abcd'));  // 0

This shows that intval() converts from the start of the string and stops at the first non-numeric character. Even when a string cannot be converted at all, intval() returns 0 instead of raising an error.

This intval() feature appears in the MYSQL question on the attack-and-defense platform.

Programmers should therefore never write code like the following:

if (intval($a) > 1000) {
    mysql_query("select * from news where id=" . $a);
}

Here the value of $a may be something like 1002 union .....
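The intval() check above beside two fixes, as an added example that is not part of the original article; the news table and its columns are assumed, the input string is constructed, and an in-memory SQLite database stands in for MySQL so the code runs offline.

```php
<?php
// Added example (not from the original article): why checking intval($a) does not
// protect a query that still uses the raw $a, and two ways to fix it.

// Constructed input: intval() yields 1002, so the check passes, but the raw value
// still carries extra SQL text.
$a = "1002 union ...";

// Vulnerable pattern from the article: the check looks at intval($a), the query uses $a.
function buildVulnerableQuery(string $a): ?string {
    if (intval($a) > 1000) {
        return "select * from news where id=" . $a;
    }
    return null;
}

// Fix 1: compare and use the converted integer, never the raw string.
function buildCastQuery(string $a): ?string {
    $id = intval($a);
    return $id > 1000 ? "select * from news where id=" . $id : null;
}

// Fix 2 (preferred): reject anything that is not a whole integer, then bind it as a
// parameter so the value never becomes part of the SQL text. Table name is assumed.
function fetchNews(PDO $pdo, string $a): array {
    $id = filter_var($a, FILTER_VALIDATE_INT);   // false for "1002 union ..."
    if ($id === false || $id <= 1000) {
        return [];
    }
    $stmt = $pdo->prepare("select * from news where id = :id");
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

var_dump(buildVulnerableQuery($a)); // "select * from news where id=1002 union ..."
var_dump(buildCastQuery($a));       // "select * from news where id=1002"

$pdo = new PDO('sqlite::memory:');  // constructed table, stands in for MySQL
$pdo->exec("create table news (id integer primary key, title text)");
$pdo->exec("insert into news (id, title) values (1002, 'constructed row')");
var_dump(fetchNews($pdo, $a));      // array(0) {}: the injected value is rejected
var_dump(fetchNews($pdo, "1002"));  // one row with id 1002
```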

Loose of built-in function parameters

Loose handling of built-in function parameters means that a function is called with a parameter type it should not accept. The problem is best illustrated with real examples; several such functions are described below.

md5()

$array1[] = array("foo" => "bar", "bar" => "foo");
$array2 = array("foo", "bar", "hello", "world");
var_dump(md5($array1) == md5($array2)); // true

The PHP manual describes md5() as string md5 ( string $str [, bool $raw_output = false ] ): md5() requires a string parameter. But when you pass an array, md5() raises no error; it cannot compute an MD5 value for an array, so the md5 values of any two arrays are equal. This md5() feature is tested in the bypass again challenge on the attack-and-defense platform.

strcmp()

The PHP manual describes strcmp() as int strcmp ( string $str1 , string $str2 ): strcmp() requires two string parameters. It returns -1 if str1 is less than str2, 0 if they are equal, and 1 otherwise. In essence, strcmp compares two strings by converting them to ASCII values, subtracting them, and deriving the return value from the result.

What if the parameter passed to strcmp() is not a string?

$array = [123, 3];
var_dump(strcmp($array, '000000')); // NULL; in a sense, NULL is equivalent to false

The strcmp feature was tested in the pass check challenge on the attack-and-defense platform.
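A password check built on strcmp()/md5() that accepts whatever type the request carries, beside a version that rejects non-strings first; this covers both the md5() and the strcmp() passages above and is an added example, not code from the original article. The request data and the secret are constructed.

```php
<?php
// Added example (not from the original article). On PHP 5/7, md5() and strcmp()
// given an array emit a warning and return NULL; PHP 8 throws a TypeError instead,
// so the loose checks below only pass on the older versions.

const SECRET = "constructed-secret";

// Loose: strcmp() returns NULL for an array, and NULL == 0 is true.
function looseStrcmpCheck($pw, string $secret): bool {
    return @strcmp($pw, $secret) == 0;
}

// Loose: md5() of any array is NULL, so two different arrays "hash" equal.
function looseMd5Check($a, $b): bool {
    return @md5($a) == @md5($b);
}

// Strict: refuse anything that is not a string before it reaches a string function,
// then compare with hash_equals() (strict, constant time) instead of strcmp() == 0.
function strictCheck($pw, string $secret): bool {
    if (!is_string($pw)) {
        return false;
    }
    return hash_equals($secret, $pw);
}

// Runs a loose check and reports the TypeError PHP 8 raises instead of aborting.
function tryLoose(callable $check): string {
    try {
        return var_export($check(), true);
    } catch (TypeError $e) {
        return "TypeError (PHP 8 rejects the array)";
    }
}

// A form field submitted with array syntax arrives as an array; simulated here.
$request = ['password' => ['x']];

echo tryLoose(fn() => looseStrcmpCheck("wrong-guess", SECRET)), "\n";        // false
echo tryLoose(fn() => looseStrcmpCheck($request['password'], SECRET)), "\n"; // PHP 5/7: true (bypass)
echo tryLoose(fn() => looseMd5Check(['a'], ['b'])), "\n";                    // PHP 5/7: true
var_dump(strictCheck($request['password'], SECRET)); // bool(false) on every version
var_dump(strictCheck("wrong-guess", SECRET));        // bool(false)
var_dump(strictCheck(SECRET, SECRET));               // bool(true)
```

Arrow functions (fn() =>) need PHP 7.4 or later; on older versions replace them with function() { ... } closures.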

switch

If the switch cases are numeric, switch converts the parameter to int. For example:

$i = "2abc";
switch ($i) {
    case 0:
    case 1:
    case 2:
        echo "i is less than 3 but not negative";
        break;
    case 3:
        echo "i is 3";
}

Here the program outputs i is less than 3 but not negative, because switch converts $i to int and the result of the conversion is 2.

in_array()

In the PHP manual, in_array() is described as bool in_array ( mixed $needle , array $haystack [, bool $strict = FALSE ] ). If the strict parameter is not given, in_array uses loose comparison to determine whether $needle is in $haystack. When strict is true, in_array() also checks that the type of the needle matches the type of the haystack element.

$array = [0, 1, 2, '3'];
var_dump(in_array('abc', $array)); // true
var_dump(in_array('1bc', $array)); // true

All of the above results are true because 'abc' is converted to 0 and '1bc' is converted to 1.

array_search() behaves the same way as in_array().
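Loose versus strict membership checks on the article's array, plus the switch example rewritten to compare strictly; this covers both the switch and the in_array()/array_search() passages and is an added example, not code from the original article.

```php
<?php
// Added example (not from the original article): strict in_array()/array_search()
// and a type-checked replacement for the loose switch. Loose results are noted per
// PHP version; the article's "true" values are PHP 5/7 behaviour.
declare(strict_types=1);

$allowed = [0, 1, 2, '3'];   // array from the article

// Loose: 'abc' juggles to 0 and '1bc' to 1 on PHP 5/7, so both are "in" the array.
function looseAllowed(array $allowed, $value): bool {
    return in_array($value, $allowed);
}

// Strict: type and value must both match.
function strictAllowed(array $allowed, $value): bool {
    return in_array($value, $allowed, true);
}

function strictIndex(array $allowed, $value) {
    return array_search($value, $allowed, true);   // false when absent
}

var_dump(looseAllowed($allowed, 'abc'));   // PHP 5/7: true; PHP 8: false
var_dump(looseAllowed($allowed, '1bc'));   // PHP 5/7: true; PHP 8: false
var_dump(strictAllowed($allowed, 'abc'));  // false
var_dump(strictAllowed($allowed, 3));      // false: the array holds the string '3', not int 3
var_dump(strictAllowed($allowed, '3'));    // true
var_dump(strictIndex($allowed, '1bc'));    // false

// switch compares with ==, so "2abc" matches case 2 on PHP 5/7. Checking the type
// first and using === in the cases removes the juggling.
function classify($i): string {
    if (!is_int($i)) {
        return "not an integer";
    }
    switch (true) {
        case $i >= 0 && $i < 3:
            return "i is less than 3 but not negative";
        case $i === 3:
            return "i is 3";
        default:
            return "other";
    }
}

var_dump(classify("2abc"));  // "not an integer"
var_dump(classify(2));       // "i is less than 3 but not negative"
var_dump(classify(3));       // "i is 3"
```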

Summary

The above is a summary of some PHP weak-typing security issues. I hope this article helps you in your study or work. If you have any questions, please leave a message.
