Variable overwriting in PHP code audits

Source: Internet
Author: User

Variable overwrites are typically caused by the following four functions and constructs:

<?php
$b = 3;
$a = array('b' => '1');
extract($a, EXTR_OVERWRITE);
print_r($b);
// extract() has three forms that can cause a variable overwrite.
// The first passes EXTR_OVERWRITE as the second parameter, which means that on a
// name conflict the existing variable is overwritten.
// The second passes only the first parameter; the default mode is EXTR_OVERWRITE.
// The third is EXTR_IF_EXISTS: the value is overwritten only when a variable with
// the same name already exists in the current symbol table, and no new variables
// are registered.
// Keywords: extract, EXTR_OVERWRITE
// Reference vulnerability: http://wooyun.jozxing.cc/static/bugs/wooyun-2015-096990.html
?>

  

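<?php
$b = 3;
parse_str('b=2');
print_r($b);
// parse_str() parses a query string and registers its fields as variables.
// When the second parameter $arr is given, the fields are stored in that array.
// The one-argument form used here was deprecated in PHP 7.2 and removed in PHP 8.0.
// Keyword: parse_str()
?>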

  

<?php
$b = 3;
import_request_variables('GP');
print_r($b);
// import_request_variables() registers GET, POST and cookie parameters as variables.
// It is used when register_globals is disabled and requires a PHP version
// between 4.1 and 5.4.
// Keyword: import_request_variables
?>

  

<?php
$b = 3;
foreach (array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach ($$_request as $_key => $_value) {
        echo $_key . '<br/>';
        // Each request key becomes a variable of the same name.
        $$_key = addslashes($_value);
    }
}
echo $b;
// $$ variable overwrite
// Keyword: $$
?>

  

In their core files, early CMSs generally contain a GPC (GET/POST/COOKIE) handling statement like this:

if (0 < count($_COOKIE)) {
    foreach ($_COOKIE as $s_key => $s_value) {
        $_COOKIE[$s_key] = addslashes(strip_tags($s_value));
        // Registers each cookie name as a variable of the same name.
        $$s_key = $_COOKIE[$s_key];
    }
    reset($_COOKIE);
}

(1) $$ causes the variable overwrite. In this case we only need to find a variable that has no initial declaration and that enters an SQL query or an include of a file; that produces the flaw.
(2) Variable function (variable 1, variable 2): because global registration is turned on and POST is passed through extract, the variable is overwritten, the variable is then executed as a function, and this ends in code execution.
(3) The variable is declared only inside an if. When the if is not taken the variable is never declared, so it can be overwritten.
(4) etc.
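The overwrite behaviours above next to safer forms, as an added example that is not part of the original article. The function names and the `$request` array are constructed for illustration.

```php
<?php
// Constructed input standing in for attacker-controlled GET/POST/COOKIE data.
$request = ['is_admin' => '1', 'tpl' => 'attacker-chosen', 'page' => 'home'];

// Pattern from the article: every request key lands in the local symbol table.
function import_unsafe(array $input): array
{
    $is_admin = false;                  // state the application set itself
    extract($input);                    // default flag is EXTR_OVERWRITE
    return compact('is_admin', 'tpl');  // $tpl was never declared by the application
}

// EXTR_SKIP protects variables that already exist, but still registers new
// ones, so the undeclared $tpl (cases 1 and 3 above) is still request data.
function import_skip(array $input): array
{
    $is_admin = false;
    extract($input, EXTR_SKIP);
    return compact('is_admin', 'tpl');
}

// EXTR_PREFIX_ALL keeps request data in its own namespace ($req_is_admin, ...).
function import_prefixed(array $input): array
{
    $is_admin = false;
    extract($input, EXTR_PREFIX_ALL, 'req');
    return ['is_admin' => $is_admin, 'req_is_admin' => $req_is_admin, 'tpl_set' => isset($tpl)];
}

// Replacement for the $$ loop: copy allowlisted keys into an array, never into variables.
function import_allowlisted(array $input, array $allowed): array
{
    $clean = [];
    foreach ($allowed as $key) {
        if (isset($input[$key]) && is_string($input[$key])) {
            $clean[$key] = $input[$key];
        }
    }
    return $clean;
}

// Two-argument parse_str(): fields go into $fields and $b is left alone.
function parse_into_array(string $query): array
{
    $b = 3;
    parse_str($query, $fields);
    return ['b' => $b, 'fields' => $fields];
}

foreach ([import_unsafe($request), import_skip($request), import_prefixed($request),
          import_allowlisted($request, ['page']), parse_into_array('b=2')] as $result) {
    echo json_encode($result), PHP_EOL;
}
```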

Here are some of the more classic bugs seen over the past few days, copied from Excel.

ID | Vulnerability | Note
wooyun-2016-0168661 | Tongda OA 2015 multiple vulnerability collection | global variable overwrite
wooyun-2015-0131548 | PHPCMS security vulnerability caused by a function | parse_str variable overwrite; double decoding causes injection
wooyun-2015-0126295 | MetInfo latest version SQL injection | value not wrapped in single quotes, plus variable overwrite
wooyun-2015-095672 | ThinkSNS arbitrary code execution vulnerability | variable overwrite; there is an include variable, and extract overwrites the include variable
wooyun-2014-088251 | From ThinkPHP: variable overwrite and the security of programs developed on a framework | there is an include variable, and extract overwrites the include variable
wooyun-2014-080524 | Qibo local portal: high-risk SQL injection caused by a low-value file inclusion | front-end file inclusion; the include takes a GET variable, extract is present and require_once does not include the global application, causing variable overwrite
wooyun-2011-01732 | mvmmall online store system injection vulnerability | variable is declared inside an if; when the if is not taken the variable is not declared and can be overwritten
wooyun-2013-017119 | PHPCMS V9 arbitrary user password modification logic vulnerability | did not understand
wooyun-2013-023501 | PHPSHE: order payment completed directly without paying! | variable overwrite of the order status parameter
wooyun-2013-023693 | AcFun site getshell again | variable overwrite vulnerability analysis and exploitation; a variable is executed as a function, variable function (variable 1, variable 2); global registration is on and POST is passed through extract, resulting in variable overwrite
wooyun-2013-039281 | Destoon latest full version SQL injection vulnerability | explains require
