Home > Article > Backend Development > Aegis encryption and decryption tutorial (1) Characters available for PHP variables_PHP tutorial
Aegis encryption and decryption tutorial (1) Characters available for PHP variables_PHP tutorial
- WBOYOriginal
- 2016-07-13 10:29:15820browse
Let’s talk about the naming rules of PHP variables first. Baidu will catch up with them:
(1) PHP variable names are case-sensitive;
(2) Variable names must start with the dollar sign $;
(3) The variable name can start with an underscore;
(4) The variable name cannot start with a numeric character.
In fact, the naming convention that is similar to all programming is:
1. The first character of a variable is preferably a letter or _, and cannot start with a number
2. The second character allows numbers, letters, and _
Okay, that’s pretty much it, but that’s not the point.
Today we talk about the available characters of PHP variables, not just numbers, letters, _ oh.
A few days ago, a friend on QQ sent me a shell. It was encrypted and garbled throughout. However, there was a comment on it called "Aegis Encryption". It looked so domineering.
It uses some relatively unfamiliar knowledge points, the most obvious of which is variable names, so today we will start with variables.
Of course, I didn’t find any authoritative material on the Internet that strongly explains the characters available in PHP variable names, so I could only test it myself. (My English is not good, so I can’t Google to find any favorable evidence)
Let’s first look at the method I used. (If you have a better method, please share it.)
if ($_POST) {
$chr = chr($_POST['chr']);
eval('$'.$chr."=1;");
echo 'ok';
exit;
}
?>
<script><br> for(var i = 0x00; i <= 0xFF; i++) { // 0x00 - 0xFF 255 characters<br> $. <br> data === 'ok' && console.log( "\x"+(i).toString(16) ); // If only ok is returned, it means it can be executed normally, otherwise an exception will be thrown <br> } );<br> }<br> </script>
For example, the character a will be parsed eval('$a=1;'); This result is definitely no problem, so no exception will be thrown, and the returned result is the ok character.
If the character - then it will be parsed eval('$-=1;'); This is obviously wrong, so it will throw PHP Parse error: syntax error, unexpected '-', expecting T_VARIABLE or '$' and ok character.
The following ajax part uses whether the return result is 'ok' to determine whether it is a valid variable name.
Let’s see what the result is after execution:
"A, B, C, D, E, F, G, H, I, J, K, L, M, N, O, P, Q, R, S, T, U, V , W, X, Y, Z, _, a, b, c, d, e, f, g, h, i, j, k, l, m, n, o, p, q, r, s, t , u, v, w, x, y, z, , ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ? , ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, , ¡ , ¢, £, ¤, ¥, ¦, §, ¨, ©, ª, «, ¬, , ®, ¯, °, ±, ², ³, ´, µ, ¶, ·, ¸, ¹, º, », ¼, ½, ¾, ¿ , À, Á, Â, Ã, Ä , Å, Æ, Ç, È, É, Ê, Ë, Ì, Í, Î, Ï, Ð, Ñ, Ò, Ó, Ô, Õ, Ö, ×, Ø, Ù, Ú, Û, Ü, Ý , Þ, ß, à, á, â, ã, ä, å, æ, ç, è, é, ê, ë, ì, í, î, ï, ð, ñ, ò, ó, ô, õ, ö , ÷, ø, ù, ú, û, ü, ý, þ, ÿ"
In addition to the familiar A-Z_a-z in the front, the messy things in the back can also be used as normal variable names, which is incredible.
In fact, it is just PHP that expands the character range of variable names. On top of A-Z_a-z, it expands the available character range of variables to x7f-xff.
So, the first character range should be [a-zA-Z_x7f-xff]
Then let’s continue to test whether the second character can be the same.
Change eval('$'.$chr."=1;"); in the above php code to eval('$a'.$chr."=1;"); Save the test,
"x9, xa, xd, x20, x30, x31, x32, x33, x34 , x35, x36, x37, x38, x39, x41, x42, x43, x44, x45, x46, x47, x48, x49, x4a, x4b, x4c, x4d, x4e, x4f, x50, x51, x52, x53, x54 , x55, x56, x57, x58, x59, x5a, x5f, x61, x62, x63, x64, x65, x66, x67, x68, x69, x6a, x6b, x6c, x6d, x6e, x6f, x70, x71, x72 , x73, x74, x75, x76, x77, x78, x79, x7a, x7f, x80, x81, x82, x83, x84, x85, x86, x87, x88, x89, x8a, x8b, x8c, x8d, x8e, x8f , x90, x91, x92, x93, x94, x95, x96, x97, x98, x99, x9a, x9b, x9c, x9d, x9e, x9f, xa0, xa1, xa2, xa3, xa4, xa5, xa6, xa7, xa8 , xa9, xaa, xab, xac, xad, xae, xaf, xb0, xb1, xb2, xb3, xb4, xb5, xb6, xb7, xb8, xb9, xba, xbb, xbc, xbd, xbe, xbf, xc0, xc1 , xc2, xc3, xc4, xc5, xc6, xc7, xc8, xc9, xca, xcb, xcc, xcd, xce, xcf, xd0, xd1, xd2, xd3, xd4, xd5, xd6, xd7, xd8, xd9, xda , xdb, xdc, xdd, xde, xdf, xe0, xe1, xe2, xe3, xe4, xe5, xe6, xe7, xe8, xe9, xea, xeb, xec, xed, xee, xef, xf0, xf1, xf2, xf3 , xf4, xf5, xf6, xf7, xf8, xf9, xfa, xfb, xfc, xfd, xfe, xff"
I found that there are a lot more characters in the result. In fact, some of them we need to remove. For example, x20 is actually a space, which is equivalent to eval('$a =1;');. Of course, it can be executed normally.
In addition to spaces, trn are all removed because these are also allowed by PHP syntax: t=x9, n=xa, r=xd, so we have to remove the first 4 data x9, xa, xd, x20 in the result.
The final result is actually just more x30, x31, x32, x33, x34, x35, x36, x37, x38, x39. People who are familiar with ascii may see it at a glance. These are the numbers 0-9
So the first character range should be [wx7f-xff] Those who are not familiar with regular expressions may wonder why it is not [0-9a-zA-Z_x7f-xff]. In fact, w is 0-9a-zA-Z_
Maybe someone will say $$a; ${$a}; What about variables like this?
I think this is out of the scope of variable naming, isn't it?
Okay, I have finished sharing the knowledge about the characters available in PHP variables. If there is anything wrong, please leave a message and I will correct it in time to avoid misleading everyone.
My guess: ascii range 0-127 (x00-x7f), latin1 range 0-255 (x00-xff), maybe PHP has expanded the range to latin1 character set, of course I have not seen the PHP source code, only It can be said to be just a conjecture.