This article describes the existence of some PHP functions with small vulnerabilities in PHP. Those who have not understood the vulnerable functions in PHP can take a look at what to pay attention to when using these functions in actual PHP development. Let’s stop talking nonsense and read this article together!

##2.MD5 compare vulnerability
When PHP processes hash strings, if you use "!=" or "==" to Comparing hash values, it interprets each hash value starting with "0x" as the power of 0 in scientific notation (0), so if two different passwords are hashed, their hash value will be If the hash values all start with "0e", then PHP will think that they are the same.0x01 md5(str) QNKCDZO 240610708 s878926199a s155964671a s214587387a s214587387a 0x02 sha1(str) sha1('aaroZmOk') sha1('aaK1STfY') sha1('aaO8zKZF') sha1('aa3OFF9m')At the same time, MD5 cannot process arrays. If the following judgments are made, arrays can be used to bypass
if(@md5($_GET['a']) == @md5($_GET['b'])) { echo "yes"; } //http://127.0.0.1/1.php?a[]=1&b[]=2
3.ereg function vulnerability :00 truncationereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE
String comparison analysis Here if $_GET['password'] is an array, the return value is NULL
If it is 123 || asd || 12as || 123%00&&&**, the return value is true
The rest is false
4.What is $key?
Don’t forget that the program can extract the key of the variable itself as a variable and give it to the function for processing.<?php print_r(@$_GET); foreach ($_GET AS $key => $value) { print $key."\n"; } ?>
5. Variable coverage
The main function involved is the extract function. Let’s look at an example<?php $auth = '0'; // 这里可以覆盖$auth的变量值 print_r($_GET); echo "</br>"; extract($_GET); if($auth == 1){ echo "private!"; } else{ echo "public!"; } ?>extract can receive an array and then give it again Variable assignment, procedure page is very simple.

<?php $a='hi'; foreach($_GET as $key => $value) { echo $key."</br>".$value; $$key = $value; } print "</br>".$a; ?>Construction
http://127.0.0.1:8080/test.php?a=12 can achieve the purpose.
6.strcmp如果 str1 小于 str2 返回 0;如果两者相等,返回 0。
先将两个参数先转换成string类型。
当比较数组和字符串的时候,返回是0。
如果参数不是string类型,直接return
<?php
$password=$_GET['password'];
if (strcmp('xd',$password)) {
echo 'NO!';
} else{
echo 'YES!';
}
?>
Constructionhttp://127.0.0.1:8080/test.php?password[]=
7.is_numeric
Needless to say:<?php echo is_numeric(233333); # 1 echo is_numeric('233333'); # 1 echo is_numeric(0x233333); # 1 echo is_numeric('0x233333'); # 1 echo is_numeric('233333abc'); # 0 ?>
8.preg_match
If in progress Regular expressionWhen matching, if there is no restriction on the beginning and end of the string (^ and $), there may be bypass problems
<?php $ip = 'asd 1.1.1.1 abcd'; // 可以绕过 if(!preg_match("/(\d+)\.(\d+)\.(\d+)\.(\d+)/",$ip)) { die('error'); } else { echo('key...'); } ?>
9.parse_str
Similar functions to parse_str() include mb_parse_str(). parse_str parses the string into multiple variables. If the parameter str is the query string passed in by the URL, then It is resolved to a variable and set to the current scope.A type of time variable coverage
<?php $var='init'; print $var."</br>"; parse_str($_SERVER['QUERY_STRING']); echo $_SERVER['QUERY_STRING']."</br>"; print $var; ?>
10.String comparison<?php
echo 0 == 'a' ;// a 转换为数字为 0 重点注意
// 0x 开头会被当成16进制54975581388的16进制为 0xccccccccc
// 十六进制与整数,被转换为同一进制比较
'0xccccccccc' == '54975581388' ;
// 字符串在与数字比较前会自动转换为数字,如果不能转换为数字会变成0
1 == '1';
1 == '01';
10 == '1e1';
'100' == '1e2' ;
// 十六进制数与带空格十六进制数,被转换为十六进制整数
'0xABCdef' == ' 0xABCdef';
echo '0010e2' == '1e3';
// 0e 开头会被当成数字,又是等于 0*10^xxx=0
// 如果 md5 是以 0e 开头,在做比较的时候,可以用这种方法绕过
'0e509367213418206700842008763514' == '0e481036490867661113260034900752';
'0e481036490867661113260034900752' == '0' ;
var_dump(md5('240610708') == md5('QNKCDZO'));
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));
?>
11.unset
unset(bar); is used to destroy the specified variable. If the variable bar is included in therequest parameters, some variables may be destroyed to bypass the program logic.
<?php $_CONFIG['extraSecure'] = true; foreach(array('_GET','_POST') as $method) { foreach($$method as $key=>$value) { // $key == _CONFIG // $$key == $_CONFIG // 这个函数会把 $_CONFIG 变量销毁 unset($$key); } } if ($_CONFIG['extraSecure'] == false) { echo 'flag {****}'; } ?>
12.intval()
int to string:$var = 5; 方式1:$item = (string)$var; 方式2:$item = strval($var);string to int: intval() function.
var_dump(intval('2')) //2 var_dump(intval('3abcd')) //3 var_dump(intval('abcd')) //0 // 可以使用字符串-0转换,来自于wechall的方法Explains that when converting intval(), it will convert from the beginning of the string until it encounters a non-numeric character. Even if a string that cannot be converted appears, intval() will not report an error but return 0
By the way, intval can be truncated by %00
if($req['number']!=strval(intval($req['number']))){ $info = "number must be equal to it's integer!! "; }If $req['number']=0% 00 can bypass
13.switch()
If switch is a case of numeric type, switch will convert the parameters into int type. The effect is equivalent to the intval function. As follows:<?php $i ="abc"; switch ($i) { case 0: case 1: case 2: echo "i is less than 3 but not negative"; break; case 3: echo "i is 3"; } ?>
14.in_array()$array=[0,1,2,'3'];
var_dump(in_array('abc', $array)); //true
var_dump(in_array('1bc', $array)); //true
Entering a string in any place where PHP considers it to be an int will be
15.serialize and unserialize vulnerabilities这里我们先简单介绍一下php中的魔术方法(这里如果对于类、对象、方法不熟的先去学学吧),即Magic方法,php类可能会包含一些特殊的函数叫magic函数,magic函数命名是以符号开头的,比如 construct, destruct,toString,sleep,wakeup等等。这些函数都会在某些特殊时候被自动调用。
例如construct()方法会在一个对象被创建时自动调用,对应的destruct则会在一个对象被销毁时调用等等。
这里有两个比较特别的Magic方法,sleep 方法会在一个对象被序列化的时候调用。 wakeup方法会在一个对象被反序列化的时候调用。
<?php
class test
{
public $username = '';
public $password = '';
public $file = '';
public function out(){
echo "username: ".$this->username."<br>"."password: ".$this->password ;
}
public function toString() {
return file_get_contents($this->file);
}
}
$a = new test();
$a->file = 'C:\Users\YZ\Desktop\plan.txt';
echo serialize($a);
?>
//tostring方法会在输出实例的时候执行,如果实例路径是隐秘文件就可以读取了
echo unserialize triggers the tostring function, and the C:\Users\YZ\Desktop\plan.txt file can be read below <?php class test { public $username = ''; public $password = ''; public $file = ''; public function out(){ echo "username: ".$this->username."<br>"."password: ".$this->password ; } public function toString() { return file_get_contents($this->file); } } $a = 'O:4:"test":3:{s:8:"username";s:0:"";s:8:"password";s:0:"";s:4:"file";s:28:"C:\Users\YZ\Desktop\plan.txt";}'; echo unserialize($a); ?>
16.session deserialization vulnerability
The main reason isini_set('session.serialize_handler', 'php_serialize');
ini_set( 'session.serialize_handler', 'php');
The two methods of handling sessions are different
I don't understand this thing very well, I will write a solution later!
There is a question here! This is a
topic
Related recommendations:
The basic structure of PHP functions
The above is the detailed content of Summary of vulnerable functions in PHP. For more information, please follow other related articles on the PHP Chinese website!

php把负数转为正整数的方法:1、使用abs()函数将负数转为正数,使用intval()函数对正数取整,转为正整数,语法“intval(abs($number))”;2、利用“~”位运算符将负数取反加一,语法“~$number + 1”。

实现方法:1、使用“sleep(延迟秒数)”语句,可延迟执行函数若干秒;2、使用“time_nanosleep(延迟秒数,延迟纳秒数)”语句,可延迟执行函数若干秒和纳秒;3、使用“time_sleep_until(time()+7)”语句。

php除以100保留两位小数的方法:1、利用“/”运算符进行除法运算,语法“数值 / 100”;2、使用“number_format(除法结果, 2)”或“sprintf("%.2f",除法结果)”语句进行四舍五入的处理值,并保留两位小数。

判断方法:1、使用“strtotime("年-月-日")”语句将给定的年月日转换为时间戳格式;2、用“date("z",时间戳)+1”语句计算指定时间戳是一年的第几天。date()返回的天数是从0开始计算的,因此真实天数需要在此基础上加1。

php判断有没有小数点的方法:1、使用“strpos(数字字符串,'.')”语法,如果返回小数点在字符串中第一次出现的位置,则有小数点;2、使用“strrpos(数字字符串,'.')”语句,如果返回小数点在字符串中最后一次出现的位置,则有。

方法:1、用“str_replace(" ","其他字符",$str)”语句,可将nbsp符替换为其他字符;2、用“preg_replace("/(\s|\ \;||\xc2\xa0)/","其他字符",$str)”语句。

php字符串有下标。在PHP中,下标不仅可以应用于数组和对象,还可应用于字符串,利用字符串的下标和中括号“[]”可以访问指定索引位置的字符,并对该字符进行读写,语法“字符串名[下标值]”;字符串的下标值(索引值)只能是整数类型,起始值为0。

在PHP中,可以利用implode()函数的第一个参数来设置没有分隔符,该函数的第一个参数用于规定数组元素之间放置的内容,默认是空字符串,也可将第一个参数设置为空,语法为“implode(数组)”或者“implode("",数组)”。


Hot AI Tools

Undresser.AI Undress
AI-powered app for creating realistic nude photos

AI Clothes Remover
Online AI tool for removing clothes from photos.

Undress AI Tool
Undress images for free

Clothoff.io
AI clothes remover

AI Hentai Generator
Generate AI Hentai for free.

Hot Article

Hot Tools

Safe Exam Browser
Safe Exam Browser is a secure browser environment for taking online exams securely. This software turns any computer into a secure workstation. It controls access to any utility and prevents students from using unauthorized resources.

ZendStudio 13.5.1 Mac
Powerful PHP integrated development environment

SublimeText3 English version
Recommended: Win version, supports code prompts!

Zend Studio 13.0.1
Powerful PHP integrated development environment

Dreamweaver CS6
Visual web development tools
