Sharing a collection of vulnerabilities in PHP functions-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

Sharing a collection of vulnerabilities in PHP functions

小云云

Mar 13, 2018 pm 01:53 PM

phpsharegather

This article mainly shares with you a collection of vulnerabilities in PHP functions, hoping to help everyone.

1. Weak type comparison

Sharing a collection of vulnerabilities in PHP functions

##2.MD5 compare vulnerability

When PHP processes hash strings, if you use "!=" or "==" to compare hash values, it will interpret every hash value starting with "0x" as scientific notation 0 to the power (0), so if two different passwords are hashed and their hash values start with "0e", then PHP will think that they are the same.

Common payloads include

0x01 md5(str)
    QNKCDZO
    240610708
    s878926199a
    s155964671a
    s214587387a
    s214587387a
0x02 sha1(str)
    sha1(&#39;aaroZmOk&#39;)  
    sha1(&#39;aaK1STfY&#39;)
    sha1(&#39;aaO8zKZF&#39;)
    sha1(&#39;aa3OFF9m&#39;)

At the same time, MD5 cannot process arrays. If the following judgments are made, arrays can be used to bypass

if(@md5($_GET[&#39;a&#39;]) == @md5($_GET[&#39;b&#39;]))
{
    echo "yes";
}
//http://127.0.0.1/1.php?a[]=1&b[]=2

3.ereg function vulnerability: 00 truncation

ereg ("^[a-zA-Z0-9]+$", $_GET[&#39;password&#39;]) === FALSE

String comparison analysis

Here if $_GET['password'] is an array, the return value is NULL
If it is 123 || asd || 12as || 123%00&&&* *, the return value is true
The rest is false

4.What is $key?

Don’t forget that the program can extract the key of the variable itself as a variable and give it to the function for processing.

<?php
    print_r(@$_GET); 
    foreach ($_GET AS $key => $value)
    {        print $key."\n";
    }?>

5. Variable coverage

The main function involved is the extract function. Let’s look at an example

<?php  
    $auth = &#39;0&#39;;  
    // 这里可以覆盖$auth的变量值
    print_r($_GET);    echo "</br>";
    extract($_GET); 
    if($auth == 1){  
        echo "private!";  
    } else{  
        echo "public!";  
    }  
?>

extract can receive an array and then give it again Variable assignment, procedure page is very simple.

at the same time! PHP's feature $ can be used to assign variable names and can also cause variable overwriting!

<?php  
    $a=&#39;hi&#39;;    foreach($_GET as $key => $value) {        echo $key."</br>".$value;        $$key = $value;
    }    print "</br>".$a;?>

Construction

http://127.0.0.1:8080/test.php?a=12 can achieve the purpose.

6.strcmp

如果 str1 小于 str2 返回 < 0； 如果 str1 大于 str2 返回 > 0；如果两者相等，返回 0。 
先将两个参数先转换成string类型。 
当比较数组和字符串的时候，返回是0。 
如果参数不是string类型，直接return

<?php
    $password=$_GET[&#39;password&#39;];    if (strcmp(&#39;xd&#39;,$password)) {     echo &#39;NO!&#39;;
    } else{        echo &#39;YES!&#39;;
    }?>

Construction

http://127.0.0.1:8080/test.php?password[]=

7.is_numeric

Needless to say:

<?phpecho is_numeric(233333);       # 1echo is_numeric(&#39;233333&#39;);    # 1echo is_numeric(0x233333);    # 1echo is_numeric(&#39;0x233333&#39;);   # 1echo is_numeric(&#39;233333abc&#39;);  # 0?>

8.preg_match

If in progress When matching regular expressions, if there are no restrictions on the beginning and end of the string (^ and $), there may be bypass problems

<?php$ip = &#39;asd 1.1.1.1 abcd&#39;; // 可以绕过if(!preg_match("/(\d+)\.(\d+)\.(\d+)\.(\d+)/",$ip)) {  die(&#39;error&#39;);
} else {   echo(&#39;key...&#39;);
}?>

9.parse_str

Similar functions to parse_str() are mb_parse_str(). parse_str parses the string into multiple variables. If the parameter str is the query string passed in by the URL, parse it into a variable and set it. to the current scope.

A type of time variable coverage

<?php
    $var=&#39;init&#39;;  
    print $var."</br>";
    parse_str($_SERVER[&#39;QUERY_STRING&#39;]);  
    echo $_SERVER[&#39;QUERY_STRING&#39;]."</br>";    print $var;?>

10. String comparison

<?php  
    echo 0 == &#39;a&#39; ;// a 转换为数字为 0    重点注意
    // 0x 开头会被当成16进制54975581388的16进制为 0xccccccccc
    // 十六进制与整数，被转换为同一进制比较
    &#39;0xccccccccc&#39; == &#39;54975581388&#39; ;    // 字符串在与数字比较前会自动转换为数字，如果不能转换为数字会变成0
    1 == &#39;1&#39;;    1 == &#39;01&#39;;    10 == &#39;1e1&#39;;    &#39;100&#39; == &#39;1e2&#39; ;    

    // 十六进制数与带空格十六进制数，被转换为十六进制整数
    &#39;0xABCdef&#39;  == &#39;     0xABCdef&#39;;    echo &#39;0010e2&#39; == &#39;1e3&#39;;    // 0e 开头会被当成数字，又是等于 0*10^xxx=0
    // 如果 md5 是以 0e 开头，在做比较的时候，可以用这种方法绕过
    &#39;0e509367213418206700842008763514&#39; == &#39;0e481036490867661113260034900752&#39;;    &#39;0e481036490867661113260034900752&#39; == &#39;0&#39; ;

    var_dump(md5(&#39;240610708&#39;) == md5(&#39;QNKCDZO&#39;));
    var_dump(md5(&#39;aabg7XSs&#39;) == md5(&#39;aabC9RqS&#39;));
    var_dump(sha1(&#39;aaroZmOk&#39;) == sha1(&#39;aaK1STfY&#39;));
    var_dump(sha1(&#39;aaO8zKZF&#39;) == sha1(&#39;aa3OFF9m&#39;));?>

11.unset

unset (bar); is used to destroy the specified variable. If the variable bar is included in the request parameters, some variables may be destroyed to bypass the program logic.

<?php  $_CONFIG[&#39;extraSecure&#39;] = true;foreach(array(&#39;_GET&#39;,&#39;_POST&#39;) as $method) {    foreach($$method as $key=>$value) {      // $key == _CONFIG
      // $$key == $_CONFIG
      // 这个函数会把 $_CONFIG 变量销毁
      unset($$key);
    }
}if ($_CONFIG[&#39;extraSecure&#39;] == false) {    echo &#39;flag {****}&#39;;
}?>

12.intval()

int to string:

$var = 5;  
方式1：$item = (string)$var;  
方式2：$item = strval($var);

string to int: intval() function.

var_dump(intval(&#39;2&#39;)) //2  var_dump(intval(&#39;3abcd&#39;)) //3  var_dump(intval(&#39;abcd&#39;)) //0 可以使用字符串-0转换，来自于wechall的方法

Explanation: When converting intval(), it will convert from the beginning of the string until it encounters a non-numeric character. Even if a string that cannot be converted appears, intval() will not report an error but return 0

By the way, intval can be truncated by %00

if($req[&#39;number&#39;]!=strval(intval($req[&#39;number&#39;]))){     $info = "number must be equal to it&#39;s integer!! ";  
}

If $req['number']=0% 00 can bypass

13.switch()

If switch is a case of numeric type, switch will convert the parameters into int type. The effect is equivalent to the intval function. As follows:

<?php
    $i ="abc";  
    switch ($i) {  
    case 0:  
    case 1:  
    case 2:  
    echo "i is less than 3 but not negative";  
    break;  
    case 3:  
    echo "i is 3";  
    } 
?>

14.in_array()

$array=[0,1,2,&#39;3&#39;];  
var_dump(in_array(&#39;abc&#39;, $array)); //true  var_dump(in_array(&#39;1bc&#39;, $array)); //true

Entering a string in any place where PHP considers it to be an int will be forced to convert

15.serialize and unserialize vulnerabilities

这里我们先简单介绍一下php中的魔术方法（这里如果对于类、对象、方法不熟的先去学学吧），即Magic方法，php类可能会包含一些特殊的函数叫magic函数，magic函数命名是以符号__开头的，比如 __construct， __destruct，__toString，__sleep，__wakeup等等。这些函数都会在某些特殊时候被自动调用。 
例如__construct()方法会在一个对象被创建时自动调用，对应的__destruct则会在一个对象被销毁时调用等等。 
这里有两个比较特别的Magic方法，__sleep 方法会在一个对象被序列化的时候调用。 __wakeup方法会在一个对象被反序列化的时候调用。

<?phpclass test{
    public $username = &#39;&#39;;    public $password = &#39;&#39;;    public $file = &#39;&#39;;    public function out(){
        echo "username: ".$this->username."<br>"."password: ".$this->password ;
    }     public function __toString() {
        return file_get_contents($this->file);
    }
}$a = new test();$a->file = &#39;C:\Users\YZ\Desktop\plan.txt&#39;;echo serialize($a);?>//tostring方法会在输出实例的时候执行，如果实例路径是隐秘文件就可以读取了

echo unserialize triggers the __tostring function, and the C:\Users\YZ\Desktop\plan.txt file can be read below

<?phpclass test{
    public $username = &#39;&#39;;    public $password = &#39;&#39;;    public $file = &#39;&#39;;    public function out(){
        echo "username: ".$this->username."<br>"."password: ".$this->password ;
    }     public function __toString() {
        return file_get_contents($this->file);
    }
}$a = &#39;O:4:"test":3:{s:8:"username";s:0:"";s:8:"password";s:0:"";s:4:"file";s:28:"C:\Users\YZ\Desktop\plan.txt";}&#39;;echo unserialize($a);?>

16.session deserialization vulnerability

The main reason is

ini_set('session.serialize_handler', 'php_serialize');
ini_set('session.serialize_handler' , 'php');
The two handle sessions differently
\Users\YZ\Desktop\plan.txt";}';echo unserialize($a);?>

16.session deserialization vulnerability

The main reason is

ini_set('session.serialize_handler', 'php_serialize');
ini_set(' session.serialize_handler', 'php');
The two methods of handling sessions are different
Related recommendations:

Some common security vulnerabilities in php websites and corresponding preventive measures

phpAbout deserialization object injection vulnerability

Recommended 9 articles about file vulnerabilities

The above is the detailed content of Sharing a collection of vulnerabilities in PHP functions. For more information, please follow other related articles on the PHP Chinese website!

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

The Continued Use of PHP: Reasons for Its EnduranceApr 19, 2025 am 12:23 AM

What’s still popular is the ease of use, flexibility and a strong ecosystem. 1) Ease of use and simple syntax make it the first choice for beginners. 2) Closely integrated with web development, excellent interaction with HTTP requests and database. 3) The huge ecosystem provides a wealth of tools and libraries. 4) Active community and open source nature adapts them to new needs and technology trends.

PHP and Python: Exploring Their Similarities and DifferencesApr 19, 2025 am 12:21 AM

PHP and Python are both high-level programming languages that are widely used in web development, data processing and automation tasks. 1.PHP is often used to build dynamic websites and content management systems, while Python is often used to build web frameworks and data science. 2.PHP uses echo to output content, Python uses print. 3. Both support object-oriented programming, but the syntax and keywords are different. 4. PHP supports weak type conversion, while Python is more stringent. 5. PHP performance optimization includes using OPcache and asynchronous programming, while Python uses cProfile and asynchronous programming.

PHP and Python: Different Paradigms ExplainedApr 18, 2025 am 12:26 AM

PHP is mainly procedural programming, but also supports object-oriented programming (OOP); Python supports a variety of paradigms, including OOP, functional and procedural programming. PHP is suitable for web development, and Python is suitable for a variety of applications such as data analysis and machine learning.

PHP and Python: A Deep Dive into Their HistoryApr 18, 2025 am 12:25 AM

PHP originated in 1994 and was developed by RasmusLerdorf. It was originally used to track website visitors and gradually evolved into a server-side scripting language and was widely used in web development. Python was developed by Guidovan Rossum in the late 1980s and was first released in 1991. It emphasizes code readability and simplicity, and is suitable for scientific computing, data analysis and other fields.

Choosing Between PHP and Python: A GuideApr 18, 2025 am 12:24 AM

PHP is suitable for web development and rapid prototyping, and Python is suitable for data science and machine learning. 1.PHP is used for dynamic web development, with simple syntax and suitable for rapid development. 2. Python has concise syntax, is suitable for multiple fields, and has a strong library ecosystem.

PHP and Frameworks: Modernizing the LanguageApr 18, 2025 am 12:14 AM

PHP remains important in the modernization process because it supports a large number of websites and applications and adapts to development needs through frameworks. 1.PHP7 improves performance and introduces new features. 2. Modern frameworks such as Laravel, Symfony and CodeIgniter simplify development and improve code quality. 3. Performance optimization and best practices further improve application efficiency.

PHP's Impact: Web Development and BeyondApr 18, 2025 am 12:10 AM

PHPhassignificantlyimpactedwebdevelopmentandextendsbeyondit.1)ItpowersmajorplatformslikeWordPressandexcelsindatabaseinteractions.2)PHP'sadaptabilityallowsittoscaleforlargeapplicationsusingframeworkslikeLaravel.3)Beyondweb,PHPisusedincommand-linescrip

How does PHP type hinting work, including scalar types, return types, union types, and nullable types?Apr 17, 2025 am 12:25 AM

PHP type prompts to improve code quality and readability. 1) Scalar type tips: Since PHP7.0, basic data types are allowed to be specified in function parameters, such as int, float, etc. 2) Return type prompt: Ensure the consistency of the function return value type. 3) Union type prompt: Since PHP8.0, multiple types are allowed to be specified in function parameters or return values. 4) Nullable type prompt: Allows to include null values and handle functions that may return null values.

See all articles