The content shared with you in this article is about weak type conversion in php. The content is of great reference value. I hope it can help friends in need.
1 Preface
In the recent CTF competition, the question of PHP weak types has appeared more than once. I would like to summarize the knowledge about PHP weak types and how to bypass them
2 Introduction
There are two comparison symbols == and ===
1 <?php 2 $a = $b ; 3 $a===$b ; 4 ?>
=== in php. When comparing, it will first determine whether the types of the two strings are equal, and then Comparison
== When comparing, the string type will be converted to the same type first, and then compared
如果比较一个数字和字符串或者比较涉及到数字内容的字符串,则字符串会被转换成数值并且比较按照数值来进行
It is clearly stated here that if a value is compared with a string When comparing, the string will be converted into a numerical value
1 <?php
2 var_dump("admin"==0); //true
3 var_dump("1admin"==1); //true
4 var_dump("admin1"==1) //false
5 var_dump("admin1"==0) //true
6 var_dump("0e123456"=="0e4456789"); //true
7 ?> //上述代码可自行测试1 Observe the above code, "admin"==0 When compared, admin will be converted into a numerical value, forced conversion, because admin is a string, The result of the conversion is that 0 is naturally equal to 0
2 "1admin"==1 When compared, 1admin will be converted into a numerical value, and the result is 1, but "admin1"==1 is equal to an error, that is, "admin1" is Converted to 0, why? ? 3 "0e123456"=="0e456789" When compared with each other, strings such as 0e will be recognized as numbers under the Science and Technology Law. No matter how many times 0 is raised, it is zero, so they are equal
For the above question, I checked the PHP manual
When a string is treated as a numerical value, the result and type are as follows: If the string does not contain '.', 'e', 'E' and its numerical value is within the range of integer
The string is treated as an int to obtain the value. In all other cases, it is treated as a float to obtain the value. The starting part of the string determines Its value is used if the string begins with a legal numeric value, otherwise its value is 0.
1 <?php 2 $test=1 + "10.5"; // $test=11.5(float) 3 $test=1+"-1.3e3"; //$test=-1299(float) 4 $test=1+"bob-1.3e3";//$test=1(int) 5 $test=1+"2admin";//$test=3(int) 6 $test=1+"admin2";//$test=1(int) 7 ?>
So this explains the reason why "admin1"==1 =>False
3 Actual combat
md5 bypass (Hash comparison defect)
1 <?php
2 if (isset($_GET['Username']) && isset($_GET['password'])) {
3 $logined = true;
4 $Username = $_GET['Username'];
5 $password = $_GET['password'];
6
7 if (!ctype_alpha($Username)) {$logined = false;}
8 if (!is_numeric($password) ) {$logined = false;}
9 if (md5($Username) != md5($password)) {$logined = false;}
10 if ($logined){
11 echo "successful";
12 }else{
13 echo "login failed!";
14 }
15 }
16 ?>The main idea of the question is to input a string and a numeric type, and their md5 values are equal, you can successfully execute the next statement
Introducing a batch of md5 strings starting with 0e mentioned above I've been there before, 0e will be treated as scientific notation when comparing, so no matter what comes after 0e, the power of 0 is still 0. md5('240610708') == md5('QNKCDZO')Successfully bypassed!
QNKCDZO 0e830400451993494058024219903391 s878926199a 0e545993274517709034328855841020 s155964671a 0e342768416822451524974117254469 s214587387a 0e848240448830537924465865611904 s214587387a 0e848240448830537924465865611904 s878926199a 0e545993274517709034328855841020 s1091221200a 0e940624217856561557816327384675 s1885207154a 0e509367213418206700842008763514
json bypass
<?php
if (isset($_POST['message'])) {
$message = json_decode($_POST['message']);
$key ="*********";
if ($message->key == $key) {
echo "flag";
}
else {
echo "fail";
}
}
else{
echo "~~~~";
}
?>Enter a json type string, json_decode The function decrypts into an array and determines whether the value of key in the array is equal to the value of $key, but we don’t know the value of $key. But we can use the form 0=="admin" to bypass it
Final payload message={"key":0}
array_search is_array bypass
1 <?php
2 if(!is_array($_GET['test'])){exit();}
3 $test=$_GET['test'];
4 for($i=0;$i<count($test);$i++){
5 if($test[$i]==="admin"){
6 echo "error";
7 exit();
8 }
9 $test[$i]=intval($test[$i]);
10 }
11 if(array_search("admin",$test)===0){
12 echo "flag";
13 }
14 else{
15 echo "false";
16 }
17 ?>The above is one written by myself, first judge the incoming Is it an array, then loop through each value in the array, and each value in the array cannot be equal to admin, and convert each value into int type, and then determine whether the incoming array contains admin, if so, return flag
payload test[]=0 can be bypassed
The following is the official manual’s introduction to array_search
mixed array_search ( mixed $needle , array $haystack [, bool $strict = false ] )
$needle, $haystack is required, $strict is optional Function judgment$ The value in haystack exists in $needle. If it exists, the key value of the value is returned. The third parameter defaults to false. If set to true, strict filtering will be performed.
1 <?php
2 $a=array(0,1);
3 var_dump(array_search("admin",$a)); // int(0) => 返回键值0
4 var_dump(array_seach("1admin",$a)); // int(1) ==>返回键值1
5 ?>array_search function is similar to ==, that is, $ a=="admin" is of course $a=0. Of course, if the third parameter is true, it cannot bypass the
strcmp vulnerability. Bypass php -v
1 <?php
2 $password="***************"
3 if(isset($_POST['password'])){
4
5 if (strcmp($_POST['password'], $password) == 0) {
6 echo "Right!!!login success";n
7 exit();
8 } else {
9 echo "Wrong password..";
10 }
11 ?>
strcmp is Compare two strings. If str1
We don’t know the value of $password. The question requires strcmp to judge. The accepted value must be equal to $password. The expected type passed in by strcmp is a string type. What will happen if an array is passed in?
We pass in password[]=xxx and can be bypassed because of the function If an incompatible type is received, an error will occur, but it will still be judged to be equal
payload: password[]=xxx
switch bypass
1 <?php
2 $a="4admin";
3 switch ($a) {
4 case 1:
5 echo "fail1";
6 break;
7 case 2:
8 echo "fail2";
9 break;
10 case 3:
11 echo "fail3";
12 break;
13 case 4:
14 echo "sucess"; //结果输出success;
15 break;
16 default:
17 echo "failall";
18 break;
19 }
20 ?>This principle is the same as the previous one Similar, I won’t explain it in detail
4 Summary
These PHP weak types are just the tip of the iceberg. The above has verified the importance of code audit
Related recommendations:
Usage examples of keyword var in PHP
php queue processing: PHP message queue implementation principle (picture and text)
The above is the detailed content of Implementation of weak type conversion in php. For more information, please follow other related articles on the PHP Chinese website!
Working with Flash Session Data in LaravelMar 12, 2025 pm 05:08 PMLaravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-
Build a React App With a Laravel Back End: Part 2, ReactMar 04, 2025 am 09:33 AMThis is the second and final part of the series on building a React application with a Laravel back-end. In the first part of the series, we created a RESTful API using Laravel for a basic product-listing application. In this tutorial, we will be dev
cURL in PHP: How to Use the PHP cURL Extension in REST APIsMar 14, 2025 am 11:42 AMThe PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.
Simplified HTTP Response Mocking in Laravel TestsMar 12, 2025 pm 05:09 PMLaravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>
12 Best PHP Chat Scripts on CodeCanyonMar 13, 2025 pm 12:08 PMDo you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom
Notifications in LaravelMar 04, 2025 am 09:22 AMIn this article, we're going to explore the notification system in the Laravel web framework. The notification system in Laravel allows you to send notifications to users over different channels. Today, we'll discuss how you can send notifications ov
Explain the concept of late static binding in PHP.Mar 21, 2025 pm 01:33 PMArticle discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo
PHP Logging: Best Practices for PHP Log AnalysisMar 10, 2025 pm 02:32 PMPHP logging is essential for monitoring and debugging web applications, as well as capturing critical events, errors, and runtime behavior. It provides valuable insights into system performance, helps identify issues, and supports faster troubleshoot
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
SAP NetWeaver Server Adapter for Eclipse
Integrate Eclipse with SAP NetWeaver application server.
Atom editor mac version download
The most popular open source editor
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
SecLists
SecLists is the ultimate security tester's companion. It is a collection of various types of lists that are frequently used during security assessments, all in one place. SecLists helps make security testing more efficient and productive by conveniently providing all the lists a security tester might need. List types include usernames, passwords, URLs, fuzzing payloads, sensitive data patterns, web shells, and more. The tester can simply pull this repository onto a new test machine and he will have access to every type of list he needs.
