Shulou(Shulou.com)06/01 Report--

Variable coverage vulnerability

The functions that often cause variable coverage vulnerabilities are: extract (), parsestr () and importrequestvariables () and $$(variable)

Variable coverage vulnerability caused by $variable

First, let's look at the source code for analysis.

1. Include calls the flag.php file.

2. $_ 200 defines two parameters, as well as parameter values.

3. Then there are two judgment statements to determine whether the method of accessing the page is the post method and whether there is a parameter flag.

4. Then two foreach functions traverse the array function. Here, we traverse the data transferred by the get method as an array, assign the traversal parameter to key, and copy the parameter value to value.

5. There is also an if judgment statement to determine whether the data transmitted by the post method is the same as the value of $flag, and if so, output flag.

6. Finally output the content of $200.

Second, as can be seen from the source file, if you want to get flag, you must know the original flag, which is impossible.

At this point, we can use variables to cover vulnerabilities.

1. We can see that in the first array

Foreach ($_ GET as $key = > $value) $$key = $$value

$$key = $$value appears in this traversal, where keys and values are used as variables. For this topic, we pass in the get method: _ 200=flag, which is changed to $_ 200=$flag after the processing of $$key = $value, so that the original value of $_ 200 is overwritten and replaced with the value of $flag

3. Traversal of the second array

Foreach ($_ POST as $key = > $value) $$key = $value

$$key = $value appears in this traversal, which simply treats the array key as the next variable and the value of the array as the value of the $$key. For example, if the post method is passed in flag=abc, it becomes $flag=abc after processing. This results in overwriting the value of flag that we need to get.

Third, through multiple analysis, we can first assign the value of $flag to $_ 200 through the first array traversal, and then output it through die ($_ 200), but at the same time we should meet the judgment conditions of the source code and pass the value of flag through the post method. Here we have given the value of flag to $_ 200, so you don't have to worry about overwriting the value of flag, you can enter it as you like.

4. So our payload is:

Get method transfer:? _ 200=flag

Post method transfer: flag=abcde

5. Verification results:

Because it is a recurring topic, flag is different.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.