What are the common vulnerable functions in a PHP code audit

2025-04-11 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31 Report--

What are the common vulnerable functions in a PHP code audit? Many people new to the field are unsure about this, so this article summarizes the causes of these problems and how to approach them. I hope it helps you work through the question.

Preface

PHP is a powerful server-side scripting language for creating dynamic, interactive sites; it is free and widely used. Setting up a PHP environment is also quite simple, and tools such as PhpStudy do it in one step.

In addition to a theoretical explanation of how common PHP functions are exploited, this article gives practical explanations based on CTF challenges.

As we all know, PHP is a weakly typed scripting language. The vulnerabilities introduced here all start from type conversion defects and lax type conversions.

1. is_numeric type conversion defect

PHP provides the is_numeric function, which determines whether a variable is a number. A feature of PHP's weak typing is that when an integer is compared with a value of another type, the other value is first converted to a number, as intval would do, and then compared.

The intval() function is used to get the integer value of a variable.

The idea of the challenge: you must enter a number greater than 2019 to get the flag, but if the variable is a number the program ends, which looks like a contradiction. The way out is PHP's weak type comparison: when a value of another type is compared with an integer, it is automatically converted to an integer first. This feature is used for the bypass, that is, assign a the value 10000abc.

Construct Payload: http://192.168.200.148/php_lab/lab1.php?a=10000a

2. Hash comparison defect

This check requires us to enter a. The value of a cannot be 240610708, yet its MD5 value must be consistent with that of 240610708, so we are again caught in a dilemma.

Here we again take advantage of PHP's weak type defects.

First, the MD5 value of 240610708 is: 0e462097431906509019562988736854

This value starts with 0e, and when making a loose comparison PHP reads it as a number in scientific notation: zero times any power of ten is still zero. So we use the weak type comparison defect to solve the problem: if an MD5 value starts with 0e, it is equal to any other MD5 value that starts with 0e. We found s1885207154a, whose MD5 is: 0e509367213418206700842008763514

Construct Payload: http://192.168.200.148/php_lab/lab2.php?a=s1885207154a
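The comparison described in this section, next to a hardened form, as an added example that is not code from the original article. The lab source is not shown on the page, so `weak_md5_match()` is an assumed reconstruction and all function names are hypothetical.

```php
<?php
// Added example. weak_md5_match() is an assumed reconstruction of the lab
// check; all function names are hypothetical.

function weak_md5_match(string $a, string $reference): bool
{
    // == reads two numeric-looking strings as numbers, so "0e46..." and
    // "0e50..." are both treated as zero.
    return $a != $reference && md5($a) == md5($reference);
}

// Hardened: hash_equals() compares the digests byte for byte, in constant
// time, with no numeric interpretation.
function strict_md5_match(string $a, string $reference): bool
{
    return $a !== $reference && hash_equals(md5($reference), md5($a));
}

// Audit helper: true when a hex digest would be read by == as zero in
// scientific notation (only "0", "e" and decimal digits).
function is_magic_hash(string $digest): bool
{
    return preg_match('/\A0+e[0-9]+\z/', $digest) === 1;
}

// The two inputs quoted in the article.
$reference = '240610708';
$candidate = 's1885207154a';

foreach ([$reference, $candidate] as $in) {
    printf("%-13s md5=%s magic=%s\n", $in, md5($in),
        var_export(is_magic_hash(md5($in)), true));
}
printf("weak match:   %s\n", var_export(weak_md5_match($candidate, $reference), true));
printf("strict match: %s\n", var_export(strict_md5_match($candidate, $reference), true));
```

During an audit, any `==` or `!=` whose operand is the output of md5(), sha1() or hash() is a candidate for replacement with hash_equals().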

3. switch judgment bypass

This section involves a little knowledge of regular expressions; readers with no background can learn from the link below.

Regular expression learning: https://www.runoob.com/regexp/regexp-syntax.html

We assign a the value 4abc, which meets the matching requirements. In the final switch judgment, because 4abc is not an integer, it is automatically converted to an integer, so the value is 4 and we get the flag.

Construct Payload: http://192.168.200.148/php_lab/lab3.php?a=4abc
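The numeric checks from sections 1 and 3, next to a hardened form, as an added example that is not code from the original article. The lab source is not shown on the page, so the two `weak_*` functions are an assumed reconstruction of the described checks and all function names are hypothetical.

```php
<?php
// Added example. The weak_* functions are an assumed reconstruction of the
// lab checks; all function names are hypothetical.

function weak_threshold_check($a): bool
{
    if (is_numeric($a)) {
        return false;          // fully numeric input is rejected...
    }
    return $a > 2019;          // ...but the loose > may still convert the string
}

function weak_switch_check($a): bool
{
    switch ($a) {              // switch compares each case with ==, not ===
        case 4:
            return true;
    }
    return false;
}

// Hardened: accept only a string that is an integer from start to end,
// then work with the resulting int so no implicit conversion is left.
function parse_int_strict($a): ?int
{
    if (!is_string($a)) {
        return null;           // e.g. an array built from a[]=...
    }
    $n = filter_var($a, FILTER_VALIDATE_INT);
    return $n === false ? null : $n;
}

function strict_threshold_check($a): bool
{
    $n = parse_int_strict($a);
    return $n !== null && $n > 2019;
}

function strict_switch_check($a): bool
{
    return parse_int_strict($a) === 4;
}

// Constructed inputs: the two values used in the article plus clean integers.
foreach (['10000abc', '4abc', '4', '2020'] as $in) {
    printf("%-9s weak: %d/%d  strict: %d/%d\n", $in,
        weak_threshold_check($in), weak_switch_check($in),
        strict_threshold_check($in), strict_switch_check($in));
}
```

On PHP 7 and earlier the weak checks accept 10000abc and 4abc. PHP 8 compares an integer with a non-numeric string as strings, so the loose comparisons no longer convert these inputs there, while the strict versions behave the same on both.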

4. strcmp() string comparison function bypass

Function introduction: int strcmp(string $str1, string $str2) returns < 0 if str1 is less than str2, returns > 0 if str1 is greater than str2, and returns 0 if the two are equal.

However, strcmp only handles string parameters; if given an array, it returns NULL. NULL == 0 evaluates to bool(true), which satisfies the if condition, and you get the flag.

Construct payload: http://192.168.200.148/php_lab/lab4.php?a[]=7

5. sha1() secure hash function comparison bypass

The sha1() function expects a string parameter by default, so if you pass it an array it raises an error and the sha1() function returns false; the two false values then satisfy the condition and the flag is output.

Construct Payload: http://192.168.200.148/php_lab/lab5.php?a[]=6&b[]=7
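The array-argument problem from sections 4 and 5, next to a hardened form, as an added example that is not code from the original article. The lab source is not shown on the page, so the `weak_*` functions are an assumed reconstruction, all function names are hypothetical, and `constructed-secret` is a placeholder value.

```php
<?php
// Added example. The weak_* functions are an assumed reconstruction of the
// lab checks; all function names are hypothetical.

function weak_strcmp_check($input, string $secret): bool
{
    // @ hides the PHP 5/7 warning; the failed call yields a non-string value
    return @strcmp($input, $secret) == 0;
}

function weak_sha1_check($a, $b): bool
{
    return $a != $b && @sha1($a) === @sha1($b);
}

// Hardened: reject anything that is not a string before it reaches a string
// function, and compare with hash_equals(), which never converts types.
function strict_secret_check($input, string $secret): bool
{
    return is_string($input) && hash_equals($secret, $input);
}

function strict_sha1_check($a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return $a !== $b && hash_equals(sha1($a), sha1($b));
}

function run(callable $check, ...$args): string
{
    try {
        return var_export($check(...$args), true);
    } catch (TypeError $e) {
        return 'TypeError';    // PHP 8 refuses the array argument outright
    }
}

// parse_str() builds the same structure PHP puts in $_GET; the query
// strings are the ones from the article.
parse_str('a[]=7', $q4);
parse_str('a[]=6&b[]=7', $q5);
echo 'weak strcmp:   ', run('weak_strcmp_check', $q4['a'], 'constructed-secret'), "\n";
echo 'strict strcmp: ', run('strict_secret_check', $q4['a'], 'constructed-secret'), "\n";
echo 'weak sha1:     ', run('weak_sha1_check', $q5['a'], $q5['b']), "\n";
echo 'strict sha1:   ', run('strict_sha1_check', $q5['a'], $q5['b']), "\n";
```

On PHP 8 the weak calls end in an uncaught TypeError unless the application handles it, so the `is_string()` guard is still needed to turn malformed input into a clean rejection.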
