Shulou(Shulou.com)06/01 Report--

Variable coverage vulnerability caused by Extract () function

This function uses the array key name as the variable name and the array key value as the variable value. However, when there is an element with the same name in the variable, the function overwrites the original value by default. This creates a variable coverage vulnerability.

First, let's look at a string of codes:

1. The file transmits the value of the get method through the extrace () function.

2. Judge whether there is a gift variable through two if statements, and whether the value of the variable gift is equal to the value of the variable content. The value of the variable content is obtained by reading the value of the variable test. Output flag if two variables are equal. If not equal, output error.

But we don't know what the value of test is. So we use variables to override vulnerabilities and reassign test.

For example, $GET ['test'] =' test='', after being processed by the extract () function, becomes a variable $test=''; with the same name as $test='a', overwriting its value. And the value of the gift parameter transmitted by the get method is also a. So, $gift=$content. You can get flag.

Construct our payload:

The Get method passes the value:? gift=a&test=a.

Finally, the test is conducted:

Get the flag we've always dreamed of.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.