Shulou(Shulou.com)06/01 Report--

This article introduces the relevant knowledge of "how to use the string parsing feature of PHP Bypass". In the operation of actual cases, many people will encounter such a dilemma, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

We know that PHP converts the query string (in URL or body) into an internal $_ GET or associative array $_ POST. For example: /? foo=bar becomes Array ([foo] = > "bar"). It is worth noting that some characters are deleted or replaced by underscores in the process of parsing the query string. For example, /?% 20news [id=42 will be converted to Array ([news_id] = > 42). If there is a rule in an IDS/IPS or WAF that intercepts when the value of the news_id parameter is a non-numeric value, then we can bypass it with the following statement:

/ news.php?%20news [id=42 "+ AND+1=0--

The value of the parameter% 20news [id of the above PHP statement is stored in $_ GET ["news_id"].

HP needs to convert all parameters to valid variable names, so when parsing the query string, it does two things:

1. Delete a blank character

two。 Convert some characters to underscores (including spaces)

For example:

User inputDecoded PHPvariable name%20foo_barfoo_barfoo_barfoo%20barfoo barfoo_ barfoo% 5bbarfoo [Barfoo _ bar

Through the following example, you can see more intuitively how the parser_str function handles strings:

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.