
An Example Analysis of PHP Function Vulnerabilities

2025-02-24 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)05/31 Report--

This article presents an example analysis of PHP function vulnerabilities. It has some reference value for interested readers, and I hope you learn a lot from it; let the editor take you through it.

PHP is the best language in the world. Yes, PHP feeds two kinds of people: those who write PHP code and those who do security, because PHP contains functions with exploitable quirks.

Under certain conditions these functions do not behave the way their designers intended.

I have been in the web world of CTF for several months. I will briefly summarize the problematic functions I have encountered in my study.

md5() function

Definition: the md5() function calculates the MD5 hash of a string.

Problem 1: if the hash produced by md5() begins with 0e, PHP treats it as equal to 0 in a loose (==) comparison.

Source code:

Code function: check whether the MD5 hashes of two parameters passed by GET are equal while the values of the two parameters themselves are not equal.

Test results:

Principle analysis:

When the two strings are hashed with MD5, each produces a hash value beginning with 0e. When PHP compares them loosely, 0e... is read as scientific notation, and 0 raised to any power is zero, so both strings are equal to zero after md5().

var_dump(0 == "0e123456");
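The comparison above, worked through in runnable form. This is an added example, not code from the original post; the two inputs are well-known strings whose MD5 digests start with 0e, and the function at the end is an assumed reconstruction of the CTF-style check described above (the page does not show its source), hardened with a type guard and constant-time comparison. The $get array stands in for $_GET so the script runs offline.

```php
<?php
// Added example, not code from the original post: loose versus strict
// comparison of MD5 digests. The two inputs are well-known "magic hash"
// strings whose MD5 digests both begin with "0e" followed only by digits.
$first  = '240610708';
$second = 'QNKCDZO';

$h1 = md5($first);   // 0e462097431906509019562988736854
$h2 = md5($second);  // 0e830400451993494058024219903391

// Vulnerable comparison: both digests are numeric strings in scientific
// notation (0 times a power of ten), so == compares them as 0.0 == 0.0
// and the check passes even though the digests differ.
var_dump($h1 == $h2);

// Hardened comparisons: === compares byte for byte; hash_equals() does the
// same in constant time, which is what a password or token check should use.
var_dump($h1 === $h2);
var_dump(hash_equals($h1, $h2));

// Hardened form of the CTF-style check described above. The original source
// is not shown on the page; the assumed shape is "two GET parameters must
// differ but hash to the same value". $get stands in for $_GET.
function md5CollisionCheck(array $get): bool
{
    $a = $get['a'] ?? null;
    $b = $get['b'] ?? null;
    // Reject non-string input first: md5() given an array returns null with
    // a warning on PHP 7 and throws a TypeError on PHP 8.
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return $a !== $b && hash_equals(md5($a), md5($b));
}

// Magic-hash pair, array input, and identical input all fail the strict check.
var_dump(md5CollisionCheck(['a' => $first, 'b' => $second]));
var_dump(md5CollisionCheck(['a' => [], 'b' => []]));
var_dump(md5CollisionCheck(['a' => 'x', 'b' => 'x']));
```

Note that the loose comparison of two 0e digests is still true on PHP 8: the PHP 8 comparison changes only affected numbers compared against non-numeric strings, and a 0e digest is a numeric string.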

Problem 2: returns null when given an array

Source code:

Test:

Parsing:

If the name of the variable to be unset is present in the request parameters, the variable-destroying behaviour occurs. Here, through the $$ syntax, after $key = 'abc'; $$key = $abc; the final unset($$key) becomes unset($abc), destroying the originally defined $abc['a'] = true.

extract() function

Definition and usage: the extract() function imports variables from an array into the current symbol table. It uses each array key as the variable name and the corresponding value as the variable value, creating one variable per array element. The second argument controls what happens on a name conflict:

EXTR_OVERWRITE - default. If there is a conflict, the existing variable is overwritten.

EXTR_SKIP - if there is a conflict, the existing variable is not overwritten.

EXTR_PREFIX_SAME - if there is a conflict, prefix the variable name with prefix.

EXTR_PREFIX_ALL - prefix all variable names with prefix.

EXTR_PREFIX_INVALID - prefix only invalid or numeric variable names with prefix.

EXTR_IF_EXISTS - overwrite the value of a variable only if it already exists in the current symbol table; everything else is ignored.

EXTR_PREFIX_IF_EXISTS - create a prefixed variable only if a variable with the same name already exists in the current symbol table; everything else is ignored.

EXTR_REFS - extract variables as references; the imported variables still reference the values of the array argument.

The key point about this function is that, by default, it overwrites existing variables.

The problem: the original variable is overwritten, which bypasses the check.

Source code:

$a = 'yaun'; extract($_GET); if ($auth == 1) { echo "private!"; } else { echo "public!"; }

Test:

Problem resolution: when I passed auth=1, extract() found an existing variable of that name, overwrote its value with 1, and that value is then used in the if condition.

parse_str() function

Definition and usage: the parse_str() function parses a query string into variables. If the result array parameter is not given, variables set by this function overwrite existing variables with the same name. Using this function without the result parameter is strongly discouraged; that usage was deprecated in PHP 7.2. The function returns no value.

Source code:

if (empty($_GET['id'])) { show_source(__FILE__); die(); } else { include('flag.php'); $a = "https://blog.51cto.com/12332766"; $id = $_GET['id']; @parse_str($id); if ($a[0] == 'yaun') { echo "yes is flag"; } else { exit("it's simple, it's not difficult"); } }

Test:

Problem resolution:

When the parameter id=a[]=yaun is passed, parse_str() turns a into a variable. A variable with that name already exists, so the original variable is overwritten and its value is replaced.

Extension on variable overwrite: variable overwrite also occurs when $$ is used in PHP. For details see https://blog.51cto.com/12332766/2120800.
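The variable-overwrite behaviour of extract() and parse_str() from the two sections above, side by side with the safe forms. This is an added example and not the post's own code; $get is a constructed stand-in for $_GET, and the function names are chosen here. The single-argument parse_str() call is the deprecated PHP 7 form and is a fatal error on PHP 8, so that branch is version-guarded.

```php
<?php
// Added example, not code from the original post: variable overwrite through
// extract() and parse_str(), and the safe alternatives. $get is a constructed
// request so the script runs offline.
$get = ['auth' => '1', 'a' => ['yaun']];

// --- extract(): the default EXTR_OVERWRITE replaces existing variables ---
function extractDefault(array $get): string
{
    $auth = 0;              // intended: the caller is not authenticated
    extract($get);          // $auth is silently replaced by the request value '1'
    return $auth == 1 ? 'private!' : 'public!';
}

// Hardened: EXTR_SKIP leaves existing variables alone, and EXTR_PREFIX_ALL
// keeps request data out of the local namespace entirely ($req_auth).
function extractSafe(array $get): string
{
    $auth = 0;
    extract($get, EXTR_SKIP);                 // $auth stays 0
    extract($get, EXTR_PREFIX_ALL, 'req');    // creates $req_auth, $auth untouched
    return $auth == 1 ? 'private!' : 'public!';
}

// --- parse_str(): the one-argument form writes into the symbol table ---
function parseStrDefault(string $query): string
{
    $a = 'https://blog.51cto.com/12332766';
    if (PHP_VERSION_ID >= 80000) {
        return 'one-argument parse_str() is a fatal error on PHP 8';
    }
    @parse_str($query);     // a[]=yaun rewrites $a as the array ['yaun']
    return $a[0] == 'yaun' ? 'yes is flag' : 'no';
}

// Hardened: pass a result array (mandatory since PHP 8.0) and read from it.
function parseStrSafe(string $query): string
{
    $a = 'https://blog.51cto.com/12332766';
    parse_str($query, $params);   // $params['a'] = ['yaun']; $a is untouched
    return $a[0] == 'yaun' ? 'yes is flag' : 'no';
}

var_dump(extractDefault($get));        // reaches the private branch
var_dump(extractSafe($get));           // stays public
var_dump(parseStrDefault('a[]=yaun')); // PHP 7: the flag check is bypassed
var_dump(parseStrSafe('a[]=yaun'));    // the original $a survives
```

The general rule both halves illustrate: never let request data name the variables it lands in. Read the keys you expect out of $_GET or out of the parse_str() result array explicitly.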

strcmp() function

Definition and usage: strcmp(string1, string2) compares two strings.

Return value:

0 - if the two strings are equal

<0 - if string1 is less than string2

>0 - if string1 is greater than string2

Problem: returns null when given an array

Source code:

$a = "yaun"; $pass = $_GET['pass']; if (strcmp($a, $pass) == 0) { echo "success"; } else { echo "failure"; }

Test:

Problem resolution:

When an array is passed, the function has no way to compare it and returns null. PHP is a weakly typed language, and null == 0 is true when compared loosely, even though the types differ.

is_numeric() function

Definition and usage: the is_numeric() function checks whether a variable is a number or a numeric string. It returns TRUE if the variable is a number or a numeric string, otherwise FALSE.

Problem 1: passing a hexadecimal string gets past the check.

Source code:

$a = $_GET['num']; if (is_numeric($a)) { echo "you entered a number"; } else { echo "Please enter legal characters"; }

Test:

Pass the query value converted to hexadecimal.

The function's check is bypassed.

Problem resolution: this function does not only accept decimal; it also treats hexadecimal as legal. Hexadecimal input can therefore be constructed to get past this check.
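What is_numeric() accepts compared with checks that really mean "an integer". This is an added example, not from the original post. One version caveat: is_numeric() accepted hexadecimal strings on PHP 5 only, and PHP 7 and later reject them, but the other inputs below are still accepted, so a filter that wants a plain integer should use ctype_digit() or FILTER_VALIDATE_INT rather than is_numeric() alone. The sample inputs and the classify() helper are constructed here.

```php
<?php
// Added example, not code from the original post: what is_numeric() accepts
// versus a digits-only check and PHP's integer validator.
function classify(string $input): array
{
    return [
        'is_numeric'   => is_numeric($input),
        'ctype_digit'  => ctype_digit($input),
        'validate_int' => filter_var($input, FILTER_VALIDATE_INT) !== false,
    ];
}

// Constructed sample inputs.
$samples = [
    '42',     // plain decimal: all three accept
    '0x1A',   // hex: accepted by is_numeric() on PHP 5 only, rejected by all three on PHP 7+
    '1e3',    // exponent notation: is_numeric() accepts, the other two reject
    ' 42',    // leading whitespace: is_numeric() and FILTER_VALIDATE_INT accept, ctype_digit() rejects
    '4.2',    // float: is_numeric() accepts, the other two reject
    'abc',    // non-numeric: all three reject
];

foreach ($samples as $s) {
    printf("%-8s %s\n", var_export($s, true), json_encode(classify($s)));
}
```

The practical point for the check in the section above: is_numeric() answers "could PHP treat this as a number", which is broader than "is this the integer I expect", and the gap is where bypasses live.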

preg_match() function

Definition and usage: the preg_match() function performs a regular expression match.

Return value:

Returns the number of times pattern matched, which is either 0 (no match) or 1, because preg_match() stops searching after the first match. If an error occurs, preg_match() returns FALSE.

Problem: if the regular expression does not anchor the beginning and end of the string (^ and $), the match can be bypassed.

Source code:

$ip = $_GET['ip']; if (!preg_match("/(\d+)\.(\d+)/", $ip)) { die('error'); } else { echo "this is flag"; }

Test:

Enter a string that does not fit the intended rule; the flag is still returned.

Problem resolution:

Because the pattern does not specify what the string must start or end with, the string only needs to contain the required characters somewhere; any other characters can be added around them to bypass the check.
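The unanchored pattern from the section above next to an anchored one and PHP's built-in IP validator. This is an added example, not the post's own code; the inputs are constructed. Beyond ^ and $, it shows the D modifier, because without it $ also matches just before a trailing newline, which is a second way for an "anchored" check to accept more than intended.

```php
<?php
// Added example, not code from the original post: unanchored versus anchored
// regular expressions for an IPv4-style check.
function looseCheck(string $ip): bool
{
    // The section's pattern: matches digits.digits anywhere in the string.
    return preg_match('/(\d+)\.(\d+)/', $ip) === 1;
}

function anchoredCheck(string $ip): bool
{
    // ^ and $ pin the pattern to the whole string, the D modifier stops $
    // from accepting a trailing newline, and {1,3} bounds each octet's length.
    return preg_match('/^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/D', $ip) === 1;
}

function strictCheck(string $ip): bool
{
    // The built-in validator also rejects octets above 255, which the regex does not.
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Constructed inputs.
$inputs = [
    '10.0.0.1',     // well-formed address
    "10.0.0.1\n",   // trailing newline: ^...$ without the D modifier would still match
    'x 1.2 y',      // digits.digits embedded in other text: only the loose check accepts
    '999.0.0.1',    // right shape, out-of-range octet: only the strict check rejects
];

foreach ($inputs as $in) {
    printf("%-14s loose=%-5s anchored=%-5s strict=%s\n",
        json_encode($in),
        var_export(looseCheck($in), true),
        var_export(anchoredCheck($in), true),
        var_export(strictCheck($in), true));
}
```

Comparing the result with === 1 rather than relying on truthiness also keeps the FALSE-on-error return from being confused with a match.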

in_array() function

Definition and usage: in_array(search, array) checks whether the specified value exists in the array.

Return value:

Returns true if the value search exists in the array; if it is not found, the function returns false.

$array = [0, 1]; var_dump(in_array('abc', $array)); var_dump(in_array('1bc', $array));

Test:

Problem analysis:

You can see that true is returned in both cases, because 'abc' is converted to 0 and '1bc' is converted to 1.

Wherever PHP expects an int, a string passed in is forcibly converted.
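The in_array() comparison above with and without its third argument. This is an added example, not the post's own code; the allowlist and the inputs are constructed. The loose results depend on the PHP major version (PHP 8 stopped casting non-numeric strings to numbers in comparisons), while the strict form behaves the same everywhere.

```php
<?php
// Added example, not code from the original post: in_array() with loose and
// strict comparison against a constructed integer allowlist.
$allowed = [0, 1];

function looseMember(string $value, array $haystack): bool
{
    return in_array($value, $haystack);        // uses ==
}

function strictMember(string $value, array $haystack): bool
{
    return in_array($value, $haystack, true);  // uses ===, so the type must match too
}

foreach (['abc', '1bc', '1', '0'] as $v) {
    printf("%-5s loose=%-5s strict=%s\n", $v,
        var_export(looseMember($v, $allowed), true),
        var_export(strictMember($v, $allowed), true));
}
// PHP 7: 'abc' and '1bc' are cast to 0 and 1, so the loose check accepts all four.
// PHP 8: non-numeric strings are no longer cast, so only '1' and '0' pass loosely.
// The strict check rejects every string here because the haystack holds ints.
```

When the allowlist is meant to hold integers, cast the request value with (int) after validating it, or keep the allowlist as strings and always pass true as the third argument.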

unserialize() function

For more information on how to use it, see another blog post: https://blog.51cto.com/12332766/2121394

strpos() function

Definition and usage: the strpos() function finds the position of the first occurrence of a string inside another string. Note: the strpos() function is case sensitive. Note: this function is binary safe.

Syntax:

strpos(string, find, start): string (required) is the string to search in; find (required) is the string to find; start (optional) is the position at which to begin searching.

Return value:

Returns the position of the first occurrence of the string in the other string, or FALSE if the string is not found. Note: string positions start at 0, not 1.

Source code:

if (strpos($_GET['password'], 'abc') == 0) { echo '123'; } else { echo '456'; }

Test: pass an array so that the result is 123.

Our input does not meet the requirement, but the output is still 123.

Problem resolution:

This function too only handles values of type string; given an array it does not know how to handle it, so it returns null, and null == 0!

strlen() function

Definition and usage: the strlen() function returns the length of a string.

Syntax:

strlen(string): string (required) is the string to check.

Source code:

if (strlen($_GET['password']) == 0) { echo '1233'; } else { echo '4566'; }

Test:

Pass an array so that the result is 1233.

Problem analysis:

This function too only handles values of type string; given an array it does not know how to handle it, so it returns null, and null == 0!
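The strcmp(), strpos() and strlen() checks from the three sections above, fed an array instead of a string, next to hardened versions with an is_string() guard and strict comparison. This is an added example, not the post's own code; the request arrays and function names are constructed. On PHP 7 the three built-ins return null with a warning when given an array, which is the null == 0 bypass the text describes; on PHP 8 they throw a TypeError instead, which the small runner catches so the script runs on either version. The strpos() case also shows the related bug the same fix removes: a genuine miss returns FALSE, and FALSE == 0 is true as well.

```php
<?php
// Added example, not code from the original post. Constructed requests:
$stringInput = ['pass' => 'abcdef', 'password' => 'zzz'];
$arrayInput  = ['pass' => ['x'], 'password' => ['x']];

// --- The checks as written in the sections above (with $_GET replaced) ---
function weakStrcmp(array $get): string
{
    $a = 'yaun';
    $r = @strcmp($a, $get['pass']);   // array on PHP 7: null, and null == 0 is true
    return $r == 0 ? 'success' : 'failure';
}

function weakStrpos(array $get): string
{
    // Array input gives null (PHP 7); a real miss gives false. Both compare
    // loosely equal to 0, exactly like a match at offset 0.
    return @strpos($get['password'], 'abc') == 0 ? '123' : '456';
}

function weakStrlen(array $get): string
{
    return @strlen($get['password']) == 0 ? '1233' : '4566';
}

// --- Hardened: reject non-strings first, then compare strictly ---
function safeStrcmp(array $get): string
{
    $pass = $get['pass'] ?? null;
    if (!is_string($pass)) { return 'failure'; }
    return hash_equals('yaun', $pass) ? 'success' : 'failure';   // constant-time equality
}

function safeStrpos(array $get): string
{
    $pw = $get['password'] ?? null;
    if (!is_string($pw)) { return '456'; }
    return strpos($pw, 'abc') === 0 ? '123' : '456';   // === separates 0 from false
}

function safeStrlen(array $get): string
{
    $pw = $get['password'] ?? null;
    if (!is_string($pw)) { return '4566'; }
    return strlen($pw) === 0 ? '1233' : '4566';
}

// Runner: PHP 8 throws TypeError for array arguments to these built-ins.
function run(callable $fn, array $get): string
{
    try {
        return $fn($get);
    } catch (TypeError $e) {
        return 'TypeError (PHP 8 rejects array input)';
    }
}

foreach (['weakStrcmp', 'safeStrcmp', 'weakStrpos', 'safeStrpos', 'weakStrlen', 'safeStrlen'] as $fn) {
    printf("%-10s string=%-8s array=%s\n", $fn, run($fn, $stringInput), run($fn, $arrayInput));
}
```

Note what the string-input column shows for weakStrpos: the password 'zzz' does not contain 'abc' at all, yet the check still prints 123, because the FALSE it gets back is == 0. Strict comparison and a type guard fix both the array case and this one.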

Thank you for reading this article carefully. I hope the article "An Example Analysis of PHP Function Vulnerabilities" shared by the editor is helpful to everyone. I also hope you will support us and follow the industry information channel. More related knowledge is waiting for you to learn!
