Shulou(Shulou.com)06/01 Report--

Variable coverage vulnerability caused by Parse_str () function

The parse_str () function is used to parse the query string into a variable, and if there is no array parameter, the variable set by this function will override the existing variable with the same name. It is highly discouraged to use this function without an array parameter, and the behavior of not setting parameters will be discarded in PHP 7.2. This function does not return a value

First, analyze the source code of the title:

1. The error_reporting () function specifies different levels of errors. Here, the error report is closed.

2. Show_source () function, alias highlight_file () to highlight the file.

3. Whether a variable of the empty () function ginger tea is empty, so we must send the request with the id parameter.

4. Include ('flag.php') calls the flag.php file, which should be the file where the flag is stored

5. @ parse_str ($id) parses the query string into a variable without using the array option. If there is a variable with the same name, overwrite the original one. The original value of $an is obviously overwritten here.

6. $a [0]! = 'QNKCDZO' & & md5 ($a [0]) = = md5 (' QNKCDZO') determines that the value of $a [0] is not QNKCDZO and that the MD5 value of $a [0] is the same as that of QNKCDZO. We know it's hard to find such a string.

Second, construct our payload

The overall source code has been analyzed, and the only thing to do now is to find values that are different strings but have the same MD5 value. It's hard to find out. At this point, you can use php to deal with the defect of the MD5 hash string.

Principle of defects: take advantage of php's weak language features. "10" = "1e1"? It is not equal in this way, but when it comes to php processing, he will treat 1e1 as a scientific counting method to calculate 1e 1x 1 * 10 ^ 1 = 10. Is that equal?

The MD5 value of QNKCDZO given here is: 0e830400451993494058024219903391. After php processing, it will be considered 0 * 10 ^ n. So the result is zero.

So, we can find the string MD5 encrypted and the result begins with 0e. Here is an article that records a lot of such strings: http://www.cnblogs.com/Primzahl/p/6018158.html

So our payload is

? id=a [] = s878926199a (string whose MD5 value of s878926199a begins with 0e)

Third, test results.

Transfer the payload using the get method:

Get flag.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.