What is the difference in security between PHP7 and PHP5

2025-01-18 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/01 Report--

This article looks at the differences between PHP7 and PHP5 that matter for security.

Function modification

1. The /e modifier is no longer supported by preg_replace()

Many backdoors rely on the /e modifier to execute code. The official documentation describes it as follows:

If this deprecated modifier is set, preg_replace(), after performing backreference substitution on the replacement string, executes the replaced string as PHP code (as the eval function does) and uses the execution result as the string that actually takes part in the replacement. Single quotation marks, double quotation marks, backslashes (\), and NULL characters are escaped with backslashes when they are substituted through backreferences.

Unfortunately, the /e modifier is no longer supported in PHP7 and above, and officially we are given a new function to use instead, preg_replace_callback:

Here we can use it as our back door with a little change:

2. create_function() is deprecated

That is one fewer function that can be used as a backdoor. Internally it is implemented by executing eval, so it was never essential.

3. All mysql_* functions are removed

If you want to use the old mysql_* functions on PHP7, you have to install them yourself; they no longer ship with the official distribution. The official recommendation is now mysqli or pdo_mysql. Does this mean SQL injection vulnerabilities in PHP will drop significantly in the future? Only where code actually uses the prepared statements these extensions provide; a query built by concatenating user input is just as injectable through mysqli or PDO.

4. unserialize() gains an optional whitelist parameter

$data = unserialize($serializedObj1, ["allowed_classes" => true]);
$data2 = unserialize($serializedObj2, ["allowed_classes" => ["MyClass1", "MyClass2"]]);

In effect this is a whitelist: if a class name in the serialized data is not on the whitelist, an error is reported.

An error like this!

The value can be a list of class names or a Boolean. If it is FALSE, all objects are converted to __PHP_Incomplete_Class objects. TRUE imposes no restriction. Passing class names implements the whitelist.

Fortunately the parameter is optional and not required for now; if the default were FALSE, forcing programmers to write a whitelist, they would really be spitting blood.
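The three settings of allowed_classes side by side, as an added example that is not part of the original article. The classes MyClass1 and Gadget, the helpers load() and load_strict(), and the payload are constructed for illustration. An object outside the whitelist comes back as __PHP_Incomplete_Class and its __wakeup() never runs.

```php
<?php
// Added example, not from the article: classes and payload are constructed.
class MyClass1 { public $name = 'ok'; }
class Gadget {
    public static $woken = 0;
    public function __wakeup() { self::$woken++; }   // side effect run by unserialize()
}

// Unserialize with the given allowed_classes value; return class names and side effects.
function load(string $blob, $allowed): array {
    Gadget::$woken = 0;
    $items = unserialize($blob, ['allowed_classes' => $allowed]);
    return [array_map('get_class', $items), Gadget::$woken];
}

// Fail closed: reject the input if any top-level object fell outside the whitelist.
function load_strict(string $blob, array $allowed): array {
    $items = unserialize($blob, ['allowed_classes' => $allowed]);
    if (!is_array($items)) {
        throw new UnexpectedValueException('expected a serialized array');
    }
    foreach ($items as $item) {
        if ($item instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('object of a class outside the whitelist');
        }
    }
    return $items;
}

$blob = serialize([new MyClass1(), new Gadget()]);   // constructed input

foreach ([true, false, ['MyClass1']] as $allowed) {
    list($classes, $woken) = load($blob, $allowed);
    printf("%-12s => %s; __wakeup ran %d time(s)\n",
        json_encode($allowed), implode(', ', $classes), $woken);
}

try {
    load_strict($blob, ['MyClass1']);
} catch (UnexpectedValueException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

load_strict() inspects only the top-level items; objects nested inside properties would need a recursive walk.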

5. assert() can no longer execute code by default

This is the main reason many webshells no longer work. Too many of them use assert() to execute code, and this change basically wipes them out. In general, they can be changed to use eval.

Incidentally, the China Chopper ("kitchen knife") client also happens to use the assert function to implement its file manager, which makes it impossible for it to work properly on PHP7.
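A defender-side check for the three code-evaluating constructs from items 1, 2 and 5 (preg_replace() with /e, create_function(), and assert() on a string), as an added example that is not part of the original article. The function names and the sample snippet are constructed; it uses PHP's tokenizer, so matches inside comments and string literals are ignored.

```php
<?php
// Added example, not from the article; $sample at the end is constructed. Needs PHP 7+.
// Index of the next non-whitespace token after position $i.
function next_code(array $tokens, int $i): int {
    do { $i++; } while (isset($tokens[$i][0]) && $tokens[$i][0] === T_WHITESPACE);
    return $i;
}

// True when a quoted PCRE literal lists "e" among its trailing modifiers.
function has_e_modifier(string $literal): bool {
    $pattern = (string) substr($literal, 1, -1);        // strip the PHP quotes
    if ($pattern === '') return false;
    $close = ['(' => ')', '[' => ']', '{' => '}', '<' => '>'];
    $pos = strrpos($pattern, $close[$pattern[0]] ?? $pattern[0]);
    return $pos > 0 && strpos((string) substr($pattern, $pos + 1), 'e') !== false;
}

function audit_php_source(string $code): array {
    $tokens = token_get_all($code);
    $findings = [];
    foreach ($tokens as $i => $tok) {
        $open = next_code($tokens, $i);
        if (!is_array($tok) || $tok[0] !== T_STRING || ($tokens[$open] ?? null) !== '(') continue;
        $first = next_code($tokens, $open);
        $arg   = $tokens[$first] ?? null;                      // first token of argument 1
        $after = $tokens[next_code($tokens, $first)] ?? null;  // token right after it
        $isStr = is_array($arg) && $arg[0] === T_CONSTANT_ENCAPSED_STRING;
        $isVar = is_array($arg) && $arg[0] === T_VARIABLE;
        $name  = strtolower($tok[1]);
        if ($name === 'create_function') {
            $findings[] = "line {$tok[2]}: create_function() builds a function body from a string";
        } elseif ($name === 'preg_replace' && !($isStr && $after === ',' && !has_e_modifier($arg[1]))) {
            $findings[] = "line {$tok[2]}: preg_replace() uses /e or a pattern that is not a plain literal";
        } elseif ($name === 'assert' && ($isStr || $isVar) && in_array($after, [')', ',', '[', '.'], true)) {
            $findings[] = "line {$tok[2]}: assert() may receive a string, which PHP5 evaluated as code";
        }
    }
    return $findings;
}

$sample = <<<'SRC'
<?php
$a = preg_replace('/(\w+)/e', 'strtoupper("$1")', $in);
$b = preg_replace('/\s+/', ' ', $in);
$f = create_function('$x', 'return $x * 2;');
assert($check);
assert($n > 0);
SRC;
print_r(audit_php_source($sample));
```

The assert() rule is a heuristic: it reports a lone variable, string or array element as the argument and skips comparisons such as `$n > 0`, so a flagged boolean variable needs manual review.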

Syntax modification

1. foreach no longer changes the internal array pointer

The result of the above code running in PHP5 is as follows:

The running result of PHP7 is as follows:

You think I'm going to say this was changed back in a later version? No: as of PHP7.3 there is still no sign of it being reverted, and the official position is that it will not change again. Honestly, that hurts a bit.

4. ASP and script PHP tags are removed

Now only tags like this can run on PHP7.

Taken at face value, the impact is small (but there will be fewer tricks available in the future).

5. Truncation when converting very large floating-point values

When converting a floating-point number to an integer, if the floating-point value is too large to be expressed as an integer, in the PHP5 version, the conversion truncates the integer directly and does not raise an error. In PHP7, an error will be reported.

CTFs also lose a class of challenges; I have only ever seen this in CTFs, so the impact should not be great.
