
Security issues of the php comparison operator

2025-01-17 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)06/03 Report--

This article covers the security issues of PHP's comparison operators, which many people run into in real-world cases, and how to deal with them.

PHP's comparison operators are == (equal), a loose comparison, and === (identical), a strict comparison, and the difference gives rise to many interesting problems.

In a loose comparison, PHP first converts the operands to a common type, for example a string to a number or a non-bool type to bool. Use strict comparison to avoid unexpected results. The following is the comparison operator table from the PHP manual:

| Example | Name | Result |
|---|---|---|
| $a == $b | Equal | TRUE if $a is equal to $b after type conversion. |
| $a === $b | Identical | TRUE if $a is equal to $b, and they are of the same type. |
| $a != $b | Not equal | TRUE if $a is not equal to $b after type conversion. |
| $a <> $b | Not equal | TRUE if $a is not equal to $b after type conversion. |
| $a !== $b | Not identical | TRUE if $a is not equal to $b, or they are of different types. |
| $a < $b | Less than | TRUE if $a is strictly less than $b. |
| $a > $b | Greater than | TRUE if $a is strictly greater than $b. |
| $a >= $b | Greater than or equal to | TRUE if $a is greater than or equal to $b. |

0x01 security issues

1 hash comparison defect

When PHP code compares hash strings with != or ==, a hash value that starts with 0e followed only by digits is interpreted as 0 * 10^n, that is 0, so it is judged to be equal, bypassing the login process.

```
root@kali:~/tool# php -r 'var_dump("00e0345" == "0"); var_dump("0e123456789" == "0"); var_dump("0e1234abc" == "0");'
bool(true)
bool(true)
bool(false)
```

When both strings are entirely numeric, the loose comparison converts them on a best-effort basis, so 0e12345678 is interpreted as 0 * 10^12345678. When the part after e is not all digits, the strings do not compare equal, as var_dump("0e1234abc" == "0") shows.

2 bool spoofing

When input passes through json_decode or unserialize, some of the decoded values can be of bool type, which can also be used for spoofing. json_decode sample code:

```php
$json_str = '{"user": true, "pass": true}';
$data = json_decode($json_str, true);
// Vulnerable: true == 'any non-empty string' is true under loose comparison
if ($data['user'] == 'admin' && $data['pass'] == 'secirity') {
    print_r('logined in as bool' . "\n");
}
```

Running result:

```
root@kali:/var/www# php /root/php/hash.php
logined in as bool
```

Unserialize sample code:

```php
$unserialize_str = 'a:2:{s:4:"user";b:1;s:4:"pass";b:1;}';
$data_unserialize = unserialize($unserialize_str);
// Vulnerable: both fields deserialize to bool true and pass the loose comparison
if ($data_unserialize['user'] == 'admin' && $data_unserialize['pass'] == 'secirity') {
    print_r('logined in unserialize' . "\n");
}
```

The running results are as follows:

```
root@kali:/var/www# php /root/php/hash.php
logined in unserialize
```
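The hash comparison and bool spoofing cases above, side by side with a strict check, as an added example that is not code from the original article. The stored values, the function names `loose_check` and `strict_check`, and the sample inputs are constructed for illustration.

```php
<?php
// Added example: stored values and function names are constructed for illustration.
const STORED_USER = 'admin';
const STORED_HASH = '0e123456789012345678901234567890'; // constructed "0e<digits>" digest

// Loose check, in the style of the samples above: == converts types before comparing.
function loose_check($user, $hash): bool
{
    return $user == STORED_USER && $hash == STORED_HASH;
}

// Strict check: reject anything that is not a string, then compare byte for byte.
function strict_check($user, $hash): bool
{
    if (!is_string($user) || !is_string($hash)) {
        return false; // booleans, arrays and numbers never reach the comparison
    }
    return hash_equals(STORED_USER, $user) && hash_equals(STORED_HASH, $hash);
}

// Constructed inputs, decoded the same way the samples above decode theirs.
$cases = [
    'other 0e digest'   => ['user' => 'admin', 'pass' => '0e987654321098765432109876543210'],
    'JSON booleans'     => json_decode('{"user": true, "pass": true}', true),
    'serialized bools'  => unserialize('a:2:{s:4:"user";b:1;s:4:"pass";b:1;}',
                                       ['allowed_classes' => false]),
    'right credentials' => ['user' => 'admin', 'pass' => STORED_HASH],
];

foreach ($cases as $label => $c) {
    printf("%-18s loose=%-5s strict=%s\n", $label,
        var_export(loose_check($c['user'], $c['pass']), true),
        var_export(strict_check($c['user'], $c['pass']), true));
}
```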

3 numeric conversion spoofing

```php
$user_id = ($_POST['user_id']);
// Vulnerable: the loose comparison converts the string to a number first
if ($user_id == "1") {
    $user_id = (int)($user_id);
    # $user_id = intval($user_id);
    $qry = "SELECT * FROM `users` WHERE user_id='$user_id';";
}
$result = mysql_query($qry) or die('' . mysql_error() . '');
print_r(mysql_fetch_row($result));
```

Send user_id=0.999999999999999999999 and the result is as follows:

```
Array
(
    [0] => 0
    [1] => lxx'
    [2] =>
    [3] =>
    [4] =>
    [5] =>
)
```

The query was meant to return the data for user_id=1, but it returned the data for user_id=0. Both (int) and intval() round down when converting numbers, as shown in the following code:

```php
// Vulnerable: "1.1" != 1 passes the check, then (int) turns it into 1
if ($_POST['uid'] != 1) {
    $res = $db->query("SELECT * FROM user WHERE uid=%d", (int)$_POST['uid']);
    mail(...);
} else {
    die("Cannot reset password of admin");
}
```

If you pass 1.1, you get past the $_POST['uid'] != 1 check and can then operate on the user with uid=1. In addition, intval() also has a best-effort mode: it converts digits until it meets a non-digit character. If you use:

```php
// Vulnerable: intval() validates only the leading digits, but the raw $qq goes into the query
if (intval($qq) == '123456') {
    $db->query("select * from user where qq = $qq");
}
```

An attacker can pass in 123456 union select version() to attack.
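One way to close the numeric conversion gaps above is to validate the raw string as a whole integer and bind the validated value as a query parameter. This is an added example, not code from the original article: `parse_id` and `find_user` are hypothetical helpers, the table and rows are constructed, and it assumes the pdo_sqlite extension is available.

```php
<?php
// Added example: helper names, table and rows are constructed for illustration.

// Accept only a string that is, as a whole, a positive decimal integer.
function parse_id($raw): ?int
{
    if (!is_string($raw)) {
        return null;
    }
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Look a user up by validated id; the value is bound, never interpolated.
function find_user(PDO $db, $raw): ?array
{
    $id = parse_id($raw);
    if ($id === null) {
        return null; // "1.1", "0.999..." and "123456 union ..." stop here
    }
    $stmt = $db->prepare('SELECT user_id, name FROM users WHERE user_id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// In-memory database with constructed rows (assumes pdo_sqlite is installed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (user_id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users VALUES (1, 'admin'), (2, 'alice')");

// The inputs discussed above, plus one well-formed id.
$inputs = ['2', '1.1', '0.999999999999999999999', '123456 union select version()'];
foreach ($inputs as $raw) {
    printf("%-32s (int)=%-7d validated=%-5s row=%s\n", $raw, (int)$raw,
        var_export(parse_id($raw), true), json_encode(find_user($db, $raw)));
}
```

The `(int)` column is printed rather than stated here because the cast of a long fractional string differs between PHP versions.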

4 PHP5.4.4 special case

A change in this version of PHP causes two numeric strings to overflow, so that they compare as equal.

```
$ php -r 'var_dump("6152951945280920693702583126814" == "6152951945720000000000000000");'
bool(true)
```

3 extra questions:

The PHP strcmp function has a similar problem. As the manual explains, for int strcmp(string $str1, string $str2), str1 is the first string and str2 is the second string; it returns < 0 if str1 is less than str2, > 0 if str1 is greater than str2, and 0 if the two are equal. What if str2 is an array?

```php
$_GET['key'] = array();
$key = "llocdpocuzion5dcp2bindhspiccy";
// strcmp() returns NULL when given an array, and NULL == 0 is true
$flag = strcmp($key, $_GET['key']);
if ($flag == 0) {
    print "Welcome!";
} else {
    print "Bad key!";
}
```

Running result:

```
root@kali:~/php# php strcmp.php
PHP Warning: strcmp() expects parameter 2 to be string, array given in /root/php/strcmp.php on line 13
Welcome!
```
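The strcmp case above with the loose `== 0` test next to two safer forms, as an added example that is not code from the original article. `KEY` is a constructed value and the function names are hypothetical. PHP 8 throws a TypeError for a non-string argument where PHP 5 and 7 warn and return NULL, so the wrapper maps that exception to null to reproduce the legacy return value.

```php
<?php
// Added example: KEY is constructed and the function names are hypothetical.
const KEY = 'constructed-example-key';

// strcmp() result, or null when strcmp() rejects the argument type.
// PHP 5/7: warning plus NULL. PHP 8: TypeError, mapped to null here.
function raw_strcmp($input)
{
    try {
        return @strcmp(KEY, $input);
    } catch (TypeError $e) {
        return null;
    }
}

// Loose test from the sample above: NULL == 0 is true, so an array is accepted.
function check_loose($input): bool
{
    return raw_strcmp($input) == 0;
}

// Strict test: NULL === 0 is false, so only an equal string is accepted.
function check_strict($input): bool
{
    return raw_strcmp($input) === 0;
}

// Type check first, then a comparison made for secrets.
function check_safe($input): bool
{
    return is_string($input) && hash_equals(KEY, $input);
}

// Constructed inputs: an array, a wrong string and the right string.
$inputs = ['array' => [], 'wrong string' => 'guess', 'right string' => KEY];
foreach ($inputs as $label => $in) {
    printf("%-13s loose=%-5s strict=%-5s safe=%s\n", $label,
        var_export(check_loose($in), true),
        var_export(check_strict($in), true),
        var_export(check_safe($in), true));
}
```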

Compare various types

| Operand 1 type | Operand 2 type | Result |
|---|---|---|
| null or string | string | Convert NULL to "", then compare numerically or lexically |
| bool or null | any other type | Convert to bool, FALSE < TRUE |
| object | object | Built-in classes can define their own comparison; different classes cannot be compared; for the same class, properties are compared in the same way as arrays (PHP 4); PHP 5 has its own explanation |
| string, resource or number | string, resource or number | Convert strings and resources to numbers, then compare mathematically |
| array | array | The array with fewer members is smaller; if a key in operand 1 does not exist in operand 2, the arrays cannot be compared; otherwise compare value by value (see example below) |
| array | any other type | array is always greater |
| object | any other type | object is always greater |
