2025-01-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/03 Report--
This article covers PHP variable overwrite vulnerabilities. The editor finds the topic very practical and is sharing it here; hopefully you will get something out of it. Without further ado, let's take a look.
Global variable overwrite
When register_globals=ON, variables can come from different sources, such as page forms, cookies, etc.
<?php
// $auth is never initialized in this script
echo "Register_globals: " . (int)ini_get("register_globals") . " ";
if ($auth) {
    echo "private!";
}
?>
There is nothing wrong with this code when register_globals=OFF.
But when register_globals=ON and the URL http://www.xuebuyuan.com/test.php?auth=1 is requested, the variable $auth is assigned automatically. The result is:
Register_globals:1
private!
Note: if the variable $auth has been given an initial value in the code above, such as $auth=0, then even if the URL contains /test.php?auth=1 the variable will not be overwritten, so private! will not be printed.
Variables obtained through $GLOBALS may also lead to variable overwrites.
<?php
echo "Register_globals:" . (int)ini_get("register_globals") . " ";
// Unset every variable whose name matches a request parameter
if (ini_get('register_globals')) foreach ($_REQUEST as $k => $v) unset(${$k});
print $a;
print $_GET['b'];
?>
The variable $a is not initialized. When register_globals=ON, an attempt to control the value of "$a" (http://www.xuebuyuan.com/test1.php?a=1&b=2) causes an error because of this code.
When you instead inject "GLOBALS[a]" to overwrite the global variable (http://www.xuebuyuan.com/test1.php?GLOBALS[a]=1&b=2), you can successfully control the value of the variable "$a". This is because unset() only destroys local variables by default, and you must use $GLOBALS to destroy global variables.
When register_globals=OFF, global variables cannot be overwritten.
Note: register_globals means "register as global variables": when it is On, passed values are registered directly as global variables and can be used directly; when it is Off, they must be read from the specific arrays. unset() is used to destroy a given variable.
extract() variable overwrite
<?php
$auth = '0';
extract($_GET);   // default flag EXTR_OVERWRITE: keys in $_GET replace existing variables
if ($auth == 1) {
    echo "private!";
} else {
    echo "public!";
}
?>
Suppose the user constructs the following link: http://www.xuebuyuan.com/test1.php?auth=1
The page will print private!
The safe approach is to confirm register_globals=OFF and then pass EXTR_SKIP when calling extract(), which ensures that existing variables are not overwritten.
Note: the PHP extract() function imports variables from an array into the current symbol table. For each element in the array, the key is used as the variable name and the value is used as the variable value.
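An added example (not from the original article) that runs extract() with three flags on a constructed array standing in for $_GET. It goes slightly beyond the text: EXTR_SKIP protects only variables that already exist, so a variable the code never initialized ($role, a name chosen for illustration) is still set from the request, while EXTR_PREFIX_ALL keeps request data away from the script's own names.

```php
<?php
// Constructed input standing in for $_GET from ?auth=1&role=admin
$request = ['auth' => '1', 'role' => 'admin'];

// Default flag is EXTR_OVERWRITE: request keys replace existing variables.
function check_overwrite(array $input): array {
    $auth = '0';
    extract($input);
    return ['auth' => $auth, 'role' => $role ?? null];
}

// EXTR_SKIP keeps variables that already exist, but still creates
// any variable the code never initialized ($role here).
function check_skip(array $input): array {
    $auth = '0';
    extract($input, EXTR_SKIP);
    return ['auth' => $auth, 'role' => $role ?? null];
}

// EXTR_PREFIX_ALL imports every key as $req_<key>, so request data
// cannot collide with $auth or $role at all.
function check_prefix(array $input): array {
    $auth = '0';
    $role = 'guest';
    extract($input, EXTR_PREFIX_ALL, 'req');
    return [
        'auth'     => $auth,
        'role'     => $role,
        'req_auth' => $req_auth ?? null,
    ];
}

echo 'EXTR_OVERWRITE:  ', json_encode(check_overwrite($request)), PHP_EOL;
echo 'EXTR_SKIP:       ', json_encode(check_skip($request)), PHP_EOL;
echo 'EXTR_PREFIX_ALL: ', json_encode(check_prefix($request)), PHP_EOL;
```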
Initializing variables by traversal
Some common code that releases variables by traversal may lead to variable overwrites.
<?php
// Chinese is a charset-conversion class and $charset is set elsewhere (neither is shown on this page)
$chs = '';
if ($_POST && $charset != 'utf-8') {
    $chs = new Chinese('UTF-8', $charset);
    foreach ($_POST as $key => $value) {
        $$key = $chs->Convert($value);   // variable variable: each POST key becomes a variable name
    }
    unset($chs);
}
?>
If you submit the parameter chs, you can overwrite the value of the variable "$chs".
Note: in a code audit, watch for variable assignments of the form "$$k", which may overwrite existing variables and lead to uncontrollable results.
import_request_variables() variable overwrite
<?php
$auth = '0';
import_request_variables('G');   // imports GET parameters as global variables
if ($auth == 1) {
    echo "private!";
} else {
    echo "public!";
}
?>
When the user requests http://www.xuebuyuan.com/test1.php?auth=1, the page outputs private!
import_request_variables('G') imports the variables from the GET request, which results in the variable overwrite.
Note: import_request_variables imports GET/POST/Cookie variables into the global scope. This function is useful if you have disabled register_globals but still want to use some global variables.
parse_str() variable overwrite
<?php
// var.php?var=new
$var = 'init';
parse_str($_SERVER['QUERY_STRING']);   // one-argument form: parsed keys become variables in the current scope
print $var;
mb_parse_str() is a function similar to parse_str().
Note: parse_str parses a string into multiple variables. If the str parameter is a query string passed in via the URL, it is parsed into variables that are set in the current scope.
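An added example (not from the original article) of the hardened counterpart to the parse_str() snippet above: the query string is parsed into a result array through parse_str()'s second argument, and only allowlisted scalar keys are copied out, which also replaces the "$$key" loop from the traversal section. The helper import_allowed(), the parameter names page and lang, and the sample query string are constructed for illustration.

```php
<?php
/**
 * Parse a query string into an array (never into the current scope)
 * and return only allowlisted string values, with defaults otherwise.
 * import_allowed() is a hypothetical helper written for this example.
 */
function import_allowed(string $query, array $defaults): array {
    $parsed = [];
    parse_str($query, $parsed);   // second argument: result array
    $clean = $defaults;
    foreach ($defaults as $name => $default) {
        // Ignore missing keys and array values such as lang[]=x
        if (isset($parsed[$name]) && is_string($parsed[$name])) {
            $clean[$name] = $parsed[$name];
        }
    }
    return $clean;
}

$var  = 'init';
$auth = '0';

// Constructed request that tries to set var, auth and GLOBALS[a],
// and sends an array where a string is expected for lang.
$query  = 'var=new&auth=1&GLOBALS[a]=1&lang[]=x&page=2';
$params = import_allowed($query, ['page' => '1', 'lang' => 'en']);

// Only the allowlisted keys come back; $var and $auth are untouched.
echo json_encode($params), PHP_EOL;
echo "var=$var auth=$auth", PHP_EOL;
```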
Those are the PHP variable overwrite vulnerabilities. The editor believes some of these points are things you may see or use in your daily work, and hopes you can learn more from this article. For more details, please follow the industry information channel.