Detailed explanation of the results of bypassing the vulnerability due to offset characters in PHP

This article explains the bypass vulnerability caused by PHP's string offset feature. It describes in detail how the vulnerability arises and, more importantly, how to fix it, so it should be useful for reference and study; readers who need it can take a look below.

Character offset feature in php

Strings in PHP have an interesting feature: a string can be indexed with array syntax to read individual characters, just as an array is.


<?php
$test = "hello world";
echo $test[0]; // read the first character

The output is h.

However, this feature sometimes has unexpected effects. Consider the following code.


<?php
$mystr = "hello world";
echo $mystr["pass"]; // a non-numeric string used as the offset

The output of the above code is h. Why? It is actually very simple: like many other languages, PHP lets a string be subscripted like an array. The "pass" in $mystr["pass"] is implicitly converted to 0, so the expression becomes $mystr[0] and outputs the first letter, h.

Similarly, try the following code:


<?php
$mystr = "hello world";
echo $mystr["1pass"]; // a leading-numeric string used as the offset

The output is e, because "1pass" is implicitly converted to 1, so $mystr[1] outputs the second letter, e.

Vulnerability caused by character characteristics

The following code comes from phpspy2006, where it is used to determine whether the user is logged in.


$admin['check'] = "1";
$admin['pass'] = "angel";
......
if($admin['check'] == "1") {
....
}

Verification logic like this is easily bypassed using the feature above. $admin is never declared as an array, so when we submit it as a string, phpsyp.php?admin=1abc, PHP takes the first character of the string 1xxx for $admin['check'], and the if condition is satisfied.
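The string-offset reads above and the phpspy-style check, as an added example (it is not code from the original article or from phpspy): readOffset() shows what $str[key] produces for a numeric, a non-numeric and a leading-numeric key, and isAdminVulnerable() next to isAdminHardened() shows why the fix is to require an array and compare strictly. The function names and sample inputs are constructed for this example. The behaviour the article describes is that of PHP 5 and 7; on PHP 8 a wholly non-numeric offset such as "pass" or "check" throws a TypeError instead of reading offset 0 (the helpers report that as null/false), while a leading-numeric offset such as "1pass" still resolves to 1 with a warning.

```php
<?php
// Added example, not from the original article or from phpspy: string-offset
// reads with array-style keys, and a phpspy-style admin check in its vulnerable
// and hardened forms. Function names and sample inputs are constructed here.
// Behaviour shown is that of PHP 5/7; on PHP 8 a wholly non-numeric key such
// as "pass" or "check" throws a TypeError (reported below as null/false), while
// a leading-numeric key such as "1pass" still resolves to 1 with a warning.

// Read $str with the given key exactly as the engine does, returning the
// character produced, or null where the engine refuses the key.
function readOffset(string $str, $key): ?string
{
    try {
        return @$str[$key];            // "pass" -> 0, "1pass" -> 1 on PHP 5/7
    } catch (\Throwable $e) {
        return null;                   // PHP 8: TypeError for a non-numeric key
    }
}

// Vulnerable replica of the phpspy check: $admin is never declared as an
// array, so a caller-supplied string is compared as-is.
function isAdminVulnerable($admin): bool
{
    try {
        return @$admin['check'] == "1";   // "1abc": 'check' -> offset 0 -> "1" == "1"
    } catch (\Throwable $e) {
        return false;
    }
}

// Hardened check: the value must be an array, the key must be present, and
// the comparison is strict, so a string can never satisfy it.
function isAdminHardened($admin): bool
{
    return is_array($admin) && isset($admin['check']) && $admin['check'] === "1";
}

$s = "hello world";
foreach ([0, "pass", "1pass", 1] as $key) {
    printf("\$s[%s] => %s\n", json_encode($key), json_encode(readOffset($s, $key)));
}

foreach (["1abc", ["check" => "1"], ["check" => "0"], null] as $admin) {
    printf("%-14s vulnerable=%s hardened=%s\n", json_encode($admin),
        json_encode(isAdminVulnerable($admin)), json_encode(isAdminHardened($admin)));
}
```

The hardened check is deliberately three conditions, not one: is_array() rules out the string case entirely, isset() avoids reading a missing key, and === prevents the loose comparison from accepting values such as 1 or "1.0".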

The above is only a code fragment; the following is complete code, from question 5 of php4fun, which is quite interesting.


<?php
# GOAL: overwrite password for admin (id=1)
#  Try to login as admin
# $yourInfo=array( //this is your user data in the db
# 'id' => 8,
# 'name' => 'jimbo18714',
# 'pass' => 'MAYBECHANGED',
# 'level' => 1
# );
require 'db.inc.php';

function mres($str)
{
 return mysql_real_escape_string($str);
}

// $userInfo is whatever unserialize() returns: an array, or just a string
$userInfo = @unserialize($_GET['userInfo']);

$query = 'SELECT * FROM users WHERE id = \'' . mres($userInfo['id']) . '\' AND pass = \'' . mres($userInfo['pass']) . '\';';

$result = mysql_query($query);
if (!$result || mysql_num_rows($result) < 1) {
 die('Invalid password!');
}

// copy the fetched row back into $userInfo, key by key
$row = mysql_fetch_assoc($result);
foreach ($row as $key => $value) {
 $userInfo[$key] = $value;
}

$oldPass = @$_GET['oldPass'];
$newPass = @$_GET['newPass'];
if ($oldPass == $userInfo['pass']) {
 $userInfo['pass'] = $newPass;
 $query = 'UPDATE users SET pass = \'' . mres($newPass) . '\' WHERE id = \'' . mres($userInfo['id']) . '\';';
 mysql_query($query);
 echo 'Password Changed.';
} else {
 echo 'Invalid old password entered.';
}

Online write-ups only give the final answer to this question; the principle is either not explained or not explained in detail. In fact, the principle is the PHP string offset feature described above.

The task is very simple: change the password of admin, whose id is 1. We need to think about the following questions:

  • How can the id be changed to 1 during the update?

  • What does the line $userInfo['pass'] = $newPass; do, and why is it inside the if statement?

Once these two questions are understood, the solution follows: change the password of the user with id 8 to 8, then pass in userInfo as the string '8' to get through the query check, and finally use $userInfo['pass'] = $newPass to change the id to 1.

The final payload is:

First submission: index.php?userInfo=a:2:{s:2:"id";i:8;s:4:"pass";s:12:"MAYBECHANGED";}&oldPass=MAYBECHANGED&newPass=8. Its purpose is to change the password of the user with id 8 to 8.

Second submission: index.php?userInfo=s:1:"8";&oldPass=8&newPass=1. Unserializing userInfo now yields the string '8', so $userInfo = '8'; $userInfo['id'] and $userInfo['pass'] both read offset 0 and give '8', so the database query check passes. The subsequent if check also passes, and the line $userInfo['pass'] = $newPass; runs. Since $newPass is 1, this becomes $userInfo['pass'] = 1;, and because $userInfo is a string the result is $userInfo = '1'. The UPDATE therefore runs with id = $userInfo['id'] = '1', and the password of the user with id 1 is changed.

Fix

The fix for this kind of vulnerability is also simple: declare the data type in advance, and before using any data check that its type is the one expected; otherwise the bypass described above becomes possible. At the same time, input must be controlled: input data must be validated and never used casually.
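The two-step request sequence above and the fix just described, as an added example (not code from the original article or from php4fun): changePasswordVulnerable() replays the original flow against a constructed in-memory table in place of MySQL, and changePasswordHardened() applies the fix, refusing anything that does not decode to an array with an integer id and a string pass. The table contents, the function names and the choice of JSON for the hardened input are assumptions made for this example. Under PHP 5/7 the replica follows the article's trace (the first call rewrites id 8, the second rewrites id 1); on PHP 8 the second call's string offsets throw a TypeError, which the replica reports as a refused request, so the hardened version is what to rely on either way.

```php
<?php
// Added example, not code from the original article or from php4fun: a replica
// of the password-change flow run against a constructed in-memory table instead
// of MySQL, next to a hardened version that applies the fix the article
// describes. Table contents, function names and the use of JSON for the
// hardened input are assumptions made for this example.

// Constructed users table (not real data); columns id, name, pass in that order.
function sampleUsers(): array
{
    return [
        1 => ['id' => 1, 'name' => 'admin',      'pass' => 'ADMIN-PASS-PLACEHOLDER'],
        8 => ['id' => 8, 'name' => 'jimbo18714', 'pass' => 'MAYBECHANGED'],
    ];
}

// Stand-in for SELECT * FROM users WHERE id = '...' AND pass = '...'
function findUser(array $db, string $id, string $pass): ?array
{
    foreach ($db as $row) {
        if ((string) $row['id'] === $id && $row['pass'] === $pass) {
            return $row;
        }
    }
    return null;
}

// Vulnerable replica of the original logic. Returns the id whose password was
// rewritten, or null when the request is refused. Under PHP 5/7 the string
// offsets behave as the article traces; under PHP 8 they throw a TypeError,
// caught here and reported as a refusal.
function changePasswordVulnerable(array &$db, string $serialized, string $oldPass, string $newPass): ?int
{
    try {
        $userInfo = @unserialize($serialized);         // array OR a plain string; never checked
        $row = findUser($db, (string) @$userInfo['id'], (string) @$userInfo['pass']);
        if ($row === null) {
            return null;                                // "Invalid password!"
        }
        foreach ($row as $key => $value) {
            @$userInfo[$key] = $value;                  // on a string: every key lands on offset 0
        }
        if ($oldPass != @$userInfo['pass']) {           // loose ==, as in the original
            return null;                                // "Invalid old password entered."
        }
        $userInfo['pass'] = $newPass;                   // on a string this rewrites the whole value...
        $targetId = (int) @$userInfo['id'];             // ...so the UPDATE's WHERE id now equals $newPass
        $db[$targetId]['pass'] = $newPass;
        return $targetId;
    } catch (\Throwable $e) {
        return null;
    }
}

// Hardened version: the request must decode to an array with an integer id and
// a string pass, comparisons are strict, and the id used for the UPDATE is the
// one fetched from the table, never the one supplied by the client.
function changePasswordHardened(array &$db, string $json, string $oldPass, string $newPass): ?int
{
    $userInfo = json_decode($json, true);
    if (!is_array($userInfo) || !isset($userInfo['id'], $userInfo['pass'])
        || !is_int($userInfo['id']) || !is_string($userInfo['pass'])) {
        return null;                                    // wrong shape: refuse before touching the table
    }
    $row = findUser($db, (string) $userInfo['id'], $userInfo['pass']);
    if ($row === null || $row['pass'] !== $oldPass) {
        return null;
    }
    $db[$row['id']]['pass'] = $newPass;
    return $row['id'];
}

// The article's two requests, replayed against the replica.
$db = sampleUsers();
$first  = changePasswordVulnerable($db, 'a:2:{s:2:"id";i:8;s:4:"pass";s:12:"MAYBECHANGED";}', 'MAYBECHANGED', '8');
$second = changePasswordVulnerable($db, 's:1:"8";', '8', '1');
printf("vulnerable: first=%s second=%s admin pass now=%s\n",
    json_encode($first), json_encode($second), $db[1]['pass']);

// The same bare-string trick against the hardened version is refused.
$db = sampleUsers();
$refused = changePasswordHardened($db, '"8"', '8', '1');
printf("hardened: bare string %s, admin pass still=%s\n",
    $refused === null ? 'refused' : 'accepted', $db[1]['pass']);
```

Two details of the hardened version carry the fix: the shape check runs before any lookup, so a value that is not an array never reaches the code that indexes it, and the id written back comes from the fetched row rather than from $userInfo, so nothing the client sends can redirect the update.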
