Implementation of weak type conversion in php

The content shared with you in this article is about weak type conversion in php. The content is of great reference value. I hope it can help friends in need.

1 Preface

In the recent CTF competition, the question of PHP weak types has appeared more than once. I would like to summarize the knowledge about PHP weak types and how to bypass them

2 Introduction

There are two comparison symbols == and ===

1 <?php
2 $a = $b ;
3 $a===$b ;
4 ?>

=== in php. When comparing, it will first determine whether the types of the two strings are equal, and then Comparison

== When comparing, the string type will be converted to the same type first, and then compared

如果比较一个数字和字符串或者比较涉及到数字内容的字符串，则字符串会被转换成数值并且比较按照数值来进行

It is clearly stated here that if a value is compared with a string When comparing, the string will be converted into a numerical value

1 <?php
2 var_dump("admin"==0);  //true
3 var_dump("1admin"==1); //true
4 var_dump("admin1"==1) //false
5 var_dump("admin1"==0) //true
6 var_dump("0e123456"=="0e4456789"); //true 
7 ?>  //上述代码可自行测试

1 Observe the above code, "admin"==0 When compared, admin will be converted into a numerical value, forced conversion, because admin is a string, The result of the conversion is that 0 is naturally equal to 0
2 "1admin"==1 When compared, 1admin will be converted into a numerical value, and the result is 1, but "admin1"==1 is equal to an error, that is, "admin1" is Converted to 0, why? ? 3 "0e123456"=="0e456789" When compared with each other, strings such as 0e will be recognized as numbers under the Science and Technology Law. No matter how many times 0 is raised, it is zero, so they are equal

For the above question, I checked the PHP manual

When a string is treated as a numerical value, the result and type are as follows: If the string does not contain '.', 'e', 'E' and its numerical value is within the range of integer
The string is treated as an int to obtain the value. In all other cases, it is treated as a float to obtain the value. The starting part of the string determines Its value is used if the string begins with a legal numeric value, otherwise its value is 0.

1 <?php
2 $test=1 + "10.5"; // $test=11.5(float)
3 $test=1+"-1.3e3"; //$test=-1299(float)
4 $test=1+"bob-1.3e3";//$test=1(int)
5 $test=1+"2admin";//$test=3(int)
6 $test=1+"admin2";//$test=1(int)
7 ?>

So this explains the reason why "admin1"==1 =>False

3 Actual combat

md5 bypass (Hash comparison defect)

 1 <?php
 2 if (isset($_GET[&#39;Username&#39;]) && isset($_GET[&#39;password&#39;])) {
 3     $logined = true;
 4     $Username = $_GET[&#39;Username&#39;];
 5     $password = $_GET[&#39;password&#39;];
 6 
 7      if (!ctype_alpha($Username)) {$logined = false;}
 8      if (!is_numeric($password) ) {$logined = false;}
 9      if (md5($Username) != md5($password)) {$logined = false;}
10      if ($logined){
11     echo "successful";
12       }else{
13            echo "login failed!";
14         }
15     }
16 ?>

The main idea of ​​the question is to input a string and a numeric type, and their md5 values ​​​​are equal, you can successfully execute the next statement

Introducing a batch of md5 strings starting with 0e mentioned above I've been there before, 0e will be treated as scientific notation when comparing, so no matter what comes after 0e, the power of 0 is still 0. md5('240610708') == md5('QNKCDZO')Successfully bypassed!

QNKCDZO
0e830400451993494058024219903391

s878926199a
0e545993274517709034328855841020
  
s155964671a
0e342768416822451524974117254469
  
s214587387a
0e848240448830537924465865611904
  
s214587387a
0e848240448830537924465865611904
  
s878926199a
0e545993274517709034328855841020
  
s1091221200a
0e940624217856561557816327384675
  
s1885207154a
0e509367213418206700842008763514

json bypass

<?php
if (isset($_POST[&#39;message&#39;])) {
    $message = json_decode($_POST[&#39;message&#39;]);
    $key ="*********";
    if ($message->key == $key) {
        echo "flag";
    } 
    else {
        echo "fail";
    }
 }
 else{
     echo "~~~~";
 }
?>

Enter a json type string, json_decode The function decrypts into an array and determines whether the value of key in the array is equal to the value of $key, but we don’t know the value of $key. But we can use the form 0=="admin" to bypass it

Final payload message={"key":0}

array_search is_array bypass

 1 <?php
 2 if(!is_array($_GET[&#39;test&#39;])){exit();}
 3 $test=$_GET[&#39;test&#39;];
 4 for($i=0;$i<count($test);$i++){
 5     if($test[$i]==="admin"){
 6         echo "error";
 7         exit();
 8     }
 9     $test[$i]=intval($test[$i]);
10 }
11 if(array_search("admin",$test)===0){
12     echo "flag";
13 }
14 else{
15     echo "false";
16 }
17 ?>

The above is one written by myself, first judge the incoming Is it an array, then loop through each value in the array, and each value in the array cannot be equal to admin, and convert each value into int type, and then determine whether the incoming array contains admin, if so, return flag

payload test[]=0 can be bypassed

The following is the official manual’s introduction to array_search

mixed array_search ( mixed $needle , array $haystack [, bool $strict = false ] )

$needle, $haystack is required, $strict is optional Function judgment$ The value in haystack exists in $needle. If it exists, the key value of the value is returned. The third parameter defaults to false. If set to true, strict filtering will be performed.

1 <?php
2 $a=array(0,1);
3 var_dump(array_search("admin",$a)); // int(0) => 返回键值0
4 var_dump(array_seach("1admin",$a));  // int(1) ==>返回键值1
5 ?>

array_search function is similar to ==, that is, $ a=="admin" is of course $a=0. Of course, if the third parameter is true, it cannot bypass the

strcmp vulnerability. Bypass php -v <5.3

 1 <?php
 2     $password="***************"
 3      if(isset($_POST[&#39;password&#39;])){
 4 
 5         if (strcmp($_POST[&#39;password&#39;], $password) == 0) {
 6             echo "Right!!!login success";n
 7             exit();
 8         } else {
 9             echo "Wrong password..";
10         }
11 ?>

strcmp is Compare two strings. If str10. If they are equal, return 0.

We don’t know the value of $password. The question requires strcmp to judge. The accepted value must be equal to $password. The expected type passed in by strcmp is a string type. What will happen if an array is passed in?

We pass in password[]=xxx and can be bypassed because of the function If an incompatible type is received, an error will occur, but it will still be judged to be equal

payload: password[]=xxx

switch bypass

 1 <?php
 2 $a="4admin";
 3 switch ($a) {
 4     case 1:
 5         echo "fail1";
 6         break;
 7     case 2:
 8         echo "fail2";
 9         break;
10     case 3:
11         echo "fail3";
12         break;
13     case 4:
14         echo "sucess";  //结果输出success;
15         break;
16     default:
17         echo "failall";
18         break;
19 }
20 ?>

This principle is the same as the previous one Similar, I won’t explain it in detail

4 Summary

These PHP weak types are just the tip of the iceberg. The above has verified the importance of code audit

Related recommendations:

Usage examples of keyword var in PHP

php queue processing: PHP message queue implementation principle (picture and text)

The above is the detailed content of Implementation of weak type conversion in php. For more information, please follow other related articles on the PHP Chinese website!