php substr_replace replaces characters at specified positions and memory corruption vulnerability_PHP tutorial

​

php tutorial substr_replace replaces characters at specified positions and memory corruption vulnerability

Tips and Notes
Note: If start is negative and length is less than or equal to start, length is 0.

$username = "zongzi";
echo substr_replace($username,'**','1','2');

Definition and usage
The substr_replace() function replaces part of a string with another string.

Grammar
substr_replace(string,replacement,start,length) parameter description
string required. Specifies the string to check.
replacement required. Specifies the string to be inserted.
start is required. Specifies where in the string to begin replacement.

Positive number - start replacing
at offset start Negative numbers - replace
starting at start offset from the end of the string 0 - Start replacing
at the first character in the string
charlist Optional. Specifies how many characters to replace.

Positive number - the length of the string to be replaced
Negative number - the number of characters to be replaced starting from the end of the string
0 - insert instead of replace

The function is the same as php’s substr_replace()

'Parameters: replaced content, replacement content, starting bit, replacement length

function substr_replace(sourcecon,repcon,startx,lenx)
dim reped
reped = mid(sourcecon,startx,lenx) 'Extract the original content of the same length
dim scleftx,scleft
scleftx = startx-1
If scleftx<1 then
scleft = ""
else
scleft = left(sourcecon,scleftx)
end if
Substr_replace = replace(sourcecon,reped,repcon,startx,1)
substr_replace = scleft&substr_replace
end function

() Interrupt Memory Corruption Vulnerability
bugraq id:
cve id:cve-2010-2190
cncve id:cncve-20102190

Vulnerability release time: 2010-05-31
Vulnerability update time: 2010-06-28

Cause of vulnerability
Design error
Hazard level
Low

Influence system
php 5.2 <= 5.2.13
php 5.3 <= 5.3.2

No system impact

Hazard
A remote attacker could exploit the vulnerability to leak sensitive information.

Required conditions for attack
An attacker would have to gain access to an application that uses the substr_replace() function.

Vulnerability information
PHP is a popular web programming language.
There is an information leakage problem in PHP's substr_replace() function:

php_function(substr_replace)
{
    ...
    if (zend_parse_parameters(zend_num_args() tsrmls_cc, "zzz|z", &str, &repl, &from, &len) == failure) {
        return;
    }
   
    if (z_type_pp(str) != is_array) {
        convert_to_string_ex(str);
    }
    if (z_type_pp(repl) != is_array) {
        convert_to_string_ex(repl);
    }
    if (z_type_pp(from) != is_array) {
        convert_to_long_ex(from);
    }
    if (argc > 3) {
        separate_zval(len);
        if (z_type_pp(len) != is_array) {
            convert_to_long_ex(len);
            l = z_lval_pp(len);
        }
    } else {
        if (z_type_pp(str) != is_array) {
            l = z_strlen_pp(str);
        }
    }
    if (z_type_pp(str) == is_string) {
        if (
            (argc == 3 && z_type_pp(from) == is_array) ||
            (argc == 4 && z_type_pp(from) != z_type_pp(len))
        ) {
            php_error_docref(null tsrmls_cc, e_warning, "'from' and 'len' should be of same type - numerical or array ");
            return_stringl(z_strval_pp(str), z_strlen_pp(str), 1);     
        }

使用不同类型的‘from’和'len'参数调用substr_replace()函数，会触发e_warning错误。如果php没有删除调用时通过引用传递功能，用户空间错误处理器会使用这个中断更改'str'参数类型。如果'str'类型更改为整数类型可导致泄漏任意内存，如果'str'更改为数组，允许泄漏使用重要内存偏移的哈希表。

http://www.bkjia.com/PHPjc/445368.htmlwww.bkjia.comtruehttp://www.bkjia.com/PHPjc/445368.htmlTechArticlephp教程 substr_replace替换指定位置字符与内存破坏漏洞 提示和注释 注释：如果 start 是负数且 length 小于等于 start，则 length 为 0。 $username =...