This article mainly introduces to you the relevant information about the bypass vulnerability caused by the character offset feature in PHP. The article not only introduces the formation of the vulnerability in detail, but more importantly, introduces the repair method, which has a certain reference for everyone. Learning value, I hope it can help everyone.
Character offset feature in php
The string in php has a very interesting feature. The string in php can also be valued like an array.
$test = "hello world"; echo $test[0];
The final result is h.
However, the above characteristics sometimes have unexpected effects. Look at the following code.
$mystr = "hello world"; echo $mystr["pass"];
The output result of the above code is h. Why is this? In fact, it is very simple. Like many other languages, strings in PHP can use subscripts to obtain values just like arrays. The pass in $mystr["pass"] will be implicitly converted to 0, so that the output result of $mystr[0] is the initial letter h.
Similarly, if you try the following code:
$mystr = "hello world"; echo $mystr["1pass"];
The output result is e. Because 1pass will be converted to 1 by implicit type, the output result of $mystr[1] is the second letter e.
Vulnerabilities caused by character characteristics
The following code is used in phpspy2006 to determine when logging in.
$admin['check'] = "1";
$admin['pass'] = "angel";
......
if($admin['check'] == "1") {
....
}Such verification logic can be easily bypassed if the above features are used. $admin is not initially defined as an array type, so when we submit phpsyp.php?admin=1abc with a string, PHP will take the first bit of the string 1xxx, successfully bypassing the if conditional judgment.
The above code is a code fragment, and the following code is a complete logical code, which comes from question 5 in php4fun, which is quite interesting.
<?php
# GOAL: overwrite password for admin (id=1)
# Try to login as admin
# $yourInfo=array( //this is your user data in the db
# 'id' => 8,
# 'name' => 'jimbo18714',
# 'pass' => 'MAYBECHANGED',
# 'level' => 1
# );
require 'db.inc.php';
function mres($str)
{
return mysql_real_escape_string($str);
}
$userInfo = @unserialize($_GET['userInfo']);
$query = 'SELECT * FROM users WHERE id = \'' . mres($userInfo['id']) . '\' AND pass = \'' . mres($userInfo['pass']) . '\';';
$result = mysql_query($query);
if (!$result || mysql_num_rows($result) < 1) {
die('Invalid password!');
}
$row = mysql_fetch_assoc($result);
foreach ($row as $key => $value) {
$userInfo[$key] = $value;
}
$oldPass = @$_GET['oldPass'];
$newPass = @$_GET['newPass'];
if ($oldPass == $userInfo['pass']) {
$userInfo['pass'] = $newPass;
$query = 'UPDATE users SET pass = \'' . mres($newPass) . '\' WHERE id = \'' . mres($userInfo['id']) . '\';';
mysql_query($query);
echo 'Password Changed.';
} else {
echo 'Invalid old password entered.';
}The Internet only gives a final answer to this question, and the principles are not explained or not explained in detail. In fact, the principle is the character characteristics of PHP mentioned above.
The question requirement is very simple: change the password of admin, and the id of admin is 1. We need to think about the following questions:
How to change the id to 1 when updating
$userInfo['pass'] = $newPass; What is the function of this line of code? Why does this kind of code exist in the if judgment statement?
After figuring out these two problems, the final solution is also available. Change the password of the user with ID 8 to 8, then pass in a userInfo string '8' to break through the query protection, and finally use $userInfo['pass'] = $newPass to change the ID to 1.
The final payload is;
First submission, index.php?userInfo=a:2:{s:2:"id";i:8 ;s:4:"pass";s:12:"MAYBECHANGED";}&oldPass=MAYBECHANGED&newPass=8, the purpose is to change the password of the user with id 8 to 8
Second submission , index.php?userInfo=s:1:"8";&oldPass=8&newPass=1, in this way, the serialized $userInfo will get the string '8', that is, $userInfo = '8', so the database query verification can pass . The subsequent if verification can also pass, through this line of code $userInfo['pass'] = $newPass;, since the value of $newpass is 1, then the above code becomes $userInfo['pass'] = 1;, $userInfo Due to a string type, the final result is $userInfo='1', and finally the password of the user with id 1 can be updated.
Repair method
The method of repairing this kind of vulnerability is also very simple. Define the data type in advance and when using it, it is best to check whether the data type used is consistent with the expected one. Otherwise, the above-mentioned bypass problems will occur. At the same time, input must be controlled, and the input data must be checked and not used casually.
Related recommendations:
Instance analysis of offset and uniform motion in JS
Sql optimization of excessive offset when paging mysql Example sharing
Detailed explanation of the difference between style.width and offsetWidth in js
The above is the detailed content of Solution to bypass vulnerability caused by offset feature in php. For more information, please follow other related articles on the PHP Chinese website!
![[Web front-end] Node.js quick start](https://img.php.cn/upload/course/000/000/067/662b5d34ba7c0227.png)
