Detailed explanation of PHP weak types

Recently, when doing ctf questions, I often encounter PHP weak types questions. This article mainly shares with you a summary of PHP weak types, hoping to help everyone.

Knowledge introduction:

There are two comparison symbols in php == and ===

<?php$a = $b ;$a===$b ;
?>

=== When making comparisons , it will first determine whether the types of the two strings are equal, and then compare
== When comparing, it will first convert the string types to the same, and then compare

If comparing one When comparing numbers and strings or strings involving numeric content, the string will be converted into a numerical value and the comparison will be performed based on the numerical value

php will not strictly check the type of the incoming variable, and it can Convert variables freely.

For example, in the comparison of $a == $b

$a = null; $b = false; //为真  
$a = ''; $b = 0; //同样为真

In addition, if a numerical value is compared with a string, the string will be converted into a numerical value

<?phpvar_dump("admin"==0);  //truevar_dump("1admin"==1); //truevar_dump("admin1"==1) //falsevar_dump("admin1"==0) //truevar_dump("0e123456"=="0e4456789"); //true ?>

1. Observe the above code. When "admin"==0 is compared, admin will be converted into a numerical value and forced conversion. Since admin is a string, the conversion result is 0, which is naturally equal to 0.

2. When "1admin"==1 is compared, 1admin will be converted into a numerical value, and the result is 1, but "admin1"==1 is equal to an error, that is, "admin1" is converted into 0.

3 、"0e123456"=="0e456789"相互比较的时候，会将0e这类字符串识别为科学技术法的数字，0的无论多少次方都是零，所以相等。
应当注意的是： 当一个字符串欸当作一个数值来取值，其结果和类型如下:如果该字符串没有包含 '.' ，'e' ， 'E'，并且其数值值在整形的范围之内 该字符串被当作int来取值，其他所有情况下都被作为float来取值，该字符串的开始部分决定了它的值，如果该字符串以合法的数值开始，则使用该数值，否则其值为0。

绕过类型：
md5绕过(Hash比较缺陷)

<?php  if (isset($_GET[&#39;Username&#39;]) && isset($_GET[&#39;password&#39;])) {      $logined = true;      $Username = $_GET[&#39;Username&#39;];      $password = $_GET[&#39;password&#39;];
  
       if (!ctype_alpha($Username)) {$logined = false;}
       if (!is_numeric($password) ) {$logined = false;}
       if (md5($Username) != md5($password)) {$logined = false;}
       if ($logined){
     echo "successful";
       }else{
            echo "login failed!";
         }
     }
 ?>

题目大意是要输入一个字符串和数字类型，并且他们的md5值相等，就可以成功执行下一步语句

介绍一批md5开头是0e的字符串 上文提到过，0e在比较的时候会将其视作为科学计数法，所以无论0e后面是什么，0的多少次方还是0。md5('240610708') == md5('QNKCDZO')成功绕过!
==南邮ctf bypass again==
打开后看到代码：

if (isset($_GET['a']) and isset($_GET['b'])) {if ($_GET['a'] != $_GET['b'])if (md5($_GET['a']) == md5($_GET['b']))die('Flag: '.$flag);elseprint 'Wrong.';
}

源码要求提交两个不相等的值使他们的md5值严格相等。md5()函数要求接收一个字符串，若传递进去一个数组，则会返回null，即var_dump(md5(array(2))===null);值为bool(true)

可以向$_GET数组传入两个名为a、b的不相等的数组，从而导致md5()均返回空，于是得到flag。 构造url：http://chinalover.sinaapp.com/web17/index.php?a[]=0&b[]=1 json绕过

<?phpif (isset($_POST[&#39;message&#39;])) {    $message = json_decode($_POST[&#39;message&#39;]);    $key ="*********";
    if ($message->key == $key) {
        echo "flag";
    } 
    else {
        echo "fail";
    }
 } else{
     echo "~~~~";
 }
?>

输入一个json类型的字符串，json_decode函数解密成一个数组，判断数组中key的值是否等于 $key的值，但是$key的值我们不知道，但是可以利用0=="admin"这种形式绕过

最终payload message={"key":0}。

strcmp漏洞绕过

<?php
     $password="***************"
      if(isset($_POST[&#39;password&#39;])){ 
         if (strcmp($_POST[&#39;password&#39;], $password) == 0) {             echo "Right!!!login success";n             exit();
         } else {             echo "Wrong password..";
         } ?>

strcmp是比较两个字符串，如果str10 如果两者相等 返回0

我们是不知道$password的值的，题目要求strcmp判断的接受的值和$password必需相等，strcmp传入的期望类型是字符串类型，如果传入的是个数组会怎么样呢

我们传入 password[]=xxx 可以绕过 是因为函数接受到了不符合的类型，将发生错误，但是还是判断其相等

payload: password[]=xxx

相关推荐：

php弱类型语言中关于类型判断的实例分析

PHP弱类型安全问题总结

PHP弱类型变量是如何实现的

The above is the detailed content of Detailed explanation of PHP weak types. For more information, please follow other related articles on the PHP Chinese website!