ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSE
Sharing a collection of vulnerabilities in PHP functions
This article mainly shares with you a collection of vulnerabilities in PHP functions, hoping to help everyone.
1. Weak type comparison
##2.MD5 compare vulnerability
When PHP processes hash strings, if you use "!=" or "==" to compare hash values, it will interpret every hash value starting with "0x" as scientific notation 0 to the power (0), so if two different passwords are hashed and their hash values start with "0e", then PHP will think that they are the same.Common payloads include
0x01 md5(str)
QNKCDZO
240610708
s878926199a
s155964671a
s214587387a
s214587387a
0x02 sha1(str)
sha1('aaroZmOk')
sha1('aaK1STfY')
sha1('aaO8zKZF')
sha1('aa3OFF9m')if(@md5($_GET['a']) == @md5($_GET['b']))
{
echo "yes";
}
//http://127.0.0.1/1.php?a[]=1&b[]=23.ereg function vulnerability: 00 truncation ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSECopy after login
String comparison analysis ereg ("^[a-zA-Z0-9]+$", $_GET['password']) === FALSEHere if $_GET['password'] is an array, the return value is NULL
If it is 123 || asd || 12as || 123%00&&&* *, the return value is true
The rest is false
4.What is $key?
Don’t forget that the program can extract the key of the variable itself as a variable and give it to the function for processing.<?php
print_r(@$_GET);
foreach ($_GET AS $key => $value)
{ print $key."\n";
}?>5. Variable coverage
The main function involved is the extract function. Let’s look at an example<?php
$auth = '0';
// 这里可以覆盖$auth的变量值
print_r($_GET); echo "</br>";
extract($_GET);
if($auth == 1){
echo "private!";
} else{
echo "public!";
}
?>
<?php
$a='hi'; foreach($_GET as $key => $value) { echo $key."</br>".$value; $$key = $value;
} print "</br>".$a;?>http://127.0.0.1:8080/test.php?a=12 can achieve the purpose.
6.strcmp如果 str1 小于 str2 返回 < 0; 如果 str1 大于 str2 返回 > 0;如果两者相等,返回 0。
先将两个参数先转换成string类型。
当比较数组和字符串的时候,返回是0。
如果参数不是string类型,直接return
Copy after login<?php
$password=$_GET['password']; if (strcmp('xd',$password)) { echo 'NO!';
} else{ echo 'YES!';
}?>Copy after login
Construction如果 str1 小于 str2 返回 < 0; 如果 str1 大于 str2 返回 > 0;如果两者相等,返回 0。 先将两个参数先转换成string类型。 当比较数组和字符串的时候,返回是0。 如果参数不是string类型,直接return
<?php
$password=$_GET['password']; if (strcmp('xd',$password)) { echo 'NO!';
} else{ echo 'YES!';
}?>http://127.0.0.1:8080/test.php?password[]=
7.is_numeric
Needless to say:<?phpecho is_numeric(233333); # 1echo is_numeric('233333'); # 1echo is_numeric(0x233333); # 1echo is_numeric('0x233333'); # 1echo is_numeric('233333abc'); # 0?>
8.preg_match
If in progress When matching regular expressions, if there are no restrictions on the beginning and end of the string (^ and $), there may be bypass problems
<?php$ip = 'asd 1.1.1.1 abcd'; // 可以绕过if(!preg_match("/(\d+)\.(\d+)\.(\d+)\.(\d+)/",$ip)) { die('error');
} else { echo('key...');
}?>9.parse_str
Similar functions to parse_str() are mb_parse_str(). parse_str parses the string into multiple variables. If the parameter str is the query string passed in by the URL, parse it into a variable and set it. to the current scope.A type of time variable coverage
<?php
$var='init';
print $var."</br>";
parse_str($_SERVER['QUERY_STRING']);
echo $_SERVER['QUERY_STRING']."</br>"; print $var;?>10. String comparison<?php
echo 0 == 'a' ;// a 转换为数字为 0 重点注意
// 0x 开头会被当成16进制54975581388的16进制为 0xccccccccc
// 十六进制与整数,被转换为同一进制比较
'0xccccccccc' == '54975581388' ; // 字符串在与数字比较前会自动转换为数字,如果不能转换为数字会变成0
1 == '1'; 1 == '01'; 10 == '1e1'; '100' == '1e2' ;
// 十六进制数与带空格十六进制数,被转换为十六进制整数
'0xABCdef' == ' 0xABCdef'; echo '0010e2' == '1e3'; // 0e 开头会被当成数字,又是等于 0*10^xxx=0
// 如果 md5 是以 0e 开头,在做比较的时候,可以用这种方法绕过
'0e509367213418206700842008763514' == '0e481036490867661113260034900752'; '0e481036490867661113260034900752' == '0' ;
var_dump(md5('240610708') == md5('QNKCDZO'));
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));?>Copy after login
<?php
echo 0 == 'a' ;// a 转换为数字为 0 重点注意
// 0x 开头会被当成16进制54975581388的16进制为 0xccccccccc
// 十六进制与整数,被转换为同一进制比较
'0xccccccccc' == '54975581388' ; // 字符串在与数字比较前会自动转换为数字,如果不能转换为数字会变成0
1 == '1'; 1 == '01'; 10 == '1e1'; '100' == '1e2' ;
// 十六进制数与带空格十六进制数,被转换为十六进制整数
'0xABCdef' == ' 0xABCdef'; echo '0010e2' == '1e3'; // 0e 开头会被当成数字,又是等于 0*10^xxx=0
// 如果 md5 是以 0e 开头,在做比较的时候,可以用这种方法绕过
'0e509367213418206700842008763514' == '0e481036490867661113260034900752'; '0e481036490867661113260034900752' == '0' ;
var_dump(md5('240610708') == md5('QNKCDZO'));
var_dump(md5('aabg7XSs') == md5('aabC9RqS'));
var_dump(sha1('aaroZmOk') == sha1('aaK1STfY'));
var_dump(sha1('aaO8zKZF') == sha1('aa3OFF9m'));?>11.unset
unset (bar); is used to destroy the specified variable. If the variable bar is included in the request parameters, some variables may be destroyed to bypass the program logic.<?php $_CONFIG['extraSecure'] = true;foreach(array('_GET','_POST') as $method) { foreach($$method as $key=>$value) { // $key == _CONFIG
// $$key == $_CONFIG
// 这个函数会把 $_CONFIG 变量销毁
unset($$key);
}
}if ($_CONFIG['extraSecure'] == false) { echo 'flag {****}';
}?>12.intval()
int to string:$var = 5; 方式1:$item = (string)$var; 方式2:$item = strval($var);
var_dump(intval('2')) //2 var_dump(intval('3abcd')) //3 var_dump(intval('abcd')) //0 可以使用字符串-0转换,来自于wechall的方法
By the way, intval can be truncated by %00
if($req['number']!=strval(intval($req['number']))){ $info = "number must be equal to it's integer!! ";
}13.switch()
If switch is a case of numeric type, switch will convert the parameters into int type. The effect is equivalent to the intval function. As follows:<?php
$i ="abc";
switch ($i) {
case 0:
case 1:
case 2:
echo "i is less than 3 but not negative";
break;
case 3:
echo "i is 3";
}
?>14.in_array()$array=[0,1,2,'3'];
var_dump(in_array('abc', $array)); //true var_dump(in_array('1bc', $array)); //true
Copy after login
Entering a string in any place where PHP considers it to be an int will be forced to convert$array=[0,1,2,'3']; var_dump(in_array('abc', $array)); //true var_dump(in_array('1bc', $array)); //true
15.serialize and unserialize vulnerabilities这里我们先简单介绍一下php中的魔术方法(这里如果对于类、对象、方法不熟的先去学学吧),即Magic方法,php类可能会包含一些特殊的函数叫magic函数,magic函数命名是以符号__开头的,比如 __construct, __destruct,__toString,__sleep,__wakeup等等。这些函数都会在某些特殊时候被自动调用。
例如__construct()方法会在一个对象被创建时自动调用,对应的__destruct则会在一个对象被销毁时调用等等。
这里有两个比较特别的Magic方法,__sleep 方法会在一个对象被序列化的时候调用。 __wakeup方法会在一个对象被反序列化的时候调用。
Copy after login<?phpclass test{
public $username = ''; public $password = ''; public $file = ''; public function out(){
echo "username: ".$this->username."<br>"."password: ".$this->password ;
} public function __toString() {
return file_get_contents($this->file);
}
}$a = new test();$a->file = 'C:\Users\YZ\Desktop\plan.txt';echo serialize($a);?>//tostring方法会在输出实例的时候执行,如果实例路径是隐秘文件就可以读取了Copy after login
echo unserialize triggers the __tostring function, and the C:\Users\YZ\Desktop\plan.txt file can be read below这里我们先简单介绍一下php中的魔术方法(这里如果对于类、对象、方法不熟的先去学学吧),即Magic方法,php类可能会包含一些特殊的函数叫magic函数,magic函数命名是以符号__开头的,比如 __construct, __destruct,__toString,__sleep,__wakeup等等。这些函数都会在某些特殊时候被自动调用。 例如__construct()方法会在一个对象被创建时自动调用,对应的__destruct则会在一个对象被销毁时调用等等。 这里有两个比较特别的Magic方法,__sleep 方法会在一个对象被序列化的时候调用。 __wakeup方法会在一个对象被反序列化的时候调用。
<?phpclass test{
public $username = ''; public $password = ''; public $file = ''; public function out(){
echo "username: ".$this->username."<br>"."password: ".$this->password ;
} public function __toString() {
return file_get_contents($this->file);
}
}$a = new test();$a->file = 'C:\Users\YZ\Desktop\plan.txt';echo serialize($a);?>//tostring方法会在输出实例的时候执行,如果实例路径是隐秘文件就可以读取了<?phpclass test{
public $username = ''; public $password = ''; public $file = ''; public function out(){
echo "username: ".$this->username."<br>"."password: ".$this->password ;
} public function __toString() {
return file_get_contents($this->file);
}
}$a = 'O:4:"test":3:{s:8:"username";s:0:"";s:8:"password";s:0:"";s:4:"file";s:28:"C:\Users\YZ\Desktop\plan.txt";}';echo unserialize($a);?>16.session deserialization vulnerability
The main reason isini_set('session.serialize_handler', 'php_serialize');
ini_set('session.serialize_handler' , 'php');
The two handle sessions differently
\Users\YZ\Desktop\plan.txt";}';echo unserialize($a);?>
16.session deserialization vulnerability
The main reason isini_set('session.serialize_handler', 'php_serialize');
ini_set(' session.serialize_handler', 'php');
The two methods of handling sessions are different
Related recommendations:
Some common security vulnerabilities in php websites and corresponding preventive measures
phpAbout deserialization object injection vulnerability
Recommended 9 articles about file vulnerabilities
The above is the detailed content of Sharing a collection of vulnerabilities in PHP functions. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1392
52
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian
Dec 24, 2024 pm 04:42 PM
PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati
7 PHP Functions I Regret I Didn't Know Before
Nov 13, 2024 am 09:42 AM
If you are an experienced PHP developer, you might have the feeling that you’ve been there and done that already.You have developed a significant number of applications, debugged millions of lines of code, and tweaked a bunch of scripts to achieve op
How To Set Up Visual Studio Code (VS Code) for PHP Development
Dec 20, 2024 am 11:31 AM
Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c
Explain JSON Web Tokens (JWT) and their use case in PHP APIs.
Apr 05, 2025 am 12:04 AM
JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,
How do you parse and process HTML/XML in PHP?
Feb 07, 2025 am 11:57 AM
This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an
PHP Program to Count Vowels in a String
Feb 07, 2025 pm 12:12 PM
A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total
Explain late static binding in PHP (static::).
Apr 03, 2025 am 12:04 AM
Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.
What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases?
Apr 03, 2025 am 12:03 AM
What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.
