php substr_replace replaces characters at specified positions and memory corruption vulnerability_PHP tutorial

WBOY
Release: 2016-07-20 11:02:25
Original
1399 people have browsed it

php tutorial substr_replace replaces characters at specified positions and memory corruption vulnerability

Tips and Notes
Note: If start is negative and length is less than or equal to start, length is 0.

$username = "zongzi";
echo substr_replace($username,'**','1','2');

Definition and usage
The substr_replace() function replaces part of a string with another string.

Grammar
substr_replace(string,replacement,start,length) parameter description
string required. Specifies the string to check.
replacement required. Specifies the string to be inserted.
start is required. Specifies where in the string to begin replacement.

Positive number - start replacing
at offset start Negative numbers - replace
starting at start offset from the end of the string 0 - Start replacing
at the first character in the string
charlist Optional. Specifies how many characters to replace.

Positive number - the length of the string to be replaced
Negative number - the number of characters to be replaced starting from the end of the string
0 - insert instead of replace

The function is the same as php’s substr_replace()

'Parameters: replaced content, replacement content, starting bit, replacement length

function substr_replace(sourcecon,repcon,startx,lenx)
dim reped
reped = mid(sourcecon,startx,lenx) 'Extract the original content of the same length
dim scleftx,scleft
scleftx = startx-1
If scleftx<1 then
scleft = ""
else
scleft = left(sourcecon,scleftx)
end if
Substr_replace = replace(sourcecon,reped,repcon,startx,1)
substr_replace = scleft&substr_replace
end function

() Interrupt Memory Corruption Vulnerability
bugraq id:
cve id:cve-2010-2190
cncve id:cncve-20102190

Vulnerability release time: 2010-05-31
Vulnerability update time: 2010-06-28

Cause of vulnerability
Design error
Hazard level
Low

Influence system
php 5.2 <= 5.2.13
php 5.3 <= 5.3.2

No system impact

Hazard
A remote attacker could exploit the vulnerability to leak sensitive information.

Required conditions for attack
An attacker would have to gain access to an application that uses the substr_replace() function.

Vulnerability information
PHP is a popular web programming language.
There is an information leakage problem in PHP's substr_replace() function:

php_function(substr_replace)
{
    ...
    if (zend_parse_parameters(zend_num_args() tsrmls_cc, "zzz|z", &str, &repl, &from, &len) == failure) {
        return;
    }
   
    if (z_type_pp(str) != is_array) {
        convert_to_string_ex(str);
    }
    if (z_type_pp(repl) != is_array) {
        convert_to_string_ex(repl);
    }
    if (z_type_pp(from) != is_array) {
        convert_to_long_ex(from);
    }
    if (argc > 3) {
        separate_zval(len);
        if (z_type_pp(len) != is_array) {
            convert_to_long_ex(len);
            l = z_lval_pp(len);
        }
    } else {
        if (z_type_pp(str) != is_array) {
            l = z_strlen_pp(str);
        }
    }
    if (z_type_pp(str) == is_string) {
        if (
            (argc == 3 && z_type_pp(from) == is_array) ||
            (argc == 4 && z_type_pp(from) != z_type_pp(len))
        ) {
            php_error_docref(null tsrmls_cc, e_warning, "'from' and 'len' should be of same type - numerical or array ");
            return_stringl(z_strval_pp(str), z_strlen_pp(str), 1);     
        }

使用不同类型的‘from’和'len'参数调用substr_replace()函数,会触发e_warning错误。如果php没有删除调用时通过引用传递功能,用户空间错误处理器会使用这个中断更改'str'参数类型。如果'str'类型更改为整数类型可导致泄漏任意内存,如果'str'更改为数组,允许泄漏使用重要内存偏移的哈希表。


www.bkjia.comtruehttp://www.bkjia.com/PHPjc/445368.htmlTechArticlephp教程 substr_replace替换指定位置字符与内存破坏漏洞 提示和注释 注释:如果 start 是负数且 length 小于等于 start,则 length 为 0。 $username =...
source:php.cn
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template