[PHP features - variable coverage] improper use, improper configuration and code logic vulnerability of the function
2022-07-05 03:47:00 【Black zone (rise)】
Catalog
1. Executive summary
2. extract function
3. parse_str function
4. import_request_variables function
5. Improper configuration
6. Code logic vulnerability
   Variable overwrite through $$
1. Executive summary
How it is found: code audit
Causes: improper use of functions, improper configuration, code logic vulnerabilities
Exploitation: a value passed in from the front end overwrites a local or global variable in the program, i.e. a variable overwrite
Scenarios:
- improper use of $$ (variable variables)
- improper use of the extract() or parse_str() functions
- improper use of import_request_variables(); global variable registration enabled (PHP 4 >= 4.1.0, PHP 5 < 5.4.0)
- ……
2. extract function
Syntax:
extract(array, extract_rules, prefix)
Parameters:
array: Required. The array to use.
extract_rules: Optional. extract() checks that each key name is a valid variable name and whether it conflicts with a variable already in the symbol table. How illegal and conflicting key names are handled is decided by this parameter. Possible values:
- EXTR_OVERWRITE - Default. On conflict, overwrite the existing variable.
- EXTR_SKIP - On conflict, do not overwrite the existing variable.
- EXTR_PREFIX_SAME - On conflict, prefix the variable name with prefix.
- EXTR_PREFIX_ALL - Prefix all variable names with prefix.
- EXTR_PREFIX_INVALID - Prefix only illegal or numeric variable names with prefix.
- EXTR_IF_EXISTS - Only overwrite the value of a variable that already exists in the current symbol table; do nothing otherwise.
- EXTR_PREFIX_IF_EXISTS - Only create a prefixed variable when a variable with the same name already exists in the current symbol table; do nothing otherwise.
- EXTR_REFS - Extract variables as references. The imported variables still reference the values of the array parameter.
prefix: Optional. Note that prefix is only needed when extract_rules is EXTR_PREFIX_SAME, EXTR_PREFIX_ALL, EXTR_PREFIX_INVALID or EXTR_PREFIX_IF_EXISTS. If the prefixed result is not a legal variable name, it is not imported into the symbol table.
An underscore is automatically added between the prefix and the array key name.
Example:
<?php
$a = false;
extract($_GET); // every GET key becomes a local variable, overwriting $a
if ($a) {
    echo "flag{...}";
} else {
    echo "……";
}
?>
extract() converts the data passed in via GET into variable names and values.
Passing ?a=1 sets $a to a truthy value -----> get flag
3. parse_str function
Syntax:
parse_str(string, array)
Parameters:
string: Required. The string to parse.
array: Optional. The name of the array in which the variables are stored; when given, the variables are stored in that array instead of the current scope. If the array parameter is not set, the variables set by this function overwrite existing variables with the same name.
parse_str() parses a string and registers its contents as variables.
It does not check whether a variable already exists before registering it; existing variables are overwritten directly.
In other words, it turns the input string into variables.
Example:
<?php
$a = false;
parse_str($_SERVER['QUERY_STRING']); // no result array: query parameters become variables in this scope
if ($a) {
    echo "flag{...}";
} else {
    echo "……";
}
?>
Input ?a=1 overwrites $a, so the flag is printed.
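The extract() and parse_str() examples above beside hardened forms, as an added example that is not part of the original post. It uses only the functions and flags named on this page; the request array and query string are constructed stand-ins for $_GET and $_SERVER['QUERY_STRING'], so it runs from the CLI.

```php
<?php
// Added example (not from the original post): vulnerable extract()/parse_str()
// usage beside hardened forms. Request data is constructed inline.
function vulnerable_extract(array $request): bool
{
    $a = false;
    extract($request);                 // default EXTR_OVERWRITE clobbers $a
    return (bool) $a;
}

function hardened_extract_skip(array $request): bool
{
    $a = false;                        // must exist BEFORE extract() for EXTR_SKIP to protect it
    extract($request, EXTR_SKIP);      // conflicting keys are dropped; unexpected new ones still appear
    return (bool) $a;
}

function hardened_extract_prefix(array $request): bool
{
    $a = false;
    extract($request, EXTR_PREFIX_ALL, 'req');   // every key becomes $req_<key>; $a cannot be reached
    return (bool) $a;
}

function vulnerable_parse_str(string $query): bool
{
    $a = false;
    parse_str($query);                 // no result array: variables land in this scope
    return (bool) $a;                  // (deprecated in PHP 7.2, an error since PHP 8.0)
}

function hardened_parse_str(string $query): bool
{
    $a = false;
    parse_str($query, $params);        // everything goes into $params; read only expected keys
    return (bool) $a;
}

// Constructed attacker input: what ?a=1 produces in $_GET and in QUERY_STRING
$request = ['a' => '1'];
$query   = 'a=1';
var_dump(vulnerable_extract($request));
var_dump(hardened_extract_skip($request));
var_dump(hardened_extract_prefix($request));
if (PHP_VERSION_ID < 80000) {          // single-argument parse_str() no longer exists in PHP 8
    var_dump(vulnerable_parse_str($query));
}
var_dump(hardened_parse_str($query));
```

Only the vulnerable variants report $a as true; note that EXTR_SKIP protects only variables that were assigned before the extract() call.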
4. import_request_variables function
Syntax:
bool import_request_variables ( string $types [, string $prefix ] )
Parameters:
$types: Specifies which variables to import. The letters G, P and C stand for GET, POST and Cookie respectively; they are case-insensitive, so any combination of g, p and c can be used. POST includes file upload information sent via the POST method. Note the order of the letters: with "gp", POST variables overwrite GET variables of the same name. Any letters other than GPC are ignored.
$prefix: The prefix put in front of the names of all variables imported into the global scope. So if you have a GET variable called userid and supply pref_ as the prefix, you get a global variable named $pref_userid. Although the prefix parameter is optional, omitting it or passing an empty string produces an E_NOTICE level error.
Available in PHP 4 >= 4.1.0, PHP 5 < 5.4.0.
Example:
<?php
$a = false;
import_request_variables('G'); // every GET parameter is imported into the global scope, overwriting $a
if ($a) {
    echo "flag{...}";
} else {
    echo "……";
}
?>
Letters later in the string overwrite variables imported by earlier letters: with "GP", if a is passed in both GET and POST, the GET value of a is overwritten by the POST value.
5. Improper configuration
Premise:
When PHP is configured with register_globals=On, the register_globals behaviour (every request parameter is registered as a global variable) reproduces the global variable overwrite vulnerability.
Example:
<?php
// register_globals=On: the request parameter a is registered as the global $a
// before this code runs, so an uninitialised $a takes the attacker's value
if ($a) {
    echo "flag{...}";
} else {
    echo "……";
}
?>
A user passing ?a=1 enters the if block.
If $a is initialised before the if statement, the overwrite does not trigger.
6. Code logic vulnerability
Variable overwrite through $$
$$ (variable variables)
A variable's name can be set and used dynamically: the value of an ordinary variable is used as the name of another variable.
<?php
$a = "hello";        // assignment
$$a = "everybody";   // the value of $a is used as a variable name, creating $hello
echo "$a ${$a}";     // Output: hello everybody
echo "$a $hello";    // same output: hello everybody
?>
Example:
<?php
$a = false;
foreach ($_GET as $key => $value) {
    $$key = $value;   // each GET key becomes a variable name
}
if ($a) {
    echo "flag{...}";
} else {
    echo "……";
}
?>
Looping over a request array (such as $_GET or $_POST) with foreach and assigning $$key registers every passed-in parameter as a variable; a user passing ?a=1 bypasses the check and obtains the flag.
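The code-audit step named in the summary, as an added example that is not the post's own code: a small scanner built on token_get_all() that flags the patterns from sections 2 to 6 (extract() of a superglobal, single-argument parse_str(), import_request_variables(), and $$ assignment). The function name, the crude top-level comma counting and the sample source are constructed for this illustration.

```php
<?php
// Added example (not from the original post): a tokenizer-based audit helper for
// the variable-overwrite patterns described above. Argument counting is crude
// (top-level commas only, no method-call check); the sample source is constructed.
function find_variable_overwrite_risks(string $source): array
{
    $findings = [];
    $tokens = token_get_all($source);
    $n = count($tokens);
    for ($i = 0; $i < $n; $i++) {
        $t = $tokens[$i];
        // "$$name" tokenizes as a bare '$' followed by a T_VARIABLE token
        if ($t === '$' && isset($tokens[$i + 1]) && is_array($tokens[$i + 1])
            && $tokens[$i + 1][0] === T_VARIABLE) {
            $findings[] = [$tokens[$i + 1][2], 'variable variable $' . $tokens[$i + 1][1]];
            continue;
        }
        if (!is_array($t) || $t[0] !== T_STRING) continue;
        $name = strtolower($t[1]);
        if (!in_array($name, ['extract', 'parse_str', 'import_request_variables'], true)) continue;
        // Collect the raw argument text between the call's parentheses
        $args = ''; $depth = 0;
        for ($j = $i + 1; $j < $n; $j++) {
            $tok = is_array($tokens[$j]) ? $tokens[$j][1] : $tokens[$j];
            if ($tok === '(') { $depth++; if ($depth === 1) continue; }
            elseif ($tok === ')') { $depth--; if ($depth === 0) break; }
            if ($depth >= 1) $args .= $tok;
        }
        $argc = trim($args) === '' ? 0 : count(explode(',', $args));
        if ($name === 'import_request_variables') $msg = 'import_request_variables() registers request data as globals';
        elseif ($name === 'parse_str' && $argc < 2) $msg = 'parse_str() without a result array writes into the current scope';
        elseif ($name === 'extract' && $argc < 2 && preg_match('/\$_(GET|POST|REQUEST|COOKIE)\b/', $args)) $msg = 'extract() of a superglobal with the default EXTR_OVERWRITE';
        else continue;
        $findings[] = [$t[2], $msg];
    }
    return $findings;
}

// Constructed sample source containing the four patterns plus one safe parse_str() call
$sample = <<<'SRC'
<?php
extract($_GET);
parse_str($_SERVER['QUERY_STRING']);
parse_str($qs, $params);
import_request_variables('G');
foreach ($_GET as $key => $value) { $$key = $value; }
SRC;
foreach (find_variable_overwrite_risks($sample) as [$line, $msg]) {
    echo "line $line: $msg\n";
}
```

The two-argument parse_str() call on line 4 of the sample is intentionally not reported, since the result array keeps the parsed data out of the local scope.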