Code audit (several types) (2)
Whitespace problem
is_numeric() whitespace skip problem
The is_numeric() function skips leading whitespace characters. The effect is as follows.
The characters that can be prepended here are " ", "\r", "\n", "\t", "\v", "\f".
trim()
This function strips " ", "\t", "\n", "\r", "\0", "\x0B". Using the two behaviours above, the first condition, the one that checks whether the input is a number, can be bypassed.
Next we continue with the following if/else. What we need to understand here is intval() and strval().
intval()
It returns the integer value of var on success and 0 on failure. An empty array returns 0 and a non-empty array returns 1. Most importantly, the maximum value of intval() depends on the operating system: the signed integer range on 32-bit systems is -2147483648 to 2147483647, and on 64-bit systems the maximum signed integer value is 9223372036854775807.
The final payload: ?number=0.00%00 or ?number=9223372036854775807%00. The trailing %00 can also be changed to %20.
I did not manage to reproduce it, and I don't know the reason... But the idea is like this.
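As an added illustration (not code from the original post), the following PHP script prints how is_numeric(), trim() and intval() treat the whitespace and NUL-byte inputs discussed above, next to a strict digits-only check that rejects all of them; the inputs are constructed for this example.

```php
<?php
// Added example, not from the original post: compare a loose numeric check
// (trim + is_numeric) with a strict one on inputs modelled on the payloads above.
declare(strict_types=1);

// Constructed inputs: plain digits, leading space, leading form feed,
// trailing NUL (the %00 payloads) and a trailing newline.
$inputs = ["42", " 42", "\f42", "0.00\0", "9223372036854775807\0", "42\n"];

// Loose validation: trim() removes "\0" but not "\f", and is_numeric()
// accepts leading whitespace, so several odd inputs pass.
function looseCheck(string $s): bool {
    return is_numeric(trim($s));
}

// Strict validation: ASCII digits only, no surrounding whitespace, no NUL.
// The D modifier stops '$' from matching before a trailing "\n".
function strictCheck(string $s): bool {
    return preg_match('/^[0-9]+$/D', $s) === 1;
}

foreach ($inputs as $s) {
    printf("%-28s is_numeric=%-5s trim+is_numeric=%-5s intval=%-20s strict=%s\n",
        json_encode($s),
        var_export(is_numeric($s), true),
        var_export(looseCheck($s), true),
        var_export(intval($s), true),
        var_export(strictCheck($s), true));
}
```

Note that is_numeric("42\n") is false on PHP 7 but true on PHP 8, which accepts trailing whitespace in numeric strings; the strict check gives the same answer on both.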
Pseudo-random number
mt_rand
mt_srand
There is a security problem here. For example, after we seed the generator with mt_srand(), the random numbers generated are the same every time. This means the value of another random number can be obtained by recovering the seed from the output of mt_rand(). The recommended tool here is php_mt_seed, which is available on GitHub, so I will not put the link. Generally this is used in combination with file inclusion. For details, please click
Operator
The logic is very simple. Here is the operator precedence table.
Looking carefully at the contents of the table, you can see how the payload is constructed. payload: ?a=1
Parse_url
The syntax is attached here for convenience.
Note the return value: null can be used in weak-type comparisons.
Looking at the example,
we can see that the first, second and third if checks restrict our input to _, 0, digits, letters and so on. Looking at the following if check, it is obvious that there can be no digits, so we can only bypass it by making the variable url null. payload: _=d or .=d