Code audit (several types) (2)

Whitespace problem


is_numeric() whitespace skip problem

The is_numeric() function has a whitespace-skipping problem: leading whitespace characters are ignored when it decides whether a string is numeric. The effect is as follows.
The characters that can be added here are " ", "\r", "\n", "\t", "\v" and "\f".

trim()

This function removes " ", "\t", "\n", "\r", "\0" and "\x0B" from both ends of the string. Note that "\0" is stripped by trim() but not skipped by is_numeric(); combined with the whitespace skip above, this lets us bypass the first condition, the check whether the input is a numeric value.

Below, we continue with the following if/else branches. What we need to understand there is intval() and strval().

intval()

It returns the int value of var on success, and 0 on failure. An empty array returns 0, and a non-empty array returns 1. Most importantly, the maximum value of intval() depends on the operating system: the signed integer range on 32-bit systems is -2147483648 to 2147483647, and on 64-bit systems the maximum signed integer value is 9223372036854775807.

The final payload: ?number=0.00%00 or ?number=9223372036854775807%00. The trailing %00 can also be changed to %20.
I did not reproduce it successfully, and I don't know what the reason is... But the idea is like this.
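To make the three behaviours above concrete, here is an added example (not code from the original post) that feeds the same raw inputs through is_numeric(), trim() and intval() side by side, next to a strict validator of the kind an auditor would recommend instead. The inputs are constructed to mirror the payload shapes in the text (URL-decoded), and the validator function name is my own.

```php
<?php
// Added example: compare is_numeric(), trim() and intval() on the same raw
// input, then apply a strict validator that closes all three gaps.

declare(strict_types=1);

/** Show the three built-ins side by side for one raw input. */
function probe(string $raw): array
{
    return [
        'is_numeric_raw'     => is_numeric($raw),
        'trimmed'            => trim($raw),
        'is_numeric_trimmed' => is_numeric(trim($raw)),
        'intval'             => intval($raw),
    ];
}

/**
 * Strict validator for a non-negative decimal integer (hypothetical helper).
 * - \A and \z anchor to the real string ends; "$" would still match before
 *   a trailing "\n", which is how /^\d+$/ lets "12\n" through.
 * - No leading/trailing whitespace, no NUL bytes, no sign, no leading zeros.
 * - (string)(int)$s === $s rejects values that (int) would clamp to PHP_INT_MAX.
 */
function isStrictUnsignedInt(string $s): bool
{
    return preg_match('/\A(?:0|[1-9][0-9]*)\z/', $s) === 1
        && (string)(int)$s === $s;
}

// Constructed inputs (URL-decoded forms of the payloads discussed above).
$inputs = [
    "0.00",                  // plain numeric string
    "0.00\0",                // trailing NUL: not numeric, but trim() strips it
    " 0.00",                 // leading space: is_numeric() skips it
    "9223372036854775807",   // PHP_INT_MAX on 64-bit
    "9223372036854775808",   // one past the maximum: intval() clamps
    "12\n",                  // trailing newline (PHP 8 also accepts trailing whitespace)
];

foreach ($inputs as $in) {
    printf("%-26s %s strict=%s\n",
        json_encode($in),
        json_encode(probe($in)),
        var_export(isStrictUnsignedInt($in), true));
}
```

Run it with `php probe.php`; the point to take away is that is_numeric() on the raw value, is_numeric() on the trimmed value and intval() can each disagree about the same bytes, so a check that trusts one of them for a later branch that uses another is where the bypass lives.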

Pseudo-random number

mt_rand

mt_srand

There is a security problem here. For example, after we use the mt_srand() function to seed the generator, the random numbers it produces are the same every time. In this way, the seed can be recovered from one mt_rand() output, and the other random values can then be obtained. The recommended tool here is php_mt_seed, which is available on GitHub, so I will not put the link. Generally, this is combined with file inclusion. For details, please click
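As an added example (not from the original post), the following shows why a seeded mt_rand() sequence is a problem for anything security-sensitive, and the CSPRNG API that should be used instead. The seed value and the token format are constructed for the demonstration.

```php
<?php
// Added example: a seeded mt_rand() sequence is fully reproducible, so a token
// derived from it is predictable once the seed is known. random_bytes() draws
// from the OS CSPRNG and has no seed to recover.

declare(strict_types=1);

/** Insecure: token built from mt_rand() after a fixed seed (hypothetical helper). */
function weakToken(int $seed, int $length = 8): string
{
    mt_srand($seed);
    $out = '';
    for ($i = 0; $i < $length; $i++) {
        $out .= dechex(mt_rand(0, 15));
    }
    return $out;
}

/** Secure: token from the OS CSPRNG (hypothetical helper). */
function strongToken(int $bytes = 16): string
{
    return bin2hex(random_bytes($bytes));
}

// Constructed seed; in vulnerable code it is typically time() or a user-supplied value.
$seed = 1337;
$a = weakToken($seed);
$b = weakToken($seed);
printf("weak   #1: %s\nweak   #2: %s\nidentical: %s\n", $a, $b, var_export($a === $b, true));

$c = strongToken();
$d = strongToken();
printf("strong #1: %s\nstrong #2: %s\nidentical: %s\n", $c, $d, var_export($c === $d, true));
```

When auditing, grep for mt_srand(), srand() and rand() near anything that issues tokens, reset links, filenames or session identifiers; the fix is always to drop the seed and switch to random_int() or random_bytes().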

Operator

A very simple piece of logic. Here we give the operator precedence table; reading its contents carefully shows how the payload is constructed. payload: ?a=1
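The original code behind the ?a=1 payload is not reproduced in the post, so as an added example (not the post's code) here is the general precedence pitfall that produces this class of bypass in PHP: the word operators and/or bind lower than =, so a two-part condition silently becomes a one-part condition. Variable and function names are constructed.

```php
<?php
// Added example: PHP precedence pitfalls that turn a two-part check into a
// one-part check, and the fixed form.

declare(strict_types=1);

/**
 * Reads as "a must be 1 AND the token must match", but `and` has lower
 * precedence than `=`, so PHP parses it as
 *   ($ok = ($a == '1')) and ($token === 'secret');
 * and $ok only ever reflects the first half.
 */
function checkBuggy(string $a, string $token): bool
{
    $ok = $a == '1' and $token === 'secret';
    return $ok;
}

/** Same intent with && (which binds tighter than =) and explicit parentheses. */
function checkFixed(string $a, string $token): bool
{
    $ok = ($a === '1') && ($token === 'secret');
    return $ok;
}

// Constructed test cases: the first row is the ?a=1 situation with a wrong token.
foreach ([['1', 'wrong'], ['1', 'secret'], ['2', 'secret']] as [$a, $token]) {
    printf("a=%s token=%-6s buggy=%s fixed=%s\n", $a, $token,
        var_export(checkBuggy($a, $token), true),
        var_export(checkFixed($a, $token), true));
}
```

The same precedence table also explains the classic `if ($x = 1)` mistake (assignment, always truthy) versus `if ($x == 1)`; when reading the table, check every condition that mixes =, ==, and, or and ! before trusting it.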

Parse_url

First, the syntax for reference.
Note the return value: null can be exploited in weakly typed comparisons.

Looking at the example,
we can see that the first, second and third if judgments restrict our input to _, 0, digits, letters and so on. Looking at the following if judgment, it is obvious that there can be no digits, so we can only bypass it by making the variable url null. payload: _=d or .=d
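As an added example (not from the original post; the URLs are constructed), this shows the two non-string return values of parse_url() that the note above refers to, null for a missing component and false for a malformed URL, and how a loose comparison collapses both into "empty", while a strict check keeps them apart.

```php
<?php
// Added example: parse_url() returns null when the requested component is
// absent and false when the URL is seriously malformed; under == both compare
// equal to "" and to each other, which is the weak-type gap a check must close.

declare(strict_types=1);

/** Tabulate how one URL's path component behaves under loose and strict tests. */
function describePath(string $url): array
{
    $path = parse_url($url, PHP_URL_PATH);
    return [
        'raw'         => var_export($path, true),
        'loose_null'  => $path == null,   // true for null AND false
        'loose_empty' => $path == '',     // true for null AND false
        'strict_null' => $path === null,  // true only for a missing component
    ];
}

/**
 * Hardened accessor (hypothetical helper): only a non-empty string path is
 * accepted; missing (null) and malformed (false) are both rejected explicitly.
 */
function requirePath(string $url): ?string
{
    $path = parse_url($url, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return null;
    }
    return $path;
}

// Constructed inputs.
$urls = [
    'http://example.test/a/b',  // normal: path is "/a/b"
    'http://example.test',      // no path component: null
    'http:///bad',              // malformed: parse_url() returns false
    '/relative',                // no scheme or host, path only
];

foreach ($urls as $u) {
    printf("%-26s %s requirePath=%s\n", $u,
        json_encode(describePath($u)),
        var_export(requirePath($u), true));
}
```

The defensive rule is the same as for the intval() case earlier: compare with === against the exact type you expect, and treat false and null from parse_url() as "reject", never as "empty".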


Origin blog.csdn.net/qq_40568770/article/details/102966856