Eval bypass method notes

Understanding of PHP string parsing vulnerabilities

The following is another author's explanation of PHP string parsing vulnerabilities.
We know that PHP converts query strings (in the URL or body) into the internal $_GET or $_POST associative arrays. For example, /?foo=bar becomes Array([foo] => "bar"). It is worth noting that certain characters are deleted or replaced with underscores while the query string is parsed. For example, /?%20news[id%00=42 is converted to Array([news_id] => 42). If an IDS/IPS or WAF has a rule that blocks requests when the value of the news_id parameter is non-numeric, it can be bypassed with the following request:
/news.php?%20news[id%00=42" +AND+1=0-
The value of the %20news[id%00 parameter in the request above ends up stored in $_GET["news_id"].

PHP needs to turn every parameter name into a valid variable name, so when parsing the query string it does two things:
1. Strips leading whitespace
2. Converts certain characters (including spaces) to underscores
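As an added example (not from the original post or the quoted author), the following Python code approximates that normalization so a WAF or log-analysis rule can match on the key PHP actually registers rather than on the raw query-string key. It approximates the behaviour of PHP 7/8's php_register_variable_ex() (leading spaces dropped, name cut at NUL, spaces, dots and an unmatched "[" turned into "_") and is not the PHP source itself; the function names are my own.

```python
from urllib.parse import unquote_to_bytes

# Approximation of PHP's variable-name normalization (not a port of the C code).
def php_variable_name(key: bytes):
    """Return the $_GET key PHP would register for one URL-decoded query key,
    or None when PHP would drop the variable entirely."""
    # The name is handled as a C string, so a NUL byte ends it; leading spaces are ignored.
    name = key.split(b"\0", 1)[0].lstrip(b" ")
    out = bytearray()
    for i, ch in enumerate(name):
        if ch in b" .":
            out.append(ord("_"))                 # ' ' and '.' become '_'
        elif ch == ord("["):
            if not out:
                return None                      # empty base name: PHP drops the variable
            tail = name[i + 1:]
            if b"]" in tail:
                return out.decode("latin-1")     # balanced bracket: an array with this base name
            # Unbalanced '[': it joins the name as '_' and the tail is appended (' ', '.', '[' -> '_').
            out += b"_" + bytes(ord("_") if c in b" .[" else c for c in tail)
            break
        else:
            out.append(ch)
    return out.decode("latin-1") or None


def canonicalize_query(query: str) -> dict:
    """Map each raw query pair to the key PHP would actually use in $_GET."""
    params = {}
    for pair in query.split("&"):
        if not pair:
            continue
        raw_key, _, raw_val = pair.partition("=")
        # '+' means space in form encoding; %XX sequences (including %00) are decoded to bytes.
        key = php_variable_name(unquote_to_bytes(raw_key.replace("+", " ")))
        if key is None:
            continue
        params[key] = unquote_to_bytes(raw_val.replace("+", " ")).decode("latin-1")
    return params


def news_id_is_suspicious(query: str) -> bool:
    """The text's rule (news_id must be numeric), evaluated on the canonical name,
    so the renamed-parameter variant from the text is no longer missed."""
    value = canonicalize_query(query).get("news_id")
    return value is not None and not value.isdigit()
```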

scandir

Parameters

directory: The directory to be browsed.

sorting_order: The default sort order is ascending alphabetical order. If the optional parameter sorting_order is set to 1, the sort order is descending alphabetical order.

context: Refer to the Streams API chapter of the manual for the description of the context parameter.

Return value: On success, returns an array of file names; on failure, returns false. If directory is not a directory, false is returned and an E_WARNING level error is generated.


file_get_contents


Origin blog.csdn.net/qq_45951598/article/details/111487084