Common features of PHP (bugs)

Table of contents

Foreword:

1、intval():

Some features:

2、__wakeup() :

3、strcmp() :

4、assert():

5、eval():

6、include():

7、readfile():

8、call_user_func():

9、trim():

10、is_numeric():

11、extract():

12、parse_str():

13、get_defined_vars():

14、gettext():

15. Anonymous function (create_function):

16、$_SERVER['argv']:

17. Hash functions:

18. Command execution functions:

With output (echo):

Without output:

19. Global variables:

20. Auto increment bypass:

21. Irregular variable names:

22. Functions that cannot handle arrays:

23. Arithmetic with function calls:

24. Addition, subtraction, multiplication and division operators:

25. Bitwise operators:

26. Ternary operator:

27. PHP opening tags:

1. Normal writing in xml format

2. Short tags

3. ASP style writing

4. Long label style

28. Loose comparison:


 

Foreword:

The PHP features in this article are all ones the author encountered in CTF challenges and in real-world penetration tests. There may be omissions or mistakes; corrections are very welcome, thank you!

1、intval():

Format: intval(var, base)

  • base: optional; decimal if omitted
  • If base is 0, the base is determined from the format of var (a leading 0 means octal, a leading 0x means hexadecimal)

Some features:

1. Returns the integer value of the variable

For example, 4.2 gives 4

2. When the string contains letters, only the digits before the first letter are taken

For example, 6e123 gives 6

3. When an arithmetic expression is passed to the function, PHP evaluates it first, so e is correctly recognized as the scientific-notation symbol

For example intval(1e1+1) = 11

4. When there is no arithmetic expression, only the digits before e are taken and e is not treated as scientific notation

(see point 2)

5. When the argument is not a numeric string, the function always returns 0

For example:

intval('a') == 0
intval('.') == 0
intval('/') == 0

A loose comparison between 0 and a string returns true (see the loose comparison table at the end of the article)

6. A non-empty array returns 1, an empty array returns 0
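The behaviours listed above collected in one script, plus the base argument and a check that rejects the awkward inputs before intval() sees them. This is an added example, not code from the original post; the sample inputs are constructed.

```php
<?php
// Added example: intval() on the kinds of input a CTF check such as
// `intval($x) == 0` or `intval($x) > 9` is likely to receive.
function show($v): void
{
    echo str_pad(json_encode($v), 12), ' -> ', var_export(intval($v), true), PHP_EOL;
}

show(4.2);        // 4: the fractional part is dropped
show('42abc');    // 42: only the leading digits count
show(1e1 + 1);    // 11: the expression is evaluated before intval() is called
show('1e1');      // 10 on PHP >= 7.1, 1 on older releases: point 2 vs point 4
                  // above depends on the PHP version, so test on the target release
show('a');        // 0
show('.');        // 0
show('/');        // 0
show([]);         // 0: empty array
show(['x']);      // 1: non-empty array

// The base argument: 0 lets the prefix decide, the default (10) does not.
echo intval('012', 0), PHP_EOL;    // 10  (octal because of the leading 0)
echo intval('012'), PHP_EOL;       // 12  (decimal by default)
echo intval('0x1A', 0), PHP_EOL;   // 26  (hexadecimal because of 0x)
echo intval('0x1A'), PHP_EOL;      // 0   (decimal parse stops at the x)

// Hardened check: accept only a canonical decimal integer string, so that
// "42abc", "1e1", whitespace and arrays are all rejected before intval().
function isCanonicalInt($v): bool
{
    return is_string($v) && preg_match('/\A(0|-?[1-9][0-9]*)\z/', $v) === 1;
}
var_dump(isCanonicalInt('42'), isCanonicalInt('42abc'), isCanonicalInt(['42']));
```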

 

2、__wakeup():

Called automatically right after unserialize() has rebuilt the object

Bypass: change the declared number of properties in the serialized string to a value greater than the real number of properties, and __wakeup() is not executed
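An added example (not from the original post) showing __wakeup() running after unserialize(), and the allowed_classes option that stops untrusted input from instantiating arbitrary classes. The Session class and the serialized payload are constructed for this example.

```php
<?php
// Added example: __wakeup() as a reset hook, and why it must not be the only
// defence. The bypass described above skips __wakeup() on affected PHP
// versions, so restrict which classes unserialize() may create as well.
class Session
{
    public $user = 'guest';
    public $isAdmin = false;

    public function __wakeup()
    {
        // Never trust a privilege flag that arrived inside serialized data.
        $this->isAdmin = false;
    }
}

// Constructed sample: a serialized Session that claims admin rights.
$payload = 'O:7:"Session":2:{s:4:"user";s:5:"alice";s:7:"isAdmin";b:1;}';

$obj = unserialize($payload);
var_dump($obj->isAdmin);          // bool(false): __wakeup() reset it

// Hardened: refuse to instantiate any class from untrusted input ...
$safe = unserialize($payload, ['allowed_classes' => false]);
var_dump(get_class($safe));       // string "__PHP_Incomplete_Class"

// ... or allow only the one class this endpoint expects.
$sess = unserialize($payload, ['allowed_classes' => ['Session']]);
var_dump($sess instanceof Session, $sess->isAdmin);   // bool(true) bool(false)
```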

 

3、strcmp():

Format: strcmp(str1, str2)

Return value:

  • 0 - if the two strings are equal
  • <0 - if str1 is less than str2
  • >0 - if str1 is greater than str2

strcmp() compares strings. If an argument of another type is forced in, an error is raised, and the value returned after the error is 0; that is exactly what the bypass relies on

For example: pass in an array as str1: str1[]=666

Only PHP 5.3 has this vulnerability

 

4、assert():

The string passed in is executed as PHP code; a trailing semicolon is not required

 

5、eval():

The string passed in is executed as PHP code; a trailing semicolon is required

 

6、include():

File inclusion vulnerability: the PHP source code that is read in is executed

Feature: the included file is still resolved correctly even if the first directory component of the path does not exist

For example: hint.php?/../../../flag.php

The directory hint.php? does not exist, but the path still climbs up to the 4th-level directory and includes flag.php

Common file inclusion functions:

include_once()

Same as include(), except that when the same file is included repeatedly it is included only once

require()

The difference between require() and include() is that if an error occurs while require() is executing, the function prints an error message and terminates the script.

require_once()

Same as require(), except that when the same file is included repeatedly it is included only once.

 

7、readfile():

Reads a file and writes it to the output buffer

Feature: the file is still read correctly even if the first directory component of the path does not exist

For example: hint.php?/../../../flag.php

Same behaviour as include()

 

8、call_user_func():

Callback function: call_user_func(a, b, ...)  a is the name of the function to execute, the remaining arguments are passed to a and may be omitted

The return value is the result of calling a with those arguments

The function also accepts an array in place of a, which calls a static method of a class

For example:
call_user_func($array);
calls the say_hello method of the class named in $classname

$array[0] = $classname   the class name
$array[1] = 'say_hello'  the static method say_hello()

 

9、trim():

This function removes the following characters:

  • "\0" - NULL
  • "\t" - tab
  • "\n" - new line
  • "\x0B" - vertical tab
  • "\r" - carriage return
  • " " - space

But it does not remove the form feed \f (ASCII 12, URL-encoded as %0c)

 

10、is_numeric():

Determines whether the variable is purely numeric, but non-printing characters at the beginning of the variable (such as \f or \n) are still accepted and the value is treated as a number
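An added example (not from the original post) for sections 9 and 10 together: with constructed inputs, it shows which leading bytes trim() strips, which ones is_numeric() tolerates, and a check that accepts only a canonical number.

```php
<?php
// Added example: trim() vs is_numeric() on leading/trailing control characters.
$inputs = ["36", " 36", "\t36", "\n36", "\f36", "\v36", "36\n"];

foreach ($inputs as $in) {
    printf("%-10s trim()=%-10s is_numeric()=%-5s (int)=%s\n",
        json_encode($in),
        json_encode(trim($in)),
        var_export(is_numeric($in), true),
        var_export((int)$in, true)
    );
}
// "\f36": trim() leaves the form feed in place (it is not in trim()'s default
// list), yet is_numeric() returns true and (int) gives 36, so a filter written
// as  trim($x) !== '36' && is_numeric($x) && $x == 36  is satisfied by "\f36".
// "36\n": is_numeric() is false on PHP 7 but true on PHP 8, which also accepts
// trailing whitespace; (int) gives 36 on both.

// Hardened check: no whitespace of any kind, and \z instead of $ so that a
// trailing newline cannot sneak through either.
function isCanonicalNumber(string $s): bool
{
    return preg_match('/\A(0|[1-9][0-9]*)\z/', $s) === 1;
}
foreach (["36", "\f36", "36\n", "036"] as $in) {
    printf("%-10s canonical=%s\n", json_encode($in), var_export(isCanonicalNumber($in), true));
}
// Only "36" is accepted; "\f36", "36\n" and "036" are all rejected.
```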

 

11、extract():

Converts each key/value pair of an array into a variable name and its value; if a variable of that name already exists, it is overwritten

Example:
<?php
$a = "Original";
$my_array = array("a" => "Cat", "b" => "Dog", "c" => "Horse");
extract($my_array);
echo "\$a = $a; \$b = $b; \$c = $c";
?>
// Output: $a = Cat; $b = Dog; $c = Horse

 

12、parse_str():

The function parses a query string (such as name=Peter&age=43) into variables

Format: parse_str(string, array)

array is optional (it names the array in which the variables are stored; when given, the variables go into that array instead of the current scope)

If the array parameter is not set, an existing variable with the same name is overwritten

For example:
<?php
// Calling parse_str() without the second argument works only on PHP < 8.0
parse_str("name=Peter&age=43");
echo $name."<br>";
echo $age;
?>
// Output:
// Peter
// 43
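An added example (not from the original post) covering sections 11 and 12 together: how extract() and parse_str() overwrite an application variable, and the forms of both calls that keep untrusted keys away from it. The input array and query string are constructed.

```php
<?php
// Added example: variable overwrite via extract() and parse_str(), and the
// safe forms of both calls.
$role = 'guest';                                     // set by the application

// Constructed untrusted input, the shape of $_GET / $_POST:
$input = ['role' => 'admin', 'page' => 'home'];

extract($input);                  // unsafe: the attacker's "role" clobbers ours
echo "after extract():           role=$role", PHP_EOL;    // admin

$role = 'guest';
extract($input, EXTR_SKIP);       // existing variables are left alone
echo "after EXTR_SKIP:           role=$role", PHP_EOL;    // guest

extract($input, EXTR_PREFIX_ALL, 'req');  // every imported name gets a prefix
echo "after EXTR_PREFIX_ALL:     role=$role req_role=$req_role", PHP_EOL;  // guest admin

// parse_str() without a result array behaves like extract() on the query
// string (and is refused outright on PHP 8). Always pass the result array:
$role = 'guest';
parse_str('role=admin&page=home', $query);
echo "after parse_str(\$s, \$q): role=$role query[role]={$query['role']}", PHP_EOL;  // guest admin

// If extract() must stay, import only whitelisted keys.
function importAllowed(array $src, array $allowed): array
{
    return array_intersect_key($src, array_flip($allowed));
}
extract(importAllowed($input, ['page']));
echo "whitelist:                 role=$role page=$page", PHP_EOL;  // guest home
```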

 

13、get_defined_vars():

Returns an array of all defined variables

Can be combined with var_dump() to print them

 

14、gettext():

gettext() works as follows: before translation, the string to be translated is wrapped in gettext() to mark it as translatable, and at run time the translation for the language set in the environment is output. Because it returns its argument unchanged when no translation is available, the function can be used as a filler call

_() is a shorthand alias for gettext(). With the relevant settings enabled, _("666") is equivalent to gettext("666")

<?php
echo gettext(666);   // prints 666
echo "\n";
echo _("666");        // prints 666
?>

 

15. Anonymous function (create_function):

The default namespace in PHP is \ (the global namespace), and all built-in functions and classes live in it

The function can therefore also be called with a leading backslash: \create_function()

Internally, the function it generates looks like

function __lambda_func($a) {
  echo "test".$a;
}

The first argument (the parameter list) may be empty; the second argument supplies the function body, which is spliced into the generated function, and that is what can be used to build a closure

This function has been deprecated since PHP 7.2

 

16、$_SERVER['argv']:

1. In CLI mode (command line)

    The first element $_SERVER['argv'][0] is the script name; the rest are the arguments passed to the script

2. In web mode

    In web mode the register_argc_argv directive must be enabled in php.ini

    Set register_argc_argv = On (the default is Off) and restart the service; only then does $_SERVER['argv'] take effect

    In that case $_SERVER['argv'][0] = $_SERVER['QUERY_STRING'], which is everything after the question mark in the URL

    $argv and $argc are not available in web mode

 

17. Hash functions:

Hash functions (sha1, md5, etc.) cannot handle arrays. Given an array they return NULL, which can be used against === strict comparisons

 

18. Command execution functions:

With output (echo):

system()

passthru()

Without output:

exec()

shell_exec()  or `` backticks

Functions without output need an echo to display their result; exec() returns only the last line of the output, while shell_exec() returns the complete output

If the challenge gives no output at all, curl has to be used to get flag.php out

 

19. Global variables:

$GLOBALS is an array holding all variables defined in the global scope

var_dump($GLOBALS) shows the information about all of them

 

20. Auto increment bypass:

payload:

code=$=(/.);$=$[''!=''];$%ff=%2b%2b$;$%ff=%2b%2b$.$%ff;$%2b%2b;$%2b%2b;$%ff.=%2b%2b$;$%ff.=%2b%2b$;$=.$%ff;$$_;&=system&__=cat /flag

 

21. Irregular variable names:

A PHP variable name consists of digits, letters and underscores. In variable names passed in via GET or POST, spaces, + , . and [ are automatically converted to _

There is a special case: when passing parameters via GET or POST, a [ in the variable name is also replaced with _ , but the characters after it are not replaced

For example CTF[SHOW.COM becomes CTF_SHOW.COM
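An added example (not from the original post) that reproduces this name mangling with parse_str(), which applies the same rules as the $_GET / $_POST parser, and re-implements the rule so a filter can normalise names the way PHP does. The query strings and the mangledName() helper are constructed for this example.

```php
<?php
// Added example: PHP's request-variable name mangling.
$queries = [
    'CTF SHOW.COM=1',    // space and dot before any [ become _
    'CTF.SHOW.COM=1',
    'CTF[SHOW.COM=1',    // unterminated [ becomes _, everything after it is kept as is
    'CTF[SHOW][COM]=1',  // a well-formed [..] makes a nested array instead
];
foreach ($queries as $q) {
    parse_str($q, $vars);
    echo str_pad($q, 20), ' => ', json_encode($vars), PHP_EOL;
}
// CTF SHOW.COM=1     => {"CTF_SHOW_COM":"1"}
// CTF.SHOW.COM=1     => {"CTF_SHOW_COM":"1"}
// CTF[SHOW.COM=1     => {"CTF_SHOW.COM":"1"}
// CTF[SHOW][COM]=1   => {"CTF":{"SHOW":{"COM":"1"}}}

// Why it matters for a filter: a rule that inspects the raw parameter name
// (e.g. blocking "CTF_SHOW") never sees "CTF[SHOW", while the PHP script
// does. Normalise names the same way PHP does before comparing, or match on
// the keys of $_GET / $_POST after PHP has parsed them.
function mangledName(string $raw): string
{
    $name = ltrim($raw, ' ');           // leading spaces are dropped first
    $pos  = strpos($name, '[');
    $head = $pos === false ? $name : substr($name, 0, $pos);
    $head = str_replace([' ', '.'], '_', $head);
    if ($pos === false) {
        return $head;
    }
    $rest = substr($name, $pos + 1);
    // Unterminated '[' -> '_' with the tail verbatim; a terminated one is an array key.
    return strpos($rest, ']') === false ? $head . '_' . $rest : $head . '[' . $rest;
}
var_dump(mangledName('CTF[SHOW.COM') === 'CTF_SHOW.COM');   // bool(true)
```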

 

22. Functions that cannot handle arrays:

md5() returns NULL

sha1() returns NULL

preg_match() returns false

intval() returns 1 for a non-empty array and 0 for an empty one

stripos() returns NULL

strcmp() returns 0
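An added example (not from the original post) covering sections 3, 17 and 22 together: what these functions actually return when handed an array, why that defeats both == and === checks on PHP 7, and the type check that closes the hole. The inputs are constructed; on PHP 8 the same calls throw a TypeError, which the script reports instead.

```php
<?php
// Added example: string functions fed an array. On PHP 7 each call emits a
// warning and returns NULL/false/0; on PHP 8 the same call throws TypeError.
set_error_handler(function () { return true; });  // hide the PHP 7 warnings

function probe(string $label, callable $call): string
{
    try {
        return str_pad($label, 24) . ' => ' . var_export($call(), true);
    } catch (\TypeError $e) {
        return str_pad($label, 24) . ' => TypeError (PHP 8)';
    }
}

$arr = ['666'];
echo probe('md5(array)',          fn() => md5($arr)), PHP_EOL;                // NULL
echo probe('sha1(array)',         fn() => sha1($arr)), PHP_EOL;               // NULL
echo probe("strcmp(array, 'x')",  fn() => strcmp($arr, 'x')), PHP_EOL;        // NULL, which == 0
echo probe('preg_match(array)',   fn() => preg_match('/a/', $arr)), PHP_EOL;  // false
echo probe("stripos(array, 'a')", fn() => stripos($arr, 'a')), PHP_EOL;       // NULL
echo probe('intval([])',          fn() => intval([])), PHP_EOL;               // 0
echo probe("intval(['x'])",       fn() => intval(['x'])), PHP_EOL;            // 1

// The classic check "$a !== $b but md5($a) === md5($b)": two different arrays
// both hash to NULL on PHP 7, so even the strict comparison passes.
$a = ['1'];
$b = ['2'];
echo probe('md5(a) === md5(b)', fn() => $a !== $b && md5($a) === md5($b)), PHP_EOL;  // true on PHP 7

// Hardened form: reject anything that is not a string before hashing or
// comparing, and compare secrets with hash_equals() rather than == or ===.
function tokenMatches($expected, $given): bool
{
    if (!is_string($expected) || !is_string($given)) {
        return false;
    }
    return hash_equals($expected, $given);
}
var_dump(tokenMatches('s3cret', 's3cret'), tokenMatches('s3cret', ['s3cret']));  // true, false
```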

 

 

23. Arithmetic with function calls:

In PHP a number and a function call can be combined in one arithmetic expression: the expression still evaluates normally, and the call runs as part of it

The bitwise operator | or the ternary operator can be used in the same way

24. Addition, subtraction, multiplication and division operators:

<?php
$v1 = 1;
$v2 = 3;
$v3 = '-phpinfo();+';   // supplied by the request, URL-encoded (the + is sent as %2b)
$code = eval("return $v1$v3$v2;");
echo "$v1$v3$v2 = " . $code;
?>

25. Bitwise operators:

<?php
$v1 = 1;
$v2 = 3;
$v3 = '|phpinfo();|';   // supplied by the request, URL-encoded
$code = eval("return $v1$v3$v2;");
echo "$v1$v3$v2 = " . $code;
?>

26. Ternary operator:

<?php
$v1 = 1;
$v2 = '?phpinfo():';    // supplied by the request, URL-encoded
$v3 = 1;
eval("return $v1$v2$v3;");
?>
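An added example (not from the original post) for sections 23 to 26 together: the same three-part calculator, but with the operands validated as numbers and the operator looked up in an allowlist instead of being spliced into eval(). The request values are constructed from the payload shapes shown above.

```php
<?php
// Added example: an eval()-free calculator that rejects the operator-slot
// injections from sections 24, 25 and 26.
function calc(string $a, string $op, string $b)
{
    $x = filter_var($a, FILTER_VALIDATE_FLOAT);
    $y = filter_var($b, FILTER_VALIDATE_FLOAT);
    if ($x === false || $y === false) {
        return 'invalid operand';
    }
    switch ($op) {
        case '+': return $x + $y;
        case '-': return $x - $y;
        case '*': return $x * $y;
        case '/': return $y == 0 ? 'division by zero' : $x / $y;
        case '|': return (int)$x | (int)$y;
        default:  return 'invalid operator';
    }
}

// Constructed requests: one normal calculation and the three injection shapes.
$requests = [
    ['1', '+', '3'],
    ['1', '-phpinfo();+', '3'],   // arithmetic injection (section 24)
    ['1', '|phpinfo();|', '3'],   // bitwise injection (section 25)
    ['1', '?phpinfo():', '1'],    // ternary injection (section 26)
];
foreach ($requests as [$a, $op, $b]) {
    printf("%s %s %s => %s\n", $a, $op, $b, var_export(calc($a, $op, $b), true));
}
// Only the first request yields a number (4.0); the other three are reported
// as 'invalid operator' and no code in the operator slot is ever evaluated.
```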

27. PHP opening tags:

1. Normal writing in XML style

<?php
echo '1111';
?>

2. Short tags

<?
echo '1111';
?>

<?=  // equivalent to <? echo
?>

 These are only available after the short_open_tag directive in php.ini is turned on, or when PHP was compiled with the --enable-short-tags option. Since PHP 5.4 the short echo tag <?= is always recognized and valid, regardless of the short_open_tag setting

3. ASP style

<%
echo '1111';
%>

 (Note: this style is disabled by default in the PHP configuration. To make it output normally, edit php.ini: find asp_tags=off and change off to on, then restart Apache.) It was removed in PHP 7

4. Long tag style

<script language="php">
echo '1111';
</script>

Removed in PHP 7

28. Loose comparison:

(image in the original: PHP loose comparison table, not preserved in this copy)
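An added example (not from the original post) that prints the rows of the loose comparison table that matter most for authentication and CTF checks, alongside the strict result, and the comparison pattern to use instead. The value pairs are constructed.

```php
<?php
// Added example: == versus === for value pairs that matter in auth checks.
// Results are commented for PHP 7.x and PHP 8.x, which differ whenever a
// non-numeric string meets a number.
$cases = [
    [0,       'a'],       // PHP 7: true    PHP 8: false
    [0,       ''],        // PHP 7: true    PHP 8: false
    ['abc',   0],         // PHP 7: true    PHP 8: false
    ['1e3',   '1000'],    // true: two numeric strings are compared as numbers
    ['0e123', '0e456'],   // true: both are 0 in scientific notation (the "magic hash" case)
    ['1',     '01'],      // true
    ['10',    '1e1'],     // true
    [null,    false],     // true
    [[],      false],     // true
];
foreach ($cases as [$a, $b]) {
    printf("%-8s == %-8s : %-5s   === : %s\n",
        json_encode($a), json_encode($b),
        var_export($a == $b, true), var_export($a === $b, true));
}
// === is false for every row above, because it also requires identical types.

// Defensive pattern: type-check, then compare with === (or hash_equals() for
// secrets). A "0e..." hash never matches a different "0e..." hash this way.
function sameHash(string $expected, $given): bool
{
    return is_string($given) && hash_equals($expected, $given);
}
var_dump(sameHash('0e123', '0e456'));   // bool(false)
var_dump(sameHash('0e123', '0e123'));   // bool(true)
```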

 

 

 


Origin blog.csdn.net/Elite__zhb/article/details/130095325