[CTF/Network Security] Analysis of simple_php problem solving in the offensive and defensive world


Challenge description: Xiao Ning heard that PHP is the best language, so after a quick study she wrote a few lines of PHP code.

Code interpretation

$a=@$_GET['a']; Reads the parameter named a from the HTTP GET request and assigns it to the variable a. The @ symbol suppresses the error notice that would otherwise be raised, so if no parameter a is supplied, a is simply NULL.

$b=@$_GET['b']; Reads the parameter named b from the HTTP GET request in the same way and assigns it to the variable b.

if($a==0 and $a){ echo $flag1; } If a is equal to 0 and a is truthy, output flag1. Taken literally, a cannot be 0 and truthy at the same time, so this branch looks unreachable.

if(is_numeric($b)){ exit(); } If b is numeric, the script terminates immediately.

if($b>1234){ echo $flag2; } If b is greater than 1234, output flag2.


PHP weak-typing features

In PHP there are two comparison operators for testing whether two values are equal, == and ===, and they differ as follows:

== is the loose comparison operator: it compares only the values of the operands, without regard to their data types. It returns true when the two values are equal after conversion.
For example: 0 == "0" returns true.

=== is the identity (strict) comparison operator: it compares not only the values but also the data types and memory addresses of the operands. It returns true only when both the values and the data types are equal.
For example: 0 === "0" returns false.

Because the == operator compares only values, when a string is involved PHP tries to convert it to a number before comparing.
Specifically, PHP performs the following steps in order:

  1. If one of the operands is a boolean (true or false), it is converted to 1 (true) or 0 (false).

  2. If one of the operands is null, it is converted to the integer 0.

  3. If one of the operands is an array, it is converted to the string "Array".

  4. If one of the operands is an object, it is converted to the string "Object".

  5. If both operands are strings, PHP strips the non-numeric characters from each string and converts the remaining numeric parts into numbers for comparison.

  6. If none of the above applies, the string is converted to a number for comparison.

For example, comparing the string "0123" with the integer 123 returns true, and comparing the string "12xxx" with the integer 12 also returns true, because PHP converts the string to a number before comparing.


Approach

Bypassing the check on parameter a


Since a must be equal to 0 and must also be truthy, construct a GET string a that begins with 0 and is followed by non-numeric characters: a=0qiu

Bypassing the check on parameter b

Since b must not be numeric yet must be greater than 1234, construct a GET string b that begins with a number greater than 1234 and is followed by non-numeric characters: b=1235qiu

The echo is as follows (screenshot of the response not reproduced here).
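The juggling behind both bypasses, as an added example written for this write-up (not the challenge's original source): the two checks reconstructed as a function, beside a hardened variant that validates input before comparing. It assumes PHP 7 for the write-up's result; the comments note how PHP 8's changed string-to-number comparison affects each branch, and the flag values are placeholders.

```php
<?php
// Added example, not the write-up's own source: the two checks from
// simple_php reconstructed as a function, evaluated against the write-up's
// payloads, beside a hardened variant. Flag values are placeholders.

const FLAG1 = 'flag1{placeholder}';
const FLAG2 = 'flag2{placeholder}';

// The challenge logic as the write-up describes it. Comments give the
// PHP 7 behaviour the bypass relies on and how PHP 8 changed it.
function challenge(?string $a, ?string $b): array {
    $out = [];
    // PHP 7: "0qiu" == 0 is true (leading "0" is parsed, "qiu" is ignored)
    // and "0qiu" is truthy (only "" and "0" are falsy strings).
    // PHP 8: a non-numeric string and an int are compared as strings, so
    // "0qiu" == 0 is false and flag1 no longer leaks through this branch.
    if ($a == 0 and $a) {
        $out[] = FLAG1;
    }
    // is_numeric("1235qiu") is false, so the exit() is never reached.
    if (is_numeric($b)) {
        return $out;
    }
    // PHP 7: "1235qiu" > 1234 casts the string to 1235.
    // PHP 8: compared as strings, "1235qiu" > "1234" is still true.
    if ($b > 1234) {
        $out[] = FLAG2;
    }
    return $out;
}

// Hardened variant: validate the shape of the input first, then compare a
// value of known type with ===, so no type juggling can occur.
function hardened(?string $a, ?string $b): array {
    $out = [];
    // filter_var rejects "0qiu" outright, and a real int 0 is never truthy,
    // so the flag1 branch cannot be reached and is left out.
    $bInt = filter_var($b, FILTER_VALIDATE_INT);  // "1235qiu" -> false
    if ($bInt === false) {
        return $out;                              // malformed input: no comparison at all
    }
    if ($bInt > 1234) {
        $out[] = FLAG2;
    }
    return $out;
}

var_dump(challenge('0qiu', '1235qiu'));
var_dump(hardened('0qiu', '1235qiu'));
```

Run it under php 7 and php 8 side by side to see which branch each version still reaches with the same payloads.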


Summary

This challenge uses GET parameter passing to test reading PHP code and PHP's weak-typing features.
I am Qiu said, see you next time.


Source: blog.csdn.net/2301_77485708/article/details/130786982