
Some time ago I worked through the challenges on the Nanjing University of Posts and Telecommunications network attack-and-defense platform and wrote a writeup, which is worth summarizing. The challenges are all web challenges and all written in PHP, so many of them do not test traditional vulnerabilities such as SQL injection or XSS; many are about PHP's own syntax. Given that PHP is currently "the world's best language", problems in PHP itself also count as one aspect of web security. PHP is weakly typed, and its built-in functions handle the arguments passed to them loosely. This article mainly records the PHP function problems I ran into on the attack-and-defense platform and the problems that PHP's weak typing brings.

Introduction to PHP weak typing

In PHP, all of the following assignments are allowed:

$param = 1;
$param = array();
$param = "stringg";

A weakly typed language does not restrict the data type of a variable: a value of any type can be assigned to a variable at any time, and a variable can also be converted to any other type.

Type conversion

Type conversion problems are unavoidable. For example, when a GET or POST parameter has to be converted to int, or when the types of two variables do not match, PHP converts the variables automatically. Because PHP is weakly typed, these conversions produce many unexpected results.

Comparison operators

Type Conversion

In the comparison $a == $b:

$a=null;$b=false;	//true
$a='';$b=null;		//true

There are many more examples like these in which the comparison is equal.

The comparison operators also run into type conversion problems, as follows:

0 == '0'		//true
0 == 'abcdefg'		//true
0 === 'abcdefg'		//false
1 == '1abcdef'		//true

When variables of different types are compared, the variables are converted first, and the converted values can cause problems.

Hash comparison

Besides the cases above, comparing hashes this way is also a problem, as follows:

"0e132456789"=="0e7124511451155"	//true
"0e123456abc"=="0e1dddada"		//false
"0e1abc"=="0"				//false, "0e1abc" is not of the form 0e\d+

During a comparison, a string of the form 0e\d+ is parsed as a number in scientific notation. Both values in the first example above are therefore equal to 0 and compare equal. A string that does not match the 0e\d+ pattern is not parsed this way, and the comparison is not equal. The md5 collision challenge on the attack-and-defense platform tests this.
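The comparison above next to a strict one, as an added example that is not code from the original article. The function names are hypothetical and the digest strings are constructed values of the 0e\d+ shape, not hashes of real input.

```php
<?php
// Added example (not from the original article). The digests below are
// constructed strings, not real hashes of any input.

// Loose check: both sides are numeric strings, so == compares them as
// numbers. This still applies on PHP 8, because both strings are numeric.
function digest_equal_loose(string $stored, string $given): bool
{
    return $stored == $given;
}

// Strict check: hash_equals() compares the bytes in constant time and never
// interprets the strings as numbers.
function digest_equal_strict(string $stored, string $given): bool
{
    return hash_equals($stored, $given);
}

// Audit helper: flag a stored hex digest that a loose == would read as 0.
function is_zero_like_digest(string $hex): bool
{
    return preg_match('/^0e\d+\z/', $hex) === 1;
}

$stored = '0e132456789';        // constructed
$given  = '0e7124511451155';    // constructed
printf("loose:  %s\n", var_export(digest_equal_loose($stored, $given), true));
printf("strict: %s\n", var_export(digest_equal_strict($stored, $given), true));

// Constructed sample of stored digests to audit.
$digests = ['0e132456789', '0e123456abc', 'deadbeef00112233445566778899aabb'];
foreach ($digests as $d) {
    printf("%-34s zero-like=%s\n", $d, var_export(is_zero_like_digest($d), true));
}
```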

Hex conversion

Comparisons involving hexadecimal strings are also a problem. Examples are as follows:

"0x1e240"=="123456"		//true
"0x1e240"==123456		//true
"0x1e240"=="1e240"		//false

When a string begins with 0x, PHP parses it as a hexadecimal number and converts it to decimal before comparing. 0x1e240 parses to decimal 123456, so it compares equal to both the int 123456 and the string "123456". The challenge listed as "sad to say" on the attack-and-defense platform tests this feature.

Type Conversion

The most common conversions are int to string and string to int.

int to string:

$var = 5;
$item = (string)$var;	// method 1
$item = strval($var);	// method 2

string to int: the intval() function.

For this function, you can look at two examples.

var_dump(intval('2'));		// 2
var_dump(intval('3abcd'));	// 3
var_dump(intval('ABCD'));	// 0

This shows that intval() converts from the beginning of the string and stops when it encounters a non-numeric character. Even if the string cannot be converted at all, intval() does not report an error; it returns 0.

The MYSQL challenge on the attack-and-defense platform tests this intval() behaviour.

For the same reason, programmers should not write code like the following:

// intval() only checks the leading digits, but the raw $a goes into the query
if(intval($a)>1000) {
    mysql_query("select * from news where id=".$a);
}

In this case the value of $a could be 1002 union ...
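The weak check above next to a stricter one, as an added example that is not code from the original article. The helpers weak_check(), parse_id() and fetch_news() are hypothetical, the news table is taken from the query above, and the sample inputs are constructed.

```php
<?php
// Added example (not from the original article). Helper names are
// hypothetical; the inputs at the bottom are constructed samples.

// Weak check from the article: intval() stops at the first non-digit, so the
// test passes while the raw string still carries the trailing text.
function weak_check(string $a): bool
{
    return intval($a) > 1000;
}

// Stricter check: the whole string must be a decimal integer above 1000.
// FILTER_VALIDATE_INT returns the int on success and false on failure.
function parse_id(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1001],
    ]);
    return $id === false ? null : $id;
}

// Query with the validated integer, bound as a parameter, never the raw string.
function fetch_news(PDO $pdo, string $rawId): array
{
    $id = parse_id($rawId);
    if ($id === null) {
        return [];   // reject instead of querying
    }
    $stmt = $pdo->prepare('select * from news where id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$samples = ['1002', '1002 union ...', '1002abc', 'abc', '0x3ea'];
foreach ($samples as $raw) {
    printf("%-18s weak=%-5s strict=%s\n",
        var_export($raw, true),
        var_export(weak_check($raw), true),
        var_export(parse_id($raw), true));
}
```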

Loose parameters of built-in functions

The looseness of built-in functions means that, when calling a function, you can pass it an argument of a type it is not supposed to accept. That explanation is a bit of a mouthful, so practical examples illustrate the problem more directly; the following highlights several such functions.

md5()

$array1[] = array(
    "foo" => "bar",
    "bar" => "foo",
);
$array2 = array("foo", "bar", "hello", "world");
// md5() of an array does not return a digest, so both sides compare equal
var_dump(md5($array1)==md5($array2)); //true

The PHP manual describes md5() as string md5 ( string $str [, bool $raw_output = false ] ), so md5() requires a string argument. But when you pass an array, md5() does not raise an error; it simply cannot compute a correct md5 value for the array, which makes the md5 values of any two arrays equal. The bypass again challenge on the attack-and-defense platform also tests this md5() behaviour.

strcmp()

The official PHP manual describes strcmp() as int strcmp ( string $str1 , string $str2 ), so strcmp() requires two string arguments. It returns -1 if str1 is less than str2, 0 if they are equal, and 1 otherwise. In essence, strcmp() converts the two variables to ASCII, subtracts them, and decides the return value from the result.

What if the argument passed to strcmp() is an array?

$array = [1, 2, 3];
var_dump(strcmp($array, '123')); // null; in a sense, null is equivalent to false

The pass check challenge on the attack-and-defense platform tests this strcmp() behaviour.

switch()

If the case labels of a switch are numeric, switch converts its argument to int, as follows:

$i ="2abc";
switch ($i) {
case 0:
case 1:
case 2:
    echo "i is less than 3 but not negative";
    break;
case 3:
    echo "i is 3";
}

Here the program outputs "i is less than 3 but not negative", because switch converts the type of $i and the result of the conversion is 2.

in_array()

The PHP manual describes in_array() as bool in_array ( mixed $needle , array $haystack [, bool $strict = FALSE ] ). If the strict parameter is not provided, in_array() uses loose comparison to decide whether $needle is in $haystack. When strict is true, in_array() also checks whether the type of needle is the same as the type of the values in haystack.

$array=[0,1,2,'3'];
var_dump(in_array('abc', $array));  //true
var_dump(in_array('1bc', $array));  //true

Both calls above return true, because 'abc' is converted to 0 and '1bc' is converted to 1.

array_search() has the same problem as in_array().
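Type checks in front of the loose built-in functions described in this section (md5(), strcmp(), in_array()), as an added example that is not code from the original article. The function names and the 'secret' value are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example (not from the original article). Function names and sample
// values are constructed for illustration.

// Parameters such as ?pass[]=1 reach PHP as arrays. Reject non-strings before
// they get to md5() or strcmp(), then compare with hash_equals(), which
// returns a bool and cannot yield the null that "== 0" treats as a match.
function password_matches($input, string $expected): bool
{
    return is_string($input) && hash_equals($expected, $input);
}

// Digest of user input: refuse arrays instead of passing them to md5().
function md5_of_input($input): ?string
{
    return is_string($input) ? md5($input) : null;
}

// Two inputs share a digest only if both are strings with identical md5.
function same_digest($a, $b): bool
{
    $da = md5_of_input($a);
    $db = md5_of_input($b);
    return $da !== null && $db !== null && hash_equals($da, $db);
}

// Whitelist lookup with strict set, so type and value must both match.
function is_whitelisted($needle, array $haystack): bool
{
    return in_array($needle, $haystack, true);
}

$array = [0, 1, 2, '3'];   // the array from the article
foreach (['abc', '1bc', '3', 2] as $needle) {
    // The loose result depends on the PHP version: before PHP 8 a
    // non-numeric string is converted to 0 when compared with an int.
    printf("%-6s loose=%-5s strict=%s\n", var_export($needle, true),
        var_export(in_array($needle, $array), true),
        var_export(is_whitelisted($needle, $array), true));
}

printf("array as password:  %s\n", var_export(password_matches(['x'], 'secret'), true));
printf("string as password: %s\n", var_export(password_matches('secret', 'secret'), true));
printf("two arrays, md5:    %s\n", var_export(same_digest(['a'], ['b']), true));
```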


Origin www.cnblogs.com/SGYE518/p/10934619.html