CTF Web: a brief summary of PHP-related techniques

[PHP-related]

Basic traps

PHP is a weakly typed language. Its supported types are:

boolean, integer, float, string, array, object, callable, resource, NULL

Some interesting things can happen when converting between types, summarized as follows:

Conversion to boolean

"" (the empty string), "0" (the string zero), 0 (integer zero), 0.0 (float zero), array() (an empty array), NULL, and $a (a variable that has not yet been assigned) are all considered false.
Any resource, NAN, and -1 are considered true.

String to number conversion

If the string does not contain '.', 'e' or 'E' and its numeric value fits in the integer range (defined by PHP_INT_MAX), the string is evaluated as an integer; in all other cases it is evaluated as a float.
The leading portion of the string determines its value. If the string starts with valid numeric data, that value is used; otherwise the value is 0 (zero). Valid numeric data is an optional sign, followed by one or more digits (optionally containing a decimal point), followed by an optional exponent part. The exponent part is an 'e' or 'E' followed by one or more digits.
- - - -

"===" and "!==" are the strict comparison operators: two operands are equal only if they have the same type and the same value.
"==" and "!=" are the non-strict (loose) comparison operators. If the two operands have different types, type conversion is performed before the comparison: a string is converted to a number before being compared with a number, and when two strings are compared and both are in numeric form, both are converted to numbers and compared numerically.

<?php
var_dump(0 == "a"); // "a" converts to 0, so 0 == 0 -> true on PHP < 8 (false on PHP >= 8, which no longer converts a non-numeric string)
var_dump("1" == "01"); // both numeric strings -> 1 == 1 -> true
var_dump("10" == "1e1"); // "1e1" is exponent form -> 10 == 10 -> true
var_dump(100 == "1e2"); // int vs numeric string -> 100 == 100 -> true

var_dump("0e123456789012345678901234567890" === "0"); // false: strict comparison, different strings
var_dump("0e123456789012345678901234567890" == "0");  // true: both numeric, 0 * 10^n == 0
?>
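The following is an added example (not code from the original post) that runs the string-to-number and loose-versus-strict comparison rules described above over a set of constructed values, and then shows the check a defender should use when request input is compared with a stored token: verify the type first, then compare byte-for-byte with hash_equals(). The stored token and the request values are made up.

```php
<?php
// Added example, not from the original post. Constructed values throughout.

function compareBothWays($a, $b): array
{
    return ['loose' => $a == $b, 'strict' => $a === $b];
}

// The check a defender wants: type first, then a byte-for-byte comparison.
function tokenMatches($supplied, string $expected): bool
{
    if (!is_string($supplied)) {
        return false;                           // arrays, ints, null: refuse outright
    }
    return hash_equals($expected, $supplied);   // no type juggling, constant time
}

function show($v): string
{
    return is_array($v) ? 'array' : var_export($v, true);
}

$pairs = [                      // constructed pairs
    ["1",    "01"],             // both numeric strings -> 1 == 1
    ["10",   "1e1"],            // exponent form -> 10 == 10
    [100,    "1e2"],            // int vs numeric string
    ["0e12", "0e34"],           // 0 * 10^n on both sides -> 0 == 0 on every PHP version
    ["0e1a", "0e2b"],           // letters in the exponent: not numeric, compared as strings
    ["abc",  0],                // true on PHP < 8, false on PHP >= 8
];
foreach ($pairs as [$a, $b]) {
    $r = compareBothWays($a, $b);
    printf("%-7s == %-7s  numeric:%s/%s  loose=%-5s strict=%s\n",
        show($a), show($b),
        is_numeric($a) ? 'y' : 'n', is_numeric($b) ? 'y' : 'n',
        $r['loose'] ? 'true' : 'false', $r['strict'] ? 'true' : 'false');
}

$stored = '0e12345';            // assumed stored token, numeric-looking on purpose
foreach (['0e12345', '0e99999', 0, ['0e12345']] as $input) {
    printf("token %-10s loose=%-5s safe=%s\n", show($input),
        $input == $stored ? 'true' : 'false',
        tokenMatches($input, $stored) ? 'true' : 'false');
}
```

The first loop makes the rule visible: "0e12" and "0e34" are numeric strings and compare equal loosely, while "0e1a" and "0e2b" are not numeric (the exponent may only contain digits) and are compared as plain strings. The second loop shows that a loose check lets both "0e99999" and the integer 0 match the stored token, while tokenMatches() only accepts the exact string.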

The PHP official site gives some examples of "==" comparisons (the type comparison tables in the PHP manual).
- - - -

This area still needs further study.

PHP pseudo-protocols in CTF

Summary of PHP pseudo-protocols

Some protocols are supported only by PHP, hence the name pseudo-protocols.
Two php.ini settings are related to them: allow_url_fopen and allow_url_include.

  • allow_url_fopen: default ON; allows URL-style wrappers to be used when accessing files.
  • allow_url_include: default OFF; allows URL-style wrappers to be used in include statements.

php://filter

Commonly used to read arbitrary files; it works even when both settings above are OFF.
Format: php://filter/[read|write]=string.[rot13|strip_tags|...]/resource=xxx

php://input
- - - -

strcmp()

strcmp() returns 0 when the two strings are equal. The function cannot handle arrays: if an array is passed in as a parameter, it returns NULL.
Combined with the comparison rules above, if the check is written as strcmp($a, $b) == 0, then (NULL == 0) is true, so passing an array into the function bypasses the check.
The defense is to use strict comparison: ===.
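As an added example (not code from the original post), the vulnerable strcmp() pattern described above beside the strict form. The stored password and the request values are constructed; the block deliberately does not enable strict_types, because under strict mode PHP 7 would already throw a TypeError for the array instead of returning NULL.

```php
<?php
// Added example, not from the original post. Constructed values throughout.

const STORED_PASSWORD = 'correct-horse';     // assumed stored value

// Vulnerable form from the text: loose comparison of strcmp()'s result with 0.
// PHP 5/7: strcmp(array, string) emits a warning and returns NULL, and
// NULL == 0 is true. PHP 8 throws a TypeError instead, which propagates.
function looseCheck($input): bool
{
    return @strcmp($input, STORED_PASSWORD) == 0;
}

// Hardened form: strings only, then strict comparison of the result.
function strictCheck($input): bool
{
    if (!is_string($input)) {
        return false;                        // arrays never reach strcmp()
    }
    return strcmp($input, STORED_PASSWORD) === 0;   // NULL === 0 can never be true
}

$inputs = ['correct-horse', 'wrong', ['anything']];   // constructed request values
foreach ($inputs as $in) {
    $label = is_array($in) ? 'array' : "'$in'";
    try {
        $loose = looseCheck($in) ? 'true' : 'false';
    } catch (TypeError $e) {
        $loose = 'TypeError (PHP 8)';
    }
    printf("%-16s loose=%-18s strict=%s\n",
        $label, $loose, strictCheck($in) ? 'true' : 'false');
}
```

On PHP 7 the array row prints loose=true and strict=false; on PHP 8 the loose check raises a TypeError, which is still a denial-of-service style failure mode rather than a correct "false", so the is_string() guard is worth keeping on either version.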
- - - -

%00 truncation

Two conditions must both be met for truncation to work: PHP version 5.2.9 or lower, and magic_quotes_gpc turned off.

Functions affected

  • include,include_once,require,require_once
  • file_exists
  • ereg, eregi (regular expression matching)
  • file_get_contents

Functions not affected by truncation

  • strlen
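The pseudo-protocol section and the %00 section above both concern the same code pattern: a page name taken from the request and handed to include(). The following is an added example (not code from the original post) of a hardened loader for that pattern. It refuses non-string input, embedded NUL bytes and any wrapper scheme, accepts only allowlisted page names, and confirms that the resolved path stays inside the page directory. The directory layout (<base>/<name>.php), the allowlist and the request values are assumptions; the script creates a throwaway directory so it runs stand-alone.

```php
<?php
// Added example, not from the original post. Paths and names are assumptions.

// Which wrapper settings are active in this interpreter. php://filter works
// regardless of both, which is why the include itself must be guarded.
function wrapperSettings(): array
{
    return [
        'allow_url_fopen'   => filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN),
        'allow_url_include' => filter_var(ini_get('allow_url_include'), FILTER_VALIDATE_BOOLEAN),
    ];
}

// Returns the absolute file to include, or null if the request must be refused.
function resolvePage($name, string $baseDir, array $allowed): ?string
{
    if (!is_string($name)) {                                   // arrays never reach include()
        return null;
    }
    if (strpos($name, "\0") !== false) {                       // the %00 case: refuse explicitly
        return null;
    }
    if (preg_match('~^[a-z][a-z0-9+.-]*://~i', $name) === 1) { // php://, data://, http://...
        return null;
    }
    if (!in_array($name, $allowed, true)) {                    // allowlist, strict comparison
        return null;
    }
    $real = realpath($baseDir . '/' . $name . '.php');
    $base = realpath($baseDir);
    // Defence in depth: the resolved path must still sit inside the base directory.
    if ($real === false || $base === false
        || strpos($real, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $real;
}

// Throwaway page directory so the script runs stand-alone.
$base = sys_get_temp_dir() . '/pages_' . bin2hex(random_bytes(4));
mkdir($base);
foreach (['home', 'about'] as $p) {
    file_put_contents("$base/$p.php", "<?php echo 'page: $p', PHP_EOL;");
}
$allowed = ['home', 'about'];

// Constructed request values: one legitimate, the others are the patterns the text describes.
$requests = [
    'home',
    "home\0.txt",                                    // NUL byte
    'php://filter/read=string.rot13/resource=home',  // wrapper scheme
    'settings',                                      // not on the allowlist
    ['home'],                                        // array instead of string
];
foreach ($requests as $r) {
    $label = is_array($r) ? 'array' : str_replace("\0", '\0', $r);
    $file  = resolvePage($r, $base, $allowed);
    if ($file === null) {
        echo "refused : $label\n";
    } else {
        echo "include : $label -> $file\n";
        include $file;
    }
}
print_r(wrapperSettings());

foreach (glob("$base/*.php") as $f) {   // clean up the throwaway directory
    unlink($f);
}
rmdir($base);
```

Only the first request is included; every other one is refused before include() is reached. The allowlist does the real work; the NUL and scheme checks exist so that the refusal does not depend on the PHP version or on magic_quotes_gpc.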
- - - -

md5()

Prerequisite: PHP variable types (see the basics section above)

  1. It cannot handle arrays: md5(array) returns NULL
<?php
$a[] = 1;       // $a is now an array
echo md5($a);   // md5() emits a warning and returns NULL, so nothing is echoed
?>

Warning: md5() expects parameter 1 to be string, array given in /tmp/45044302eb92d3bb0c8d1bed302358f3989559700dc1a118facbc80ef7f155a1/main.php on line 7

  2. 0e collisions: because of the loose comparison rule above, values whose md5 begins with 0e make the condition md5($a) == md5($b) pass.
0eeeb26bc5f6ba1cae0c5885c8f82dc9 aaaab6
0e08a88f2f1bad773e9baf987510c4c1 baaacU
0ef2db375cda51db88635099373077f6 caaaff
0e72bf9b806143116a4fda738b4fe6ef daaaeL
0e253b99812c188ec8358a29f601277e eaaagQ
0ebd40c0cd91aabcc7b321cd6b7e8c4d faaaaf
0ea081906fea694a27c77d902b0930bc gaaaaG
0e662ef3889bd06088261009539d0b98 haaatL
0e3ad9d5bfcf96fbf68d32f8d8020791 iaaadW
0e3121f7efc12a4c8a0b19419c08183c jaaagn
0e33d9ed1175b71a0c36c8092207aa2e kaaaiX
0e5b513ff48c0c38e9c80614e40e583f laaaaR
0eb4ff471d1daaad0abf3d0f25890f6a maaafG
0e8615bd2dad98219fe995f3f34fef20 naaagy
0ee7e45c8b49a711cfbf711a2ab8f362 oaaakE
0e45f47006f1ae77af97a2a66e63ca8b paaafB
0ed564aef50820bd0d19aeb0c54dafea qaaagb
0eb09dfaf39ac27929e40d7d040fad06 raaabY
0eaa701a96dd3c7eaf8db8b5dd14d871 saaadK
0ef8bbd0fd3a354d0c58968ba7a88347 taaac4
0e7f13153ac56df8cd77e2af28d62fe2 uaaaax
0e5d6c8a222b1b19657ed52e6463c0fc vaaaiK
0e2b644762da6a8c5ed726316ccfc8b5 waaacI
0e44238a7664e6316501f2d589dc8631 xaaadE
0ee4bf6dcf69bced96b0af0ffc8fc542 yaaabl
0e4ab7c28649f4690011ce5fd14e8eb6 zaaatC
0ee1abcce5648ea8b4a8d265f09b24e6 Aaaact
0ec8c912ef997ac3e8ceb23d24c9e8f9 Baaaa9
0e421d02abfd0c8eae7e18451b8a6a08 CaaadI
0e3d90d73011c2551feba94e2cc8a3cc Daaack
0e4d796e0c13cc03edbb16a5a41fe04a EaaalV
0e34068055d34f3415ae5062c3363c32 FaaaoA
0e74a38eda13d433c42f125fe8d5ab83 GaaabG
0ecca6beb91b292fe3f80903f3686ab1 HaaaaN
0e6a5d1c5785cf7d16235e1a539c352b Iaaaal
0e072722ff0b52b4d8efce5838280fda JaaacP
0e7f073b9701f3db27e83312b41a562c Kaaakn
0ec8c8fd26aa23c5b5933148795c3b3d LaaatJ
0e47adc73495a965a5114d5e16b70c78 MaaaaM
0edf7fe4e0148a52401b1951e529ae41 Naaaea
0e94f0f84773bbd691dec8b61c0c4f67 Oaaae2
0e79b18f75647ff7d3559beeac04c857 Paaaa8
0e91e2497a84c108b9dd3f58c62e17cf Qaaadr
0e312e1d7354272a0f7af98e3f12beee Raaaa4
0e57201859c078cebf65fc4da841b7b0 Saaaea
0e7faba6001cb0b8a930b128cea1bd28 TaaaaH
0eaeb5168e0c16442a83dd2059bd77ae Uaaaif
0efea2555a6bdb087a88d32b7b620cfe Vaaagr
0ecac74e8afde8bbf370baca232400d2 Waaabo
0ef74044fa1a333241bd00751a8d5c6b Xaaaan
0e6d0acea3fb18c498b09ad3d04bdd0c Yaaab4
0ed7f23534604153a96387f90cef213f ZaaabC
0ec92f8847011379ce0c1c95d3d52677 0aaaga
0e644c2d05e6d81ff04194145d497c74 1aaabw
0e93fcef5a44bbc455bb54011b8c6b2f 2aaady
0edfb3f3a9ab8d5ae227861e9a44b3e7 3aaacO
0eabd2eeb3b01d5b516a4e5bc51d6a43 4aaaci
0e1e066173172fd0eb55ac92ee4d9254 5aaabd
0e98a9e89b8bf419701c85ec8183247c 6aaabp
0e17990dcefa714d524be3fcab79491c 7aaaad
0e5a9f50d8369a2bbbab1797752111f1 8aaalf
0e2eb438bed241fdb0f6fa0d93ac86c5 9aaaaE
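As an added example (not code from the original post), the two md5() pitfalls above with their hardened form, plus a check that a practitioner should run over lists like the one above: a digest only juggles to the number 0 when it is "0e" followed by digits alone, because a numeric string's exponent may not contain letters. The digest-shaped strings built in the block are constructed, not real md5 outputs; the only values copied from the list above are the two digests marked as such, and both contain letters after "0e".

```php
<?php
// Added example, not from the original post.

// True only for "0e" followed by digits: the only digests PHP treats as the number 0.
function isZeroExponentDigest(string $hex): bool
{
    return preg_match('/^0e[0-9]+$/', $hex) === 1;
}

// Vulnerable form from the text: loose comparison of two digests.
function digestsLooselyEqual(string $a, string $b): bool
{
    return $a == $b;
}

// Hardened form: strings only, then hash_equals() on the digests.
function sameMd5($a, $b): bool
{
    if (!is_string($a) || !is_string($b)) {
        return false;               // arrays never reach md5(): no NULL, no warning
    }
    return hash_equals(md5($a), md5($b));
}

// Constructed digest-shaped strings (not real md5 outputs).
$allDigits = ['0e' . str_repeat('1', 30), '0e' . str_repeat('2', 30)];
// First two digests copied from the list above; they contain letters after "0e".
$fromList  = ['0eeeb26bc5f6ba1cae0c5885c8f82dc9', '0e08a88f2f1bad773e9baf987510c4c1'];

foreach ([$allDigits, $fromList] as [$x, $y]) {
    printf("%s vs %s\n  numeric-zero: %s/%s  loose==: %s  hash_equals: %s\n",
        $x, $y,
        isZeroExponentDigest($x) ? 'yes' : 'no', isZeroExponentDigest($y) ? 'yes' : 'no',
        digestsLooselyEqual($x, $y) ? 'true' : 'false',
        hash_equals($x, $y) ? 'true' : 'false');
}
// Array input is refused before md5() is reached.
printf("sameMd5(array, 'x'): %s\n", sameMd5(['x'], 'x') ? 'true' : 'false');
printf("sameMd5('x', 'x'):   %s\n", sameMd5('x', 'x') ? 'true' : 'false');
```

The all-digit pair compares equal loosely and unequal under hash_equals(); the pair taken from the list is not numeric at all and compares unequal either way, so isZeroExponentDigest() is the filter to apply before trusting such a list. sameMd5() closes both issues at once: the type check removes the array case and hash_equals() removes the numeric comparison.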


Source: www.cnblogs.com/RaidriarB/p/11649863.html