PHP常见函数绕过

# intval

11

intval(mixed $value, int $base = 10)

第二个进制参数为空时,会根据第一个参数自适应调整转换

注意:

  • 如果 base 是 0,通过检测 value 的格式来决定使用的进制:

  • 如果字符串包括了 "0x" (或 "0X") 的前缀,使用 16 进制 (hex);否则,

  • 如果字符串以 "0b" (或 "0B") 开头,使用 2 进制 (binary);否则,

  • 如果字符串以 "0" 开始,使用 8 进制(octal);否则, 将使用 10 进制 (decimal)。

13

几个主要特性:

  • 处理数字开头的字符串,返回开头的数字,否则返回0
  • 处理浮点数,直接返回截取整数部分,而非四舍五入
  • 0,0x开头的数字自动识别为8进制,16进制,返回10进制数
  • 可以处理科学计数法。使len($a)<=3&&intval($a)>1000000这种条件成为了可能
  • 处理数组时,根据数组是否为空,返回0或1
<?php
highlight_file(__FILE__);
echo "<br>";
var_dump(intval('123abc'));
echo "<br>";
var_dump(intval('abc123'));
echo "<br>";
var_dump(intval(12.6));
echo "<br>";
var_dump(intval(010));
echo "<br>";
var_dump(intval(0x10));
echo "<br>";
var_dump(intval(1e9));
1
2
3
4
5
6
7
8
9
10
11
12
13
14

12

# strcmp

1

strcmp(string $string1, string $string2)

接收两个字符串参数,如果两个字符串相等返回 0,如果 string1 小于 string2 返回 -1,反之返回 1

原理:

这个函数需要传入的参数是字符串类型,当传入其它类型的的时候比如数组,函数返回0,导致绕过

<?php
highlight_file(__FILE__);
    $password="123456";
     if(isset($_POST['password'])){

        if (strcmp($_POST['password'], $password) == 0) {
            echo "Right!!!login success";
            exit();
        } 
        echo "Wrong password..";
}
1
2
3
4
5
6
7
8
9
10
11

传入一个数组类型即可绕过,如password[]=1

2

# md5

3

md5(string $string, bool $binary = false)

第二个参数经常省略,因此大多时候只需要一个字符串参数。当传入数组时,返回的是NULL,导致绕过,类似于strcmp,但绕过方式不止这一种,一一举例

# 方法一 数组

原理:

不管是弱比较还是强比较,都可以使用数组绕过,md5函数处理数组时返回NULL,传入两个数组,变成了NULL==NULL,返回true

<?php
highlight_file(__FILE__);
$a = $_GET[a];
$b = $_GET[b];
var_dump(md5($a)==md5($b));
var_dump(md5($a)===md5($b));
1
2
3
4
5
6

4

# 弱比较

原理:

在处理hash字符串时,PHP会将每一个以 0E开头的哈希值解释为0,那么只要传入的不同字符串经过哈希以后是以 0E开头的,那么PHP会认为它们相同

<?php
highlight_file(__FILE__);
$a = $_GET[a];
$b = $_GET[b];
echo md5($a)."<br>".md5($b)."<br>";
var_dump(md5($a)==md5($b));
1
2
3
4
5
6

5

常见md5值0e开头字符串

点击查看
s878926199a
0e545993274517709034328855841020
s155964671a
0e342768416822451524974117254469
s214587387a
0e848240448830537924465865611904
s214587387a
0e848240448830537924465865611904
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s1885207154a
0e509367213418206700842008763514
s1502113478a
0e861580163291561247404381396064
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s155964671a
0e342768416822451524974117254469
s1184209335a
0e072485820392773389523109082030
s1665632922a
0e731198061491163073197128363787
s1502113478a
0e861580163291561247404381396064
s1836677006a
0e481036490867661113260034900752
s1091221200a
0e940624217856561557816327384675
s155964671a
0e342768416822451524974117254469
s1502113478a
0e861580163291561247404381396064
s155964671a
0e342768416822451524974117254469
s1665632922a
0e731198061491163073197128363787
s155964671a
0e342768416822451524974117254469
s1091221200a
0e940624217856561557816327384675
s1836677006a
0e481036490867661113260034900752
s1885207154a
0e509367213418206700842008763514
s532378020a
0e220463095855511507588041205815
s878926199a
0e545993274517709034328855841020
s1091221200a
0e940624217856561557816327384675
s214587387a
0e848240448830537924465865611904
s1502113478a
0e861580163291561247404381396064
s1091221200a
0e940624217856561557816327384675
s1665632922a
0e731198061491163073197128363787
s1885207154a
0e509367213418206700842008763514
s1836677006a
0e481036490867661113260034900752
s1665632922a
0e731198061491163073197128363787
s878926199a
0e545993274517709034328855841020
240610708 
0e462097431906509019562988736854
314282422 
0e990995504821699494520356953734
571579406 
0e972379832854295224118025748221
903251147 
0e174510503823932942361353209384
1110242161 
0e435874558488625891324861198103
1320830526 
0e912095958985483346995414060832
1586264293 
0e622743671155995737639662718498
2302756269 
0e250566888497473798724426794462
2427435592 
0e067696952328669732475498472343
2653531602 
0e877487522341544758028810610885
3293867441 
0e471001201303602543921144570260
3295421201 
0e703870333002232681239618856220
3465814713 
0e258631645650999664521705537122
3524854780 
0e507419062489887827087815735195
3908336290 
0e807624498959190415881248245271
4011627063 
0e485805687034439905938362701775
4775635065 
0e998212089946640967599450361168
4790555361 
0e643442214660994430134492464512
5432453531 
0e512318699085881630861890526097
5579679820 
0e877622011730221803461740184915
5585393579 
0e664357355382305805992765337023
6376552501 
0e165886706997482187870215578015
7124129977 
0e500007361044747804682122060876
7197546197 
0e915188576072469101457315675502
7656486157 
0e451569119711843337267091732412
QLTHNDT 
0e405967825401955372549139051580
QNKCDZO 
0e830400451993494058024219903391
EEIZDOI 
0e782601363539291779881938479162
TUFEPMC 
0e839407194569345277863905212547
UTIPEZQ 
0e382098788231234954670291303879
UYXFLOI 
0e552539585246568817348686838809
IHKFRNS 
0e256160682445802696926137988570
PJNPDWY 
0e291529052894702774557631701704
ABJIHVY 
0e755264355178451322893275696586
DQWRASX 
0e742373665639232907775599582643
DYAXWCA 
0e424759758842488633464374063001
GEGHBXL 
0e248776895502908863709684713578
GGHMVOE 
0e362766013028313274586933780773
GZECLQZ 
0e537612333747236407713628225676
NWWKITQ 
0e763082070976038347657360817689
NOOPCJF 
0e818888003657176127862245791911
MAUXXQC 
0e478478466848439040434801845361
MMHUWUV 
0e701732711630150438129209816536
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156

# 强比较

原理:

强比较如果不用数组绕过,真的需要找到md5值相同的字符串了,好在有工具,比如md5碰撞工具,可以生成一组字符串,md5值相同的字符串

下面直接给出一些可以直接用的字符串

<?php
$s1 = "%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%96%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%b3%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%73%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%69%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%93%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%28%1c%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%b9%05%39%95%ab";
$s2 = "%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%6d%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%27%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%66%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%96%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%b3%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%ef%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%5f%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%f3%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%e9%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%13%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%a8%1b%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%39%05%39%95%ab";
$s3 = "%af%13%76%70%82%a0%a6%58%cb%3e%23%38%c4%c6%db%8b%60%2c%bb%90%68%a0%2d%e9%47%aa%78%49%6e%0a%c0%c0%31%d3%fb%cb%82%25%92%0d%cf%61%67%64%e8%cd%7d%47%ba%0e%5d%1b%9c%1c%5c%cd%07%2d%f7%a8%2d%1d%bc%5e%2c%06%46%3a%0f%2d%4b%e9%20%1d%29%66%a4%e1%8b%7d%0c%f5%ef%97%b6%ee%48%dd%0e%09%aa%e5%4d%6a%5d%6d%75%77%72%cf%47%16%a2%06%72%71%c9%a1%8f%00%f6%9d%ee%54%27%71%be%c8%c3%8f%93%e3%52%73%73%53%a0%5f%69%ef%c3%3b%ea%ee%70%71%ae%2a%21%c8%44%d7%22%87%9f%be%79%ed%c4%61%a4%08%57%02%82%2a%ef%36%95%da%ee%13%bc%fb%7e%a3%59%45%ef%25%67%3c%e0%a7%69%2b%95%77%b8%cd%dc%4f%de%73%24%e8%ab%e6%74%d2%8c%68%06%80%0c%dd%74%ae%31%05%d1%15%7d%c4%5e%bc%0b%0f%21%23%a4%16%7c%17%12%d1%2b%b3%10%b7%37%60%68%d7%cb%35%5a%54%97%08%0d%54%78%49%d0%93%c3%33%fd%1f%0b%35%11%9d%96%1d%ba%64%e0%86%ad%6f%52%98%2d%84%12%77%bb%ab%e8%64%da%a3%65%55%5d%d5%76%55%57%46%6c%89%c9%df%b2%3c%85%97%1e%f6%38%66%c9%17%22%e7%ea%c9%f5%d2%e0%14%d8%35%4f%0a%5c%34%d3%73%a5%98%f7%66%72%aa%43%e3%bd%a2%cd%62%fd%69%1d%34%30%57%52%ab%41%b1%91%65%f2%30%7f%cf%c6%a1%8c%fb%dc%c4%8f%61%a5%93%40%1a%13%d1%09%c5%e0%f7%87%5f%48%e7%d7%b3%62%04%a7%c4%cb%fd%f4%ff%cf%3b%74%28%1c%96%8e%09%73%3a%9b%a6%2f%ed%b7%99%d5%b9%05%39%95%ab";
var_dump(md5(urldecode($s1)));
var_dump(md5(urldecode($s2)));
var_dump(md5(urldecode($s3)));
1
2
3
4
5
6
7

6

除此之外,还可以使用工具生成fastcoll (opens new window),如何使用,这里不赘述了。

对于更多的生成相同md5值文件,字符串,md5长度扩展工具可以参考往期文章md5相关绕过 (opens new window)

# preg_match

preg_match(string $pattern, string $subject) 执行匹配正则表达式

根据函数定义,可以看到需要两个字符串参数,第一个是正则表达式,第二个是待匹配的字符串,如果匹配成功,返回1,否则返回0。

# 数组绕过

原理:

preg_match只能处理字符串,当传入的subject是数组时会返回false

<?php
highlight_file(__FILE__);
$a = $_GET[a];
if(preg_match("/[a-z0-9]/",$a))
	echo "game over";

echo "success";
1
2
3
4
5
6
7

7

# PCRE回溯次数限制

原理:

PHP为了防止正则表达式的拒绝服务攻击(reDOS),给pcre设定了一个回溯次数上限pcre.backtrack_limit。我们可以通过var_dump(ini_get('pcre.backtrack_limit'));的方式查看当前环境下的上限:

8

通过发送超长字符串的方式,使正则执行失败,最后绕过正则对目标的检查限制

非贪婪匹配

<?php
highlight_file(__FILE__);
$a = $_POST[a];
if(preg_match("/.+?phpinfo/",$a))
	echo "game over";

echo "success";
1
2
3
4
5
6
7

使用python生成1000000个a,最后放phpinfo,使正则回溯次数超过限制

9

# 换行绕过

原理:

特殊字符.在正则里来表示除了新行之外的所有字符,利用.不能处理换行绕过正则

<?php
highlight_file(__FILE__);
$a = $_GET[a];
if(preg_match("/.phpinfo/",$a))
	echo "game over";
else
	eval($_GET[a]);
1
2
3
4
5
6
7

10

参考:

最后一次更新于: 2024/10/11, 23:00:23