Table of contents
15. Anonymous function (create_function):
18. Command execution function:
22. Functions that cannot handle arrays:
24. Addition, subtraction, multiplication and division operators:
1. Normal writing in xml format
Foreword:
All the PHP features in this article were encountered by the author in CTF challenges and in real-world penetration tests. There may be omissions or mistakes; please point them out, thank you!
1. intval():
Format: intval(var, base)
- base: optional; decimal if omitted
- If base is 0, the base used is determined by the format of var (a leading 0 means octal, a leading 0x means hexadecimal)
Some features:
1. Returns the integer value of the variable
For example, 4.2 gives 4
2. When the string contains letters, only the digits before the first letter are taken
For example, 6e123 gives 6
3. If the argument is an arithmetic expression, PHP evaluates it first and correctly treats e as the scientific-notation symbol
For example, intval(1e1+1) = 11
4. Without an arithmetic expression, only the number before e is taken; e is not treated as scientific notation
See point 2
5. When the argument is not a numeric string, it always returns 0
For example:
intval('a') == 0
intval('.') == 0
intval('/') == 0
A loose comparison between 0 and such a string evaluates to true; see the loose comparison table below for details
6. A non-empty array returns 1, an empty array returns 0
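The points above, as an added example that is not part of the original post: intval() on the inputs discussed, next to a strict integer check (filter_var with FILTER_VALIDATE_INT, a standard PHP filter) that a defender would use in place of a loose comparison. The sample inputs are constructed.

```php
<?php
// Added example (not from the original post): intval() on the inputs discussed
// above, next to a strict integer check a defender would use instead.

// Returns the integer only when the whole string is a plain decimal integer,
// otherwise null. FILTER_VALIDATE_INT rejects "4.2", "6e123", "a", "" and arrays.
function strictInt($value): ?int
{
    if (is_int($value)) {
        return $value;
    }
    if (!is_string($value)) {
        return null;                        // arrays and other types never pass
    }
    $result = filter_var($value, FILTER_VALIDATE_INT);
    return $result === false ? null : $result;
}

// Constructed inputs covering points 1, 2, 5 and 6 above
$samples = ['4.2', '6e123', 'a', '.', '/', '0x1A', '', [1, 2], []];

foreach ($samples as $input) {
    $label  = is_array($input) ? 'array(' . count($input) . ')' : var_export($input, true);
    $strict = strictInt($input);
    printf("%-10s intval=%-4s strictInt=%s\n",
        $label,
        var_export(intval($input), true),
        $strict === null ? 'rejected' : (string) $strict);
}

// The loose comparison behind point 5: before PHP 8, 0 == 'a' is true, so a
// check such as `if ($id == 0)` passes for any non-numeric string; === does not.
var_dump(0 == 'a');
var_dump(0 === 'a');

// Caveat: since PHP 7.1, intval() on a string such as '6e123' honours the
// scientific notation, so point 2 describes the behaviour of earlier versions.
```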
2. __wakeup():
Called immediately after unserialize()
Bypass: if the property count declared in the serialized string is larger than the real number of properties, __wakeup() is not executed
3. strcmp():
Format: strcmp(str1, str2)
Return value:
- 0 if the two strings are equal
- <0 if str1 is less than str2
- >0 if str1 is greater than str2
strcmp() compares strings. If a value of another type is forced in, an error occurs, and the return value after the error is 0; this is exactly what the bypass relies on
For example: pass in an array, str1[]=666
Only PHP 5.3 has this vulnerability
4. assert():
The string read in is executed as PHP code, without quotation marks at the end
5. eval():
The string read in is executed as PHP code, with quotation marks at the end
6. include():
File inclusion vulnerability: the PHP source code that is read in gets executed
Feature: the target file is included correctly even if the leading directory in the path does not exist
For example: hint.php?/../../../flag.php
The directory hint.php? does not exist, but the path still climbs up to the fourth-level directory and includes flag.php
Common file inclusion functions:
include_once()
Same as include(), except that if the same file is included repeatedly it is only included once
require()
The difference between require() and include() is that if an error occurs while require() executes, it outputs an error message and terminates the script
require_once()
Same as require(), except that if the same file is included repeatedly it is only included once
7. readfile():
Reads a file and writes it to the output buffer
Feature: the target file is read correctly even if the leading directory in the path does not exist
For example: hint.php?/../../../flag.php
Same behaviour as include()
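A defensive counterpart to points 6 and 7, as an added example that is not part of the original post: a user-supplied file name is resolved with realpath() inside a fixed directory before include() or readfile() sees it, so traversal through a nonexistent "hint.php?" directory is rejected. The temporary directory, the file about.php and the sample inputs are constructed.

```php
<?php
// Added example (not from the original post): resolve a user-supplied file name
// inside a fixed directory before include()/readfile(), so ".." segments and
// nonexistent leading directories such as "hint.php?/.." cannot escape it.
declare(strict_types=1);

// Returns the canonical path if $name resolves to a regular file below $baseDir,
// otherwise null. realpath() collapses ".." and fails when a path component does
// not exist, so the fake "hint.php?" directory is rejected outright.
function safeFilePath(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || strpos($name, "\0") !== false) {
        return null;
    }
    $real = realpath($base . DIRECTORY_SEPARATOR . $name);
    if ($real === false || !is_file($real)) {
        return null;
    }
    // Prefix check including the separator, so "/pages2/x" does not pass for "/pages"
    $prefix = $base . DIRECTORY_SEPARATOR;
    return strncmp($real, $prefix, strlen($prefix)) === 0 ? $real : null;
}

// Constructed fixture: a temporary directory holding one includable page
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_' . getmypid();
mkdir($dir);
file_put_contents($dir . DIRECTORY_SEPARATOR . 'about.php', '<?php echo "about", PHP_EOL;');

// Constructed inputs: one legitimate page followed by traversal attempts
foreach (['about.php', 'hint.php?/../../../flag.php', '../../../etc/passwd'] as $name) {
    $path = safeFilePath($dir, $name);
    printf("%-28s %s\n", $name, $path === null ? 'rejected' : 'ok: ' . $path);
    if ($path !== null) {
        include $path;                 // only an already-resolved path is ever included
    }
}

unlink($dir . DIRECTORY_SEPARATOR . 'about.php');
rmdir($dir);
```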
8. call_user_func():
Callback function: in call_user_func(a, b, ...), a is the name of the function to execute and the remaining arguments are passed to a; they can be omitted
The return value is the result of calling a with those arguments
The function also accepts an array, which calls a static method of a class
For example:
call_user_func($array);
calls the say_hello method of the class classname, where
$array[0] = $classname   the class name
$array[1] = say_hello    the static method say_hello()
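The [class, method] array form described above, as an added example that is not part of the original post, wrapped in an allowlist so that a request can only reach the listed static methods. The class Greeter, its methods and the action names are constructed.

```php
<?php
// Added example (not from the original post): the [class, method] array form of
// call_user_func() described above, behind an allowlist so a request can only
// reach the listed static methods. Class, methods and actions are constructed.
declare(strict_types=1);

class Greeter
{
    public static function say_hello(string $who): string { return "hello, $who"; }
    public static function say_bye(string $who): string { return "bye, $who"; }
}

// Maps request actions to fixed callables; anything not listed is refused, so
// the caller cannot name a function such as system() or an arbitrary class.
function dispatch(string $action, string $arg): string
{
    $allowed = [
        'hello' => [Greeter::class, 'say_hello'],   // same shape as $array[0], $array[1] above
        'bye'   => [Greeter::class, 'say_bye'],
    ];
    if (!isset($allowed[$action])) {
        return 'refused: ' . $action;
    }
    return call_user_func($allowed[$action], $arg);
}

// Constructed request values; the last two may well be callable but are not allowed
foreach (['hello', 'bye', 'system', 'Greeter::say_hello'] as $action) {
    echo dispatch($action, 'Peter'), "\n";
}
// is_callable() alone is not a defence here: is_callable('system') is true.
```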
9. trim():
This function removes the following characters:
- "\0" - NULL
- "\t" - tab
- "\n" - new line
- "\x0B" - vertical tab
- "\r" - carriage return
- " " - space
But it does not remove the form feed character \f, whose ASCII value is 12 and whose URL encoding is %0c
10. is_numeric():
Determines whether a variable is a pure number, but non-printing characters (such as \f or \n) at the start of the variable are still accepted, so the value is still recognized as a number
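Points 9 and 10 side by side, as an added example that is not part of the original post: which control characters trim() strips, that is_numeric() accepts a leading form feed or newline, and a digits-only check that accepts neither. The inputs and the helper names are constructed.

```php
<?php
// Added example (not from the original post): which control characters trim()
// strips, that is_numeric() accepts a leading form feed or newline, and a
// stricter digits-only check that accepts neither. Inputs are constructed.
declare(strict_types=1);

// True only for a string made entirely of ASCII digits. The D modifier keeps $
// from matching before a trailing newline, which plain /^\d+$/ would allow.
function isPureDigits(string $s): bool
{
    return preg_match('/^[0-9]+$/D', $s) === 1;
}

// Makes control characters visible in the console output
function show(string $s): string
{
    return str_replace(["\f", "\n", "\t", "\r", "\x0B"], ['\f', '\n', '\t', '\r', '\v'], $s);
}

$inputs = ["\n123", "\t123", "\f123", "123\f", "123\n", " 123", "123"];

printf("%-8s %-8s %-10s %s\n", 'raw', 'trim()', 'is_numeric', 'isPureDigits');
foreach ($inputs as $in) {
    printf("%-8s %-8s %-10s %s\n",
        show($in),
        show(trim($in)),
        is_numeric($in) ? 'true' : 'false',
        isPureDigits($in) ? 'true' : 'false');
}
// Validate the exact bytes you will later compare or interpolate, not a trimmed
// copy, and prefer an explicit pattern over is_numeric() when "digits only" is meant.
```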
11. extract():
Converts the keys and values of an array into variable names and variables; if a name conflicts, the existing variable is overwritten
Example:
<?php
$a = "Original";
$my_array = array("a" => "Cat","b" => "Dog", "c" => "Horse");
extract($my_array);
echo "\$a = $a; \$b = $b; \$c = $c";
?>
// Output: $a = Cat; $b = Dog; $c = Horse
12. parse_str():
Parses a query string (such as name=Peter&age=43) into variables
Format: parse_str(string, array)
array is optional (it names the array the variables are stored in; when given, the variables go into that array)
If the array parameter is not set, an existing variable with the same name is overwritten
For example:
<?php
parse_str("name=Peter&age=43");
echo $name."<br>";
echo $age;
?>
// Output: Peter
// 43
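The overwrite risk of points 11 and 12, as an added example that is not part of the original post: the one-argument parse_str() and plain extract() beside the forms that keep request data out of the local scope, plus the name normalisation the post describes under point 21 as it applies to parse_str(). The query strings and the $isAdmin/$role flags are constructed.

```php
<?php
// Added example (not from the original post): the variable-overwrite risk of
// extract() and parse_str() beside the forms that contain it. The query string
// and the $isAdmin / $role flags are constructed.
$query = 'name=Peter&age=43&isAdmin=1';     // stands in for $_SERVER['QUERY_STRING']

// Unsafe: the one-argument form writes straight into the current scope, so the
// request overwrites $isAdmin (this form was removed in PHP 8.0).
function unsafeLogin(string $query): string
{
    $isAdmin = false;
    parse_str($query);
    return $isAdmin ? 'admin' : 'user';
}

// Safe: parse into an array and read only the keys you expect
function safeLogin(string $query): string
{
    $isAdmin = false;
    parse_str($query, $params);
    $name = $params['name'] ?? '';
    return ($isAdmin ? 'admin' : 'user') . ' (' . $name . ')';
}

// Same contrast for extract(): EXTR_SKIP keeps existing variables,
// EXTR_PREFIX_ALL avoids collisions entirely
function extractDemo(array $input): array
{
    $role = 'guest';
    extract($input, EXTR_SKIP);               // $role stays 'guest'
    extract($input, EXTR_PREFIX_ALL, 'in');   // defines $in_role and $in_name
    return ['role' => $role, 'in_role' => $in_role ?? null, 'in_name' => $in_name ?? null];
}

if (PHP_VERSION_ID < 80000) {
    echo unsafeLogin($query), "\n";
}
echo safeLogin($query), "\n";
print_r(extractDemo(['role' => 'admin', 'name' => 'Peter']));

// The name normalisation described under point 21 also applies to parse_str():
// spaces and dots become "_", and an unmatched "[" becomes "_" with the rest kept
parse_str('CTF[SHOW.COM=1&a.b=2&c d=3', $keys);
print_r(array_keys($keys));
```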
13. get_defined_vars():
Returns an array of all defined variables
Can be combined with var_dump()
14. gettext():
gettext() works as follows: before translation, the text strings to be translated are marked with gettext(), and the translation matching the language of the environment is output. This function can be used as filler (a no-op wrapper around a value)
_() is an alias of gettext(). Once the relevant settings are enabled, _("666") is equivalent to gettext("666")
<?php
echo gettext(666); // outputs 666
echo "\n";
echo _("666"); // outputs 666
?>
15. Anonymous function (create_function):
The default namespace in PHP is \, and all native functions and classes live in this namespace
To call this function, prefix it with a backslash: \create_function()
The generated function has roughly this structure:
function fT(,$a) {
echo "test".$a;
}
The first argument does not have to be supplied, and a second argument can be added, which can be used to construct a closure
This function has been deprecated since PHP 7.2
16. $_SERVER['argv']:
1. In CLI mode (command line)
The first element, $_SERVER['argv'][0], is the script name; the rest are the arguments passed to the script
2. In web mode
In web mode the register_argc_argv option must be enabled in php.ini
Set register_argc_argv = On (the default is Off) and restart the server; only then does $_SERVER['argv'] take effect
In that case $_SERVER['argv'][0] = $_SERVER['QUERY_STRING'], i.e. everything after the question mark in the URL
$argv and $argc are not available in web mode
17. Hash functions:
Hash functions (sha1, md5, etc.) cannot handle arrays; given an array they return NULL, which can be used against a === strict comparison
18. Command execution functions:
With output (echo):
system()
passthru()
Without output:
exec()
shell_exec() or `` backticks
For the functions without output you have to add echo yourself; exec() only returns the last line of the output, shell_exec() returns the complete output
If the challenge gives no output at all, use curl to send the contents of flag.php out
19. Global variables:
$GLOBALS: all defined variables are stored in this array
var_dump($GLOBALS) shows all variable information
20. Auto increment bypass:
payload:
code=$=(/.);$=$[''!=''];$%ff=%2b%2b$;$%ff=%2b%2b$.$%ff;$%2b%2b;$%2b%2b;$%ff.=%2b%2b$;$%ff.=%2b%2b$;$=.$%ff;$$_;&=system&__=cat /flag
21. Illegal variable names:
PHP variable names consist of digits, letters and underscores. In variable names passed via GET or POST, spaces, +, . and [ are automatically converted to _
There is a special case: when passing parameters via GET or POST, a [ in the variable name is also replaced with _, but the characters after it are left unchanged
For example, CTF[SHOW.COM becomes CTF_SHOW.COM
22. Functions that cannot handle arrays:
md5() returns NULL
sha1() returns NULL
preg_match() returns false
intval() returns 1 for a non-empty array, 0 for an empty one
stripos() returns NULL
strcmp() returns 0
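The array behaviour listed here and under points 3 and 17, as an added example that is not part of the original post: each function is called with an array, then a weak hash comparison of the kind the post targets is shown beside a guarded version. The probe() helper and the sample values are constructed; results differ between PHP 7 (warning plus NULL) and PHP 8 (TypeError).

```php
<?php
// Added example (not from the original post): what the functions listed above
// (and under points 3 and 17) return for array input, the kind of check that
// turns this into a bypass, and a guard that closes it. Written without
// strict_types on purpose, since strict mode changes how internal functions
// react to a wrong argument type.

// Calls $fn, which passes an array where a string is expected, and reports the
// result: PHP 7 emits a warning and returns NULL, PHP 8 throws a TypeError.
function probe(string $label, callable $fn): string
{
    try {
        $r = @$fn();
        return sprintf('%-22s %s', $label, var_export($r, true));
    } catch (\TypeError $e) {
        return sprintf('%-22s TypeError', $label);
    }
}

$arr = ['666'];                                   // constructed input, like str1[]=666
echo probe('md5(array)',          fn() => md5($arr)), "\n";
echo probe('sha1(array)',         fn() => sha1($arr)), "\n";
echo probe('strcmp(array, str)',  fn() => strcmp($arr, '666')), "\n";
echo probe('preg_match(array)',   fn() => preg_match('/^6+$/', $arr)), "\n";
echo probe('stripos(array, str)', fn() => stripos($arr, '6')), "\n";
echo probe('intval(array)',       fn() => intval($arr)), "\n";

// Weak check of the kind the post targets: two different arrays both hash to
// NULL on PHP 7, so NULL === NULL passes even though $a !== $b.
function weakHashCompare($a, $b): bool
{
    return $a !== $b && @sha1($a) === @sha1($b);
}

// Hardened: require strings first, so sha1() always yields a digest, and
// compare the digests with hash_equals() instead of ==.
function strongHashCompare($a, $b): bool
{
    return is_string($a) && is_string($b) && $a !== $b && hash_equals(sha1($a), sha1($b));
}

try {
    echo 'weak:   ', var_export(weakHashCompare(['1'], ['2']), true), "\n";
} catch (\TypeError $e) {
    echo "weak:   TypeError (PHP 8 refuses the array)\n";
}
echo 'strong: ', var_export(strongHashCompare(['1'], ['2']), true), "\n";
```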
23. Operators around a function call:
In PHP, numbers can be combined with a function call through arithmetic operators without affecting whether the call runs
The bitwise operator | or the ternary operator can be used in the same way
24. Addition, subtraction, multiplication and division operators:
<?php
$v1=1;
$v2=3;
$v3=-phpinfo();+   // this value is submitted URL-encoded
$code = eval("return $v1$v3$v2;");
echo "$v1$v3$v2 = ".$code;
?>
25. Bitwise operators:
<?php
$v1=1;
$v2=3;
$v3=|phpinfo();|   // this value is submitted URL-encoded
$code = eval("return $v1$v3$v2;");
echo "$v1$v3$v2 = ".$code;
?>
26. Ternary operator:
<?php
$v1=1;
$v2=?phpinfo():;
$v3=1;
eval("return $v1$v2$v3;");
?>
27. Ways of writing PHP code:
1. Normal writing, XML style
<?php
echo '1111';
?>
2. Short tags
<?
echo '1111';
?>
<?= // equivalent to <? echo
?>
Only available when the short_open_tag directive in php.ini is turned on, or when PHP was compiled with the --enable-short-tags option. Since PHP 5.4 the short echo tag <?= is always recognized and valid, regardless of the short_open_tag setting
3. ASP-style writing
<%
echo '1111';
%>
(Note: this style is disabled by default in the PHP configuration. To get output you must edit php.ini: find asp_tags=off and change off to on, then restart Apache.) It was removed in PHP 7
4. Long tag style
<script language="php">
</script>
Removed in PHP 7
28. Loose comparison: