PHP弱类型漏洞学习

欧成文 發表於 2020-2-23 12:29:00

<p style="font-weight: bold; color: rgba(255, 255, 255, 1); font-family: 微软雅黑, 宋体, 黑体, Arial; min-height: 25px; line-height: 25px; opacity: 0.8; background: rgba(0, 221, 221, 1); border-radius: 6px; padding: 8px; border: 1px dashed rgba(0, 221, 221, 1); margin: 18px 5px !important">简介
PHP在使用双等号(==)判断的时候，不会严格检验传入的变量类型,同时在执行过程中可以将变量自由地进行转换类型。由于弱数据类型的特点，在使用双等号和一些函数时，会造成一定的安全隐患
eg:
<div class="cnblogs_code">
<pre><?php
var_dump("admin"==0);//true
var_dump("1admin"==1); //true
var_dump("admin1"==1); //false
var_dump("admin1"==0); //true
var_dump("0e123456"=="0e4456789"); //true 
?></pre>
</div>
== 在进行比较的时候，会先将字符串类型转化成相同，再比较
=== 在进行比较的时候，会先判断两种字符串的类型是否相等，再比较
<p style="font-weight: bold; color: rgba(255, 255, 255, 1); font-family: 微软雅黑, 宋体, 黑体, Arial; min-height: 25px; line-height: 25px; opacity: 0.8; background: rgba(0, 221, 221, 1); border-radius: 6px; padding: 8px; border: 1px dashed rgba(0, 221, 221, 1); margin: 18px 5px !important">Hash比较缺陷
研发人员在对比Hash2字符串的时候常常用到等于、不等于(!=)进行比较。如果Hash值以0e开头，后面都是数字，当与数字进行比较时，就会被解析成0x10n,会被判与0相等，攻击者可以绕过某些系统逻辑
PHP在处理哈希字符串时，会利用”!=”或”==”来对哈希值进行比较，它把每一个以”0E”开头的哈希值都解释为0，所以如果两个不同的密码经过哈希以后，其哈希值都是以”0E”开头的，那么PHP将会认为他们相同，都是0。
攻击者可以利用这一漏洞，通过输入一个经过哈希后以”0E”开头的字符串，即会被PHP解释为0，如果数据库中存在这种哈希值以”0E”开头的密码的话，他就可以以这个用户的身份登录进去，尽管并没有真正的密码。
<div class="cnblogs_code">
<pre><?php
var_dump("0e123456789012345678901234567890"==="0"); //false
var_dump("0e123456789012345678901234567890"=="0"); //true
?></pre>
</div>
加密后为0E的字符
<div class="cnblogs_code"><img id="code_img_closed_bceba16b-a22c-4f83-a2ff-1adbcc76c78f" class="code_img_closed" src="https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif" alt=""><img id="code_img_opened_bceba16b-a22c-4f83-a2ff-1adbcc76c78f" class="code_img_opened" style="display: none" src="https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif" alt="">
<div id="cnblogs_code_open_bceba16b-a22c-4f83-a2ff-1adbcc76c78f" class="cnblogs_code_hide">
<pre>QNKCDZO
0e830400451993494058024219903391

s878926199a
0e545993274517709034328855841020

s155964671a
0e342768416822451524974117254469

s214587387a
0e848240448830537924465865611904

s214587387a
0e848240448830537924465865611904

s878926199a
0e545993274517709034328855841020

s1091221200a
0e940624217856561557816327384675

s1885207154a
0e509367213418206700842008763514

s1502113478a
0e861580163291561247404381396064

s1885207154a
0e509367213418206700842008763514

s1836677006a
0e481036490867661113260034900752

s155964671a
0e342768416822451524974117254469

s1184209335a
0e072485820392773389523109082030

s1665632922a
0e731198061491163073197128363787

s1502113478a
0e861580163291561247404381396064

s1836677006a
0e481036490867661113260034900752

s1091221200a
0e940624217856561557816327384675

s155964671a
0e342768416822451524974117254469

s1502113478a
0e861580163291561247404381396064

s155964671a
0e342768416822451524974117254469

s1665632922a
0e731198061491163073197128363787

s155964671a
0e342768416822451524974117254469</pre>
</div>
View Code</div>
 CTF例题
<div class="cnblogs_code">
<pre><?php
$pass=$_GET['password'];
$password='0e342768416822451524974117254469';

if (md5($pass)==$password) {
echo "flag{xx-xx-xxxx-xiaohua}";
}else{
echo "error";
}

?></pre>
</div>
payload:
<div class="cnblogs_code">
<pre>http://127.0.0.1/index.php?password=s1885207154a</pre>
</div>
<img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200225142248163-2044994914.png" alt="" width="247" height="144">
预防方案 :
PHP5.6以上使用hash_equals()函数比较Hash值，可以避免对比恶意绕过
低于5.6可用可以实现的函数解决
参考学习:https://www.freebuf.com/news/67007.html
<p style="font-weight: bold; color: rgba(255, 255, 255, 1); font-family: 微软雅黑, 宋体, 黑体, Arial; min-height: 25px; line-height: 25px; opacity: 0.8; background: rgba(0, 221, 221, 1); border-radius: 6px; padding: 8px; border: 1px dashed rgba(0, 221, 221, 1); margin: 18px 5px !important">bool比较缺陷
在使用json_decode()函数或使用unserialize()函数时，部分结构被解释成bool类型，也会造成缺陷。
json_decode漏洞代码:
<div class="cnblogs_code"><img id="code_img_closed_7537f317-41b2-4ff6-88cb-99ebcfaab4c1" class="code_img_closed" src="https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif" alt=""><img id="code_img_opened_7537f317-41b2-4ff6-88cb-99ebcfaab4c1" class="code_img_opened" style="display: none" src="https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif" alt="">
<div id="cnblogs_code_open_7537f317-41b2-4ff6-88cb-99ebcfaab4c1" class="cnblogs_code_hide">
<pre><?php
$str='{"user":true,"pass":true}';
$data=json_decode($str,true);

if($data['user']=='root' && $data['pass']=='myPass'){
print_r('登陆成功获得flag{xx-ssss-xiaohua}');
}else{
print_r('登陆失败！');
}</pre>
</div>
View Code</div>
<img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200225144029323-1907404339.png" alt="" width="494" height="295">
unserialize漏洞代码:
<div class="cnblogs_code"><img id="code_img_closed_d43211d0-139e-4910-aaa9-7086a88aebf6" class="code_img_closed" src="https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif" alt=""><img id="code_img_opened_d43211d0-139e-4910-aaa9-7086a88aebf6" class="code_img_opened" style="display: none" src="https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif" alt="">
<div id="cnblogs_code_open_d43211d0-139e-4910-aaa9-7086a88aebf6" class="cnblogs_code_hide">
<pre><?php
$str='a:2:{s:4:"user";b:1;s:4:"pass";b:1;}';
$data=unserialize($str);

if($data['user']=='root' && $data['pass']=='myPass'){
print_r('登陆成功获得flag{xx-ssss-xiaohua}');
}else{
print_r('登陆失败！');
}
?></pre>
</div>
View Code</div>
<img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200225144343876-1638637953.png" alt="" width="507" height="313">
 避免bool比较可以使用三个等号作比较即可。
<p style="font-weight: bold; color: rgba(255, 255, 255, 1); font-family: 微软雅黑, 宋体, 黑体, Arial; min-height: 25px; line-height: 25px; opacity: 0.8; background: rgba(0, 221, 221, 1); border-radius: 6px; padding: 8px; border: 1px dashed rgba(0, 221, 221, 1); margin: 18px 5px !important">数字转换比较缺陷
当赋值给PHP变量的整型超过PHP的最大值PHP_INT_MAX时，PHP将无法计算出正确的结果，攻击者可能会利用其跳过某些校验逻辑，如密码校验、账号充值校验等
<div class="cnblogs_code"><img id="code_img_closed_64930d9c-0359-49cb-864f-bc7f224cb5d0" class="code_img_closed" src="https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif" alt=""><img id="code_img_opened_64930d9c-0359-49cb-864f-bc7f224cb5d0" class="code_img_opened" style="display: none" src="https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif" alt="">
<div id="cnblogs_code_open_64930d9c-0359-49cb-864f-bc7f224cb5d0" class="cnblogs_code_hide">
<pre><?php
$a=98869694308861098395599991222222222222;
$b=98869694308861098395599992999999999999;

var_dump($a===$b);

?></pre>
</div>
View Code</div>
<img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200225151047413-1233475376.png" alt="" width="357" height="215">
 再实际的业务逻辑中，一定要对最大值进行限制，避免数据越界而导致错误的执行结果。
<p style="font-weight: bold; color: rgba(255, 255, 255, 1); font-family: 微软雅黑, 宋体, 黑体, Arial; min-height: 25px; line-height: 25px; opacity: 0.8; background: rgba(0, 221, 221, 1); border-radius: 6px; padding: 8px; border: 1px dashed rgba(0, 221, 221, 1); margin: 18px 5px !important">switch比较缺陷
当再switch中使用case判断数字时，switch会将其中的参数转换为int类型进行计算
<div class="cnblogs_code"><img id="code_img_closed_0921fb60-bc0a-40ab-83b4-01aae07fd190" class="code_img_closed" src="https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif" alt=""><img id="code_img_opened_0921fb60-bc0a-40ab-83b4-01aae07fd190" class="code_img_opened" style="display: none" src="https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif" alt="">
<div id="cnblogs_code_open_0921fb60-bc0a-40ab-83b4-01aae07fd190" class="cnblogs_code_hide">
<pre><?php
$num='2xiaohua';
switch($num){
case 0:echo '000000';
break;
case 1:echo '1111';
break;
case 2:echo '2222222';
break;
case 3:echo '333333';
}

?>

　　</pre>
</div>
View Code</div>
 
<img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200225152526465-1781218476.png" alt="" width="349" height="310">
 最终输出2222  
<p style="font-weight: bold; color: rgba(255, 255, 255, 1); font-family: 微软雅黑, 宋体, 黑体, Arial; min-height: 25px; line-height: 25px; opacity: 0.8; background: rgba(0, 221, 221, 1); border-radius: 6px; padding: 8px; border: 1px dashed rgba(0, 221, 221, 1); margin: 18px 5px !important">数组比较缺陷
当使用in_array()或array_search()函数时，如果$strict参数吗有设置为true，则in_array()或array_search()将使用松散来判断$needle是否存在$haystack中
<div class="cnblogs_code">
<pre>bool in_array ( mixed $needle , array $haystack [, bool $strict = FALSE ] )//strict默认为false
miixedarray_search( mixed $needle , array $haystack [, bool $strict = FALSE ] )//strict默认为false</pre>
</div>
漏洞代码:
<div class="cnblogs_code"><img id="code_img_closed_ba5db4e1-efc5-4496-81ca-88549d41fb8b" class="code_img_closed" src="https://images.cnblogs.com/OutliningIndicators/ContractedBlock.gif" alt=""><img id="code_img_opened_ba5db4e1-efc5-4496-81ca-88549d41fb8b" class="code_img_opened" style="display: none" src="https://images.cnblogs.com/OutliningIndicators/ExpandedBlockStart.gif" alt="">
<div id="cnblogs_code_open_ba5db4e1-efc5-4496-81ca-88549d41fb8b" class="cnblogs_code_hide">
<pre><?php
$array=;
var_dump(in_array('abc',$array));
var_dump(array_search('abc',$array));

?></pre>
</div>
View Code</div>
 
<img src="https://img2018.cnblogs.com/i-beta/967964/202002/967964-20200225153819628-1009649966.png" alt="" width="434" height="277">
 
 
 
<p style="font-weight: bold; color: rgba(255, 255, 255, 1); font-family: 微软雅黑, 宋体, 黑体, Arial; min-height: 25px; line-height: 25px; opacity: 0.8; background: rgba(0, 221, 221, 1); border-radius: 6px; padding: 8px; border: 1px dashed rgba(0, 221, 221, 1); margin: 18px 5px !important">2222
参考学习:《php安全之道》 
来源：https://www.cnblogs.com/xhds/p/12349189.html

頁: [1]

琼殿技术论坛's Archiver

PHP弱类型漏洞学习