CTF_Web: Variable overwriting in PHP

2022-06-25 04:30:00 AFCC_

0x00 Preface

Recently I have been sorting out the basic test points in this area; there are probably about 10 items in total. I am still learning too. The plan is to first finish studying the test points I can think of, use these common challenges to relearn the basic PHP functions, and then keep practicing challenges worth 3 points and above, to lay a solid foundation so that whatever I encounter I have my own way of analyzing it, and not just copy write-ups ┭┮﹏┭┮.

0x01 What is variable overwriting

Variable overwriting mostly comes from functions such as parse_str(), extract() and import_request_variables() taking their values from user input. When the user, through one of these functions, assigns a value to a variable that already exists, the variable is overwritten and its previously defined value is changed. Dealing with this requires strictly defining what users may input, or avoiding the functions that have this problem.

0x02 parse_str() function

The Runoob tutorial describes it as follows:

Definition and Usage
The parse_str() function parses a query string into variables.
Note: If the array parameter is not set, the variables set by this function overwrite existing variables of the same name.
Note: The magic_quotes_gpc setting in php.ini affects the output of this function. If it is enabled, the variables are converted by addslashes() before parse_str() parses them.
Syntax
parse_str(string,array)

<?php
parse_str("name=Peter&age=43");
echo $name."<br>";//Peter
echo $age;//43
?>

This seems to do what we want, but what if the user does not supply input as expected? This is a challenge from XMAN 2017:

<meta charset="utf-8">
<?php
error_reporting(0);
if (empty($_GET['b'])) {
    show_source(__FILE__);
    die();
} else {
    $flag = "ook";
    $a = "www.XMAN.com";
    $b = $_GET['b'];
    parse_str($b);
    echo $b,"<br/>";
    var_dump($a);
    echo "<br/>";
    if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
        echo $flag;
    } else {
        exit(' Your answer is wrong 0.0');
    }
}
?>

As the source code shows, after the request supplies b, the value of a[] is changed: b is parsed by parse_str($b), and then a loose md5 comparison is made. The latter part was covered in our previous article; for details see CTF_Web: PHP weak-type bypass and md5 collision.
We focus on how to change the value of a even though the script does not accept a value for a. Here ?b=a[]=240610708 is used to bypass the check.
Output:

a[]=240610708
array(1) { [0]=> string(9) "240610708" }
ook

The value we passed in b was parsed as a[0]=240610708, so a was overwritten and turned into an array.
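
The fix for this pattern, as an added example that is not part of the original post: parse_str() is given its array argument so the parsed pairs never reach the local scope, and only expected keys with plain string values are accepted. handle_query(), the key allow-list and the sample query strings are constructed for illustration.

```php
<?php
// Added example, not from the original post. handle_query(), the key
// allow-list and the sample query strings are constructed for illustration.

function handle_query(string $b): array
{
    $a = "www.XMAN.com";              // server-side value, must stay as set

    // With the second argument the parsed pairs are stored in $params and
    // no variable in this scope is created or replaced.
    $params = [];
    parse_str($b, $params);

    // Accept only expected keys, and only plain strings: "name[]=x" style
    // input turns a value into an array, which is rejected here.
    $expected = ['name', 'age'];
    $clean = [];
    $rejected = [];
    foreach ($params as $key => $value) {
        if (in_array($key, $expected, true) && is_string($value)) {
            $clean[$key] = $value;
        } else {
            $rejected[] = $key;
        }
    }
    return ['a' => $a, 'clean' => $clean, 'rejected' => $rejected];
}

// Constructed inputs: a normal query, the query string from the write-up,
// and an expected key sent as an array.
foreach (['name=Peter&age=43', 'a[]=240610708', 'name[]=Peter'] as $b) {
    $r = handle_query($b);
    echo $b, "\n  a        = ", $r['a'],
         "\n  clean    = ", json_encode($r['clean']),
         "\n  rejected = ", json_encode($r['rejected']), "\n";
}
```

Since PHP 8.0 the array argument is mandatory, so the one-argument call in the challenge code only runs on older versions.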

0x03 extract() function

The Runoob tutorial describes it as follows:

Definition and Usage
The extract() function imports variables from an array into the current symbol table.
This function uses the array keys as variable names and the array values as variable values. For each element in the array, a corresponding variable is created in the current symbol table.
This function returns the number of variables successfully set.
Syntax
extract(array,extract_rules,prefix)
The first parameter is the array to use, the second is the rule for creating variables, and the third is the prefix to add.

1. array: Required. Specifies the array to use.
2. extract_rules: Optional. extract() checks that each key name is a valid variable name and whether it conflicts with an existing variable name in the symbol table. How invalid and conflicting key names are handled is determined by this parameter.
Possible values:
EXTR_OVERWRITE - Default. If there is a conflict, overwrite the existing variable.
EXTR_SKIP - If there is a conflict, do not overwrite the existing variable.
EXTR_PREFIX_SAME - If there is a conflict, prefix the variable name with prefix.
EXTR_PREFIX_ALL - Prefix all variable names with prefix.
EXTR_PREFIX_INVALID - Prefix only invalid or numeric variable names with prefix.
EXTR_IF_EXISTS - Overwrite a variable only if a variable with the same name already exists in the current symbol table. Nothing else is done.
EXTR_PREFIX_IF_EXISTS - Create a prefixed variable name only if a variable with the same name already exists in the current symbol table. Nothing else is done.
EXTR_REFS - Extract variables as references. The imported variable still references the value in the array parameter.
3. prefix: Optional. If extract_rules is EXTR_PREFIX_SAME, EXTR_PREFIX_ALL, EXTR_PREFIX_INVALID or EXTR_PREFIX_IF_EXISTS, prefix is required. This parameter specifies the prefix. An underscore is automatically added between the prefix and the array key name.

That is, when extract() would assign to a variable that already exists, the conflict is handled according to the rule, for example:

<?php
$a = "Original";
$my_array = array("a" => "Cat", "b" => "Dog", "c" => "Horse");
extract($my_array, EXTR_PREFIX_SAME, "dup");
echo "\$a = $a; \$b = $b; \$c = $c; \$dup_a = $dup_a";
?>
Output: $a = Original; $b = Dog; $c = Horse; $dup_a = Cat
Here the conflicting variable is given the prefix dup followed by an underscore.

From this you can guess that the variable overwrite vulnerability actually comes from

EXTR_OVERWRITE - Default. If there is a conflict, overwrite the existing variable.

Variable overwriting occurs when no rule is specified.

<?php
$flag="ook!";
extract($_GET);  
echo $flag;
if($key==$flag)
{
    echo $flag;
}
else
{
    echo'Oh.no';
}
?>

Because $flag is assigned first and extract() is applied to the GET values afterwards, the existing variable is overwritten. If the order were reversed, the user could not control it.
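
How the extract_rules listed above change the outcome for the same input, as an added example that is not part of the original post. $request is a constructed array standing in for $_GET, and the function names and allow-list are hypothetical.

```php
<?php
// Added example, not from the original post. $request is a constructed
// stand-in for $_GET; function names and the allow-list are hypothetical.

$request = ['flag' => 'user-value', 'key' => 'user-value', 'page' => '2'];

function with_overwrite(array $request): string
{
    $flag = "ook!";
    extract($request);                        // default rule: EXTR_OVERWRITE
    return $flag;                             // now holds the request's value
}

function with_skip(array $request): string
{
    $flag = "ook!";
    extract($request, EXTR_SKIP);             // existing $flag is left alone
    return $flag;
}

function with_prefix(array $request): array
{
    $flag = "ook!";
    // Every imported name gets "in_": $in_flag, $in_key, $in_page.
    extract($request, EXTR_PREFIX_ALL, 'in');
    return ['flag' => $flag, 'in_flag' => $in_flag];
}

function with_allowlist(array $request): array
{
    $flag = "ook!";
    // No extract() at all: keep only the keys the script expects and read
    // them from the array.
    $input = array_intersect_key($request, array_flip(['key', 'page']));
    return ['flag' => $flag, 'input' => $input];
}

echo "overwrite: ", with_overwrite($request), "\n";
echo "skip:      ", with_skip($request), "\n";
echo "prefix:    ", json_encode(with_prefix($request)), "\n";
echo "allowlist: ", json_encode(with_allowlist($request)), "\n";
```

EXTR_SKIP only protects names that already exist when extract() runs; a variable such as $key that the script never initialises is still created from the request.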

0x04 import_request_variables() function

The Runoob tutorial explains it as follows:

The import_request_variables() function imports GET/POST/Cookie variables into the global scope. This function is no longer supported in the latest versions of PHP.
If you have disabled register_globals but still want to use some global variables, this function is very useful.
Versions: PHP 4 >= 4.1.0, PHP 5 < 5.4.0
Syntax
bool import_request_variables ( string $types [, string $prefix ] )
Returns a result of type bool.

$types: Specifies the variables to import. The letters G, P and C stand for GET, POST and Cookie respectively. These letters are case insensitive, so any combination of g, p and c can be used. POST includes file information uploaded through the POST method. Note the order of the letters: when gp is used, POST variables overwrite GET variables of the same name. Any letters other than GPC are ignored.
$prefix: The prefix of the variable name, placed before all variables imported into the global scope. So if you have a GET variable called userid and supply pref_ as the prefix, you get a global variable named $pref_userid. Although the prefix parameter is optional, if you do not specify a prefix, or specify an empty string as the prefix, you get an E_NOTICE level error.

<?php
// GET and POST variables are imported here
$a = "abc";
import_request_variables("gP");  // Without a prefix, existing variables are overwritten.
echo $a;
?>

Passing in ?a=1 overwrites the defined value of a.
