PHP GET 变量数组注入
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/1885979/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
PHP GET variable array injection
提问by dave
I've recently learned that it's possible to inject arrays into PHP GET variables to perform code execution?
我最近了解到可以将数组注入 PHP GET 变量以执行代码?
.php?a[]=asd&a[]=asdasd&b[]=$a
.php?a[]=asd&a[]=asdasd&b[]=$a
That was the example I was given. I have no idea how it works and was wondering if this is even possible?
这就是我得到的例子。我不知道它是如何工作的,想知道这是否可能?
回答by Pascal MARTIN
PHP will parse the query string, and inject those values in the $_GETsuper-global array (same for $_POSTif this was done in a form using POST, btw).
PHP 将解析查询字符串,并将这些值注入到$_GET超级全局数组中(对于$_POST使用 POST 以表单完成的操作也是如此,顺便说一句)。
In your case, the $_GETarray will contain this :
在您的情况下,该$_GET数组将包含以下内容:
array
'a' =>
array
0 => string 'asd' (length=3)
1 => string 'asdasd' (length=6)
'b' =>
array
0 => string '$a' (length=2)
Each value passed in the query string will be put by PHP in the $_GETarray, creating sub-arrays if necessary, when there are []used in the query string.
查询字符串中传递的每个值都将由 PHP 放入$_GET数组中,如果需要,[]在查询字符串中使用时创建子数组。
But this doesn't cause any kind of "code execution" : as long as you deal with input properly (i.e. don't trust the input and use evalon it, or any kind of bad idea like this), there is no risk of code-injection.
但这不会导致任何类型的“代码执行”:只要您正确处理输入(即不信任输入并eval在其上使用,或任何类似的坏主意),就没有风险代码注入。
回答by Sarfraz
If you are not sure how to get secure, the least you can do is to filter the $_GET array. Here is the function:
如果您不确定如何确保安全,您至少可以过滤 $_GET 数组。这是函数:
function filter_url($url)
{
if (is_array($url))
{
foreach ($url as $key => $value)
{
// recurssion
$url[$key] = filter_url($value);
}
return $url;
}
else
{
// remove everything except for a-zA-Z0-9_.-&=
$url = preg_replace('/[^a-zA-Z0-9_\.\-&=]/', '', $url);
return $url;
}
}
Now you can filter the $_GET like this:
现在你可以像这样过滤 $_GET :
$_GET = filter_url($_GET);
This will essentially clean up your $_GET array from suspicious characters such as [ ].
这将从本质上清除 $_GET 数组中的可疑字符,例如 []。
Thanks
谢谢
回答by Mike
I think he is talking about something evaluating differently when passed an array
我认为他在谈论传递数组时评估不同的东西
strcasecmp( $_GET['password'], $password ) == 0 ){echo($secret);}`
If you pass an empty array into strcasecmp it will evaluate to true for whatever reason.
strcasecmp( $_GET['password'], $password ) == 0 ){echo($secret);}` 如果您将一个空数组传递给 strcasecmp,无论出于何种原因,它都会评估为 true。
IE: index.php?password=[]
IE: index.php?password=[]
回答by Jani Hartikainen
The above does not strictly allow code execution, but it may alter the control flow of your existing code if it does not take into account the fact the data may be an array.
以上并没有严格允许代码执行,但如果不考虑数据可能是数组的事实,它可能会改变现有代码的控制流。
The reason the above works is because PHP interprets variables ending in [] as arrays. So if you provide multiple GET variables with same name ending in [], PHP creates an array containing all the values.
上述工作的原因是因为 PHP 将以 [] 结尾的变量解释为数组。因此,如果您提供多个以 [] 结尾的相同名称的 GET 变量,PHP 将创建一个包含所有值的数组。
回答by Josh Davis
Long story short: no code execution. Otherwise, don't you think somebody would have hacked Facebook already? :)
长话短说:没有代码执行。否则,你不认为有人已经入侵了 Facebook 吗?:)
I think the person who told you that was confused about some other bugs that used deep array nesting to trigger a buffer overflow/double free/some other hack vector, that could theorically be used to execute some code. Those are software bugs as you can see everyday in many popular software. They usually get patched quickly.
我认为告诉你的人对使用深度数组嵌套触发缓冲区溢出/双释放/其他一些黑客向量的其他一些错误感到困惑,理论上可以用来执行一些代码。这些是您在许多流行软件中每天都能看到的软件错误。他们通常会很快得到修补。
You might find more info at http://www.suspekt.org/
您可能会在http://www.suspekt.org/ 上找到更多信息
回答by Ben Rowe
echo $_GET['a'][0]; //prints "asd"
echo $_GET['a'][1]; //prints "asdasd"
echo $_GET['b'][0]; //prints "$a"
回答by Joel L
It seems like you misunderstood something.
你好像误会了什么。
The above example simply creates an array like
上面的例子只是简单地创建了一个数组
Array (
[a] => Array (
[0] => asd
[1] => asdasd
)
[b] => Array ( [0] => $a )
)
This is documented and works exactly as intended.
这是记录在案的,并且完全按预期工作。
回答by user229321
Someone lied to you, you won't execute anything with that, you'll just send an array instead of a plain variable.
有人骗你,你不会用它执行任何事情,你只会发送一个数组而不是一个普通的变量。
try this code
试试这个代码
<?php
$x = $_GET['x'];
var_dump($x);
?>
and access it using ?x=1 and then ?x[a]=1&x[b]=2 it's expected behavior, not injection and you can't run any code with it.
并使用 ?x=1 访问它,然后使用 ?x[a]=1&x[b]=2 这是预期的行为,而不是注入,你不能用它运行任何代码。
回答by Alupotha
your url want to be like that
你的网址想要这样
www.mysite.com/page.php?name=john
www.mysite.com/page.php?姓名=约翰
but you want to prevent insert something like this
但你想防止插入这样的东西
www.mysite.com/page.php?name[]=john
www.mysite.com/page.php?姓名[]=约翰
solution:
解决方案:
<?php
$myname = is_array($_GET['name'])? "invalid" : $_GET['name'] ;
echo $myname;
?>
