php intval()函数漏洞,is_numeric() 漏洞,绕过回文判断

Intval函数获取变量整数数值

Intval最大的值取决于操作系统。
32 位系统最大带符号的 integer 范围是 -2147483648 到 2147483647。
32位系统上, intval(‘1000000000000’) 会返回 2147483647。
64 位系统上,最大带符号的 integer 值是 9223372036854775807。

所以如果参数为2147483647,那么当它反过来(就是字面意思),由于超出了限制,所以依然等于2147483647,即为回文。

is_numeric() 判断变量是否为数字或数字字符串,不仅检查10进制,16进制是可以

is_numeric函数对于空字符%00,无论是%00放在前后都可以判断为非数值,而%20空格字符只能放在数值后。

所以,查看函数发现该函数对对于第一个空格字符会跳过空格字符判断,接着后面的判断!

该函数还可能造成sql注入,例如将’1 or 1’转换为16进制形式2731206f72203127,再传参,就可以造成sql注入。

intval( r e q [ " n u m b e r " ] ) = i n t v a l ( s t r r e v ( req["number"])=intval(strrev( req["number"])=intval(strrev(req[“number”]))
如果要求不是回文,但又要满足这个条件,
可以用科学计数法构造0=0:
number=0e-0%00

已标记关键词 清除标记
<div class="post-text" itemprop="text"> <p>I am currently looking for a pass (not blind) high level of category sql injection application dvwa.</p> <p>Can not find the solution even if there are some ideas and tools that make life easier.</p> <p>source code form is as follows for the fans:</p> <hr> <pre><code>if (isset($_GET['Submit'])) { // Retrieve data $id = $_GET['id']; $id = stripslashes($id); $id = mysql_real_escape_string($id); if (is_numeric($id)){ $getid = "SELECT first_name, last_name FROM users WHERE user_id = '$id'"; $result = mysql_query($getid) or die('<pre>' . mysql_error() . '</pre>' ); $num = mysql_numrows($result); $i=0; while ($i < $num) { $first = mysql_result($result,$i,"first_name"); $last = mysql_result($result,$i,"last_name"); echo '<pre>'; echo 'ID: ' . $id . '<br>First name: ' . $first . '<br>Surname: ' . $last; echo '</pre>'; $i++; } } } </code></pre> <hr> <p>and mission and retrieve the values ​​that are in the users table dvwa db which has this structure:</p> <pre><code>+------------+-------------+------+-----+---------+ | Field | Type | Null | Key | Default | +------------+-------------+------+-----+---------+ | user_id | int(6) | NO | PRI | 0 | | first_name | varchar(15) | YES | | NULL | | last_name | varchar(15) | YES | | NULL | | user | varchar(15) | YES | | NULL | | password | varchar(32) | YES | | NULL | | avatar | varchar(70) | YES | | NULL | +------------+-------------+------+-----+---------+ 6 rows in set (0.00 sec) </code></pre> <hr> <p>Then of course you will say (as I have seen everywhere on the net) to be encoded characters. That I understand, yes, we have more character set, which can write emails differently (eg multi-byte). But I just can not even find you. I understand the php form code above like this:</p> <p>Already first have to bypass mysql_real_escape_string () so my research has focused to there first time. Using a game big5 character eg means we bypass it ... again yes maybe everything I saw Tenai the road but I have not actually tested. Why?</p> <p>Suppose I bypass mysql_real_escape_string (), if we continue to read the next step performed by the php code, we can read the function:</p> <pre><code>if(is_numeric($id))... </code></pre> <p>checks the type of the variable. (and besides, I do not know if I use the exact term but good). This means that if I want to insert a quote here, it must be in forcemment numérique.Donc size I leaned on the famous php function and I realized that we could enter the same binary or hexadecimal values ​​(but in all cases it will function for converting the output after me and now I really do not know ....). So my input in the first idea was to get 0x27 to insert a quote, but of course this value is interpreted as integer and not string type output, so how to interpret my quote ... I think the issue is on this side but I largues dint of thinking ... If you have nothing but a track (except to tell me to look in google, something I've been doing for four days now ^ ^), I'm interested. So guys (or girls for that matter), that Will is nicknamed Master Sqli?? Thank you for your time ... (sorry for google translation)</p> </div>
©️2020 CSDN 皮肤主题: 酷酷鲨 设计师:CSDN官方博客 返回首页