开发者

PHP GET variable array injection

I've recently learned that it's possible to inject arrays into PHP GET variables to per开发者_开发知识库form code execution?

.php?a[]=asd&a[]=asdasd&b[]=$a

That was the example I was given. I have no idea how it works and was wondering if this is even possible?


PHP will parse the query string, and inject those values in the $_GET super-global array (same for $_POST if this was done in a form using POST, btw).

In your case, the $_GET array will contain this :

array
  'a' => 
    array
      0 => string 'asd' (length=3)
      1 => string 'asdasd' (length=6)
  'b' => 
    array
      0 => string '$a' (length=2)

Each value passed in the query string will be put by PHP in the $_GET array, creating sub-arrays if necessary, when there are [] used in the query string.

But this doesn't cause any kind of "code execution" : as long as you deal with input properly (i.e. don't trust the input and use eval on it, or any kind of bad idea like this), there is no risk of code-injection.


If you are not sure how to get secure, the least you can do is to filter the $_GET array. Here is the function:

function filter_url($url)
{
  if (is_array($url))
  {
    foreach ($url as $key => $value)
    {
      // recurssion
      $url[$key] = filter_url($value);
    }
    return $url;
  }
  else
  {
    // remove everything except for a-zA-Z0-9_.-&=
    $url = preg_replace('/[^a-zA-Z0-9_\.\-&=]/', '', $url);
    return $url;
  }
}

Now you can filter the $_GET like this:

$_GET = filter_url($_GET);

This will essentially clean up your $_GET array from suspicious characters such as [ ].

Thanks


The above does not strictly allow code execution, but it may alter the control flow of your existing code if it does not take into account the fact the data may be an array.

The reason the above works is because PHP interprets variables ending in [] as arrays. So if you provide multiple GET variables with same name ending in [], PHP creates an array containing all the values.


Long story short: no code execution. Otherwise, don't you think somebody would have hacked Facebook already? :)

I think the person who told you that was confused about some other bugs that used deep array nesting to trigger a buffer overflow/double free/some other hack vector, that could theorically be used to execute some code. Those are software bugs as you can see everyday in many popular software. They usually get patched quickly.

You might find more info at http://www.suspekt.org/


echo $_GET['a'][0]; //prints "asd"
echo $_GET['a'][1]; //prints "asdasd"
echo $_GET['b'][0]; //prints "$a"


I think he is talking about something evaluating differently when passed an array

strcasecmp( $_GET['password'], $password ) == 0 ) { echo($secret); } ` If you pass an empty array into strcasecmp it will evaluate to true for whatever reason.

IE: index.php?password=[]


It seems like you misunderstood something.

The above example simply creates an array like

Array (
  [a] => Array (
    [0] => asd
    [1] => asdasd
  )
  [b] => Array ( [0] => $a )
)

This is documented and works exactly as intended.


Someone lied to you, you won't execute anything with that, you'll just send an array instead of a plain variable.

try this code

<?php
    $x = $_GET['x'];
    var_dump($x);
?>

and access it using ?x=1 and then ?x[a]=1&x[b]=2 it's expected behavior, not injection and you can't run any code with it.


your url want to be like that

www.mysite.com/page.php?name=john

but you want to prevent insert something like this

www.mysite.com/page.php?name[]=john

solution:

<?php
 $myname = is_array($_GET['name'])? "invalid" : $_GET['name'] ;
 echo $myname;
?>
0

上一篇:

下一篇:

精彩评论

暂无评论...
验证码 换一张
取 消

最新问答

问答排行榜