Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others

Categories

0 votes
491 views
in Technique[技术] by (71.8m points)

php - How to demonstrate an exploit of extract($_POST)?

I am not a PHP developer but I'm assessing the security of a PHP5 application.

The author relied on extract($_POST) and extract($_GET) in some places, outside of functions.

My suggestion is to call extract($_POST, EXTR_PREFIX_ALL, 'form') and change the code accordingly, but his stance is that any variable is being redefined inside subsequent includes anyway.

I can easily change the superglobals by providing, for instance, _ENV=something inside the post values, but superglobals are arrays and I'm turning them into strings, I'm not sure it can have evil effects.

I could have a look at the several isset() uses and go backwards from there.. but I imagine there are attacks of this kind that don't require knowledge or divination of the source.

Is there some interesting variable to be set/changed, maybe in the innards of PHP?

Thanks

See Question&Answers more detail:os

与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
Welcome To Ask or Share your Answers For Others

1 Reply

0 votes
by (71.8m points)

For assessing "might" try this:

File:htdocs/mix/extraction.php

<?php
extract($_GET);
var_dump($_SERVER);//after extract
?>

and call it like that:

http://localhost/mix/extraction.php?_SERVER=test

After the extract on my Xampp the output looks something like that:

string(4) "test"

If any one knows anything about your variable naming and you use extract on $_POST or $_GET globals, then you have a serious problem. With a bit of time and work it would be possible to find out some namings by try and error.

Without knowing your source an intruder could try to hijack any global variabl like $_SESSION (but here it will only take any effect if you do the session_start(); before the extract($_GET), $_COOKIE or $_SERVER and even set specific values for them like that:

//localhost/mix/extraction.php?_SERVER[HTTP_USER_AGENT]=Iphone

If you use extract like that:

extract($var,EXTR_SKIP);

extract($var,EXTR_PREFIX_SAME,'prefix');

extract($var,EXTR_PREFIX_ALL,'prefix');

then you will be perfectly safe.


与恶龙缠斗过久,自身亦成为恶龙;凝视深渊过久,深渊将回以凝视…
OGeek|极客中国-欢迎来到极客的世界,一个免费开放的程序员编程交流平台!开放,进步,分享!让技术改变生活,让极客改变未来! Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Click Here to Ask a Question

...