
Posted by deaguero at 2020-04-12

0x00 Background

Recently we have been looking at variable overwrite vulnerabilities, so this post combines earlier notes with recent CTF challenges on the subject. In general, a variable overwrite vulnerability is any case in which the original value of a variable can be replaced by a user-controlled parameter value. The usual causes are: careless use of $$ (variable variables), careless use of the extract() function, careless use of the parse_str() function, careless use of import_request_variables(), and register_globals being enabled. This article collects several CTF challenges as examples and summarizes the problems with $$, extract() and parse_str().

0x01 Variable overwrite caused by $$

Variable overwrite problems caused by $$ usually appear inside a foreach in CTF code-audit challenges, as in the code below. foreach walks the array; each array key is then used as a variable name and the corresponding array value as that variable's value. Because $_GET is entirely client-controlled, requesting ?name=test overwrites $name with "test".

<?php
$name = "admin";   // the page's copy omits the original assignment; the value is an assumption

// Request ?name=test. Output:
// string(4) "name" string(4) "test" string(4) "test" test
foreach ($_GET as $key => $value) {
    $$key = $value;   // the GET key becomes a variable name, so ?name=... overwrites $name
    var_dump($key);
    var_dump($value);
    var_dump($$key);
}
echo $name;           // prints the overwritten value
?>

Example 1 of a $$ variable overwrite in a CTF. Source code:

<?php
include "flag.php";
$_403 = "Access Denied";
$_200 = "Welcome Admin";
if ($_SERVER["REQUEST_METHOD"] != "POST")   // condition missing from the page's copy; reconstructed (the payload is a POST)
    die("BugsBunnyCTF is here :p...");
if ( !isset($_POST["flag"]) )
    die($_403);
foreach ($_GET as $key => $value)
    $$key = $$value;     // the client picks the target variable AND which existing variable is copied into it
foreach ($_POST as $key => $value)
    $$key = $value;      // the client picks the target variable and its new value
if ( $_POST["flag"] !== $flag )
    die($_403);
echo "This is your flag : ". $flag . "\n";
die($_200);              // missing from the page's copy; the solution relies on this final die()
?>

Analysis: the source includes flag.php, which defines $flag, and all three if conditions must be passed to reach the echo. The two foreach loops treat $$key differently: in the GET loop, $$key = $$value copies the value of an existing variable (named by the parameter value) into a variable named by the parameter key; in the POST loop, $$key = $value assigns the parameter value directly. The POST loop always overwrites $flag with the submitted flag value, so the final comparison $_POST["flag"] !== $flag can never fail, but the echo then prints the overwritten, fake value rather than the real flag. To get the real flag, you first copy it into $_200 or $_403 through the GET loop, and then let die($_200) or die($_403) print it.

Solution: because the POST loop overwrites $flag before the final check, only the first (GET) loop can still reach the original value. die($_403) is never executed once $flag equals the POST value, so copy the real flag into $_200 with ?_200=flag and let the trailing die($_200) print it.

Final payload (reproduced locally, so the flag value differs from the original challenge):

GET data: ?_200=flag    POST data: flag=aaaaaaaaaaaaaaaaaaaaa
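The challenge above, rewritten as an added example (not the challenge's own code) that takes simulated $_GET and $_POST arrays so the overwrite can be reproduced from the command line with php, next to a version that reads request data as array entries instead of variable names. The secret string stands in for whatever flag.php defines and is an assumption.

```php
<?php
// Added example, not the challenge's own code: the BugsBunny-style check as a
// function over simulated $_GET / $_POST arrays, runnable with: php demo.php
// 'flag{assumed-secret}' stands in for the value flag.php would define.

function vulnerableCheck(array $get, array $post): string
{
    $flag = 'flag{assumed-secret}';   // normally supplied by include "flag.php"
    $_403 = 'Access Denied';
    $_200 = 'Welcome Admin';

    if (!isset($post['flag'])) {
        return $_403;
    }
    // $$key = $$value: the client chooses both the variable to write ($key)
    // and which existing variable's value is copied into it ($value).
    foreach ($get as $key => $value) {
        $$key = $$value;
    }
    // $$key = $value: the client chooses the variable and its new value, so
    // POST flag=... always makes $flag equal to $post['flag'] and the check
    // below can no longer fail.
    foreach ($post as $key => $value) {
        $$key = $value;
    }
    if ($post['flag'] !== $flag) {
        return $_403;
    }
    // what the challenge prints: the overwritten $flag, then die($_200)
    return "This is your flag : {$flag}\n" . $_200;
}

function hardenedCheck(array $get, array $post): string
{
    $flag = 'flag{assumed-secret}';
    $_403 = 'Access Denied';
    $_200 = 'Welcome Admin';

    // Read request data as array entries; never turn client-supplied keys into
    // variable names. Nothing the client sends can reach $flag, $_200 or $_403.
    $submitted = $post['flag'] ?? null;
    if (!is_string($submitted)) {
        return $_403;
    }
    // hash_equals() gives a strict, constant-time string comparison.
    if (!hash_equals($flag, $submitted)) {
        return $_403;
    }
    return "This is your flag : {$flag}\n" . $_200;
}

// Constructed payload from the write-up: GET ?_200=flag, POST flag=aaaa
$get  = ['_200' => 'flag'];
$post = ['flag' => 'aaaa'];

echo "vulnerable: ", vulnerableCheck($get, $post), "\n";
echo "hardened:   ", hardenedCheck($get, $post), "\n";
```

In vulnerableCheck() the GET loop copies the secret into $_200, the POST loop then sets $flag to "aaaa" so the strict comparison passes, and the function returns the fake flag followed by the real one (the challenge's die($_200)). hardenedCheck() never creates variables from client keys and returns Access Denied for the same payload; an allowlist of expected parameter names stored in an array is the general replacement for $$key = $value.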

0x02 Variable overwrite caused by the extract() function

Syntax: extract(array $array, int $flags = EXTR_OVERWRITE, string $prefix = ""). extract() imports the array's keys into the current scope as variables. The default flag EXTR_OVERWRITE replaces variables that already exist, which is what makes extract($_GET) or extract($_POST) dangerous; EXTR_SKIP keeps existing variables untouched, and EXTR_PREFIX_ALL prepends the given prefix to every imported name.

Example 1 of an extract() variable overwrite in a CTF. Source code:

<?php
$flag = 'xxx';          // path of the file that holds the flag
extract($_GET);         // missing from the page's copy; the analysis names this call. Every GET key becomes a variable
if (isset($gift)) {
    $content = trim(file_get_contents($flag));   // $flag may now be a client-chosen path
    if ($gift == $content) {
        echo 'hctf{...}';
    } else {
        echo 'Oh..';
    }
}
?>

Analysis: the challenge calls extract($_GET) on the request data, turning every key and value into a variable name and value, and then evaluates the two if conditions. GET parameters can therefore overwrite $flag (the path passed to file_get_contents()) and $gift, and satisfy both conditions.

Solution: request ?flag=&gift=. extract() overwrites $flag and $gift with empty strings; file_get_contents('') fails and returns false, trim(false) yields an empty string, and '' == '' is true, so $gift == $content is satisfied. Pointing $flag at a nonexistent file works the same way. Caveat: on PHP 8, file_get_contents() throws a ValueError for an empty path, so there you must use a nonexistent path instead (?flag=nonexistent&gift=).

Final payload: GET data: ?flag=&gift=

Example 2 of an extract() variable overwrite in a CTF. Source code:

<?php if ($_SERVER["REQUEST_METHOD"] == "POST") { ?>
    <?php
        extract($_POST);                   // every POST key becomes a variable, including $pass and $thepassword_123
        if ($pass == $thepassword_123) { ?>
            <div class="alert alert-success">
                <code><?php echo $theflag; ?></code>
            </div>
        <?php } ?>
<?php } ?>

Analysis: the challenge requires a POST request. extract($_POST) turns each key and value of the POST data into a variable, so the request can overwrite $pass and $thepassword_123 and satisfy $pass == $thepassword_123.

Solution: submit pass=&thepassword_123=. extract() sets both $pass and $thepassword_123 to empty strings, so the loose comparison is satisfied and $theflag is printed.

Final payload: POST data: pass=&thepassword_123=
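Both extract() examples above rely on the same two things: EXTR_OVERWRITE replacing a variable the script already set, and == accepting two empty strings. The following added example (not either challenge's code) reproduces the "gift" check against a temporary flag file from the command line and puts a hardened variant beside it; the temporary file, its contents and the nonexistent path are assumptions.

```php
<?php
// Added example, not the challenges' code: the HCTF "gift" check run from the
// command line (php demo.php) against a temporary flag file, with a hardened
// variant beside it. Flag text and paths are assumptions.

function makeFlagFile(): string
{
    $path = tempnam(sys_get_temp_dir(), 'flag');
    file_put_contents($path, "hctf{assumed-flag}\n");
    return $path;
}

function readFlag(string $path): string
{
    // The challenge calls file_get_contents($flag) directly. An unreadable path
    // yields false (plus a warning), which trim() turns into "". On PHP 8 an
    // *empty* path throws ValueError instead, so ?flag=&gift= no longer works
    // there; a nonexistent path still does.
    $raw = is_readable($path) ? file_get_contents($path) : false;
    return trim((string) $raw);
}

function vulnerableGift(array $get, string $flagPath): string
{
    $flag = $flagPath;
    extract($get);                 // EXTR_OVERWRITE is the default: $flag is replaced too
    if (!isset($gift)) {
        return 'no gift';
    }
    $content = readFlag($flag);    // now reads the client's path, not the real one
    return $gift == $content ? 'hctf{...}' : 'Oh..';   // "" == "" is true
}

function hardenedGift(array $get, string $flagPath): string
{
    $flag = $flagPath;
    // EXTR_SKIP keeps variables that already exist, so a client key named
    // "flag" is ignored. EXTR_PREFIX_ALL is the other safe option:
    // extract($get, EXTR_PREFIX_ALL, 'req') would yield $req_gift, $req_flag.
    extract($get, EXTR_SKIP);
    if (!isset($gift) || !is_string($gift)) {
        return 'no gift';
    }
    $content = readFlag($flag);
    // strict, constant-time comparison instead of ==
    return hash_equals($content, $gift) ? 'hctf{...}' : 'Oh..';
}

$flagPath = makeFlagFile();
// Constructed payload: ?flag=/nonexistent/path&gift=
$get = ['flag' => '/nonexistent/path', 'gift' => ''];

echo "vulnerable: ", vulnerableGift($get, $flagPath), "\n";
echo "hardened:   ", hardenedGift($get, $flagPath), "\n";
unlink($flagPath);
```

vulnerableGift() reads the client-supplied path, gets an empty string, and the empty $gift compares equal to it, so it prints the success branch without ever reading the real file. hardenedGift() keeps $flag pointing at the real file because of EXTR_SKIP, and hash_equals() rejects the empty $gift. The same two changes (EXTR_SKIP or a prefix, plus strict comparison) close the pass == thepassword_123 case as well.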

0x03 Variable overwrite caused by the parse_str() function

parse_str() parses a query string into variables. Syntax: parse_str(string $string, array &$result). When called without the result array, the parsed values are written straight into the current scope and overwrite any existing variable of the same name; that one-argument form was deprecated in PHP 7.2 and removed in PHP 8.0, so the pattern below only works on older interpreters. With the result array, the parsed values are stored there and nothing in the current scope is overwritten.

Example 1 of a parse_str() variable overwrite in a CTF. Source code:

<?php
if (empty($_GET['id'])) {
    show_source(__FILE__);
    die();
} else {
    include('flag.php');
    $a = "";
    $id = $_GET['id'];
    @parse_str($id);        // one-argument form: writes the parsed names straight into this scope, overwriting $a
    if ($a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
        echo $flag;
    } else {
        exit('It\'s very simple, but it\'s not difficult!');
    }
}
?>

Analysis: first the id parameter must be supplied via GET, then parse_str($id) parses its contents into variables, and then the condition $a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO') is evaluated. md5('QNKCDZO') is 0e830400451993494058024219003391. Because $a[0] must differ from 'QNKCDZO' while its MD5 must still compare equal, the trick is PHP's loose comparison: == on two numeric strings compares them as numbers, and a string such as 0e123 is read as scientific notation, 0 x 10^123 = 0. So any string whose MD5 hash is "0e" followed only by digits compares equal to md5('QNKCDZO'); 240610708 and s878926199a are two such strings. This is the well-known weakness in how PHP compares MD5 hashes beginning with 0e.

Solution: request ?id=a[0]=240610708. PHP splits the query parameter at the first "=", so $_GET['id'] is the string a[0]=240610708, and parse_str() turns it into $a[0] = "240610708". md5('240610708') is 0e462097431906509019562988736854 and md5('QNKCDZO') is 0e830400451993494058024219003391; both are numeric strings that evaluate to 0, so they compare equal, the condition is met, and the flag is printed.

Final payload: GET data: ?id=a[0]=s878926199a or ?id=a[0]=240610708
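As an added example (not the challenge's code), the block below shows parse_str() with the result array that PHP 8 requires, recreates the legacy one-argument overwrite on purpose (parse_str() into an array followed by extract()) so the bug can still be reproduced on a current interpreter, and puts a hardened check beside it. It also tests the "0e" property directly rather than trusting listed hashes. The inputs are the ones from the write-up plus one ordinary string.

```php
<?php
// Added example, not the challenge's code. Run with: php demo.php

function isMagicHash(string $s): bool
{
    // "0e" followed only by digits: PHP's == reads the string as 0 x 10^n == 0
    return preg_match('/^0e\d+$/', md5($s)) === 1;
}

function legacyCheck(string $id): string
{
    $a = '';
    // Before PHP 7.2 the challenge's @parse_str($id) wrote $a straight into
    // this scope. parse_str() into an array followed by extract() gives the
    // same effect, and the same overwrite of $a, on current PHP.
    parse_str($id, $vars);
    extract($vars);                     // $a is replaced by the client-supplied array
    if (isset($a[0]) && $a[0] != 'QNKCDZO' && md5($a[0]) == md5('QNKCDZO')) {
        return 'flag';
    }
    return 'denied';
}

function hardenedCheck(string $id): string
{
    $a = '';
    parse_str($id, $vars);              // parsed data stays in $vars; $a is untouched
    $candidate = $vars['a'][0] ?? null;
    // strict comparison of the hex digests: no numeric-string coercion
    if (is_string($candidate) && $candidate !== 'QNKCDZO'
        && hash_equals(md5('QNKCDZO'), md5($candidate))) {
        return 'flag';
    }
    return 'denied';
}

// Constructed inputs: the write-up's values plus an ordinary string.
foreach (['QNKCDZO', '240610708', 's878926199a', 'hello'] as $s) {
    printf("%-12s md5=%s magic=%s\n", $s, md5($s), isMagicHash($s) ? 'yes' : 'no');
}
foreach (['a[0]=240610708', 'a[0]=s878926199a', 'a[0]=hello'] as $id) {
    printf("id=%-18s legacy=%-7s hardened=%s\n", $id, legacyCheck($id), hardenedCheck($id));
}
```

legacyCheck() returns the flag for the two magic-hash inputs because both digests are numeric strings equal to 0 under ==, and denies the ordinary string; hardenedCheck() denies all three, since hash_equals() compares the digests byte for byte. Keeping parse_str() output in its own array is the fix for the overwrite; the strict comparison is the separate fix for the magic-hash bypass.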

0x04 Summary

In real PHP code audits, variable overwrite vulnerabilities tend to be well hidden, so you need to read the source carefully to find the overwrite points. In CTFs they are usually presented more directly, so a sensible path is to work through the various CTF variable overwrite challenges first and then audit CMS code once the patterns are familiar; that way this vulnerability class can be understood and hunted more thoroughly.