PHP代码审计：strpos使用不当引发的安全漏洞分析<\/h1>

1. 漏洞背景<\/h2>
本文分析PHP代码审计中因`strpos()<\/code>函数使用不当导致的安全漏洞，并结合实际案例（DeDecms V5.7SP2）展示类似逻辑缺陷引发的安全问题。<\/p>`

2. 示例漏洞分析<\/h2>
2.1 原始漏洞代码<\/h3>
\/\/ 示例代码片段
<\/span><\/span><\/span><\/span>class<\/span> Login<\/span> {
<\/span><\/span>    public<\/span> function<\/span> __construct($user, $pass) {
<\/span><\/span>        $this-><\/span>loginViaXml<\/span>($user, $pass);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> loginViaXml<\/span>($user, $pass) {
<\/span><\/span>        if<\/span> (strpos<\/span>($user, '<'<\/span>) !==<\/span> false<\/span> ||<\/span> strpos<\/span>($pass, '<'<\/span>) !==<\/span> false<\/span>) {
<\/span><\/span>            die<\/span>('非法字符'<\/span>);
<\/span><\/span>        }
<\/span><\/span>        if<\/span> (strpos<\/span>($user, '>'<\/span>) !==<\/span> false<\/span> ||<\/span> strpos<\/span>($pass, '>'<\/span>) !==<\/span> false<\/span>) {
<\/span><\/span>            die<\/span>('非法字符'<\/span>);
<\/span><\/span>        }
<\/span><\/span>        
<\/span><\/span>        $format =<\/span> '<user><username>%s<\/username><password>%s<\/password><\/user>'<\/span>;
<\/span><\/span>        $xml =<\/span> sprintf<\/span>($format, $user, $pass);
<\/span><\/span>        \/\/ 使用XML进行登录验证...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>new<\/span> Login<\/span>($_POST['user'<\/span>], $_POST['pass'<\/span>]);
<\/span><\/span><\/code><\/pre>2.2 漏洞原理<\/h3>


strpos函数特性<\/strong>：<\/p>

返回匹配子字符串的位置（0表示开头匹配）<\/li>
未找到时返回false<\/li>
false == 0<\/code>在PHP中为true<\/li>
<\/ul>
<\/li>

错误防护逻辑<\/strong>：<\/p>
if<\/span> (strpos<\/span>($user, '<'<\/span>) !==<\/span> false<\/span>) \/\/ 正确写法
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>strpos<\/span>($user, '<'<\/span>))         \/\/ 错误写法（漏洞点）
<\/span><\/span><\/span><\/code><\/pre><\/li>

漏洞利用<\/strong>：<\/p>

当输入以<<\/code>开头时，strpos()<\/code>返回0<\/li>
!0<\/code>在PHP中等于true，导致防护被绕过<\/li>
可构造XML注入payload：
user=<"><injected-tag%20property="&pass=<injected-tag>
<\/code><\/pre>
<\/li>
<\/ul>
<\/li>
<\/ol>
3. 实际案例分析：DeDecms V5.7SP2密码重置漏洞<\/h2>
3.1 漏洞位置<\/h3>
member\/resetpassword.php<\/code>文件中的安全问答验证逻辑<\/p>
3.2 漏洞代码<\/h3>
\/\/ 安全问答验证
<\/span><\/span><\/span><\/span>if<\/span>($dopost ==<\/span> "safequestion"<\/span>) {
<\/span><\/span>    $row =<\/span> $db-><\/span>GetOne<\/span>("SELECT safequestion,safeanswer,userid,email FROM #@__member WHERE mid = '<\/span>$mid<\/span>'"<\/span>);
<\/span><\/span>    if<\/span>(empty<\/span>($safequestion)) $safequestion =<\/span> ''<\/span>;
<\/span><\/span>    if<\/span>(empty<\/span>($safeanswer)) $safeanswer =<\/span> ''<\/span>;
<\/span><\/span>    
<\/span><\/span>    \/\/ 漏洞点：使用弱类型比较
<\/span><\/span><\/span><\/span>    if<\/span>($row['safequestion'<\/span>] ==<\/span> $safequestion &&<\/span> $row['safeanswer'<\/span>] ==<\/span> $safeanswer) {
<\/span><\/span>        sn<\/span>($mid, $row['userid'<\/span>], $row['email'<\/span>], 'N'<\/span>);
<\/span><\/span>        exit<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.3 漏洞原理<\/h3>


弱类型比较问题<\/strong>：<\/p>

未设置安全问答时，数据库值为$row['safequestion']="0"<\/code>，$row['safeanswer']=null<\/code><\/li>
使用==<\/code>比较时：

"0" == ""<\/code> → false<\/li>
null == ""<\/code> → true<\/li>
<\/ul>
<\/li>
可绕过payload：0.0<\/code>、0.<\/code>、0e1<\/code><\/li>
<\/ul>
<\/li>

利用链<\/strong>：<\/p>
1. 访问resetpassword.php?dopost=safequestion&safequestion=0.0&safeanswer=&id=[目标ID]
2. 获取返回的key值
3. 访问修改密码链接：resetpassword.php?dopost=getpasswd&id=[目标ID]&key=[获取的key]
<\/code><\/pre>
<\/li>
<\/ol>
3.4 漏洞修复<\/h3>
将弱类型比较==<\/code>改为严格比较===<\/code>：<\/p>
if<\/span>($row['safequestion'<\/span>] ===<\/span> $safequestion &&<\/span> $row['safeanswer'<\/span>] ===<\/span> $safeanswer)
<\/span><\/span><\/code><\/pre>4. 防御建议<\/h2>


strpos正确用法<\/strong>：<\/p>
\/\/ 正确方式
<\/span><\/span><\/span><\/span>if<\/span> (strpos<\/span>($input, '<'<\/span>) !==<\/span> false<\/span>) {
<\/span><\/span>    \/\/ 包含<字符
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 错误方式（易被绕过）
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>strpos<\/span>($input, '<'<\/span>)) {
<\/span><\/span>    \/\/ 误判0为false
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

类型安全比较<\/strong>：<\/p>

始终使用===<\/code>和!==<\/code>进行严格比较<\/li>
特别注意：0<\/code>、"0"<\/code>、""<\/code>、null<\/code>、false<\/code>的区别<\/li>
<\/ul>
<\/li>

输入过滤<\/strong>：<\/p>

对XML\/HTML\/SQL等特殊上下文使用专用过滤函数<\/li>
如htmlspecialchars()<\/code>、mysqli_real_escape_string()<\/code>等<\/li>
<\/ul>
<\/li>

安全编码实践<\/strong>：<\/p>

使用白名单而非黑名单验证<\/li>
对边界条件进行全面测试（如空值、0值、特殊字符等）<\/li>
<\/ul>
<\/li>
<\/ol>
5. 总结<\/h2>

PHP的弱类型系统和特定函数行为可能引入安全隐患<\/li>
strpos()<\/code>等函数需注意返回值0与false的区别<\/li>
比较操作应优先使用严格模式(===<\/code>\/!==<\/code>)<\/li>
安全验证逻辑需要覆盖所有可能的输入情况<\/li>
实际漏洞常由多个小问题组合触发，需全面审计<\/li>
<\/ol>
6. 扩展学习<\/h2>


PHP类型比较表：<\/p>



值1<\/th>
值2<\/th>
==<\/th>
===<\/th>
<\/tr>
<\/thead>


0<\/td>
""<\/td>
true<\/td>
false<\/td>
<\/tr>

0<\/td>
"0"<\/td>
true<\/td>
false<\/td>
<\/tr>

null<\/td>
""<\/td>
true<\/td>
false<\/td>
<\/tr>

false<\/td>
""<\/td>
true<\/td>
false<\/td>
<\/tr>
<\/tbody>
<\/table>
<\/li>

相关函数注意事项：<\/p>

stripos()<\/code>：不区分大小写版本，有相同问题<\/li>
strstr()<\/code>\/stristr()<\/code>：返回子字符串或false<\/li>
preg_match()<\/code>：返回匹配次数（0或1），需用===1<\/code>判断<\/li>
<\/ul>
<\/li>

推荐审计工具：<\/p>

PHPStan<\/li>
Psalm<\/li>
RIPS静态分析工具<\/li>
<\/ul>
<\/li>
<\/ol>

值1<\/th>	值2<\/th>	==<\/th>	===<\/th> <\/tr> <\/thead>
0<\/td>	""<\/td>	true<\/td>	false<\/td> <\/tr>
0<\/td>	"0"<\/td>	true<\/td>	false<\/td> <\/tr>
null<\/td>	""<\/td>	true<\/td>	false<\/td> <\/tr>
false<\/td>	""<\/td>	true<\/td>	false<\/td> <\/tr> <\/tbody> <\/table> <\/li> 相关函数注意事项：<\/p> `stripos()<\/code>：不区分大小写版本，有相同问题<\/li>` `strstr()<\/code>\/stristr()<\/code>：返回子字符串或false<\/li>` `preg_match()<\/code>：返回匹配次数（0或1），需用===1<\/code>判断<\/li> <\/ul> <\/li>` `推荐审计工具：<\/p> PHPStan<\/li> Psalm<\/li> RIPS静态分析工具<\/li> <\/ul> <\/li> <\/ol>`

PHP代码审计：strpos使用不当引发的安全漏洞分析<\/h1>

1. 漏洞背景<\/h2> 本文分析PHP代码审计中因strpos()<\/code>函数使用不当导致的安全漏洞，并结合实际案例（DeDecms V5.7SP2）展示类似逻辑缺陷引发的安全问题。<\/p>

3. 实际案例分析：DeDecms V5.7SP2密码重置漏洞<\/h2>

3.1 漏洞位置<\/h3> member\/resetpassword.php<\/code>文件中的安全问答验证逻辑<\/p>

1. 漏洞背景<\/h2>
本文分析PHP代码审计中因`strpos()<\/code>函数使用不当导致的安全漏洞，并结合实际案例（DeDecms V5.7SP2）展示类似逻辑缺陷引发的安全问题。<\/p>`

3.1 漏洞位置<\/h3>
`member\/resetpassword.php<\/code>文件中的安全问答验证逻辑<\/p>`