PHP代码审计关键点详解<\/h1>

文件操作函数路径处理差异<\/h2>

问题描述<\/h3>
PHP中文件读写操作(`file_put_contents<\/code>, copy<\/code>, file_get_contents<\/code>等)与文件删除\/判断操作(unlink<\/code>, file_exists<\/code>等)对路径处理存在差异，可能导致安全绕过。<\/p>`

技术原理<\/h3>

读写操作：调用php_stream_open_wrapper_ex<\/code>，最终使用tsrm_realpath<\/code>标准化路径<\/li>
删除\/判断操作：不进行路径标准化处理<\/li>
<\/ul>
绕过方法<\/h3>

Linux系统：

xxxxx\/..\/test.php<\/code><\/li>
test.php\/.<\/code><\/li>
<\/ul>
<\/li>
Windows系统：

test.php:test<\/code><\/li>
test.ph<<\/code><\/li>
<\/ul>
<\/li>
伪协议：

php:\/\/filter\/resource=1.php<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
示例代码<\/h3>
$filename =<\/span> __DIR__<\/span> .<\/span> '\/tmp\/'<\/span> .<\/span> $user['name'<\/span>];
<\/span><\/span>$data =<\/span> $user['info'<\/span>];
<\/span><\/span>file_put_contents<\/span>($filename, $data);
<\/span><\/span>if<\/span>(file_exists<\/span>($filename)) {
<\/span><\/span>    unlink<\/span>($filename);  \/\/ 可被绕过
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>变量覆盖漏洞<\/h2>
extract()函数<\/h3>
extract<\/span>($_GET);  \/\/ 危险：直接覆盖现有变量
<\/span><\/span><\/span><\/span>extract<\/span>($_GET, EXTR_SKIP<\/span>);  \/\/ 安全：跳过已有变量
<\/span><\/span><\/span><\/span>extract<\/span>($_GET, EXTR_PREFIX_SAME<\/span>, "prefix"<\/span>);  \/\/ 安全：添加前缀
<\/span><\/span><\/span><\/code><\/pre>parse_str()函数<\/h3>
parse_str<\/span>("name=Bill&age=60"<\/span>);  \/\/ 危险：直接创建变量
<\/span><\/span><\/span><\/span>parse_str<\/span>("name=Bill&age=60"<\/span>, $output);  \/\/ 安全：使用数组接收
<\/span><\/span><\/span><\/code><\/pre>数值处理问题<\/h2>
intval()函数特性<\/h3>

32位系统最大带符号范围：-2147483648到2147483647<\/li>
64位系统最大带符号范围：9223372036854775807<\/li>
截断取整（非四舍五入）：intval(10.99999)<\/code> → 10<\/li>
转换规则：遇到数字或正负号开始，遇到非数字或\0<\/code>结束<\/li>
<\/ul>
浮点数精度问题<\/h3>
var_dump<\/span>(1.000000000000000<\/span> ==<\/span> 1<\/span>);   \/\/ TRUE
<\/span><\/span><\/span><\/span>var_dump<\/span>(1.0000000000000001<\/span> ==<\/span> 1<\/span>);  \/\/ TRUE
<\/span><\/span><\/span><\/code><\/pre>is_numeric()与intval()差异<\/h3>
is_numeric<\/span>("<\/span>\r\n\t<\/span> 0.1e2"<\/span>);  \/\/ TRUE
<\/span><\/span><\/span><\/span>intval<\/span>("<\/span>\r\n\t<\/span> 12"<\/span>);         \/\/ 12
<\/span><\/span><\/span><\/code><\/pre>函数比较绕过<\/h2>
strcmp()数组绕过<\/h3>
if<\/span>(strcmp<\/span>($_GET['a'<\/span>], $_GET['b'<\/span>]) ==<\/span> 0<\/span>)  \/\/ 传入数组可绕过
<\/span><\/span><\/span><\/code><\/pre>sha1()\/md5()数组绕过<\/h3>
if<\/span>(sha1<\/span>($_GET['a'<\/span>]) ===<\/span> sha1<\/span>($_GET['b'<\/span>]))  \/\/ 传入数组可绕过
<\/span><\/span><\/span><\/code><\/pre>弱类型比较问题<\/h2>
常见绕过示例<\/h3>
md5<\/span>('240610708'<\/span>) ==<\/span> md5<\/span>('QNKCDZO'<\/span>);  \/\/ TRUE (0e...)
<\/span><\/span><\/span><\/span>sha1<\/span>('aaroZmOk'<\/span>) ==<\/span> sha1<\/span>('aaK1STfY'<\/span>); \/\/ TRUE
<\/span><\/span><\/span><\/span>'0010e2'<\/span> ==<\/span> '1e3'<\/span>;  \/\/ TRUE
<\/span><\/span><\/span><\/span>'0x1234Ab'<\/span> ==<\/span> ' 1193131 '<\/span>;  \/\/ TRUE
<\/span><\/span><\/span><\/code><\/pre>布尔转换规则<\/h3>
FALSE情况：FALSE<\/code>, 0<\/code>, 0.0<\/code>, ""<\/code>, "0"<\/code>, array()<\/code>, NULL<\/code><\/p>
字符串转数值规则<\/h3>

开头有数字：转为数字并省略后面非数字字符<\/li>
开头无数字：转为0<\/li>
<\/ul>
1<\/span> +<\/span> "bob-1.3e3"<\/span>  \/\/ 1
<\/span><\/span><\/span><\/span>1<\/span> +<\/span> "10 Small Pigs"<\/span>  \/\/ 11
<\/span><\/span><\/span><\/code><\/pre>其他关键点<\/h2>
eregi()匹配绕过<\/h3>

传入数组可绕过<\/li>
使用%00<\/code>截断<\/li>
<\/ul>
变量名转换规则<\/h3>
点号和空格会被转为下划线：<\/p>
parse_str<\/span>("na.me=admin&pass wd=123"<\/span>, $test);
<\/span><\/span>\/\/ 结果：["na_me"]=>"admin", ["pass_wd"]=>"123"
<\/span><\/span><\/span><\/code><\/pre>in_array()松散比较<\/h3>
in_array<\/span>("1asd"<\/span>, array<\/span>(1<\/span>,2<\/span>,3<\/span>,4<\/span>));       \/\/ TRUE
<\/span><\/span><\/span><\/span>in_array<\/span>("1asd"<\/span>, array<\/span>(1<\/span>,2<\/span>,3<\/span>,4<\/span>), TRUE<\/span>); \/\/ FALSE
<\/span><\/span><\/span><\/code><\/pre>htmlspecialchars()转义问题<\/h3>
默认不转义单引号，需使用ENT_QUOTES<\/code>参数：<\/p>
htmlspecialchars<\/span>($input);          \/\/ 仅转义双引号
<\/span><\/span><\/span><\/span>htmlspecialchars<\/span>($input, ENT_QUOTES<\/span>); \/\/ 转义双引号和单引号
<\/span><\/span><\/span><\/code><\/pre>sprintf()格式化漏洞<\/h3>
可以吃掉转义后的单引号：<\/p>
$sql =<\/span> "select * from user where username = '%\' and 1=1#'"<\/span>;
<\/span><\/span>sprintf<\/span>($sql, "admin"<\/span>);  \/\/ 结果：username = '' and 1=1#'
<\/span><\/span><\/span><\/code><\/pre>赋值运算符优先级<\/h3>
=<\/code>优先级高于and<\/code>：<\/p>
$c =<\/span> is_numeric<\/span>($a) and<\/span> is_numeric<\/span>($b);  \/\/ 可能绕过$b检查
<\/span><\/span><\/span><\/code><\/pre>URL解析差异<\/h2>
parse_url与libcurl差异<\/h3>

user@eval.com:80@baidu.com<\/code>：

PHP解析host：baidu.com<\/code><\/li>
libcurl解析host：eval.com<\/code><\/li>
<\/ul>
<\/li>
<\/ul>
filter_var()绕过<\/h3>
filter_var<\/span>("0:\/\/evil.com:80;google.com:80\/"<\/span>, FILTER_VALIDATE_URL<\/span>);  \/\/ TRUE
<\/span><\/span><\/span><\/code><\/pre>通过file_get_contents的XSS<\/h3>
$url =<\/span> "data:\/\/baidu.com\/plain;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pgo="<\/span>;
<\/span><\/span>file_get_contents<\/span>($url);  \/\/ 返回<script>alert(1)<\/script>
<\/span><\/span><\/span><\/code><\/pre>防御建议<\/h2>

对所有文件操作使用绝对路径并进行标准化处理<\/li>
使用EXTR_SKIP<\/code>或EXTR_PREFIX_SAME<\/code>参数处理extract()<\/code><\/li>
对数值比较使用严格比较===<\/code><\/li>
对strcmp()<\/code>等函数添加类型检查<\/li>
使用htmlspecialchars($input, ENT_QUOTES)<\/code>完全转义<\/li>
对URL验证使用多重检查机制<\/li>
避免直接使用用户输入拼接SQL语句<\/li>
对重要比较使用严格模式（如in_array<\/code>的第三个参数）<\/li>
<\/ol>

PHP代码审计关键点详解<\/h1>

文件操作函数路径处理差异<\/h2>

问题描述<\/h3> PHP中文件读写操作(file_put_contents<\/code>, copy<\/code>, file_get_contents<\/code>等)与文件删除\/判断操作(unlink<\/code>, file_exists<\/code>等)对路径处理存在差异，可能导致安全绕过。<\/p>

变量覆盖漏洞<\/h2>

数值处理问题<\/h2>

函数比较绕过<\/h2>

弱类型比较问题<\/h2>

布尔转换规则<\/h3> FALSE情况：FALSE<\/code>, 0<\/code>, 0.0<\/code>, ""<\/code>, "0"<\/code>, array()<\/code>, NULL<\/code><\/p>

其他关键点<\/h2>

URL解析差异<\/h2>

问题描述<\/h3>
PHP中文件读写操作(`file_put_contents<\/code>, copy<\/code>, file_get_contents<\/code>等)与文件删除\/判断操作(unlink<\/code>, file_exists<\/code>等)对路径处理存在差异，可能导致安全绕过。<\/p>`

布尔转换规则<\/h3>
FALSE情况：`FALSE<\/code>, 0<\/code>, 0.0<\/code>, ""<\/code>, "0"<\/code>, array()<\/code>, NULL<\/code><\/p>`