PHP代码审计之函数缺陷全面解析<\/h1>

一、in_array函数缺陷<\/h2>

1. 基础缺陷分析<\/h3>
class<\/span> Challenge<\/span> {
<\/span><\/span>    const<\/span> UPLOAD_DIRECTORY<\/span> =<\/span> '.\/solutions\/'<\/span>;
<\/span><\/span>    private<\/span> $file;
<\/span><\/span>    private<\/span> $whitelist;
<\/span><\/span>
<\/span><\/span>    public<\/span> function<\/span> __construct($file) {
<\/span><\/span>        $this-><\/span>file<\/span> =<\/span> $file;
<\/span><\/span>        $this-><\/span>whitelist<\/span> =<\/span> range<\/span>(1<\/span>, 24<\/span>);
<\/span><\/span>    }
<\/span><\/span>
<\/span><\/span>    public<\/span> function<\/span> __destruct() {
<\/span><\/span>        if<\/span> (in_array<\/span>($this-><\/span>file<\/span>['name'<\/span>], $this-><\/span>whitelist<\/span>)) {
<\/span><\/span>            move_uploaded_file<\/span>(
<\/span><\/span>                $this-><\/span>file<\/span>['tmp_name'<\/span>], 
<\/span><\/span>                self<\/span>::<\/span>UPLOAD_DIRECTORY<\/span> .<\/span> $this-><\/span>file<\/span>['name'<\/span>]
<\/span><\/span>            );
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>漏洞原理<\/strong>：<\/p>

in_array()<\/code>函数在未设置第三个参数为true<\/code>时使用松散比较<\/li>
PHP弱类型比较时，"6php"<\/code>会被转换为6<\/code><\/li>
6在1-24范围内，导致可以上传非预期文件<\/li>
<\/ul>
防御方法<\/strong>：<\/p>
\/\/ 严格模式检查
<\/span><\/span><\/span><\/span>if<\/span> (in_array<\/span>($this-><\/span>file<\/span>['name'<\/span>], $this-><\/span>whitelist<\/span>, true<\/span>)) {
<\/span><\/span>    \/\/ 安全代码
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 实际案例：Piwigo 2.7.1<\/h3>
\/\/ include\/functions_rate.inc.php
<\/span><\/span><\/span><\/span>if<\/span> (!<\/span>in_array<\/span>($rate, $conf['rate_items'<\/span>])) {
<\/span><\/span>    \/\/ 过滤逻辑
<\/span><\/span><\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 攻击者可构造
<\/span><\/span><\/span><\/span>$rate =<\/span> array<\/span>(0<\/span>,1<\/span>,2<\/span>,3<\/span>,4<\/span>,5<\/span>); \/\/ 绕过检查
<\/span><\/span><\/span><\/code><\/pre>二、filter_var函数缺陷<\/h2>
1. URL验证问题<\/h3>
class<\/span> Template<\/span> {
<\/span><\/span>    public<\/span> function<\/span> getNexSlideUrl<\/span>() {
<\/span><\/span>        $nextSlide =<\/span> $_GET['nextSlide'<\/span>];
<\/span><\/span>        return<\/span> filter_var<\/span>($nextSlide, FILTER_VALIDATE_URL<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：<\/p>
javascript:\/\/comment%250aalert(1)
<\/code><\/pre>
2. 实际案例：Anchor CMS<\/h3>
\/\/ system\/uri.php
<\/span><\/span><\/span><\/span>if<\/span>($uri =<\/span> filter_var<\/span>($uri, FILTER_SANITIZE_URL<\/span>)) {
<\/span><\/span>    \/\/ 处理逻辑
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击载荷<\/strong>：<\/p>
http:\/\/example.com\/%3Cscript%3Ealert(1)%3C\/script%3E
<\/code><\/pre>
三、escapeshellarg与escapeshellcmd组合问题<\/h2>
1. 漏洞原理<\/h3>
$param =<\/span> "127.0.0.1' -v -d a=1"<\/span>;
<\/span><\/span>$a =<\/span> escapeshellcmd<\/span>($param);      \/\/ 127.0.0.1\' -v -d a=1
<\/span><\/span><\/span><\/span>$b =<\/span> escapeshellarg<\/span>($a);          \/\/ '127.0.0.1\\'\'' -v -d a=1\'
<\/span><\/span><\/span><\/span>$cmd =<\/span> "curl "<\/span>.<\/span>$b;                \/\/ 最终命令可注入
<\/span><\/span><\/span><\/code><\/pre>2. 实际案例：Postcard应用<\/h3>
class<\/span> Mailer<\/span> {
<\/span><\/span>    private<\/span> function<\/span> sanitize<\/span>($email) {
<\/span><\/span>        return<\/span> escapeshellarg<\/span>($email);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> send<\/span>($data) {
<\/span><\/span>        mail<\/span>($data['to'<\/span>], $data['subject'<\/span>], $data['message'<\/span>], ''<\/span>, "-f"<\/span>.<\/span>$data['from'<\/span>]);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：<\/p>

利用FILTER_VALIDATE_EMAIL缺陷："aaa'aaa"@example.com<\/code><\/li>
组合使用导致命令注入<\/li>
<\/ul>
四、preg_replace函数\/e模式漏洞<\/h2>
1. 代码执行漏洞<\/h3>
function<\/span> complexStrtolower<\/span>($regex, $value) {
<\/span><\/span>    return<\/span> preg_replace<\/span>(
<\/span><\/span>        '\/('<\/span> .<\/span> $regex .<\/span> ')\/ei'<\/span>,
<\/span><\/span>        'strtolower("\\1")'<\/span>,
<\/span><\/span>        $value
<\/span><\/span>    );
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 攻击载荷
<\/span><\/span><\/span><\/span>\S<\/span>*=<\/span>$<\/span>{phpinfo<\/span>()}
<\/span><\/span><\/code><\/pre>修复方案<\/strong>：<\/p>

禁用\/e修饰符<\/li>
使用preg_replace_callback()<\/code>替代<\/li>
<\/ul>
2. 实际案例：CmsEasy 5.5<\/h3>
\/\/ lib\/tool\/form.php
<\/span><\/span><\/span><\/span>if<\/span> (preg_match<\/span>('\/\{(.*)\}\/'<\/span>, $form[$name]['default'<\/span>], $matches)) {
<\/span><\/span>    eval<\/span>("<\/span>\$<\/span>form[<\/span>$name<\/span>]['default'] = <\/span>{<\/span>$matches[1<\/span>]}<\/span>;"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、str_replace过滤缺陷<\/h2>
1. 目录穿越漏洞<\/h3>
class<\/span> LanguageManager<\/span> {
<\/span><\/span>    private<\/span> function<\/span> sanitizeLanguage<\/span>($language) {
<\/span><\/span>        return<\/span> str_replace<\/span>('..\/'<\/span>, ''<\/span>, $language);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：<\/p>
....\/\/ 或 ...\/.\/
<\/code><\/pre>
2. 实际案例：Metinfo 6.0.0<\/h3>
\/\/ app\/system\/include\/module\/old_thumb.class.php
<\/span><\/span><\/span><\/span>$dir =<\/span> strstr<\/span>($dir, 'http'<\/span>) ?<\/span> $dir :<\/span> ''<\/span>;
<\/span><\/span><\/code><\/pre>攻击载荷<\/strong>：<\/p>
http:\/\/target\/include\/thumb.php?dir=http\/..\/..\/config.php
<\/code><\/pre>
六、parse_str变量覆盖<\/h2>
1. 漏洞原理<\/h3>
extract<\/span>($_POST); \/\/ 危险函数
<\/span><\/span><\/span><\/span>
<\/span><\/span>if<\/span> (!<\/span>isset<\/span>($pi) ||<\/span> !<\/span>is_numeric<\/span>($pi)) {
<\/span><\/span>    goAway<\/span>();
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 攻击者可覆盖$pi变量
<\/span><\/span><\/span><\/code><\/pre>安全做法<\/strong>：<\/p>
$allowed =<\/span> ['pi'<\/span> =><\/span> ''<\/span>];
<\/span><\/span>$options =<\/span> array_intersect_key<\/span>($_POST, $allowed);
<\/span><\/span>extract<\/span>($options);
<\/span><\/span><\/code><\/pre>2. 实际案例：DuomiCMS 3.0<\/h3>
\/\/ duomiphp\/common.php
<\/span><\/span><\/span><\/span>foreach<\/span>(Array<\/span>('_GET'<\/span>,'_POST'<\/span>,'_COOKIE'<\/span>) as<\/span> $_request) {
<\/span><\/span>    foreach<\/span>(
<\/span><\/span>$$<\/span>
<\/span><\/span>_request<\/span> as<\/span> $_k =><\/span> $_v) {
<\/span><\/span>        ${$_k} =<\/span> _RunMagicQuotes<\/span>($_v);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击方法<\/strong>：

覆盖$_SESSION<\/code>变量实现权限提升<\/p>
七、unserialize反序列化漏洞<\/h2>
1. 基础漏洞<\/h3>
class<\/span> Template<\/span> {
<\/span><\/span>    public<\/span> function<\/span> loadData<\/span>($data) {
<\/span><\/span>        if<\/span> (!<\/span>preg_match<\/span>('\/O:\d:\/'<\/span>, $data)) {
<\/span><\/span>            return<\/span> unserialize<\/span>($data);
<\/span><\/span>        }
<\/span><\/span>        return<\/span> [];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方法<\/strong>：<\/p>

使用数组包装：a:1:{i:0;O:+8:"Class"...}<\/code><\/li>
利用+<\/code>绕过数字检测<\/li>
<\/ul>
2. 实际案例：Typecho 1.1<\/h3>
\/\/ install.php
<\/span><\/span><\/span><\/span>$config =<\/span> unserialize<\/span>(base64_decode<\/span>($_COOKIE['__typecho_config'<\/span>]));
<\/span><\/span><\/code><\/pre>利用链<\/strong>：<\/p>

触发__toString()<\/code><\/li>
调用__get()<\/code><\/li>
通过call_user_func<\/code>执行代码<\/li>
<\/ol>
八、addslashes绕过技巧<\/h2>
1. 字符截断绕过<\/h3>
class<\/span> LoginManager<\/span> {
<\/span><\/span>    public<\/span> function<\/span> sanitizeInput<\/span>($input, $length =<\/span> 20<\/span>) {
<\/span><\/span>        $input =<\/span> addslashes<\/span>($input);
<\/span><\/span>        if<\/span> (strlen<\/span>($input) ><\/span> $length) {
<\/span><\/span>            $input =<\/span> substr<\/span>($input, 0<\/span>, $length);
<\/span><\/span>        }
<\/span><\/span>        return<\/span> $input;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击载荷<\/strong>：<\/p>
user=1234567890123456789'&passwd=or 1=1#
<\/code><\/pre>
2. 实际案例：苹果CMS 8.0<\/h3>
\/\/ inc\/common\/function.php
<\/span><\/span><\/span><\/span>$res =<\/span> $magicq ?<\/span> $_REQUEST[$key] :<\/span> @<\/span>addslashes<\/span>($_REQUEST[$key]);
<\/span><\/span><\/code><\/pre>双重编码绕过<\/strong>：<\/p>
wd=))||if((select%0b(select(m_name)from(mac_manager))regexp(0x5e61)),(`sleep`(3)),0)#%25%35%63
<\/code><\/pre>
九、MD5哈希注入<\/h2>
1. RAW输出问题<\/h3>
class<\/span> RealSecureLoginManager<\/span> {
<\/span><\/span>    public<\/span> function<\/span> isValid<\/span>() {
<\/span><\/span>        $pass =<\/span> md5<\/span>($this-><\/span>password<\/span>, true<\/span>);
<\/span><\/span>        $query =<\/span> "password = '<\/span>$pass<\/span>' AND user = '<\/span>$user<\/span>'"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>特殊值<\/strong>：<\/p>

ffifdyop<\/code> → 二进制包含'or'<\/code>语句<\/li>
129581926211651571912466741651878684928<\/code><\/li>
<\/ul>
十、其他重要函数缺陷<\/h2>
1. htmlentities过滤不全<\/h3>
$query =<\/span> htmlentities<\/span>($query, ENT_COMPAT<\/span>); \/\/ 不转义单引号
<\/span><\/span><\/span><\/code><\/pre>安全用法<\/strong>：<\/p>
htmlentities<\/span>($query, ENT_QUOTES<\/span>); \/\/ 转义单引号和双引号
<\/span><\/span><\/span><\/code><\/pre>2. $_SERVER['PHP_SELF']问题<\/h3>
$parts =<\/span> explode<\/span>('\/'<\/span>, $_SERVER['PHP_SELF'<\/span>]);
<\/span><\/span>$baseFile =<\/span> end<\/span>($parts);
<\/span><\/span><\/code><\/pre>XSS载荷<\/strong>：<\/p>
\/index.php\/http:%252f%252fevil.com\/script.js
<\/code><\/pre>
3. $_REQUEST数组特性<\/h3>
$_GET =<\/span> array_map<\/span>('intval'<\/span>, $_GET);
<\/span><\/span>$_POST =<\/span> array_map<\/span>('intval'<\/span>, $_POST);
<\/span><\/span>\/\/ 但$_REQUEST仍可能包含未过滤数据
<\/span><\/span><\/span><\/code><\/pre>防御建议总结<\/h2>

严格类型检查<\/strong>：始终使用===<\/code>和!==<\/code>进行比较<\/li>
安全函数使用<\/strong>：

htmlspecialchars($var, ENT_QUOTES)<\/code><\/li>
filter_var($url, FILTER_VALIDATE_URL, FILTER_FLAG_SCHEME_REQUIRED)<\/code><\/li>
<\/ul>
<\/li>
禁用危险特性<\/strong>：

禁用preg_replace<\/code>的\/e<\/code>修饰符<\/li>
禁用register_globals<\/code><\/li>
<\/ul>
<\/li>
输入验证<\/strong>：

白名单验证优于黑名单<\/li>
对文件路径使用realpath()<\/code>检查<\/li>
<\/ul>
<\/li>
安全配置<\/strong>：

open_basedir<\/code>限制文件访问<\/li>
disable_functions<\/code>禁用危险函数<\/li>
<\/ul>
<\/li>
<\/ol>
通过深入理解这些PHP函数缺陷和安全编码实践，可以有效提升Web应用的安全性，防止常见的安全漏洞被利用。<\/p>