{"id":261,"date":"2025-11-08T17:00:56","date_gmt":"2025-11-08T09:00:56","guid":{"rendered":"https:\/\/www.sanjiuctf.cn\/?p=261"},"modified":"2025-11-08T17:03:48","modified_gmt":"2025-11-08T09:03:48","slug":"%e5%8f%98%e9%87%8f%e8%a6%86%e7%9b%96%e6%bc%8f%e6%b4%9e","status":"publish","type":"post","link":"https:\/\/www.sanjiuctf.cn\/?p=261","title":{"rendered":"\u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e"},"content":{"rendered":"\n

\u4ec0\u4e48\u662f\u53d8\u91cf\u8986\u76d6\uff1f<\/h2>\n\n\n\n

\u53d8\u91cf\u8986\u76d6\u6307\u7684\u662f\u53ef\u4ee5\u7528\u6211\u4eec\u7684\u4f20\u53c2\u503c\u66ff\u6362\u7a0b\u5e8f\u539f\u6709\u7684\u53d8\u91cf\u503c<\/p>\n\n\n\n

\u6bd4\u5982<\/p>\n\n\n\n

<?php\n$ a=1;\n$ a=2;\necho $a;\n?><\/code><\/pre>\n\n\n\n
\u50cf\u8fd9\u4e2a\u8f93\u51fa\u662f2\u56e0\u4e3aa=2\u8986\u76d6\u4e86a=1<\/p>\n\n\n\n
\u57fa\u672c\u6982\u5ff5<\/h3>\n\n\n\n
    \n
  • \u7a0b\u5e8f\u672a\u6b63\u786e\u9a8c\u8bc1\u7528\u6237\u8f93\u5165<\/li>\n\n\n\n
  • \u7528\u6237\u8f93\u5165\u88ab\u76f4\u63a5\u8d4b\u503c\u7ed9\u53d8\u91cf<\/li>\n\n\n\n
  • \u7f3a\u4e4f\u9002\u5f53\u7684\u8fc7\u6ee4\u548c\u9a8c\u8bc1\u673a\u5236<\/li>\n<\/ul>\n\n\n\n
    \u600e\u4e48\u53bb\u5bfb\u627e\u53d8\u91cf\u8986\u76d6\uff1f<\/h2>\n\n\n\n
    \u7ecf\u5e38\u5bfc\u81f4\u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\u573a\u666f\u6709\uff1a$$\u4f7f\u7528\u4e0d\u5f53\uff0cextract()\u51fd\u6570\u4f7f\u7528\u4e0d\u5f53\uff0cparse_str()\u51fd\u6570\u4f7f\u7528\u4e0d\u5f53import_request_variables()\u4f7f\u7528\u4e0d\u5f53\uff0c\u5f00\u542f\u4e86\u5168\u5c40\u53d8\u91cf\u6ce8\u518c\u7b49\uff0c\u8fd8\u662f\u8981\u591a\u591a\u4ee3\u7801\u5ba1\u8ba1<\/strong><\/p>\n\n\n\n
    \u624b\u52a8\u6d4b\u8bd5<\/h3>\n\n\n\n
      \n
    1. \u8bc6\u522b\u63a5\u6536\u7528\u6237\u8f93\u5165\u7684\u5165\u53e3\u70b9<\/li>\n\n\n\n
    2. \u5c1d\u8bd5\u8986\u76d6\u5df2\u77e5\u53d8\u91cf<\/li>\n\n\n\n
    3. \u89c2\u5bdf\u7a0b\u5e8f\u884c\u4e3a\u53d8\u5316<\/li>\n<\/ol>\n\n\n\n
      \u81ea\u52a8\u5316\u5de5\u5177<\/h3>\n\n\n\n
        \n
      • \u4f7f\u7528Burp Suite\u7b49\u5de5\u5177\u8fdb\u884c\u53c2\u6570\u6a21\u7cca\u6d4b\u8bd5<\/li>\n\n\n\n
      • \u81ea\u5b9a\u4e49\u626b\u63cf\u89c4\u5219\u68c0\u6d4b\u5371\u9669\u51fd\u6570<\/li>\n<\/ul>\n\n\n\n
        \u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\u6709\u7684\u65f6\u5019\u53ef\u4ee5\u76f4\u63a5\u8ba9\u6211\u4eec\u83b7\u53d6Webshell\uff0c\u62ff\u5230\u670d\u52a1\u5668\u7684\u6743\u9650<\/p>\n\n\n\n
        \u4ec0\u4e48\u662f\u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e<\/strong><\/h2>\n\n\n\n
        \u53d8\u91cf\u8986\u76d6\u6307\u7684\u662f\u7528\u6211\u4eec\u81ea\u5b9a\u4e49\u7684\u53c2\u6570\u503c\u66ff\u6362\u7a0b\u5e8f\u539f\u6709\u7684\u53d8\u91cf\u503c\uff0c\u4e00\u822c\u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\u9700\u8981\u7ed3\u5408\u7a0b\u5e8f\u7684\u5176\u5b83\u529f\u80fd\u6765\u5b9e\u73b0\u5b8c\u6574\u7684\u653b\u51fb\u3002\u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\u5927\u591a\u6570\u7531\u51fd\u6570\u4f7f\u7528\u4e0d\u5f53\u5bfc\u81f4\uff0c$$\u4f7f\u7528\u4e0d\u5f53\uff0cextract()\u51fd\u6570\u4f7f\u7528\u4e0d\u5f53\uff0cparse_str()\u51fd\u6570\u4f7f\u7528\u4e0d\u5f53\uff0cimport_request_variables()\u4f7f\u7528\u4e0d\u5f53\uff0c\u5f00\u542f\u4e86\u5168\u5c40\u53d8\u91cf\u6ce8\u518c\u7b49\u3002<\/p>\n\n\n\n
        \u5371\u5bb3<\/h2>\n\n\n\n
        \u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\u7684\u5371\u5bb3\u975e\u5e38\u5e7f\u6cdb\uff0c\u56e0\u4e3a\u653b\u51fb\u8005\u80fd\u591f\u6539\u53d8\u7a0b\u5e8f\u7684\u884c\u4e3a\uff0c\u7ed5\u8fc7\u5b89\u5168\u673a\u5236\uff0c\u751a\u81f3\u83b7\u53d6\u7cfb\u7edf\u6743\u9650\u3002\u4ee5\u4e0b\u662f\u4e00\u4e9b\u4e3b\u8981\u7684\u5371\u5bb3\uff1a<\/p>\n\n\n\n
        1.\u8ba4\u8bc1\u7ed5\u8fc7\uff1a\u653b\u51fb\u8005\u53ef\u4ee5\u8986\u76d6\u7528\u4e8e\u8ba4\u8bc1\u7684\u53d8\u91cf\uff0c\u4f8b\u5982\u5c06`$is_admin`\u8986\u76d6\u4e3a`true`\uff0c\u4ece\u800c\u83b7\u5f97\u7ba1\u7406\u5458\u6743\u9650\u3002\n2.\u6743\u9650\u63d0\u5347\uff1a\u901a\u8fc7\u8986\u76d6\u89d2\u8272\u6216\u6743\u9650\u53d8\u91cf\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u63d0\u5347\u81ea\u5df1\u7684\u6743\u9650\uff0c\u6267\u884c\u672a\u6388\u6743\u7684\u64cd\u4f5c\u3002\n3.\u4e1a\u52a1\u903b\u8f91\u7ed5\u8fc7\uff1a\u4f8b\u5982\u5728\u7535\u5b50\u5546\u52a1\u7f51\u7ad9\u4e2d\uff0c\u8986\u76d6\u4ef7\u683c\u53d8\u91cf\uff0c\u4ece\u800c\u4ee5\u4f4e\u4ef7\u8d2d\u4e70\u5546\u54c1\u3002\n4.\u4fe1\u606f\u6cc4\u9732\uff1a\u901a\u8fc7\u8986\u76d6\u914d\u7f6e\u53d8\u91cf\uff0c\u5f00\u542f\u8c03\u8bd5\u6a21\u5f0f\uff0c\u4ece\u800c\u6cc4\u9732\u654f\u611f\u4fe1\u606f\uff0c\u5982\u6570\u636e\u5e93\u8fde\u63a5\u5b57\u7b26\u4e32\u3001\u7cfb\u7edf\u8def\u5f84\u7b49\u3002\n5.\u4efb\u610f\u6587\u4ef6\u8bfb\u53d6\uff1a\u8986\u76d6\u6587\u4ef6\u8def\u5f84\u53d8\u91cf\uff0c\u8bfb\u53d6\u4efb\u610f\u6587\u4ef6\uff0c\u5305\u62ec\u7cfb\u7edf\u6587\u4ef6\u3001\u914d\u7f6e\u6587\u4ef6\u7b49\u3002\n6.\u4efb\u610f\u4ee3\u7801\u6267\u884c\uff1a\u901a\u8fc7\u8986\u76d6\u53d8\u91cf\uff0c\u5bfc\u81f4\u5305\u542b\u6076\u610f\u6587\u4ef6\u6216\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002\n7.\u6570\u636e\u5e93\u64cd\u4f5c\uff1a\u8986\u76d6\u6570\u636e\u5e93\u8fde\u63a5\u53d8\u91cf\uff0c\u5bfc\u81f4\u8fde\u63a5\u653b\u51fb\u8005\u63a7\u5236\u7684\u6570\u636e\u5e93\uff0c\u6216\u8005\u8986\u76d6SQL\u67e5\u8be2\u6761\u4ef6\uff0c\u5bfc\u81f4\u6570\u636e\u6cc4\u9732\u6216\u7be1\u6539\u3002\n8.\u4f1a\u8bdd\u52ab\u6301\uff1a\u8986\u76d6\u4f1a\u8bdd\u53d8\u91cf\uff0c\u5192\u5145\u5176\u4ed6\u7528\u6237\u3002<\/code><\/pre>\n\n\n\n
        \u51fd\u6570\u89e3\u6790<\/h2>\n\n\n\n
        \u7ecf\u5e38\u5f15\u53d1\u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\u7684\u51fd\u6570\u6709\uff1aextract() parse_str() import_request_variables()<\/p>\n\n\n\n
        extract()\u51fd\u6570\uff08\u4f5c\u7528\uff1a\u5c06\u6570\u7ec4\u4e2d\u5c06\u53d8\u91cf\u5bfc\u5165\u5230\u5f53\u524d\u7684\u7b26\u53f7\u8868\uff09<\/p>\n\n\n\n
        PHP\u4e2d\u7684extract()\u51fd\u6570<\/h3>\n\n\n\n
        extract() \u51fd\u6570\u4ece\u6570\u7ec4\u4e2d\u5c06\u53d8\u91cf\u5bfc\u5165\u5230\u5f53\u524d\u7684\u7b26\u53f7\u8868\u3002
        \u8be5\u51fd\u6570\u4f7f\u7528\u6570\u7ec4\u952e\u540d\u4f5c\u4e3a\u53d8\u91cf\u540d\uff0c\u4f7f\u7528\u6570\u7ec4\u952e\u503c\u4f5c\u4e3a\u53d8\u91cf\u503c\u3002\u9488\u5bf9\u6570\u7ec4\u4e2d\u7684\u6bcf\u4e2a\u5143\u7d20\uff0c\u5c06\u5728\u5f53\u524d\u7b26\u53f7\u8868\u4e2d\u521b\u5efa\u5bf9\u5e94\u7684\u4e00\u4e2a\u53d8\u91cf\u3002
        \u8be5\u51fd\u6570\u8fd4\u56de\u6210\u529f\u8bbe\u7f6e\u7684\u53d8\u91cf\u6570\u76ee\u3002<\/p>\n\n\n\n
        \u5b9e\u4f8b\uff1a<\/p>\n\n\n\n
        <?php\n$a = \"1\";\n$my_array = array(\"a\" => \"Cat\",\"b\" => \"Dog\", \"c\" => \"Horse\");\nextract($my_array);\necho \"$a = $a; $b = $b; $c = $c\";\n?>\n<\/code><\/pre>\n\n\n\n
        \u8fd0\u884c\u7ed3\u679c\uff1a$a = Cat; $b = Dog; $c = Horse<\/code><\/pre>\n\n\n\n
        \/\/ \u6f0f\u6d1e\u4ee3\u7801\nextract($_GET);\nif ($is_admin) {\n    \/\/ \u6267\u884c\u7ba1\u7406\u5458\u64cd\u4f5c\n}\n\n\/\/ \u653b\u51fb\uff1a?is_admin=1<\/code><\/pre>\n\n\n\n
        extract()\u51fd\u6570\uff08\u4f5c\u7528\uff1a\u4ece\u6570\u7ec4\u4e2d\u5c06\u53d8\u91cf\u5bfc\u5165\u5230\u5f53\u524d\u7684\u7b26\u53f7\u8868\uff09 \u4e00\u9053CTF\u9898\u76ee<\/p>\n\n\n\n
        \"\"<\/div><\/figure>\n\n\n\n
        \u5206\u6790\u6e90\u7801\u6211\u4eec\u53ef\u4ee5\u77e5\u9053\uff0c\n\n1\u3001\u6587\u4ef6\u5c06get\u65b9\u6cd5\u4f20\u8f93\u8fdb\u6765\u7684\u503c\u901a\u8fc7extrace()\u51fd\u6570\u5904\u7406\u3002\n\n2\u3001\u901a\u8fc7\u4e24\u4e2aif\u8bed\u53e5\u5206\u522b\u5224\u65ad\u662f\u5426\u5b58\u5728gift\u53d8\u91cf\uff0c\u548c\u53d8\u91cfgift\u7684\u503c\u548c\u53d8\u91cfcontent\u7684\u503c\u662f\u5426\u76f8\u7b49\u3002\u53d8\u91cfcontent\u7684\u503c\u662f\u901a\u8fc7\u8bfb\u53d6\u53d8\u91cftest\u7684\u503c\u83b7\u53d6\u5230\u7684\u3002\u5982\u679c\u4e24\u4e2a\u53d8\u91cf\u76f8\u7b49\u8f93\u51faflag\u3002\u5982\u679c\u4e0d\u76f8\u7b49\uff0c\u8f93\u51fa\u9519\u8bef\u3002\n\n\u4f3c\u4e4e\u903b\u8f91\u4e0a\u6ca1\u5565\u95ee\u9898\uff0c\u4f46\u662f\u5982\u679c\u6211\u4eec\u4f20\u53c2\u4e86test\u5462\uff1f\n\n\u7b2c\u4e00\u5f00\u59cbtest\u5728php\u4e2d\u5df2\u7ecf\u5b9a\u4e49\u4e86\uff0c\u4f46\u662f\u56e0\u4e3aextrace()\u51fd\u6570\uff0c\u6211\u4f20\u53c2test\u65f6\u76f8\u5f53\u4e8e\u91cd\u65b0\u7ed9test\u8d4b\u503c\u5bf9\u4e0d\u5bf9\uff1f\u56e0\u4e3aphp\u6267\u884c\u8bed\u53e5\u662f\u81ea\u4e0a\u800c\u4e0b\uff0c\u90a3\u6211\u4f20\u7684\u53c2\u6570\u5b8c\u5168\u53ef\u4ee5\u8986\u76d6\u6389\u4e4b\u524d\u6240\u5b9a\u4e49\u7684\n\n\u90a3\u4e48\u5f53\u6211\u4f20\u53c2gift=a&test=a\uff0c\u76f8\u5f53\u4e8e$gift=a;$test=a\n\u90a3\u4e48\u8fd9\u91cc\u662f\u4e0d\u662f\u5c31\u76f4\u63a5\u8f93\u51faflag\u4e86\u5462 \uff08\u56e0\u4e3a$content\u662f\u7531$test\u51b3\u5b9a\uff0c$gift\u548c$test\u90fd\u662f\u6211\u53ef\u4ee5\u51b3\u5b9a\u7684\uff09\n<\/code><\/pre>\n\n\n\n
        parse_str()\u51fd\u6570<\/h3>\n\n\n\n
        parse_str\u51fd\u6570\u7684\u4f5c\u7528\u5c31\u662f\u89e3\u6790\u5b57\u7b26\u4e32\u5e76\u6ce8\u518c\u6210\u53d8\u91cf\uff0c\u5728\u6ce8\u518c\u53d8\u91cf\u4e4b\u524d\u4e0d\u4f1a\u9a8c\u8bc1\u5f53\u524d\u53d8\u91cf\u662f\u5426\u5b58\u5728\uff0c\u6240\u4ee5\u76f4\u63a5\u8986\u76d6\u6389\u5df2\u6709\u53d8\u91cf<\/p>\n\n\n\n
        \u6ce8\u610f\uff1a\u5982\u679c\u672a\u8bbe\u7f6e array \u53c2\u6570\uff0c\u7531\u8be5\u51fd\u6570\u8bbe\u7f6e\u7684\u53d8\u91cf\u5c06\u8986\u76d6\u5df2\u5b58\u5728\u7684\u540c\u540d\u53d8\u91cf\u3002<\/p>\n\n\n\n
        parse_str() \u5c06\u67e5\u8be2\u5b57\u7b26\u4e32\u89e3\u6790\u5230\u53d8\u91cf\u4e2d\uff1a<\/p>\n\n\n\n
        <?php\n    parse_str(\"name=zkaq&&age=60\");   \/\/ test=123&gift=123\n    echo $name.\"<br>\";\n    echo $age;\n    ?>\n<\/code><\/pre>\n\n\n\n
        \u8f93\u51fa\u4e86zkaq\u548c60 \n\u90a3\u4e48parse_str(\"name=Bill&age=60\") \u76f8\u5f53\u4e8e\u5b8c\u6210\u4e86$name ='zkaq'\u548c$age ='60'\n\n\u90a3\u4e48\u5982\u679c\u5728parse_str\u4e2d\u53ef\u4ee5\u76f4\u63a5\u4f20\u53c2\u7684\u8bdd\uff0c\u90a3\u4e48\u662f\u4e0d\u662f\u4e5f\u53ef\u4ee5\u8986\u76d6\u53d8\u91cf\u5462\u3002\n<\/code><\/pre>\n\n\n\n
        \/\/ \u6f0f\u6d1e\u4ee3\u7801\nparse_str($_SERVER['QUERY_STRING']);\nif ($authenticated) {\n    \/\/ \u8bbf\u95ee\u654f\u611f\u529f\u80fd\n}\n\n\/\/ \u653b\u51fb\uff1a?authenticated=1<\/code><\/pre>\n\n\n\n
        \u4ec0\u4e48\u662f<\/strong>$$<\/h3>\n\n\n\n
        $$\u8fd9\u79cd\u5199\u6cd5\u79f0\u4e3a\u53ef\u53d8\u53d8\u91cf\uff0c\u4e00\u4e2a\u53ef\u53d8\u53d8\u91cf\u83b7\u53d6\u4e86\u4e00\u4e2a\u666e\u901a\u53d8\u91cf\u7684\u503c\u4f5c\u4e3a\u8fd9\u4e2a\u53ef\u53d8\u53d8\u91cf\u7684\u53d8\u91cf\u540d\u3002<\/p>\n\n\n\n
        \u4e0d\u4ec5\u4ec5\u662f\u51fd\u6570\u4f1a\u5bfc\u81f4\u53d8\u91cf\u8986\u76d6\uff0c\u6709\u4e9b\u7279\u6b8a\u7b26\u53f7\u7684\u7279\u6b8a\u642d\u914d\u4e5f\u4f1a\u5f15\u8d77\u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\uff0c\u6bd4\u5982$$<\/p>\n\n\n\n
        $$ \u5bfc\u81f4\u7684\u53d8\u91cf\u8986\u76d6\u95ee\u9898\u5728CTF\u4ee3\u7801\u5ba1\u8ba1\u9898\u76ee\u4e2d\u7ecf\u5e38\u5728foreach\u4e2d\u51fa\u73b0\uff0c\u5982\u4ee5\u4e0b\u7684\u793a\u4f8b\u4ee3\u7801\uff0c\u4f7f\u7528foreach\u6765\u904d\u5386\u6570\u7ec4\u4e2d\u7684\u503c\uff0c\u7136\u540e\u518d\u5c06\u83b7\u53d6\u5230\u7684\u6570\u7ec4\u952e\u540d\u4f5c\u4e3a\u53d8\u91cf\uff0c\u6570\u7ec4\u4e2d\u7684\u503c\u4f5c\u4e3a\u53d8\u91cf\u7684\u503c\u3002\u56e0\u6b64\u5c31\u4ea7\u751f\u4e86\u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\u3002\u8bf7\u6c42?name=test \u4f1a\u5c06$name\u7684\u503c\u8986\u76d6\uff0c\u53d8\u4e3atest\u3002<\/p>\n\n\n\n
        \u4e0a\u4e00\u4e2a\u4f8b\u9898\uff1a<\/p>\n\n\n\n
        <?php\n$a = 1;\nforeach(array('_COOKIE','_POST','_GET') as $_request) {\nforeach($_request as $_key=>$_value) \n{$_key=addslashes($_value);}}\necho $a;\n?>\n<\/code><\/pre>\n\n\n\n
        \u8fd9\u4e2a\u4ee3\u7801\u4f1a\u63a5\u53d7\u6211\u4eec\u7684GET\u63d0\u4ea4\u3001POST\u63d0\u4ea4\u3001COOKIE\u53c2\u6570\uff0c\u5c06\u8fd9\u4e2a\u63a5\u53d7\u6765\u7684\u53c2\u6570\u4f9d\u6b21\u653e\u5165$_request\n    $_key=>$_value \u8fd9\u662f\u4e2a\u6570\u7ec4\u89e3\u6790\uff0c\u5b9e\u9645\u4e0a\u5c31\u662f\u952e\u503c\u5206\u79bb\n\u6b63\u5e38\u800c\u8a00$a = 1\u662f\u4e00\u4e2a\u5b9a\u503c\uff0c\u4f46\u662f\u56e0\u4e3a$_key\u7684\u7f18\u6545,\u5f53\u6211\u4f20\u53c2a=2;\u90a3\u4e48$_key=addslashes($_value);\u5c31\u53d8\u4e3a\u4e86$a = 2 .\n<\/code><\/pre>\n\n\n\n
        \/\/ \u57fa\u672c\u52a8\u6001\u53d8\u91cf\n$var_name = \"username\";\n$var_name = \"John Doe\"; \/\/ \u521b\u5efa\u53d8\u91cf $username = \"John Doe\"\n\n\/\/ \u5728\u5faa\u73af\u4e2d\u4f7f\u7528\nforeach ($_REQUEST as $key => $value) {\n    $key = $value; \/\/ \u6781\u5ea6\u5371\u9669\uff01\n}<\/code><\/pre>\n\n\n\n
        import_request_variables()<\/h3>\n\n\n\n
        import_request_variables\u2014\u5c06 GET\uff0fPOST\uff0fCookie \u53d8\u91cf\u5bfc\u5165\u5230\u5168\u5c40\u4f5c\u7528\u57df\u4e2d
        import_request_variables()\u51fd\u6570\u5c31\u662f\u628aGET\u3001POST\u3001COOKIE\u7684\u53c2\u6570\u6ce8\u518c\u6210\u53d8\u91cf\uff0c\u7528\u5728register_globals\u88ab\u7981\u6b62\u7684\u65f6\u5019<\/p>\n\n\n\n
        \/\/ \u6f0f\u6d1e\u4ee3\u7801\uff08PHP < 5.4\uff09\nimport_request_variables('G');\nif ($admin_flag) {\n    \/\/ \u7ba1\u7406\u5458\u6743\u9650\n}<\/code><\/pre>\n\n\n\n
        \u6b64\u51fd\u6570\u5728 PHP 5.4.0 \u4e2d\u5df2\u88ab\u79fb\u9664<\/p>\n\n\n\n
        \u6f0f\u6d1e\u5206\u7c7b<\/h2>\n\n\n\n
        \u76f4\u63a5\u53d8\u91cf\u8986\u76d6<\/h3>\n\n\n\n
        \/\/ \u793a\u4f8b\u4ee3\u7801\n$is_admin = false;\nextract($_POST);\n\nif ($is_admin) {\n    \/\/ \u6267\u884c\u7ba1\u7406\u5458\u64cd\u4f5c\n}<\/code><\/pre>\n\n\n\n
        \u653b\u51fb\u8005\u53ef\u901a\u8fc7\u63d0\u4ea4 is_admin=1<\/code> \u6765\u63d0\u5347\u6743\u9650\u3002<\/p>\n\n\n\n
        \u5168\u5c40\u53d8\u91cf\u8986\u76d6<\/h3>\n\n\n\n
        \/\/ \u65e7\u7248PHP\u4e2dregister_globals\u5f00\u542f\u65f6\n\/\/ \u7528\u6237\u63d0\u4ea4 ?admin=1 \u4f1a\u81ea\u52a8\u521b\u5efa $admin \u53d8\u91cf\nif ($admin) {\n    \/\/ \u7ba1\u7406\u5458\u529f\u80fd\n}<\/code><\/pre>\n\n\n\n
        \u6570\u7ec4\u952e\u540d\u8986\u76d6<\/h3>\n\n\n\n
        $config = array(\n    'debug' => false,\n    'security_level' => 'high'\n);\n\nforeach($_GET as $key => $value) {\n    $config[$key] = $value;\n}<\/code><\/pre>\n\n\n\n
        \u6f0f\u6d1e\u5229\u7528\u6280\u672f<\/h2>\n\n\n\n
        \u57fa\u7840\u5229\u7528<\/h3>\n\n\n\n
        GET \/vulnerable.php?is_admin=1&username=attacker HTTP\/1.1<\/code><\/pre>\n\n\n\n
        \u6761\u4ef6\u7ade\u4e89\u5229\u7528<\/h3>\n\n\n\n
        \/\/ \u5b58\u5728\u6761\u4ef6\u7ade\u4e89\u7684\u573a\u666f\nif (isset($_POST['token']) && $_POST['token'] === $secret_token) {\n    $authorized = true;\n}\n\n\/\/ \u7a0d\u540e\u68c0\u67e5\nif ($authorized) {\n    \/\/ \u6267\u884c\u654f\u611f\u64cd\u4f5c\n}<\/code><\/pre>\n\n\n\n
        \u5bf9\u8c61\u5c5e\u6027\u8986\u76d6<\/h3>\n\n\n\n
        class User {\n    public $is_admin = false;\n    public $username = 'guest';\n}\n\n$user = new User();\nextract($_POST); \/\/ \u53ef\u80fd\u8986\u76d6$user\u5bf9\u8c61\u7684\u5c5e\u6027<\/code><\/pre>\n\n\n\n
        \u6848\u4f8b\u5206\u6790<\/h2>\n\n\n\n
        WordPress\u63d2\u4ef6\u6f0f\u6d1e (CVE-2018-12895)<\/h3>\n\n\n\n
        \/\/ \u6f0f\u6d1e\u4ee3\u7801\u7247\u6bb5\nextract(shortcode_atts(array(\n    'count' => 10,\n    'type' => 'post'\n), $atts));\n\n\/\/ \u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7shortcode\u5c5e\u6027\u8986\u76d6\u4efb\u610f\u53d8\u91cf\n\/\/ [shortcode count=10 type=post _wpnonce=invalid]<\/code><\/pre>\n\n\n\n
        \u77e5\u540dCMS\u914d\u7f6e\u8986\u76d6\u6f0f\u6d1e<\/h3>\n\n\n\n
        \/\/ \u5b89\u88c5\u811a\u672c\u4e2d\u7684\u6f0f\u6d1e\n$db_host = 'localhost';\n$db_user = 'root';\n$db_pass = '';\n\n\/\/ \u4ece\u914d\u7f6e\u6587\u4ef6\u8bfb\u53d6\nif (file_exists('config.php')) {\n    include 'config.php';\n}\n\n\/\/ \u653b\u51fb\u8005\u53ef\u4ee5\u5728\u5305\u542b\u524d\u8986\u76d6\u53d8\u91cf\n\/\/ \u8bf7\u6c42\uff1a?db_host=attacker-server.com&db_user=hacker<\/code><\/pre>\n\n\n\n
        \u6f0f\u6d1e\u6f14\u793a\u73af\u5883<\/h3>\n\n\n\n
        <?php\n\/\/ vulnerable_demo.php\nerror_reporting(0);\n\n$is_authenticated = false;\n$user_role = 'guest';\n\n\/\/ \u5371\u9669\u4ee3\u7801 - \u5b58\u5728\u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\nif (isset($_GET['action']) && $_GET['action'] == 'login') {\n    extract($_POST);\n\n    if ($is_authenticated && $user_role == 'admin') {\n        echo \"Welcome Admin! Flag: FLAG{sanjiu6666flag}\";\n    } else {\n        echo \"Access Denied!\";\n    }\n}\n?>\n\n<form method=\"post\" action=\"?action=login\">\n    <input type=\"text\" name=\"username\" placeholder=\"Username\">\n    <input type=\"password\" name=\"password\" placeholder=\"Password\">\n    <input type=\"submit\" value=\"Login\">\n<\/form><\/code><\/pre>\n\n\n\n
        \u4ee3\u7801\u5ba1\u8ba1<\/p>\n\n\n\n
        \u4ee3\u7801\u903b\u8f91<\/h4>\n\n\n\n
        \u521d\u59cb\u5316\u4e24\u4e2a\u53d8\u91cf\uff1a$is_authenticated<\/code> \u8bbe\u7f6e\u4e3a false<\/code>\uff0c$user_role<\/code> \u8bbe\u7f6e\u4e3a 'guest'<\/code>\u3002<\/p>\n\n\n\n
        \u68c0\u67e5GET\u53c2\u6570 action<\/code> \u662f\u5426\u4e3a login<\/code>\uff0c\u5982\u679c\u662f\uff0c\u5219\u6267\u884c\u767b\u5f55\u903b\u8f91\u3002<\/p>\n\n\n\n
        \u5728\u767b\u5f55\u903b\u8f91\u4e2d\uff0c\u4f7f\u7528 extract($_POST)<\/code> \u5c06POST\u6570\u7ec4\u4e2d\u7684\u952e\u503c\u5bf9\u8f6c\u6362\u4e3a\u53d8\u91cf\u3002\u4f8b\u5982\uff0c\u5982\u679cPOST\u6570\u636e\u4e2d\u6709 username=test<\/code>\uff0c\u90a3\u4e48\u5c31\u4f1a\u521b\u5efa\u4e00\u4e2a\u53d8\u91cf $username<\/code> \u5e76\u8d4b\u503c\u4e3a 'test'<\/code>\u3002<\/p>\n\n\n\n
        \u7136\u540e\u68c0\u67e5 $is_authenticated<\/code> \u662f\u5426\u4e3a\u771f\uff0c\u5e76\u4e14 $user_role<\/code> \u662f\u5426\u4e3a 'admin'<\/code>\u3002\u5982\u679c\u4e24\u4e2a\u6761\u4ef6\u90fd\u6ee1\u8db3\uff0c\u5c31\u8f93\u51fa\u7ba1\u7406\u5458\u6b22\u8fce\u4fe1\u606f\u548cflag\uff1b\u5426\u5219\uff0c\u8f93\u51fa\u201cAccess Denied!\u201d\u3002<\/p>\n\n\n\n
        \u6f0f\u6d1e\u4ea7\u751f\u539f\u56e0<\/h4>\n\n\n\n
        \u6f0f\u6d1e\u5728\u4e8e\u4f7f\u7528\u4e86 extract($_POST)<\/code> \u51fd\u6570\u3002\u8fd9\u4e2a\u51fd\u6570\u4f1a\u5c06POST\u8bf7\u6c42\u4e2d\u7684\u6bcf\u4e2a\u53c2\u6570\u90fd\u8f6c\u6362\u4e3a\u53d8\u91cf\uff0c\u5e76\u4e14\u5982\u679c\u5df2\u7ecf\u5b58\u5728\u540c\u540d\u7684\u53d8\u91cf\uff0c\u5219\u4f1a\u8986\u76d6\u539f\u6709\u7684\u53d8\u91cf\u3002<\/p>\n\n\n\n
        \u5728\u4ee3\u7801\u4e2d\uff0c\u539f\u672c\u5df2\u7ecf\u5b9a\u4e49\u4e86 $is_authenticated<\/code> \u548c $user_role<\/code> \u4e24\u4e2a\u53d8\u91cf\u3002\u4f46\u662f\uff0c\u901a\u8fc7 extract($_POST)<\/code>\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u901a\u8fc7POST\u8bf7\u6c42\u63d0\u4ea4\u540c\u540d\u7684\u53c2\u6570\u6765\u8986\u76d6\u8fd9\u4e24\u4e2a\u53d8\u91cf\u7684\u503c\u3002<\/p>\n\n\n\n
        \u5229\u7528\u539f\u7406<\/h4>\n\n\n\n
        \u653b\u51fb\u8005\u53ef\u4ee5\u6784\u9020\u4e00\u4e2aPOST\u8bf7\u6c42\uff0c\u5176\u4e2d\u5305\u542b\u4e24\u4e2a\u53c2\u6570\uff1ais_authenticated<\/code> \u548c user_role<\/code>\uff0c\u5e76\u5206\u522b\u8bbe\u7f6e\u503c\u4e3a 1<\/code>\uff08\u6216\u4efb\u4f55\u975e\u96f6\u503c\uff0c\u5728\u6761\u4ef6\u5224\u65ad\u4e2d\u4e3a\u771f\uff09\u548c 'admin'<\/code>\u3002\u8fd9\u6837\uff0c\u5f53\u6267\u884c extract($_POST)<\/code> \u65f6\uff0c\u539f\u672c\u7684 $is_authenticated<\/code> \u548c $user_role<\/code> \u5c31\u4f1a\u88ab\u8986\u76d6\u4e3a\u653b\u51fb\u8005\u6307\u5b9a\u7684\u503c\u3002<\/p>\n\n\n\n
        \u56e0\u6b64\uff0c\u5728\u540e\u7eed\u7684\u6761\u4ef6\u5224\u65ad\u4e2d\uff1a<\/p>\n\n\n\n
        if ($is_authenticated && $user_role == 'admin')<\/code><\/pre>\n\n\n\n
        \u6761\u4ef6\u5c31\u4f1a\u6210\u7acb\uff0c\u56e0\u4e3a\u73b0\u5728 $is_authenticated<\/code> \u4e3a\u771f\uff08\u88ab\u8986\u76d6\u4e3a1\uff09\uff0c\u5e76\u4e14 $user_role<\/code> \u4e3a 'admin'<\/code>\uff08\u88ab\u8986\u76d6\u4e3a'admin'<\/code>\uff09\u3002<\/p>\n\n\n\n
        \u6d41\u7a0b\u8be6\u89e3<\/h4>\n\n\n\n
        1\uff1aGET\u53c2\u6570\u89e6\u53d1\u6761\u4ef6<\/strong><\/p>\n\n\n\n
        GET\u53c2\u6570: ?action=login<\/code><\/pre>\n\n\n\n
        \u6ee1\u8db3\u6761\u4ef6 isset($_GET['action']) && $_GET['action'] == 'login'<\/code><\/p>\n\n\n\n
        \u8fdb\u5165if\u8bed\u53e5\u5757\uff0c\u6267\u884c extract($_POST)<\/code><\/p>\n\n\n\n
        2\uff1aextract()\u51fd\u6570\u6267\u884c<\/strong><\/p>\n\n\n\n
        extract($_POST); \/\/ \u5c06POST\u6570\u7ec4\u8f6c\u6362\u4e3a\u53d8\u91cf<\/code><\/pre>\n\n\n\n
        POST\u6570\u636e\u89e3\u6790\u4e3a\uff1a<\/p>\n\n\n\n
        $_POST = array(\n    'is_authenticated' => '1',\n    'user_role' => 'admin',\n    'username' => 'test',\n    'password' => 'test'\n);<\/code><\/pre>\n\n\n\n
        extract()\u6267\u884c\u540e\u76f8\u5f53\u4e8e\uff1a<\/p>\n\n\n\n
        $is_authenticated = '1';    \/\/ \u8986\u76d6\u4e86\u539f\u6765\u7684false\n$user_role = 'admin';       \/\/ \u8986\u76d6\u4e86\u539f\u6765\u7684'guest'\n$username = 'test';\n$password = 'test';<\/code><\/pre>\n\n\n\n
        3\uff1a\u6761\u4ef6\u68c0\u67e5<\/strong><\/p>\n\n\n\n
        if ($is_authenticated && $user_role == 'admin') {<\/code><\/pre>\n\n\n\n
        \u73b0\u5728\u53d8\u91cf\u7684\u503c\uff1a<\/p>\n\n\n\n
          \n
        • $is_authenticated = '1'<\/code> (\u5e03\u5c14\u503c\u4e3atrue)<\/li>\n\n\n\n
        • $user_role = 'admin'<\/code> (\u7b49\u4e8e’admin’)<\/li>\n<\/ul>\n\n\n\n
          \u6761\u4ef6\u5224\u65ad\uff1a<\/p>\n\n\n\n
            \n
          • $is_authenticated<\/code> \u2192 true<\/li>\n\n\n\n
          • $user_role == 'admin'<\/code> \u2192 true<\/li>\n\n\n\n
          • \u6574\u4f53\u6761\u4ef6\uff1atrue && true \u2192 true<\/li>\n<\/ul>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            Payload<\/h4>\n\n\n\n
            POST \/vulnerable_demo.php?action=login HTTP\/1.1\nContent-Type: application\/x-www-form-urlencoded\n\nis_authenticated=1&user_role=admin&username=test&password=test<\/code><\/pre>\n\n\n\n
            \"\"<\/div><\/figure>\n\n\n\n
            \u603b\u7ed3<\/h2>\n\n\n\n
            \u53d8\u91cf\u8986\u76d6\u6f0f\u6d1e\u662f\u4e00\u4e2a\u4e25\u91cd\u7684\u5b89\u5168\u5a01\u80c1\uff0c\u4e3b\u8981\u6e90\u4e8e\uff1a<\/p>\n\n\n\n
              \n
            1. \u5371\u9669\u51fd\u6570\u7684\u4e0d\u5f53\u4f7f\u7528<\/strong> – extract(), parse_str()\u7b49<\/li>\n\n\n\n
            2. \u7f3a\u4e4f\u8f93\u5165\u9a8c\u8bc1<\/strong> – \u76f4\u63a5\u4f7f\u7528\u7528\u6237\u8f93\u5165\u8d4b\u503c\u53d8\u91cf<\/li>\n\n\n\n
            3. \u52a8\u6001\u53d8\u91cf\u6ee5\u7528<\/strong> – $$var\u5f62\u5f0f\u7684\u53d8\u91cf\u64cd\u4f5c<\/li>\n\n\n\n
            4. \u914d\u7f6e\u4e0d\u5f53<\/strong> – register_globals\u7b49\u5371\u9669\u914d\u7f6e<\/li>\n<\/ol>\n\n\n\n
              \u9632\u62a4\u6838\u5fc3\u539f\u5219<\/strong>\uff1a<\/p>\n\n\n\n
                \n
              • \u907f\u514d\u4f7f\u7528\u5371\u9669\u51fd\u6570<\/strong> – \u5982extract()\u3001parse_str()\u7b49<\/li>\n\n\n\n
              • \u5b9e\u65bd\u8f93\u5165\u9a8c\u8bc1<\/strong> – \u4f7f\u7528\u767d\u540d\u5355\u673a\u5236<\/li>\n\n\n\n
              • \u660e\u786e\u53d8\u91cf\u521d\u59cb\u5316<\/strong> – \u907f\u514d\u4f7f\u7528\u672a\u521d\u59cb\u5316\u7684\u53d8\u91cf<\/li>\n\n\n\n
              • \u4ee3\u7801\u5b89\u5168\u5ba1\u67e5<\/strong> – \u5b9a\u671f\u68c0\u67e5\u4ee3\u7801\u4e2d\u7684\u5b89\u5168\u9690\u60a3<\/li>\n<\/ul>\n\n\n\n
                <\/p>\n","protected":false},"excerpt":{"rendered":"
                \u4ec0\u4e48\u662f\u53d8\u91cf\u8986\u76d6\uff1f \u53d8\u91cf\u8986\u76d6\u6307\u7684\u662f\u53ef\u4ee5\u7528\u6211\u4eec\u7684\u4f20\u53c2\u503c\u66ff\u6362\u7a0b\u5e8f\u539f\u6709\u7684\u53d8\u91cf\u503c \u6bd4\u5982 \u50cf\u8fd9\u4e2a\u8f93\u51fa\u662f2\u56e0\u4e3aa=2\u8986\u76d6\u4e86a […]<\/p>\n","protected":false},"author":1,"featured_media":266,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,7],"tags":[],"class_list":["post-261","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-web","category-7"],"_links":{"self":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/261","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=261"}],"version-history":[{"count":1,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/261\/revisions"}],"predecessor-version":[{"id":265,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/posts\/261\/revisions\/265"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=\/wp\/v2\/media\/266"}],"wp:attachment":[{"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=261"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=261"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sanjiuctf.cn\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=261"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}