# Variable Overwrite Vulnerability

Variable overwrite vulnerabilities have two causes.

The first is `register_globals` being set to on: it is enabled by default in PHP4 and disabled by default from PHP5 onward.

The second is code that manually registers request parameters as global variables.

Reading and assigning global variables

```
<form action='' method='get'>
<input type='text' name='username' value='alex' >
<input type='submit' name='sub' value='sub'>
</form>
<?php
echo 'username::',$username;
echo '<br>sub::',$sub;
echo '<br>GET::';
print_r($_GET);
// Or request the page directly with the parameters: test.php?username=alex&sub=sub
```

When `register_globals = On`, **submitting** the form outputs:

```
username::alex
sub::sub
array ( [username] => alex [sub] => sub )
```

When `register_globals = Off`, submitting the form outputs:

```
username::
sub::
array ( [username] => alex [sub] => sub )
```

The test results make it clear: `register_globals` means "register as global variables". When it is On, the values passed in are registered directly as global variables and can be used as such; when it is Off, they have to be read from the specific arrays.

Manually registering global variables

```
<?php
// Copy every key of $_GET and $_POST into a variable of the same name
foreach (array('_GET','_POST') as $request){
    foreach ($$request as $_k=>$_v){
        $$_k=$_v;
    }
}
// With the code above in place, any variable you want can simply be supplied as a request parameter
// http://www.test.com/audit/test.php?moon=1
echo $moon; // 1
// http://www.test.com/audit/test.php?user=tom
echo $user; // tom
```
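The following added example (not code from the original page) puts the registration loop above next to an allowlist-based alternative, to show what happens to a variable the application had already set. The function names, the `$role` variable and the request array are constructed for illustration.

```php
<?php
// Added example, not from the original page. Function names, $role and the
// request array are constructed for illustration.

// The page's registration loop, placed in a function so its effect on a
// variable the application has already set can be observed.
function register_all(array $request): string
{
    $role = 'guest';                  // value assigned by the application
    foreach ($request as $_k => $_v) {
        $$_k = $_v;                   // every request key becomes a variable
    }
    return $role;                     // may no longer be the value set above
}

// Alternative: read only the names the script expects, keep them in an array
// instead of the variable scope, and accept only string values.
function read_allowed(array $request, array $allowed): array
{
    $vars = [];
    foreach ($allowed as $name) {
        if (isset($request[$name]) && is_string($request[$name])) {
            $vars[$name] = $request[$name];
        }
    }
    return $vars;
}

// Constructed stand-in for $_GET: the form fields plus one extra parameter.
$request = ['username' => 'alex', 'sub' => 'sub', 'role' => 'admin'];

echo 'loop:      role = ', register_all($request), PHP_EOL;

$vars = read_allowed($request, ['username', 'sub']);
$role = 'guest';
echo 'allowlist: role = ', $role, ', vars = ', json_encode($vars), PHP_EOL;
```

PHP's built-in `extract()` with its default `EXTR_OVERWRITE` flag behaves like the loop; `EXTR_SKIP` leaves existing variables untouched.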