5.1.12. Other
5.1.12.1. Low precision
PHP does not store floating-point numbers with arbitrary precision; it uses the IEEE 754 double-precision format, so comparing floats for exact equality can give unexpected results. For example, ``php -r "var_dump(0.2+0.7==0.9);"`` prints ``bool(false)``, not ``bool(true)``. This can be problematic in some cases.
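The following added example (not code from the original page) shows the failing exact comparison next to two safer alternatives: a tolerance-based comparison and, for decimal quantities such as money, fixed-scale arithmetic with bcmath. The helper names and sample values are constructed for this illustration.

```php
<?php
// Added example: comparing floating-point values in PHP.

// Bit-exact IEEE 754 comparison: this is what == does on two floats.
function naiveEquals(float $a, float $b): bool
{
    return $a == $b;
}

// Compare within a tolerance instead of bit-exact equality.
function floatEquals(float $a, float $b, float $epsilon = PHP_FLOAT_EPSILON): bool
{
    return abs($a - $b) < $epsilon;
}

// For money or other decimal quantities, avoid binary floats altogether:
// keep the values as decimal strings and compare at a fixed scale (ext/bcmath).
function decimalEquals(string $a, string $b, int $scale = 2): bool
{
    return bccomp($a, $b, $scale) === 0;
}

var_dump(naiveEquals(0.2 + 0.7, 0.9));                  // bool(false)
var_dump(floatEquals(0.2 + 0.7, 0.9));                  // bool(true)
var_dump(decimalEquals(bcadd('0.20', '0.70', 2), '0.90')); // bool(true)
```

The first comparison fails because neither 0.2 nor 0.7 is exactly representable as a double, so their sum lands on a neighbouring double rather than on the double nearest to 0.9; a check on a price or quota written with ``==`` can therefore pass or fail depending on how the operands were computed.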
5.1.12.2. Weak typing
If ``==`` is used to test equality, type juggling causes unexpected behaviour. One example is the "magic hash": when two MD5 digests both match ``0e[0-9]{30}``, PHP reads each as a numeric string equal to zero, so the two hash values compare equal.
In addition, when a string is compared with a number, PHP automatically converts types, so ``1=="1a.php"`` evaluates to true (PHP 8 and later compare a number with a non-numeric string as strings, so the result there is false).
Also, when a hash function such as ``md5()`` is given an array, it returns ``NULL`` (PHP 8 throws a ``TypeError`` instead), so when checking the hash of data taken from a network request, the data type must be checked first. Similarly, ``strcmp()``, ``ereg()`` and ``strpos()`` misbehave when handed arrays, returning ``NULL``.
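The added example below (not code from the original page) reproduces the magic-hash and number-versus-string comparisons and shows the hardened pattern for checking a token that arrives in a request: reject anything that is not a string, then compare with ``===`` semantics via ``hash_equals()``. The request array, the two input strings and the function name ``tokenMatches`` are constructed for this example.

```php
<?php
// Added example: loose vs strict comparison, and type checks before hashing.

// Two well-known inputs whose MD5 digests both match 0e[0-9]{30}. Under ==
// each side is parsed as the numeric literal 0e..., i.e. zero, so they "match".
$a = md5('240610708');   // 0e462097431906509019562988736854
$b = md5('QNKCDZO');     // 0e830400451993494058024219903391
var_dump($a == $b);      // bool(true)  -- magic hash
var_dump($a === $b);     // bool(false) -- strict comparison is correct

// Number vs string: PHP < 8 converts "1a.php" to 1, so == gives true;
// PHP 8 compares them as strings and gives false. === is stable everywhere.
var_dump(1 === "1a.php");   // bool(false)

// Hardened check for a token taken from a request. Arrays (?token[]=x) are
// rejected before any string function sees them, so strcmp()/strpos() never
// return NULL (PHP 7) or throw a TypeError (PHP 8). hash_equals() compares
// byte-for-byte in constant time, with no numeric-string juggling.
function tokenMatches($input, string $expected): bool
{
    if (!is_string($input)) {
        return false;        // arrays, null, ints: never "equal"
    }
    return hash_equals($expected, $input);
}

$expected = md5('secret-from-config');                 // constructed secret

$request = ['token' => ['x']];                         // simulates ?token[]=x
var_dump(tokenMatches($request['token'], $expected));  // bool(false), no warning

$request = ['token' => md5('secret-from-config')];     // simulates a valid token
var_dump(tokenMatches($request['token'], $expected));  // bool(true)

$request = ['token' => '0e462097431906509019562988736854'];   // magic-hash attempt
var_dump(tokenMatches($request['token'], $expected));  // bool(false)
```

The ``is_string()`` guard is what closes the array case the text describes: an input like ``?token[]=x`` makes ``$_GET['token']`` an array, and a comparison built on ``strcmp()`` or ``==`` against ``NULL`` can accidentally succeed, whereas the guard simply fails the check.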
5.1.12.3. Command execution
When the pattern passed as the first argument of ``preg_replace()`` carries the ``/e`` modifier, the replacement given as the second argument is evaluated as PHP code (the ``/e`` modifier was deprecated in PHP 5.5 and removed in PHP 7).
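As an added example (not code from the original page), here is the replacement for the ``/e`` pattern that modern PHP expects: ``preg_replace_callback()`` takes a real function, so user data only ever reaches it as a match array and nothing is evaluated as code. The function name ``upperWords`` and the sample input are constructed.

```php
<?php
// Added example: replacing the removed /e modifier with preg_replace_callback().

// Dangerous pattern on PHP 5.x (shown only as a comment, never run): with /e
// the replacement string is evaluated as PHP code, so if either the pattern or
// the replacement is influenced by user input the script executes that input.
//   preg_replace('/(\w+)/e', 'strtoupper("\\1")', $input);

// Safe equivalent: the callback is a fixed closure; matched text is passed in
// as $m[0] and is treated purely as data.
function upperWords(string $input): string
{
    return preg_replace_callback(
        '/\b[a-z]+\b/',
        static function (array $m): string {
            return strtoupper($m[0]);
        },
        $input
    );
}

echo upperWords('hello world'), "\n";   // HELLO WORLD
```

When auditing legacy code, a search for ``preg_replace(`` calls whose pattern ends in ``e`` (or whose pattern is built from variables) finds the spots that must be converted this way before the code can run on PHP 7 or later.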
5.1.12.4. Truncation
PHP strings can be truncated: ``ereg()``, a ``%00`` (NUL) byte, or ``iconv()`` can each cut a string short, and such truncation can turn a passed filter check into a vulnerability.
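The following added example (not code from the original page) shows the defensive side of the NUL-byte case: a filename check that rejects embedded NUL bytes and directory components before the name reaches any C-level file function, so a name that would pass an extension check as ``.jpg`` but be opened as ``.php`` after truncation never gets through. The function name ``safeUploadName`` and the sample names are constructed.

```php
<?php
// Added example: refusing inputs that depend on string truncation.

// Returns a sanitised filename, or null if the input must be rejected.
function safeUploadName(string $name): ?string
{
    // C-level functions (and the old ereg() family) stop at a NUL byte, so a
    // name like "shell.php\0.jpg" passes a ".jpg" check but is opened as
    // "shell.php". Reject the byte outright instead of trusting later layers.
    if (strpos($name, "\0") !== false) {
        return null;
    }

    // Drop any directory part so "../" sequences cannot survive.
    $name = basename($name);

    // Allow-list the final form: plain characters plus an expected extension.
    // The D modifier stops $ from matching before a trailing newline.
    if (!preg_match('/^[A-Za-z0-9._-]+\.(jpg|png)$/D', $name)) {
        return null;
    }
    return $name;
}

var_dump(safeUploadName("shell.php\0.jpg"));   // NULL
var_dump(safeUploadName("../../etc/passwd"));   // NULL
var_dump(safeUploadName("photo.jpg\n"));        // NULL
var_dump(safeUploadName("photo.jpg"));          // string(9) "photo.jpg"
```

Checking the whole string in PHP (``strpos()`` is binary-safe) is the point: the truncation happens only once the value is handed to a function that treats NUL as a terminator, so the check has to run before that hand-off.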
5.1.12.5. Variable Override
When ``extract()`` or ``parse_str()`` is used, or PHP's ``$$`` variable-variable feature, an incorrect call may allow a user to overwrite arbitrary variables.
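The added example below (not code from the original page) shows the override happening through ``extract()`` with its default flags, the same call with ``EXTR_SKIP``, and the explicit-key alternative that avoids creating variables from request data at all; it also shows ``parse_str()`` writing into a result array rather than into the scope. The ``$request`` array simulating ``?isAdmin=1&name=alice`` and the function names are constructed.

```php
<?php
// Added example: variable override via extract() and the safer alternatives.

$request = ['isAdmin' => '1', 'name' => 'alice'];   // simulates ?isAdmin=1&name=alice

// Vulnerable: the default EXTR_OVERWRITE lets request keys clobber variables
// the script already set.
function vulnerable(array $request): bool
{
    $isAdmin = false;
    extract($request);              // $isAdmin is now the string '1'
    return (bool) $isAdmin;
}

// Safer: EXTR_SKIP never overwrites an existing variable ...
function skipExisting(array $request): bool
{
    $isAdmin = false;
    extract($request, EXTR_SKIP);   // $isAdmin stays false
    return (bool) $isAdmin;
}

// ... and better still: do not turn request keys into variables at all.
// Read the keys you expect, with a type check. The same goes for $$name
// loops over request data, which have the same override effect as extract().
function explicit(array $request): array
{
    $name = (isset($request['name']) && is_string($request['name']))
        ? $request['name']
        : '';
    return ['name' => $name];
}

var_dump(vulnerable($request));     // bool(true)  -- privilege flag overwritten
var_dump(skipExisting($request));   // bool(false)

// parse_str() with a result array keeps parsed keys out of the local scope
// (the one-argument form that wrote into the scope was removed in PHP 8).
parse_str('isAdmin=1&name=bob', $parsed);
var_dump(explicit($parsed));        // array(1) { ["name"]=> string(3) "bob" }
```

``EXTR_SKIP`` only protects variables that already exist when ``extract()`` runs; a variable first assigned later in the function is still controllable, which is why the explicit form is the one to prefer.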
5.1.12.6. PHP features
When PHP parses a request, parameter names containing a space, ``.`` or ``[`` have those characters converted to underscores.
For historical reasons ``urlencode()`` differs from RFC 3986; PHP also provides ``rawurlencode()``, which implements RFC 3986 fully.
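As an added example (not code from the original page), the script below makes both behaviours visible: ``parse_str()`` applies the same parameter-name rewriting as ``$_GET``/``$_POST``, and the two encoding functions differ on the space and the tilde. The query string and sample values are constructed.

```php
<?php
// Added example: parameter-name rewriting and urlencode() vs rawurlencode().

// parse_str() uses the same variable registration as $_GET/$_POST, so a
// space, a '.' or an unmatched '[' in a parameter name becomes '_'.
// Consequence for filters: a rule that looks for "user.name" in the raw
// query never matches what the application actually reads ($params['user_name']).
parse_str('user.name=alice&a b=1&x[=2', $params);
print_r($params);
// Array
// (
//     [user_name] => alice
//     [a_b] => 1
//     [x_] => 2
// )

// Encoding: urlencode() follows application/x-www-form-urlencoded, turning a
// space into '+' and escaping '~'; rawurlencode() follows RFC 3986, where a
// space is %20 and '~' is an unreserved character left as-is.
var_dump(urlencode('a b~'));      // string(6) "a+b%7E"
var_dump(rawurlencode('a b~'));   // string(6) "a%20b~"

// The decoders differ in the same way: only urldecode() maps '+' to a space.
var_dump(urldecode('a+b'));       // string(3) "a b"
var_dump(rawurldecode('a+b'));    // string(3) "a+b"
```

The practical rule is to pair encoder and decoder from the same family: ``rawurlencode()`` for path segments and anything consumed by an RFC 3986 parser, ``urlencode()`` only for form bodies and query strings that PHP itself will decode.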
5.1.12.7. /tmp temp file race
When ``phpinfo()`` output is accessible, the path of an uploaded temporary file can be read from it; since that file exists only for the duration of the request, a file inclusion bug must be raced against its deletion, enabling LFI.