替换单个字符时绕过PHP str_replace（）

So, I am studying some PHP security using DVWA (http://www.dvwa.co.uk/). Right now I'm on an exercise where the author tries to teach us to execute commands on vulnerable applications. In this level, it adds a very simple blacklist which removes important characters:

$substitutions = array(
        '&&' => '',
        ';' => '',
    );

I obviously can use some other characters to still get code executed (like |, ||, &, etc.), but I wanted to know how I'd evade the substitution for the single character ";". I've seen some examples around which fools the substitution with code like "<scr<script>ipt>" and I've tried stuff like ";;;"; tried to encode in hex and base64 and such but it didn't work.

Is there a way to evade str_replace() when it is looking for a single character? This is PHP 5.5.3.

写回答
好问题 0 提建议
追加酬金
关注问题
分享
邀请回答
编辑收藏删除结题
收藏举报

2条回答默认最新

关注

码龄粉丝数原力等级 --

被采纳

被点赞

采纳率
doukuang1950 2014-01-29 18:23
关注
I'm not sure why the author is showing how to use a black-list, its too easily subverted, perhaps this idea is shredded further on in the tut. http://en.wikipedia.org/wiki/Secure_input_and_output_handling

Although the example you link to is the 'medium' level, even the 'harder' level does not use PHPs Filter FILTER_VALIDATE_IP

Even a REGEX would do a better job. See half way down the page of: http://www.regular-expressions.info/examples.html

If you are trying to protect against XSS attacks (you mention a mangled script tag) then white-listing is the way to go. Validate against what you expect to get, or abort.

EDIT

Hmmm.. now I see the site is called Damned Vulnerable Web App, perhaps the idea is to teach you all the poor examples ...

解决无用
评论打赏
分享
举报

评论

按下Enter换行，Ctrl+Enter发表内容

报告相同问题？

关注问题

将数组元素转换为单个字符串（PHP） php
2019-05-20 20:32

回答 2 已采纳 echo $aResult[0]['voornaam']; But this will only work, if you fetch just one row. (Not sure with
Python如何将重复字符替换成单个字符替换？ python
2022-03-20 07:42

回答 4 已采纳 def res_dup(text: str): new_text = sorted(set(text)) result = "".join(new_text) return
将所有重复出现的字符串替换为单个字符串 php
2018-05-15 14:13

回答 2 已采纳 You could do this: $str = '1-string-2-string-3-string-55-otherstring-66-otherstring'; print_r(imp
PHP str_replace() 函数批量替换和单个
2022-07-19 09:55

丶的博客 php替换函数一次性替换多个字符
PHP在URL中获取整个字符串而不是单个参数 php
2019-04-18 03:53

回答 2 已采纳 You just need to use str_replace() $str = "www.example.com/w/https://www.nytimes.com/2019/04/
PHP如何在单个字符串中连接多维数组和单个数组 php
2018-08-12 01:57

回答 1 已采纳 One word, Recursion function mutliImplode($glue, $pieces = ''){ if(!is_array($pieces) && is_
php将特殊字符'＆'转换为单个字符 php
2016-05-03 16:49

回答 2 已采纳 To convert from html entities back to the characters. Like from &amp to &, and &gt to >. Use ht
php批量替换函数,函数str_replace( )批量替换内容
2021-03-17 11:57

韩版豆腐花的博客正文昨天在写获取 wordpress 主题信息API的时候，为了替换 style.css 里面的英文内容，所以就用到了关于字符串替换的 str_replace() 函数，刚开始我连续用了十来个 str_replace() 函数才替换过来，后来有个大佬跟我...
将字符串转换为单个数组，PHP laravel php
2015-12-28 09:38

回答 3 已采纳 You could use the preg_match_all in conjunction with the array_combine like this: $string = "txn_
php str_getcsv打破选项卡分隔列表，没有机箱和单个双引号 nosql php
2013-11-16 18:34

回答 2 已采纳 Just to give a starting point ... You might wanna consider working with the string itself, inste
通过php curl得取淘宝单个价格和特征资料 php
2019-11-14 17:45

回答 1 已采纳 https://blog.csdn.net/m0_37683054/article/details/76101048
PHP中的字符串替换方法：str_replace
2023-09-28 06:09

艾丽丝的爱情的博客它可以用于替换字符串中的单个字符或多个字符，并且可以通过限制替换次数来控制替换的范围。在PHP中，我们可以使用str_replace函数来替换字符串中的指定部分。str_replace函数可以用于替换字符串中的所有匹配项或...
在单个字符串中打印PHP数组值 php
2013-04-17 18:58

回答 2 已采纳 $string = join(" ", array_map(function($x) {return "For $x[itemId] ==> $x[qty] sample";}, $orde
PHP字符串函数str_replace(子字符串替换)
2020-08-15 21:50

ztnhnr的博客在PHP中，字符串函数 str_replace() 用来替换字符串中的一些字符（区分大小写）。函数语法： str_replace(mixed$search,mixed$replace,mixed$subject[,int&$count]):mixed 函数参数说明：参数描述 ...
str_replace 替换函数
2018-08-02 10:15

燕燕燕燕燕的博客 #单个字符替换 echo str_replace('b', 'B', $str); #输出：aBcdefg echo str_replace(['b'], ['B','C'], $str); #输出：aBcdefg #多个字符替换成同一个字符串 echo str_replace(['b','c'], 'BC', $str); #...
没有解决我的问题, 去提问

悬赏问题

¥15 #MATLAB仿真#车辆换道路径规划
¥15 java 操作 elasticsearch 8.1 实现索引的重建
¥15 数据可视化Python
¥15 要给毕业设计添加扫码登录的功能！！有偿
¥15 kafka 分区副本增加会导致消息丢失或者不可用吗？
¥15 微信公众号自制会员卡没有收款渠道啊
¥100 Jenkins自动化部署—悬赏100元
¥15 关于#python#的问题：求帮写python代码
¥20 MATLAB画图图形出现上下震荡的线条
¥15 关于#windows#的问题：怎么用WIN 11系统的电脑克隆WIN NT3.51-4.0系统的硬盘

替换单个字符时绕过PHP str_replace（）

2条回答 默认 最新

悬赏问题

2条回答默认最新