test:
Kirin.php:
<?php
$name=$_GET['kirin_say'];
echo $name;
?>
url&&output:
127.0.0.1/Kirin.php?kirin.say=12345
#output:12345
So the PHP server replaced the '.' in the parameter name with '_': the request used kirin.say, yet $_GET['kirin_say'] was populated.
debug:
I chose to use PHP's built-in web server for convenient debugging:
php -S 127.0.0.1:1234 -t ./
ps -af|grep php
sudo gdb attach PID
#or ida:
gdbserver ip:port executable program/--attach PID && gdb target remote ip:port/ida remote gdb debugger
#or:
ida remote linux debug->php ELF binary && Debugger Process options->add Parameters
How the PHP SAPI processes HTTP request data:
Source code in main/php_variables.c (elided parts marked with ......):
SAPI_API SAPI_TREAT_DATA_FUNC(php_default_treat_data)
{
    ......
    ......
    switch (arg) {
        case PARSE_POST:
        case PARSE_GET:
        case PARSE_COOKIE:
            array_init(&array);
            switch (arg) {
                case PARSE_POST:
                    zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_POST]);
                    ZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_POST], &array);
                    break;
                case PARSE_GET:
                    zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_GET]);
                    ZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_GET], &array);
                    break;
                case PARSE_COOKIE:
                    zval_ptr_dtor_nogc(&PG(http_globals)[TRACK_VARS_COOKIE]);
                    ZVAL_COPY_VALUE(&PG(http_globals)[TRACK_VARS_COOKIE], &array);
                    break;
            }
            break;
        default:
            ZVAL_COPY_VALUE(&array, destArray);
            break;
    }

    if (arg == PARSE_POST) {
        sapi_handle_post(&array);
        return;
    }

    if (arg == PARSE_GET) {     /* GET data */
        c_var = SG(request_info).query_string;
        if (c_var && *c_var) {
            res = (char *) estrdup(c_var);
            free_buffer = 1;
        } else {
            free_buffer = 0;
        }
    }
    ......
    ......
}
But dynamic debugging showed something else:
this function does not touch the variable name; the change happens earlier, in php_register_variable_ex:
PHPAPI void php_register_variable_ex(char *var_name, zval *val, zval *track_vars_array)
{
    ......
    ......
    /* ensure that we don't have spaces or dots in the variable name (not binary safe) */
    for (p = var; *p; p++) {
        if (*p == ' ' || *p == '.') {
            *p='_';
        } else if (*p == '[') {
            is_array = 1;
            ip = p;
            *p = 0;
            break;
        }
    }
    ......
    ......
}
breakpoint&&debug:
RAX 0x2e
RBX 0x7ffed0a3b5f0 — 'kirin.say'
RCX 0x7ffed0a3b5f5 — 0x7961732e /* '.say' */
RDX 0xa
RDI 0x7ffed0a3b5f0 — 'kirin.say'
RSI 0x7f9beb001010 — 'kirin.say'
R8 0x7ffed0a3b7b8 — 0x7ffed0a3b7ff — 0x0
R9 0x7ffed0a3b7b0 — 0x7f9beb00101f — 0x7f9beb00103000
R10 0x7f9beb0001c0 — 0xffffffffffffffff
R11 0x200
R12 0x7ffed0a3b7a8 — 0x7f9beb004008 — 0x3534333231 /* '12345' */
R13 0x0
R14 0x7f9beb05e038 — 0x700000001
R15 0x0
RBP 0x7ffed0a3b6e0 — 0x7f9beb001010 — 'kirin.say'
RSP 0x7ffed0a3b5f0 — 'kirin.say'
RIP 0x55f3d6fe900b (php_register_variable_ex+283) — mov byte ptr [rcx], 0x5f
──────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────
0x55f3d6fe9005 <php_register_variable_ex+277> je php_register_variable_ex+297 <0x55f3d6fe9019>
0x55f3d6fe9007 <php_register_variable_ex+279> cmp al, 0x20
0x55f3d6fe9009 <php_register_variable_ex+281> jne php_register_variable_ex+256 <0x55f3d6fe8ff0>
↓
0x55f3d6fe8ff0 <php_register_variable_ex+256> cmp al, 0x2e
0x55f3d6fe8ff2 <php_register_variable_ex+258> ✔ je php_register_variable_ex+283 <0x55f3d6fe900b>
↓
0x55f3d6fe900b <php_register_variable_ex+283> mov byte ptr [rcx], 0x5f
0x55f3d6fe900e <php_register_variable_ex+286> add rcx, 1
next step:
RAX 0x2e
RBX 0x7ffed0a3b5f0 — 'kirin_say'
RCX 0x7ffed0a3b5f5 — 0x7961735f /* '_say' */
RDX 0xa
RDI 0x7ffed0a3b5f0 — 'kirin_say'
RSI 0x7f9beb001010 — 'kirin.say'
R8 0x7ffed0a3b7b8 — 0x7ffed0a3b7ff — 0x0
R9 0x7ffed0a3b7b0 — 0x7f9beb00101f — 0x7f9beb00103000
R10 0x7f9beb0001c0 — 0xffffffffffffffff
R11 0x200
R12 0x7ffed0a3b7a8 — 0x7f9beb004008 — 0x3534333231 /* '12345' */
R13 0x0
R14 0x7f9beb05e038 — 0x700000001
R15 0x0
RBP 0x7ffed0a3b6e0 — 0x7f9beb001010 — 'kirin.say'
RSP 0x7ffed0a3b5f0 — 'kirin_say'
RIP 0x55f3d6fe900e (php_register_variable_ex+286) — add rcx, 1
──────────────────────────────────────────────────────────────────[ DISASM ]───────────────────────────────────────────────────────────────────
0x55f3d6fe9003 <php_register_variable_ex+275> test al, al
0x55f3d6fe9005 <php_register_variable_ex+277> je php_register_variable_ex+297 <0x55f3d6fe9019>
0x55f3d6fe9007 <php_register_variable_ex+279> cmp al, 0x20
0x55f3d6fe9009 <php_register_variable_ex+281> jne php_register_variable_ex+256 <0x55f3d6fe8ff0>
0x55f3d6fe900b <php_register_variable_ex+283> mov byte ptr [rcx], 0x5f
To sum up:
When PHP processes HTTP data and registers request variables (php_default_treat_data) ->
PHP internals call php_register_variable_ex to sanitise the user-supplied variable name ->
every '.' and ' ' in the variable name is replaced with '_'
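The loop above is small, but its effect on which request keys an application actually sees is easy to get wrong when writing input filters: two differently spelled parameter names can end up in the same $_GET entry. The following is an added, stand-alone re-implementation of that normalisation loop, not PHP's own source; the function names normalize_var_name, same_variable and array_flag are my own. It reproduces only what the excerpt shows (rewrite of ' ' and '.' before the first '[', and truncation at '['), so a defender can check how a given parameter name will be registered.

```c
#include <stdio.h>
#include <string.h>

/* Added example re-implementing the name sanitisation loop shown in
 * php_register_variable_ex() (not PHP's source code).
 * Copies `name` into `out`, then rewrites every ' ' and '.' to '_' until the
 * first '[' is reached; the name is cut there, as PHP treats the remainder as
 * an array index.  Returns 1 if a '[' was seen, 0 otherwise, -1 if `out` is
 * too small.  `out_len` must be at least strlen(name) + 1. */
int normalize_var_name(const char *name, char *out, size_t out_len)
{
    size_t n = strlen(name);
    if (n + 1 > out_len) {
        return -1;
    }
    memcpy(out, name, n + 1);

    int is_array = 0;
    for (char *p = out; *p; p++) {
        if (*p == ' ' || *p == '.') {
            *p = '_';                 /* same rewrite as PHP: ' ' and '.' -> '_' */
        } else if (*p == '[') {
            is_array = 1;             /* rest of the string is an array index */
            *p = 0;
            break;
        }
    }
    return is_array;
}

/* Does the raw parameter name `param` get registered under `key`? */
int same_variable(const char *param, const char *key)
{
    char buf[256];
    if (normalize_var_name(param, buf, sizeof buf) < 0) {
        return 0;
    }
    return strcmp(buf, key) == 0;
}

/* Would PHP treat `param` as an array variable (i.e. contains '[')? */
int array_flag(const char *param)
{
    char buf[256];
    return normalize_var_name(param, buf, sizeof buf);
}

int main(void)
{
    /* Constructed sample parameter names, including the one from the test above. */
    const char *samples[] = { "kirin.say", "kirin say", "a.b[c.d]", "user_id" };
    char buf[256];

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int arr = normalize_var_name(samples[i], buf, sizeof buf);
        printf("%-10s -> %-10s (array: %s)\n", samples[i], buf, arr ? "yes" : "no");
    }
    return 0;
}
```

Running it shows that kirin.say and kirin say both land in $_GET['kirin_say'], while a.b[c.d] is registered as the array a_b. The practical consequence for defenders is that any allow-list or WAF rule keyed on parameter names must apply the same normalisation PHP does, otherwise it compares against a name the application never sees.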