A small feature of PHP deserialization (unserialize) _php tutorial

Source: Internet
Author: User
These days the WordPress deserialization vulnerability is quite a hot topic. I will not analyze the vulnerability itself here; read http://drops.wooyun.org/papers/596, or the original English write-up at http://vagosec.org/2013/09/wordpress-php-object-injection/. WordPress has officially released a patch. I tried to bypass it, and just when I thought I had succeeded I found I had been naive and had not actually bypassed the patch, but along the way I found a small feature of unserialize(), which I share here.

1. Related unserialize() source code:
    if ((YYLIMIT - YYCURSOR) < 7) YYFILL(7);
    yych = *YYCURSOR;
    switch (yych) {
    case 'C':
    case 'O':   goto yy13;
    case 'N':   goto yy5;
    case 'R':   goto yy2;
    case 'S':   goto yy10;
    case 'a':   goto yy11;
    case 'b':   goto yy6;
    case 'd':   goto yy8;
    case 'i':   goto yy7;
    case 'o':   goto yy12;
    case 'r':   goto yy4;
    case 's':   goto yy9;
    case '}':   goto yy14;
    default:    goto yy16;
    }

The code above is the dispatch on the first character of a serialized string. Take the serialized string O:4:"Test":1:{s:1:"a";s:3:"AAA";}: the parser first reads its first character, O, and takes case 'O': goto yy13;

yy13:
    yych = *(YYMARKER = ++YYCURSOR);
    if (yych == ':') goto yy17;
    goto yy3;

As this code shows, the cursor advances to the second character, checks whether it is ':', and if so jumps to yy17.
yy17:
    yych = *++YYCURSOR;
    if (yybm[0+yych] & 128) {   /* bit 128 of yybm marks the digit characters */
        goto yy20;
    }
    if (yych == '+') goto yy19;
    .....
yy19:
    yych = *++YYCURSOR;
    if (yybm[0+yych] & 128) {
        goto yy20;
    }
    goto yy18;

As this code shows, the cursor advances and the next character is examined: if it is a digit, control goes directly to yy20; if it is '+', control goes to yy19. yy19 examines the following character: if it is a digit, control goes to yy20, otherwise to yy18. yy18 exits deserialization immediately, while yy20 processes the serialized object. So, from the above, O:+4:"Test":1:{s:1:"a";s:3:"AAA";} and O:4:"Test":1:{s:1:"a";s:3:"AAA";} are both accepted by unserialize() and produce the same result.

2. Actual test:
 
Output:

object(__PHP_Incomplete_Class)#1 (2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(4) "Test"
  ["a"]=>
  string(3) "AAA"
}
object(__PHP_Incomplete_Class)#1 (2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(4) "Test"
  ["a"]=>
  string(3) "AAA"
}

In fact, it is not only the object type that tolerates an extra '+'; the other types do as well. I will not describe those tests in detail.

3. Let's look at the WP patch:
function is_serialized( $data, $strict = true ) {
    // if it isn't a string, it isn't serialized
    if ( ! is_string( $data ) )
        return false;
    $data = trim( $data );
    if ( 'N;' == $data )
        return true;
    $length = strlen( $data );
    if ( $length < 4 )
        return false;
    if ( ':' !== $data[1] )
        return false;
    if ( $strict ) {
        // output
        $lastc = $data[ $length - 1 ];
        if ( ';' !== $lastc && '}' !== $lastc )
            return false;
    } else {
        // input
        $semicolon = strpos( $data, ';' );
        $brace     = strpos( $data, '}' );
        // Either ; or } must exist.
        if ( false === $semicolon && false === $brace )
            return false;
        // But neither must be in the first X characters.
        if ( false !== $semicolon && $semicolon < 3 )
            return false;
        if ( false !== $brace && $brace < 4 )
            return false;
    }
    $token = $data[0];
    switch ( $token ) {
        case 's' :
            if ( $strict ) {
                if ( '"' !== $data[ $length - 2 ] )
                    return false;
            } elseif ( false === strpos( $data, '"' ) ) {
                return false;
            }
            // or else fall through
        case 'a' :
        case 'O' :
            echo "a";   // debugging echo left in by the post author, not part of WordPress
            return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
        case 'b' :
        case 'i' :
            // ... the remaining cases are cut off in the original post
    }
    return false;
}

The return (bool) preg_match("/^{$token}:[0-9]+:/s", $data) in the patch can be bypassed with an extra '+'. Although we can get the serialized value written to the database this way, when the data is read back out of the database it is validated again, and that second check is not bypassed; the '+' I added made no difference to the data on its way into or out of the database. Personally I think a bypass of this patch hinges on the data changing between going in and coming out.

4. Summary

Although the WP patch was ultimately not bypassed, this small feature of unserialize() may be overlooked by many developers and lead to security flaws in their programs. If there is anything wrong in the above analysis, please leave a message pointing it out.

5. References

"WordPress < 3.6.1 PHP Object Injection", http://vagosec.org/2013/09/wordpress-php-object-injection/
var_unserializer.c source code, https://github.com/php/php-src/b .../var_unserializer.c
"Security implications of PHP string serialization and deserialization parsing inconsistencies", http://zone.wooyun.org/content/1664

From: https://forum.90sec.org/thread-6694-1-1.html Author: L.N.
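As an added example (not code from the original post or from WordPress), the following PHP 7+ script runs the two strings from sections 1 and 2 through the raw parser and through a reduced copy of the patched is_serialized() gate from section 3, wrapped in a store/load pair modelled on maybe_serialize()/maybe_unserialize(). The Test class is a constructed stand-in, and whether your PHP build still accepts the '+' form is reported by the script rather than assumed.

```php
<?php
// Added example, not code from the original post or from WordPress. It puts the
// post's two observations side by side: whether this PHP build's unserialize()
// accepts a '+' before the length in "O:+4:", and that a WP-style is_serialized()
// gate rejects that form, so the '+' variant never reaches unserialize() at all.

class Test { public $a; }   // constructed stand-in for the post's "Test" class

// Gate reduced to the strict s/a/O branches of the patched is_serialized() above.
function wp_style_is_serialized(string $data): bool {
    $length = strlen($data);
    if ($length < 4 || $data[1] !== ':') return false;
    $last = $data[$length - 1];
    if ($last !== ';' && $last !== '}') return false;
    $token = $data[0];
    if ($token === 's' && $data[$length - 2] !== '"') return false;
    if ($token !== 's' && $token !== 'a' && $token !== 'O') return false;
    return (bool) preg_match("/^{$token}:[0-9]+:/s", $data);   // "O:+4:" fails here
}

// Storage path modelled on maybe_serialize()/maybe_unserialize(): a value the gate
// recognises is serialized once more going in and unserialized coming out, so a
// stored string never becomes an object; anything else passes through unparsed.
function store(string $value): string {
    return wp_style_is_serialized($value) ? serialize($value) : $value;
}
function load(string $stored, bool &$reachedUnserialize) {
    $reachedUnserialize = wp_style_is_serialized($stored);
    return $reachedUnserialize ? unserialize($stored) : $stored;
}

$inputs = [
    'plain' => 'O:4:"Test":1:{s:1:"a";s:3:"AAA";}',
    'plus'  => 'O:+4:"Test":1:{s:1:"a";s:3:"AAA";}',
];
foreach ($inputs as $name => $s) {
    // 1. The raw parser, reported rather than assumed: the post observed PHP 5
    //    accepting the '+' form; newer versions may not.
    $obj = @unserialize($s, ['allowed_classes' => ['Test']]);   // PHP 7+ signature
    $raw = $obj instanceof Test ? "Test object, a={$obj->a}" : 'rejected';
    // 2. The gated path: is the string ever handed to unserialize()?
    $back = load(store($s), $reached);
    printf("%-5s raw unserialize(): %-22s gate: %-3s gated path called unserialize(): %-3s got back: %s\n",
        $name, $raw, wp_style_is_serialized($s) ? 'yes' : 'no', $reached ? 'yes' : 'no',
        $back === $s ? 'the original string' : gettype($back));
}
```

A gate that is stricter than the parser is harmless as long as every unserialize() call on attacker-reachable data sits behind it; the risk the post points at is the reverse, a validator that accepts a different grammar from what unserialize() accepts.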

