PHP unserialize(): a small feature

In the past few days the WordPress deserialization vulnerability has been quite popular. I did not analyze the specific vulnerability; see this: http://drops.wooyun.org/papers/596
You can also read the original English text: http://vagosec.org/2013/09/wordpress-php-object-injection/
I tried to bypass the patch on the WP official website, but just when I thought I had succeeded, I found I had been naive and had not bypassed the WP patch at all. I did, however, find a small feature of unserialize(), which I would like to share here.
1. unserialize() function source code:
    if ((YYLIMIT - YYCURSOR) < 7) YYFILL(7);
    yych = *YYCURSOR;                 /* first character: the type tag */
    switch (yych) {
    case 'C':
    case 'O':        goto yy13;
    case 'N':        goto yy5;
    case 'R':        goto yy2;
    case 'S':        goto yy10;
    case 'a':        goto yy11;
    case 'b':        goto yy6;
    case 'd':        goto yy8;
    case 'i':        goto yy7;
    case 'o':        goto yy12;
    case 'r':        goto yy4;
    case 's':        goto yy9;
    case '}':        goto yy14;
    default:         goto yy16;
    }
The code above decides how a serialized string is to be processed. Take the serialized string O:4:"test":1:{s:1:"a";s:3:"aaa";}: to process it, the first character of the string is read, which is O, so case 'O' applies and control goes to yy13.
yy13:
    yych = *(YYMARKER = ++YYCURSOR);  /* advance to the second character */
    if (yych == ':') goto yy17;
    goto yy3;
The code above moves the pointer one character forward, to the second character, checks whether that character is ':', and if so goes to yy17.
yy17:
    yych = *++YYCURSOR;
    if (yybm[0+yych] & 128) {         /* a digit: start of the length */
        goto yy20;
    }
    if (yych == '+') goto yy19;       /* an optional leading '+' */
    .......
yy19:
    yych = *++YYCURSOR;
    if (yybm[0+yych] & 128) {         /* a digit after the '+' */
        goto yy20;
    }
    goto yy18;                        /* anything else: abort */
From the code above, the pointer moves on and the next character is checked: if it is a digit, control goes to yy20; if it is '+', it goes to yy19. In yy19 the following character is checked again: if it is a digit, control goes to yy20; if not, it goes to yy18, which exits deserialization directly. yy20 is the actual handling of the object serialization. So from the above:
O:+4:"test":1:{s:1:"a";s:3:"aaa";}
O:4:"test":1:{s:1:"a";s:3:"aaa";}
can both be deserialized by unserialize(), and the results are identical.
2. Actual test:
<?php
// both strings differ only by the '+' before the class-name length
var_dump(unserialize('O:+4:"test":1:{s:1:"a";s:3:"aaa";}'));
var_dump(unserialize('O:4:"test":1:{s:1:"a";s:3:"aaa";}'));
?>
Output:
object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }
object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }
In fact, it is not only the object type that can be processed with an extra '+'; other types accept it as well. The specific tests will not be described in detail here.
3. Let's take a look at the WP patch:
function is_serialized( $data, $strict = true ) {
    // if it isn't a string, it isn't serialized
    if ( ! is_string( $data ) )
        return false;
    $data = trim( $data );
    if ( 'N;' == $data )
        return true;
    $length = strlen( $data );
    if ( $length < 4 )
        return false;
    if ( ':' !== $data[1] )
        return false;
    if ( $strict ) { // output (data read back from the database)
        $lastc = $data[ $length - 1 ];
        if ( ';' !== $lastc && '}' !== $lastc )
            return false;
    } else { // input (data being written to the database)
        $semicolon = strpos( $data, ';' );
        $brace     = strpos( $data, '}' );
        // Either ; or } must exist.
        if ( false === $semicolon && false === $brace )
            return false;
        // But neither must be in the first X characters.
        if ( false !== $semicolon && $semicolon < 3 )
            return false;
        if ( false !== $brace && $brace < 4 )
            return false;
    }
    $token = $data[0];
    switch ( $token ) {
        case 's' :
            if ( $strict ) {
                if ( '"' !== $data[ $length - 2 ] )
                    return false;
            } elseif ( false === strpos( $data, '"' ) ) {
                return false;
            }
            // otherwise fall through to the pattern check below
        case 'a' :
        case 'O' :
            echo "a"; // debugging echo left in this copy, not part of the shipped WordPress function
            return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
        case 'b' :
        case 'i' :
        case 'd' :
            $end = $strict ? '$' : '';
            return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );
    }
    return false;
}
In the patch, the check
return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
can be got past with one extra '+' (the pattern only allows digits after the type tag). Although we can write the serialized value into the database this way and read it back out, the check cannot be passed again on the way out: my plus sign does not change at all between the data going into and coming out of the database. I personally think that the key to bypassing this patch lies in changes to the data between entering and leaving the database.
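As an added example (not code from the post or from WordPress), the script below runs a detector modelled on the patch's regex, and a variant that admits the optional '+', against what unserialize() itself accepts; looks_serialized_strict, looks_serialized_lenient, detector_gaps and the sample strings are all constructed here. It assumes the scanner quoted above, where a '+' before a length is accepted; on PHP builds whose scanner rejects it, those samples simply stop showing up as gaps.

```php
<?php
// Added example, not code from the original post or from WordPress: it checks
// whether a serialized-data detector agrees with what unserialize() accepts.
// The strict pattern mirrors the WordPress 3.6.1 is_serialized() regex above.

/** Strict detector: bare digits only, as in the patch's /^O:[0-9]+:/s check. */
function looks_serialized_strict(string $data): bool
{
    return $data === 'N;'
        || (bool) preg_match('/^[aO]:[0-9]+:/s', $data)
        || (bool) preg_match('/^s:[0-9]+:"/s', $data)
        || (bool) preg_match('/^[bid]:[0-9.E-]+;$/', $data);
}

/** Same detector, but tolerating the optional leading '+' the quoted scanner accepts. */
function looks_serialized_lenient(string $data): bool
{
    return $data === 'N;'
        || (bool) preg_match('/^[aO]:\+?[0-9]+:/s', $data)
        || (bool) preg_match('/^s:\+?[0-9]+:"/s', $data)
        || (bool) preg_match('/^[bid]:[+-]?[0-9.E]+;$/', $data);
}

/** Returns every sample that unserialize() accepts but $detector rejects. */
function detector_gaps(array $samples, callable $detector): array
{
    $gaps = [];
    foreach ($samples as $s) {
        // '@' silences the E_NOTICE raised on malformed input; false means rejected.
        $accepted = @unserialize($s) !== false;
        if ($accepted && !$detector($s)) {
            $gaps[] = $s;
        }
    }
    return $gaps;
}

// Constructed inputs: each pair differs only by the leading '+'.
$samples = [
    'O:4:"test":1:{s:1:"a";s:3:"aaa";}', 'O:+4:"test":1:{s:1:"a";s:3:"aaa";}',
    'a:1:{i:0;s:3:"abc";}',              'a:+1:{i:0;s:3:"abc";}',
    's:3:"abc";',                        's:+3:"abc";',
    'i:5;',                              'i:+5;',
];

foreach (['looks_serialized_strict', 'looks_serialized_lenient'] as $detector) {
    $missed = detector_gaps($samples, $detector);
    printf("%-24s misses: %s\n", $detector, $missed ? implode('  ', $missed) : '(none)');
}
```

Any string listed under the strict detector is one that is_serialized()-style validation would wave through as "not serialized" while unserialize() still parses it, which is exactly the kind of parser/validator mismatch the post describes.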
4. Summary
Although the WP patch is not bypassed, this small feature of unserialize() may be overlooked by many developers and lead to security defects in their programs.
If there are errors in the above analysis, please leave a comment.
5. References
WordPress < 3.6.1 PHP Object Injection
http://vagosec.org/2013/09/wordpress-php-object-injection
var_unserializer.c source code
https://github.com/php/php-src/blob/73cd2e0ab14d804c6bf0b689490bdd4fd6e969b1/ext/standard/var_unserializer.c
What security risks are caused by inconsistent PHP string serialization and deserialization syntax parsing?
http://zone.wooyun.org/content/1664