A small feature of PHP deserialization: unserialize()

Source: Internet
Author: User
The WordPress deserialization vulnerability has been a hot topic these past few days. I will not analyze the vulnerability itself; see this article http://drops.wooyun.org/papers/596, or the English original at http://vagosec.org/2013/09/wordpress-php-object-injection/. The WordPress team released a patch and I tried to bypass it. Just when I thought I had succeeded, I found I had been naïve: I did not manage to bypass the WP patch, but I did find a small feature of unserialize(), which I share with you here.

1. Source code related to the unserialize() function:
        if ((YYLIMIT - YYCURSOR) < 7) YYFILL(7);
        yych = *YYCURSOR;
        switch (yych) {
        case 'C':
        case 'O':        goto yy13;
        case 'N':        goto yy5;
        case 'R':        goto yy2;
        case 'S':        goto yy10;
        case 'a':        goto yy11;
        case 'b':        goto yy6;
        case 'd':        goto yy8;
        case 'i':        goto yy7;
        case 'o':        goto yy12;
        case 'r':        goto yy4;
        case 's':        goto yy9;
        case '}':        goto yy14;
        default:         goto yy16;
        }
The code above decides how a serialized string is handled based on its first character. Take the serialized string O:4:"Test":1:{s:1:"a";s:3:"AAA";} as an example. To process it, the scanner first reads the first character of the string, 'O', and so takes case 'O': goto yy13.

yy13:
        yych = *(YYMARKER = ++YYCURSOR);
        if (yych == ':') goto yy17;
        goto yy3;

As this code shows, the pointer advances one position to the second character and checks whether that character is ':'. If it is, the scanner jumps to yy17.
yy17:
        yych = *++YYCURSOR;
        if (yybm[0+yych] & 128) {
                goto yy20;
        }
        if (yych == '+') goto yy19;

 .......

yy19:
        yych = *++YYCURSOR;
        if (yybm[0+yych] & 128) {
                goto yy20;
        }
        goto yy18;
As the code above shows, the pointer advances and the next character is examined. If it is a digit, the scanner jumps directly to yy20. If it is '+', the scanner jumps to yy19, which examines the following character: if that is a digit it jumps to yy20, otherwise to yy18. yy18 exits the deserialization directly, and yy20 handles the serialized object. So from the above we can see that both

O:+4:"Test":1:{s:1:"a";s:3:"AAA";}
O:4:"Test":1:{s:1:"a";s:3:"AAA";}

can be deserialized by unserialize(), and the results are the same.

2. Actual test:
<?php
var_dump(unserialize('O:+4:"Test":1:{s:1:"a";s:3:"AAA";}'));
var_dump(unserialize('O:4:"Test":1:{s:1:"a";s:3:"AAA";}'));
?>
Output:
object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "Test" ["a"]=> string(3) "AAA" }
object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "Test" ["a"]=> string(3) "AAA" }
In fact, it is not only the object type that tolerates an extra '+'; other types do as well. I will not describe the specific tests in detail here.

3. Now let us look at the WP patch:
function is_serialized($data, $strict = true) {
        // if it isn't a string, it isn't serialized
        if (!is_string($data)) return false;
        $data = trim($data);
        if ('N;' == $data) return true;
        $length = strlen($data);
        if ($length < 4) return false;
        if (':' !== $data[1]) return false;
        if ($strict) { // output
                $lastc = $data[$length - 1];
                if (';' !== $lastc && '}' !== $lastc) return false;
        } else { // input
                $semicolon = strpos($data, ';');
                $brace = strpos($data, '}');
                // Either ; or } must exist.
                if (false === $semicolon && false === $brace) return false;
                // But neither must be in the first X characters.
                if (false !== $semicolon && $semicolon < 3) return false;
                if (false !== $brace && $brace < 4) return false;
        }
        $token = $data[0];
        switch ($token) {
                case 's':
                        if ($strict) {
                                if ('"' !== $data[$length - 2]) return false;
                        } elseif (false === strpos($data, '"')) {
                                return false;
                        }
                        // otherwise fall through
                case 'a':
                case 'O':
                        echo 'a';
                        return (bool) preg_match("/^{$token}:[0-9]+:/s", $data);
                case 'b':
                case 'i':
                        // ... (the quoted code ends here)
        }
}
The check return (bool) preg_match("/^{$token}:[0-9]+:/s", $data); in the patch can be bypassed by adding a '+'. With this method we can write the serialized value into the database, but when the data is read back out of the database and validated again, the check cannot be bypassed. I was not able to make the data change in any way between going into and coming out of the database. Personally, I think the key to getting around this patch is a change in the data between storing it and reading it back.

4. Summary

Although I did not bypass the WP patch, this small feature of unserialize() may be overlooked by many developers, resulting in security flaws in their programs. If there is any mistake in the analysis above, please leave a message to point it out.

5. References

"WordPress < 3.6.1 PHP Object Injection" http://vagosec.org/2013/09/wordpress-php-object-injection/
"var_unserializer.c" source code https://github.com/php/php-src/b .../var_unserializer.c
"Security risks of inconsistent parsing between PHP string serialization and deserialization syntax" http://zone.wooyun.org/content/1664

From: https://forum.90sec.org/thread-6694-1-1.html Author: L.N.
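The disagreement between the scanner states quoted in section 1 and the patch's `[0-9]+` check can be reproduced with a small model. This is an added example, not code from PHP, WordPress or the original post: it models only the quoted states, and `scanner_reaches_yy20`, `pattern_matches`, `differential` and the `ALIGNED_RE` pattern are hypothetical names and assumptions introduced for illustration.

```c
#include <ctype.h>
#include <regex.h>
#include <stdio.h>

#define PATCH_RE   "^O:[0-9]+:"      /* the patch's regex with $token = 'O' */
#define ALIGNED_RE "^O:[+]?[0-9]+:"  /* hypothetical: also allows the '+' */

/* Models only the states quoted above (yy13 -> yy17 -> yy19 -> yy20).
 * Returns 1 if the scanner would reach the object handler (yy20). */
int scanner_reaches_yy20(const char *s)
{
    if (s[0] != 'O' && s[0] != 'C') return 0;   /* case 'C': case 'O': goto yy13 */
    if (s[1] != ':') return 0;                  /* yy13: ':' -> yy17, else yy3 */
    const char *p = s + 2;                      /* yy17: look at the next char */
    if (*p == '+') p++;                         /* yy19: one '+' is skipped */
    return isdigit((unsigned char)*p) != 0;     /* digit -> yy20, else yy18 */
}

/* 1 if the POSIX extended regex matches s, 0 if not, -1 on a bad pattern. */
int pattern_matches(const char *pattern, const char *s)
{
    regex_t re;
    if (regcomp(&re, pattern, REG_EXTENDED | REG_NOSUB) != 0) return -1;
    int hit = (regexec(&re, s, 0, NULL, 0) == 0);
    regfree(&re);
    return hit;
}

/* Differential: the scanner goes on to parse an object, the filter says no. */
int differential(const char *pattern, const char *s)
{
    return scanner_reaches_yy20(s) && pattern_matches(pattern, s) == 0;
}

int main(void)
{
    /* Constructed sample inputs. */
    const char *samples[] = {
        "O:4:\"Test\":1:{s:1:\"a\";s:3:\"AAA\";}",
        "O:+4:\"Test\":1:{s:1:\"a\";s:3:\"AAA\";}",
        "O:++4:\"Test\":1:{}",
        "O:x:\"Test\":1:{}",
    };
    for (size_t i = 0; i < sizeof samples / sizeof *samples; i++)
        printf("%-40s scanner=%d patch=%d aligned=%d\n", samples[i],
               scanner_reaches_yy20(samples[i]),
               pattern_matches(PATCH_RE, samples[i]),
               pattern_matches(ALIGNED_RE, samples[i]));
    return 0;
}
```

A validator that is meant to recognise serialized data should accept exactly what the parser accepts; any input where `differential` returns 1 is one the filter classifies differently from the scanner.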
