PHP's unserialize() has a small quirk. In the past few days the WordPress deserialization vulnerability has been quite popular. I will not analyze that specific vulnerability here; read the write-up at drops.wooyun.org/papers/596, or the original English text on vagosec.org (linked in the references below).
I tried to bypass the patch on the official WordPress site, and just when I thought I had succeeded, I realized I had been naive: the WP patch was not bypassed. However, along the way I discovered a small feature of unserialize(), which I would like to share here.
1. unserialize() function source code:
if ((YYLIMIT - YYCURSOR) < 7) YYFILL(7);
yych = *YYCURSOR;
switch (yych) {
case 'C':
case 'O': goto yy13;
case 'N': goto yy5;
case 'R': goto yy2;
case 'S': goto yy10;
case 'a': goto yy11;
case 'b': goto yy6;
case 'd': goto yy8;
case 'i': goto yy7;
case 'o': goto yy12;
case 'r': goto yy4;
case 's': goto yy9;
case '}': goto yy14;
default: goto yy16;
}
The code above selects the handler for a serialized string according to its first character. For example, for the serialized string O:4:"test":1:{s:1:"a";s:3:"aaa";}, the first character is O, so the parser takes case 'O': goto yy13.
yy13:
    yych = *(YYMARKER = ++YYCURSOR);
    if (yych == ':') goto yy17;
    goto yy3;
The code above advances the pointer by one to the second character, checks that it is ':', and then goes to yy17.
yy17:
    yych = *++YYCURSOR;
    if (yybm[0+yych] & 128) {
        goto yy20;
    }
    if (yych == '+') goto yy19;
    .......
yy19:
    yych = *++YYCURSOR;
    if (yybm[0+yych] & 128) {
        goto yy20;
    }
    goto yy18;
From the code above, the pointer advances and the next character is examined: if it is a digit, go to yy20; if it is '+', go to yy19. yy19 in turn examines the following character, and if that is a digit it also goes to yy20. yy18 exits the parsing directly, while yy20 processes the object. So we can see from the above that both
O:+4:"test":1:{s:1:"a";s:3:"aaa";}
O:4:"test":1:{s:1:"a";s:3:"aaa";}
can be deserialized by unserialize(), and the results are the same.
2. Actual test:
Output:
object(__PHP_Incomplete_Class)#1 (2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(4) "test"
  ["a"]=>
  string(3) "aaa"
}
object(__PHP_Incomplete_Class)#1 (2) {
  ["__PHP_Incomplete_Class_Name"]=>
  string(4) "test"
  ["a"]=>
  string(3) "aaa"
}
In fact, it is not only the object type that accepts an extra '+' before the length; the other types do too. The individual tests will not be described in detail here.
3. Let's take a look at the WP patch:
function is_serialized( $data, $strict = true ) {
    // if it isn't a string, it isn't serialized
    if ( ! is_string( $data ) )
        return false;
    $data = trim( $data );
    if ( 'N;' == $data )
        return true;
    $length = strlen( $data );
    if ( $length < 4 )
        return false;
    if ( ':' !== $data[1] )
        return false;
    if ( $strict ) { //output
        $lastc = $data[ $length - 1 ];
        if ( ';' !== $lastc && '}' !== $lastc )
            return false;
    } else { //input
        $semicolon = strpos( $data, ';' );
        $brace     = strpos( $data, '}' );
        // Either ; or } must exist.
        if ( false === $semicolon && false === $brace )
            return false;
        // But neither must be in the first X characters.
        if ( false !== $semicolon && $semicolon < 3 )
            return false;
        if ( false !== $brace && $brace < 4 )
            return false;
    }
    $token = $data[0];
    switch ( $token ) {
        case 's' :
            if ( $strict ) {
                if ( '"' !== $data[ $length - 2 ] )
                    return false;
            } elseif ( false === strpos( $data, '"' ) ) {
                return false;
            }
        case 'a' :
        case 'O' :
            echo "a";
            return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
        case 'b' :
        case 'i' :
        // (remainder of the function not included on the original page)
In the patch, the check
return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
can be bypassed with one extra '+'. But although a serialized value with the '+' can be written into the database this way and read back out, it cannot be used to get past the verification a second time: my plus sign does not cause any change to the data on its way into or out of the database. I personally think that bypassing this patch hinges on the data changing between being stored and being read back.
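As an added example (not code from the original post or from WordPress), the script below shows the two spellings of the object being treated alike by unserialize(), shows the patch's regex accepting only one of them, and adds a canonical-form check that a defender can use instead. The class name "test", the payloads and the helper names are constructed for this demonstration; 'allowed_classes' requires PHP 7.0 or later.

```php
<?php
// Constructed inputs: the canonical serialized object and the '+' spelling.
$canonical = 'O:4:"test":1:{s:1:"a";s:3:"aaa";}';
$plusForm  = 'O:+4:"test":1:{s:1:"a";s:3:"aaa";}';

// 'allowed_classes' => false keeps the test from instantiating any class;
// both inputs come back as __PHP_Incomplete_Class with the same properties.
$a = unserialize($canonical, ['allowed_classes' => false]);
$b = unserialize($plusForm,  ['allowed_classes' => false]);
var_dump($a == $b);   // bool(true): the engine treats both forms alike

// The check from the WordPress patch quoted above (hypothetical wrapper name).
function patch_check(string $data): bool {
    $token = $data[0];
    return (bool) preg_match("/^{$token}:[0-9]+:/s", $data);
}
var_dump(patch_check($canonical)); // bool(true)
var_dump(patch_check($plusForm));  // bool(false): the '+' form is not matched

// Defender's alternative (hypothetical helper): accept only strings that are
// byte-identical to what serialize() itself would emit. Any non-canonical
// spelling, '+' signs included, fails even though unserialize() accepts it.
function is_canonical_serialized(string $data): bool {
    // 'b:0;' is the one input whose legitimate result is false itself.
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== 'b:0;') {
        return false; // not parseable at all
    }
    return serialize($value) === $data;
}
var_dump(is_canonical_serialized($canonical)); // bool(true)
var_dump(is_canonical_serialized($plusForm));  // bool(false)
```

The round trip works for __PHP_Incomplete_Class values because serialize() writes them back out under their original class name.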
4. Summary
Although the WP patch was not bypassed, this small feature of unserialize() may be overlooked by many developers and lead to security defects in their programs.
Please leave a message to point out any errors in the above analysis.
5. References
WordPress <3.6.1 PHP Object Injection
http://vagosec.org/2013/09/wordpress-php-object-injection/
var_unserializer.c source code
https://github.com/php/php-src/ B.../var_unserializer.c
Security risks caused by inconsistent PHP string serialization and deserialization syntax parsing