0x00 Background
A few days ago someone gave a conference talk about a problem that has existed in Perl for 20 years. It is really heartbreaking for someone who only knows Perl and not Python. After watching the video I felt too gloomy to eat anything.
The talk is like an interrogation of Perl. The whole speech is full of "sucks", "fuck" and similar vocabulary, and you can see how outraged the speaker is. The audience applauded and joined in, which reminds me of Guo Degang.
0x01 Problem
What is the problem that has been in Perl for 20 years? The real problem with Perl's syntax is its data types.
Perl's handling of data types is hard to believe.
Let's look at what kinds of variables are in Perl.
Variables in Perl
Perl's data types fall into three categories: scalar $, array @, hash %.
We won't go through the exact definitions here; let's look at a few examples:
Whether it is a scalar, an array, or a hash (dictionary), the definition is no different from other languages.
Now let's look at a few special cases. In each one, the expected value is what a normal person would expect the result to be.
@array = ('c'); print $array[0];
Expected value 1
Actual value 1
$scalar = ($scalar;
Expected value 1
Actual value c
I wipe away my tears. Why on earth is it c? It's too unscientific. Keep reading.
@list = ('c'); print scalar @list;
Expected value 1
Actual value 5
Oh, it printed the length of the array.
And look at the example of this hash.
%hash = ('C'); print $hash{'a'};
Expected value none
Actual value B
Why on earth does it output B? Who can tell me how this damn thing is handled?
0x02 Vulnerability
What vulnerabilities can these problems create?
Compare how PHP and Perl process input in web applications.
So far there seems to be no problem. But what happens when complex parameters are used?
PHP handles the incoming data well, whereas Perl (I am speechless, %>_<%) lets an array be passed in directly.
Go deeper and see what happens when arrays and hashes are combined.
@list = ('wat'); $hash = {'e' => @list}; $hash;
Expected value
{'B', 'd', 'e' => ['f', 'lol', 'wat']}
What is going on? The "," in the array became "=>" and turned into assignments? e=>f, lol=>wat, what the f*ck!
How big a hole this is! See how Bugzilla fell into it:
http://zone.wooyun.org/content/15628
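The flattening described above, as an added example that is not from the original article or the talk: `param` is a hypothetical stand-in for a CGI-style accessor that returns every submitted value in list context, and the query data is constructed. It shows the weak hash construction beside two hardened forms.

```perl
#!/usr/bin/perl
# Added example (constructed): list flattening inside a hash constructor.
use strict;
use warnings;

# Hypothetical stand-in for a CGI-style param() accessor: in list context it
# returns every value submitted for the name, in scalar context only the first.
# Constructed sample input, equivalent to: name=f&name=lol&name=wat
my %query = (name => ['f', 'lol', 'wat']);

sub param {
    my ($key) = @_;
    my @values = @{ $query{$key} || [] };
    return wantarray ? @values : $values[0];
}

# Weak: the hash constructor calls param() in list context, so the extra
# values flatten into the list and become a new key/value pair (lol => wat).
sub build_unsafe {
    return { a => 'b', c => 'd', e => param('name') };
}

# Hardened: force scalar context so exactly one value is stored under 'e'.
sub build_scalar {
    return { a => 'b', c => 'd', e => scalar param('name') };
}

# Hardened alternative: keep all values, but wrapped in an array reference,
# which is a single scalar and cannot spill into neighbouring keys.
sub build_arrayref {
    return { a => 'b', c => 'd', e => [ param('name') ] };
}

# Print a hash reference as sorted key=value pairs.
sub show {
    my ($label, $h) = @_;
    my @pairs = map {
        my $v = $h->{$_};
        "$_=" . (ref $v ? '[' . join(',', @$v) . ']' : $v)
    } sort keys %$h;
    print $label, ': ', join(' ', @pairs), "\n";
}

show('unsafe',   build_unsafe());
show('scalar',   build_scalar());
show('arrayref', build_arrayref());
```

Only the first form gains a key the code never wrote; a check that every key in the resulting hash is on an expected list catches it at the point where request data enters the program.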
I don't want to say any more about these data type problems; it's disgusting.
0x03 GPC Problems
Looks awesome, right? But ...
I have a *, it is not escaped, and so on; the injection then goes through smoothly.
I want to be quiet.
0x04 Source
PDF:
http://events.ccc.de/congress/2014/Fahrplan/system/attachments/2542/original/the-perl-jam-netanel-rubin-31c3.pdf
Video address:
http://media.ccc.de/browse/congress/2014/31c3_-_6243_-_en_-_saal_1_-_201412292200_-_the_perl_jam_exploiting_a_20_year-old_vulnerability_-_netanel_rubin.html#video
- This article is from: Linux Tutorial Network
Research on Perl data type security