Research on Perl data type security
0x01 Problem
To put it bluntly, what is the problem that has existed in Perl for 20 years? Complaints about Perl's syntax aside, the real problem lies in its data types.
Perl's handling of data types is rather hard to believe.
First, let's take a look at the types of variables in perl.
Variables in perl
Perl data types include scalar $, array @, and hash %.
The specific definitions are not covered here. Let's look at several examples:
Whether it is a scalar, an array, or a hash (dictionary), the definition is no different from other languages.
Now let's look at several special cases. In each one, the expected value is what a person would normally expect the result to be.
@array =(1, 2, 'a', 'b', 'c');print $array[0];
Expected Value 1
Actual value 1
$scalar = (1, 2, 'a', 'b', 'c'); print $scalar;
Expected Value 1
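The actual value is "c". Yes, really "c"! That is far from intuitive. (In scalar context the comma operator evaluates and discards its left operand and returns the right one, so the last element wins.) Let's continue.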
@list = (1, 2, 'a', 'b', 'c'); print scalar @list;
Expected Value 1
The actual value is 5. It outputs the length of the array.
Let's take a look at the hash example.
%hash = (1, 2, 'a', 'b', 'c'); print $hash{'a'};
Expected values
The actual value is b. Why on earth does it output b? Can someone tell me how this is handled? (The list is read pairwise as key, value, so 'a' becomes a key and 'b' its value.)
0x02 Vulnerability
What vulnerabilities will these problems cause?
Let's compare how PHP and Perl process input on the web.
In this case there seems to be no problem. What if we use a complex parameter?
PHP handles the incoming data well, whereas Perl's approach allows an array to be passed in directly. >_<
Let's take a deeper look at the combination of array and hash.
use Data::Dumper;
@list = ('f', 'lol', 'wat');
$hash = {'a' => 'b', 'c' => 'd', 'e' => @list};
print Dumper($hash);  # a bare "print $hash" would only show the reference, HASH(0x...)
Expected Value
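{'a' => 'b', 'c' => 'd', 'e' => ['f','lol','wat'] }
What is going on here? The "," separators in the array were turned into "=>" and assigned as pairs: e => f, lol => wat. What the f*ck! (The array is flattened into the surrounding list, so its elements are read as further key/value pairs.)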
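The flattening shown above, applied to a request parameter that arrives as a list, with the weak hash construction beside two corrected forms. This is an added example, not code from the original article; the query string is constructed, and the param() helper is a hypothetical stand-in assumed to return every value in list context and only the first value in scalar context.

```perl
use strict;
use warnings;

# Constructed sample input: the parameter "e" is sent three times.
# (No URL decoding is done; the sample contains nothing that needs it.)
my $query = 'a=b&e=f&e=lol&e=wat';

# Hypothetical helper (an assumption, not CGI.pm itself): all values of a
# parameter in list context, only the first value in scalar context.
sub param {
    my ($name) = @_;
    my @values;
    for my $pair (split /&/, $query) {
        my ($k, $v) = split /=/, $pair, 2;
        push @values, $v if $k eq $name;
    }
    return wantarray ? @values : $values[0];
}

# Weak: param() runs in list context inside the hash constructor, so a
# repeated parameter is flattened into extra key/value pairs.
my $weak = { a => param('a'), c => 'd', e => param('e') };

# Corrected, one value per key: scalar() forces scalar context, so each
# key receives exactly one value (undef if the parameter is absent).
my $first = { a => scalar param('a'), c => 'd', e => scalar param('e') };

# Corrected, all values kept: the list is wrapped in an array reference,
# which is a single scalar and cannot spill into neighbouring keys.
my $all = { a => [ param('a') ], c => 'd', e => [ param('e') ] };

# Check each record against the key set the code intended to build.
my $expected = join ',', qw(a c e);
for my $case ([weak => $weak], [first => $first], [all => $all]) {
    my ($label, $h) = @$case;
    my $keys = join ',', sort keys %$h;
    printf "%-5s keys=%-9s %s\n", $label, $keys,
        $keys eq $expected ? 'ok' : 'unexpected keys';
}
```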
What a big pitfall! See how Bugzilla fell into it:
http://zone.wooyun.org/content/15628
I won't say any more about the data types.
0x03 GPC Problems
Awesome, right, ......
Damn. Nothing gets escaped at all; the escaping simply goes on strike, and the injection goes through smoothly.