首頁 > 教學 > PHP 教學

php反序列unserialize的一個小特點

來源:互聯網
上載者:User
創建阿里雲帳戶,並獲得超過 40 款產品的免費試用版;而企業帳戶則可以享有總值 $1200 的免費試用版。立即註冊!
php反序列unserialize的一個小特性

這幾天wordpress的那個反序列漏洞比較火,具體漏洞我就不做分析了,看這篇:http://drops.wooyun.org/papers/596,?
你也可以去看英文的原文:http://vagosec.org/2013/09/wordpress-php-object-injection/。?

wp官網打了補丁,我試圖去bypass補丁,但讓我自以為成功的時候,發現我天真了,並沒有成功繞過wp的補丁,但卻發現了unserialize的一個小特性,在此和大家分享一下。?

1.unserialize()函數相關源碼:?

if ((YYLIMIT - YYCURSOR) < 7) YYFILL(7);?
????????yych = *YYCURSOR;?
????????switch (yych) {?
????????case 'C':?
????????case 'O':????????goto yy13;?
????????case 'N':????????goto yy5;?
????????case 'R':????????goto yy2;?
????????case 'S':????????goto yy10;?
????????case 'a':????????goto yy11;?
????????case 'b':????????goto yy6;?
????????case 'd':????????goto yy8;?
????????case 'i':????????goto yy7;?
????????case 'o':????????goto yy12;?
????????case 'r':????????goto yy4;?
????????case 's':????????goto yy9;?
????????case '}':????????goto yy14;?
????????default:????????goto yy16;?
????????}

上邊這段代碼是判斷序列串的處理方式,如序列串O:4:"test":1:{s:1:"a";s:3:"aaa";},處理這個序列串,先擷取字串第一個字元為O,然後case 'O':??goto yy13?

yy13:?
????????yych = *(YYMARKER = ++YYCURSOR);?
????????if (yych == ':') goto yy17;?
????????goto yy3;

從上邊代碼看出,指標移動一位指向第二個字元,判斷字元是否為:,然後 goto yy17?

yy17:?
????????yych = *++YYCURSOR;?
????????if (yybm[0+yych] & 128) {?
????????????????goto yy20;?
????????}?
????????if (yych == '+') goto yy19;?

.......?

yy19:?
????????yych = *++YYCURSOR;?
????????if (yybm[0+yych] & 128) {?
????????????????goto yy20;?
????????}?
????????goto yy18;

從上邊代碼看出,指標移動,判斷下一位字元,如果字元是數字直接goto yy20,如果是'+'就goto yy19,而yy19中是對下一位字元判斷,如果下一位字元是數字goto yy20,不是就goto yy18,yy18是直接退出序列處理,yy20是對object性的序列的處理,所以從上邊可以看出:?

O:+4:"test":1:{s:1:"a";s:3:"aaa";}?
O:4:"test":1:{s:1:"a";s:3:"aaa";}

都能夠被unserialize還原序列化,且結果相同。?

2.實際測試:?

var_dump(unserialize('O:+4:"test":1:{s:1:"a";s:3:"aaa";}'));?
var_dump(unserialize('O:4:"test":1:{s:1:"a";s:3:"aaa";}'));?
?>

輸出:?

object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }?
object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }

其實,不光object類型處理可以多一個'+',其他類型也可以,具體測試不做過多描述。?

3.我們看下wp的補丁:?

function is_serialized( $data, $strict = true ) {?
????????// if it isn't a string, it isn't serialized?
????????if ( ! is_string( $data ) )?
????????????????return false;?
????????$data = trim( $data );?
???????? if ( 'N;' == $data )?
????????????????return true;?
????????$length = strlen( $data );?
????????if ( $length < 4 )?
????????????????return false;?
????????if ( ':' !== $data[1] )?
????????????????return false;?
????????if ( $strict ) {//output?
????????????????$lastc = $data[ $length - 1 ];?
????????????????if ( ';' !== $lastc && '}' !== $lastc )?
????????????????????????return false;?
????????} else {//input?
????????????????$semicolon = strpos( $data, ';' );?
????????????????$brace???? = strpos( $data, '}' );?
????????????????// Either ; or } must exist.?
????????????????if ( false === $semicolon && false === $brace )?
????????????????????????return false;?
????????????????// But neither must be in the first X characters.?
????????????????if ( false !== $semicolon && $semicolon < 3 )?
????????????????????????return false;?
????????????????if ( false !== $brace && $brace < 4 )?
????????????????????????return false;?
????????}?
????????$token = $data[0];?
????????switch ( $token ) {?
????????????????case 's' :?
????????????????????????if ( $strict ) {?
????????????????????????????????if ( '"' !== $data[ $length - 2 ] )?
????????????????????????????????????????return false;?
????????????????????????} elseif ( false === strpos( $data, '"' ) ) {?
????????????????????????????????return false;?
????????????????????????}?
????????????????case 'a' :?
????????????????case 'O' :?
????????????????????????echo "a";?
????????????????????????return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );?
????????????????case 'b' :?
????????????????case 'i' :?
????????????????case 'd' :?
????????????????????????$end = $strict ? '$' : '';?
????????????????????????return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );?
????????}?
????????return false;?
}
補丁中的?

return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );

可以多一個'+'來繞過,雖然我們通過這個方法把序列值寫入了資料庫,但從資料庫中提取資料,再次驗證的時候卻沒法繞過了,我這個加號沒能使資料進出資料庫發生任何變化,我個人認為這個補丁繞過重點在於資料進出資料的前後變化。?

4.總結?
雖然沒有繞過wp補丁,但這個unserialize()的小特性可能會被很多開發人員忽略,導致程式出現安全缺陷。?
以上的分析有什麼錯誤請留言指出。?

5.參考?
《WordPress < 3.6.1 PHP Object Injection》?
http://vagosec.org/2013/09/wordpress-php-object-injection/?
《var_unserializer.c源碼》?
https://github.com/php/php-src/blob/73cd2e0ab14d804c6bf0b689490bdd4fd6e969b1/ext/standard/var_unserializer.c?
《PHP string序列化與還原序列化文法解析不一致帶來的安全隱患》?
http://zone.wooyun.org/content/1664

    • 本文章原先以中文撰寫並發佈於 aliyun.com,亦設英文版本,僅作資訊用途。本網站不對文章的準確性,完整性或可靠性或其任何翻譯作出任何明示或暗示的陳述或保證。如對該文章有任何疑慮或投訴,請傳送電郵至 info-contact@alibabacloud.com 並提供相關疑慮或投訴的詳細說明。職員會於 5 個工作天內與您聯絡,一經驗證之後,即會刪除該侵權內容。

    聯繫我們

    該頁面正文內容均來源於網絡整理,並不代表阿里雲官方的觀點,該頁面所提到的產品和服務也與阿里云無關,如果該頁面內容對您造成了困擾,歡迎寫郵件給我們,收到郵件我們將在5個工作日內處理。

    如果您發現本社區中有涉嫌抄襲的內容,歡迎發送郵件至: info-contact@alibabacloud.com 進行舉報並提供相關證據,工作人員會在 5 個工作天內聯絡您,一經查實,本站將立刻刪除涉嫌侵權內容。

    A Free Trial That Lets You Build Big!

    Start building with 50+ products and up to 12 months usage for Elastic Compute Service

    Get Started for Free

    • Sales Support

      1 on 1 presale consultation

      Chat Contact Sales

    • After-Sales Support

      24/7 Technical Support 6 Free Tickets per Quarter Faster Response

      Open a Ticket

    • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

      Learn More