Home > Article > Backend Development > php反序列unserialize的一个小特点

php反序列unserialize的一个小特点

WBOYOriginal: 2016-06-13 11:43:40979browse

php反序列unserialize的一个小特性

这几天wordpress的那个反序列漏洞比较火，具体漏洞我就不做分析了，看这篇：http://drops.wooyun.org/papers/596，?
你也可以去看英文的原文：http://vagosec.org/2013/09/wordpress-php-object-injection/。?

wp官网打了补丁，我试图去bypass补丁，但让我自以为成功的时候，发现我天真了，并没有成功绕过wp的补丁，但却发现了unserialize的一个小特性，在此和大家分享一下。?

1.unserialize()函数相关源码：?

if ((YYLIMIT - YYCURSOR) ????????yych = *YYCURSOR;? ????????switch (yych) {? ????????case 'C':? ????????case 'O':????????goto yy13;? ????????case 'N':????????goto yy5;? ????????case 'R':????????goto yy2;? ????????case 'S':????????goto yy10;? ????????case 'a':????????goto yy11;? ????????case 'b':????????goto yy6;? ????????case 'd':????????goto yy8;? ????????case 'i':????????goto yy7;? ????????case 'o':????????goto yy12;? ????????case 'r':????????goto yy4;? ????????case 's':????????goto yy9;? ????????case '}':????????goto yy14;? ????????default:????????goto yy16;? ????????}

上边这段代码是判断序列串的处理方式，如序列串O:4:"test":1:{s:1:"a";s:3:"aaa";},处理这个序列串，先获取字符串第一个字符为O，然后case 'O':??goto yy13?

yy13:? ????????yych = *(YYMARKER = ++YYCURSOR);? ????????if (yych == ':') goto yy17;? ????????goto yy3;

从上边代码看出，指针移动一位指向第二个字符，判断字符是否为:，然后 goto yy17?

yy17:? ????????yych = *++YYCURSOR;? ????????if (yybm[0+yych] & 128) {? ????????????????goto yy20;? ????????}? ????????if (yych == '+') goto yy19;? .......? yy19:? ????????yych = *++YYCURSOR;? ????????if (yybm[0+yych] & 128) {? ????????????????goto yy20;? ????????}? ????????goto yy18;

从上边代码看出，指针移动，判断下一位字符，如果字符是数字直接goto yy20，如果是'+'就goto yy19，而yy19中是对下一位字符判断，如果下一位字符是数字goto yy20，不是就goto yy18，yy18是直接退出序列处理，yy20是对object性的序列的处理，所以从上边可以看出：?

O:+4:"test":1:{s:1:"a";s:3:"aaa";}? O:4:"test":1:{s:1:"a";s:3:"aaa";}

都能够被unserialize反序列化，且结果相同。?

2.实际测试：?

<?php ? var_dump(unserialize('O:+4:"test":1:{s:1:"a";s:3:"aaa";}'));? var_dump(unserialize('O:4:"test":1:{s:1:"a";s:3:"aaa";}'));? ?>

输出：?

object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }? object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }

其实，不光object类型处理可以多一个'+',其他类型也可以，具体测试不做过多描述。?

3.我们看下wp的补丁：?

function is_serialized( $data, $strict = true ) {? ????????// if it isn't a string, it isn't serialized? ????????if ( ! is_string( $data ) )? ????????????????return false;? ????????$data = trim( $data );? ???????? if ( 'N;' == $data )? ????????????????return true;? ????????$length = strlen( $data );? ????????if ( $length ????????????????return false;? ????????if ( ':' !== $data[1] )? ????????????????return false;? ????????if ( $strict ) {//output? ????????????????$lastc = $data[ $length - 1 ];? ????????????????if ( ';' !== $lastc && '}' !== $lastc )? ????????????????????????return false;? ????????} else {//input? ????????????????$semicolon = strpos( $data, ';' );? ????????????????$brace???? = strpos( $data, '}' );? ????????????????// Either ; or } must exist.? ????????????????if ( false === $semicolon && false === $brace )? ????????????????????????return false;? ????????????????// But neither must be in the first X characters.? ????????????????if ( false !== $semicolon && $semicolon ????????????????????????return false;? ????????????????if ( false !== $brace && $brace ????????????????????????return false;? ????????}? ????????$token = $data[0];? ????????switch ( $token ) {? ????????????????case 's' :? ????????????????????????if ( $strict ) {? ????????????????????????????????if ( '"' !== $data[ $length - 2 ] )? ????????????????????????????????????????return false;? ????????????????????????} elseif ( false === strpos( $data, '"' ) ) {? ????????????????????????????????return false;? ????????????????????????}? ????????????????case 'a' :? ????????????????case 'O' :? ????????????????????????echo "a";? ????????????????????????return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );? ????????????????case 'b' :? ????????????????case 'i' :? ????????????????case 'd' :? ????????????????????????$end = $strict ? '$' : '';? ????????????????????????return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );? ????????}? ????????return false;? }
补丁中的?

return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );

可以多一个'+'来绕过，虽然我们通过这个方法把序列值写入了数据库，但从数据库中提取数据，再次验证的时候却没法绕过了，我这个加号没能使数据进出数据库发生任何变化，我个人认为这个补丁绕过重点在于数据进出数据的前后变化。?

4.总结?
虽然没有绕过wp补丁，但这个unserialize()的小特性可能会被很多开发人员忽略，导致程序出现安全缺陷。?
以上的分析有什么错误请留言指出。?

5.参考?
《WordPress
http://vagosec.org/2013/09/wordpress-php-object-injection/?
《var_unserializer.c源码》?
https://github.com/php/php-src/blob/73cd2e0ab14d804c6bf0b689490bdd4fd6e969b1/ext/standard/var_unserializer.c?
《PHP string序列化与反序列化语法解析不一致带来的安全隐患》?
http://zone.wooyun.org/content/1664

Statement：

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

Previous article：php5.1.6情况下，出现RECURSION。求立！Next article：之前的有关问题:用什么方式来实现指定的电脑才可以登录,mac地址限制/ip地址限制/证书/控件等等什么方式可以

See more

php反序列unserialize的一个小特点

Related articles