php反序列unserialize的一个小特点 -PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

php反序列unserialize的一个小特点

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 13, 2016 pm 12:30 PM

casedatafalsegotoreturn

php反序列unserialize的一个小特性

这几天wordpress的那个反序列漏洞比较火，具体漏洞我就不做分析了，看这篇：http://drops.wooyun.org/papers/596，?
你也可以去看英文的原文：http://vagosec.org/2013/09/wordpress-php-object-injection/。?

wp官网打了补丁，我试图去bypass补丁，但让我自以为成功的时候，发现我天真了，并没有成功绕过wp的补丁，但却发现了unserialize的一个小特性，在此和大家分享一下。?

1.unserialize()函数相关源码：?

if ((YYLIMIT - YYCURSOR) ????????yych = *YYCURSOR;? ????????switch (yych) {? ????????case 'C':? ????????case 'O':????????goto yy13;? ????????case 'N':????????goto yy5;? ????????case 'R':????????goto yy2;? ????????case 'S':????????goto yy10;? ????????case 'a':????????goto yy11;? ????????case 'b':????????goto yy6;? ????????case 'd':????????goto yy8;? ????????case 'i':????????goto yy7;? ????????case 'o':????????goto yy12;? ????????case 'r':????????goto yy4;? ????????case 's':????????goto yy9;? ????????case '}':????????goto yy14;? ????????default:????????goto yy16;? ????????}

上边这段代码是判断序列串的处理方式，如序列串O:4:"test":1:{s:1:"a";s:3:"aaa";},处理这个序列串，先获取字符串第一个字符为O，然后case 'O':??goto yy13?

yy13:? ????????yych = *(YYMARKER = ++YYCURSOR);? ????????if (yych == ':') goto yy17;? ????????goto yy3;

从上边代码看出，指针移动一位指向第二个字符，判断字符是否为:，然后 goto yy17?

yy17:? ????????yych = *++YYCURSOR;? ????????if (yybm[0+yych] & 128) {? ????????????????goto yy20;? ????????}? ????????if (yych == '+') goto yy19;? .......? yy19:? ????????yych = *++YYCURSOR;? ????????if (yybm[0+yych] & 128) {? ????????????????goto yy20;? ????????}? ????????goto yy18;

从上边代码看出，指针移动，判断下一位字符，如果字符是数字直接goto yy20，如果是'+'就goto yy19，而yy19中是对下一位字符判断，如果下一位字符是数字goto yy20，不是就goto yy18，yy18是直接退出序列处理，yy20是对object性的序列的处理，所以从上边可以看出：?

O:+4:"test":1:{s:1:"a";s:3:"aaa";}? O:4:"test":1:{s:1:"a";s:3:"aaa";}

都能够被unserialize反序列化，且结果相同。?

2.实际测试：?

<?php ? var_dump(unserialize('O:+4:"test":1:{s:1:"a";s:3:"aaa";}'));? var_dump(unserialize('O:4:"test":1:{s:1:"a";s:3:"aaa";}'));? ?>

输出：?

object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }? object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }

其实，不光object类型处理可以多一个'+',其他类型也可以，具体测试不做过多描述。?

3.我们看下wp的补丁：?

function is_serialized( $data, $strict = true ) {? ????????// if it isn't a string, it isn't serialized? ????????if ( ! is_string( $data ) )? ????????????????return false;? ????????$data = trim( $data );? ???????? if ( 'N;' == $data )? ????????????????return true;? ????????$length = strlen( $data );? ????????if ( $length ????????????????return false;? ????????if ( ':' !== $data[1] )? ????????????????return false;? ????????if ( $strict ) {//output? ????????????????$lastc = $data[ $length - 1 ];? ????????????????if ( ';' !== $lastc && '}' !== $lastc )? ????????????????????????return false;? ????????} else {//input? ????????????????$semicolon = strpos( $data, ';' );? ????????????????$brace???? = strpos( $data, '}' );? ????????????????// Either ; or } must exist.? ????????????????if ( false === $semicolon && false === $brace )? ????????????????????????return false;? ????????????????// But neither must be in the first X characters.? ????????????????if ( false !== $semicolon && $semicolon ????????????????????????return false;? ????????????????if ( false !== $brace && $brace ????????????????????????return false;? ????????}? ????????$token = $data[0];? ????????switch ( $token ) {? ????????????????case 's' :? ????????????????????????if ( $strict ) {? ????????????????????????????????if ( '"' !== $data[ $length - 2 ] )? ????????????????????????????????????????return false;? ????????????????????????} elseif ( false === strpos( $data, '"' ) ) {? ????????????????????????????????return false;? ????????????????????????}? ????????????????case 'a' :? ????????????????case 'O' :? ????????????????????????echo "a";? ????????????????????????return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );? ????????????????case 'b' :? ????????????????case 'i' :? ????????????????case 'd' :? ????????????????????????$end = $strict ? '$' : '';? ????????????????????????return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );? ????????}? ????????return false;? }
补丁中的?

return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );

可以多一个'+'来绕过，虽然我们通过这个方法把序列值写入了数据库，但从数据库中提取数据，再次验证的时候却没法绕过了，我这个加号没能使数据进出数据库发生任何变化，我个人认为这个补丁绕过重点在于数据进出数据的前后变化。?

4.总结?
虽然没有绕过wp补丁，但这个unserialize()的小特性可能会被很多开发人员忽略，导致程序出现安全缺陷。?
以上的分析有什么错误请留言指出。?

5.参考?
《WordPress
http://vagosec.org/2013/09/wordpress-php-object-injection/?
《var_unserializer.c源码》?
https://github.com/php/php-src/blob/73cd2e0ab14d804c6bf0b689490bdd4fd6e969b1/ext/standard/var_unserializer.c?
《PHP string序列化与反序列化语法解析不一致带来的安全隐患》?
http://zone.wooyun.org/content/1664

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

PHP's Purpose: Building Dynamic WebsitesApr 15, 2025 am 12:18 AM

PHP is used to build dynamic websites, and its core functions include: 1. Generate dynamic content and generate web pages in real time by connecting with the database; 2. Process user interaction and form submissions, verify inputs and respond to operations; 3. Manage sessions and user authentication to provide a personalized experience; 4. Optimize performance and follow best practices to improve website efficiency and security.

PHP: Handling Databases and Server-Side LogicApr 15, 2025 am 12:15 AM

PHP uses MySQLi and PDO extensions to interact in database operations and server-side logic processing, and processes server-side logic through functions such as session management. 1) Use MySQLi or PDO to connect to the database and execute SQL queries. 2) Handle HTTP requests and user status through session management and other functions. 3) Use transactions to ensure the atomicity of database operations. 4) Prevent SQL injection, use exception handling and closing connections for debugging. 5) Optimize performance through indexing and cache, write highly readable code and perform error handling.

How do you prevent SQL Injection in PHP? (Prepared statements, PDO)Apr 15, 2025 am 12:15 AM

Using preprocessing statements and PDO in PHP can effectively prevent SQL injection attacks. 1) Use PDO to connect to the database and set the error mode. 2) Create preprocessing statements through the prepare method and pass data using placeholders and execute methods. 3) Process query results and ensure the security and performance of the code.

PHP and Python: Code Examples and ComparisonApr 15, 2025 am 12:07 AM

PHP and Python have their own advantages and disadvantages, and the choice depends on project needs and personal preferences. 1.PHP is suitable for rapid development and maintenance of large-scale web applications. 2. Python dominates the field of data science and machine learning.

PHP in Action: Real-World Examples and ApplicationsApr 14, 2025 am 12:19 AM

PHP is widely used in e-commerce, content management systems and API development. 1) E-commerce: used for shopping cart function and payment processing. 2) Content management system: used for dynamic content generation and user management. 3) API development: used for RESTful API development and API security. Through performance optimization and best practices, the efficiency and maintainability of PHP applications are improved.

PHP: Creating Interactive Web Content with EaseApr 14, 2025 am 12:15 AM

PHP makes it easy to create interactive web content. 1) Dynamically generate content by embedding HTML and display it in real time based on user input or database data. 2) Process form submission and generate dynamic output to ensure that htmlspecialchars is used to prevent XSS. 3) Use MySQL to create a user registration system, and use password_hash and preprocessing statements to enhance security. Mastering these techniques will improve the efficiency of web development.

PHP and Python: Comparing Two Popular Programming LanguagesApr 14, 2025 am 12:13 AM

PHP and Python each have their own advantages, and choose according to project requirements. 1.PHP is suitable for web development, especially for rapid development and maintenance of websites. 2. Python is suitable for data science, machine learning and artificial intelligence, with concise syntax and suitable for beginners.

The Enduring Relevance of PHP: Is It Still Alive?Apr 14, 2025 am 12:12 AM

PHP is still dynamic and still occupies an important position in the field of modern programming. 1) PHP's simplicity and powerful community support make it widely used in web development; 2) Its flexibility and stability make it outstanding in handling web forms, database operations and file processing; 3) PHP is constantly evolving and optimizing, suitable for beginners and experienced developers.

See all articles