Rumah > Artikel > pembangunan bahagian belakang > php反序列unserialize的一个小特性_PHP教程
这几天wordpress的那个反序列漏洞比较火,具体漏洞我就不做分析了,看这篇吧http://drops.wooyun.org/papers/596,你也可以去看英文的原文http://vagosec.org/2013/09/wordpress-php-object-injection/。
if ((YYLIMIT - YYCURSOR) < 7) YYFILL(7); yych = *YYCURSOR; switch (yych) { case 'C': case 'O': goto yy13; case 'N': goto yy5; case 'R': goto yy2; case 'S': goto yy10; case 'a': goto yy11; case 'b': goto yy6; case 'd': goto yy8; case 'i': goto yy7; case 'o': goto yy12; case 'r': goto yy4; case 's': goto yy9; case '}': goto yy14; default: goto yy16; }
yy17: yych = *++YYCURSOR; if (yybm[0+yych] & 128) { goto yy20; } if (yych == '+') goto yy19; ....... yy19: yych = *++YYCURSOR; if (yybm[0+yych] & 128) { goto yy20; } goto yy18;
<?php var_dump(unserialize('O:+4:"test":1:{s:1:"a";s:3:"aaa";}')); var_dump(unserialize('O:4:"test":1:{s:1:"a";s:3:"aaa";}')); ?> 输出: object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" } object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }
function is_serialized( $data, $strict = true ) { // if it isn't a string, it isn't serialized if ( ! is_string( $data ) ) return false; $data = trim( $data ); if ( 'N;' == $data ) return true; $length = strlen( $data ); if ( $length < 4 ) return false; if ( ':' !== $data[1] ) return false; if ( $strict ) {//output $lastc = $data[ $length - 1 ]; if ( ';' !== $lastc && '}' !== $lastc ) return false; } else {//input $semicolon = strpos( $data, ';' ); $brace = strpos( $data, '}' ); // Either ; or } must exist. if ( false === $semicolon && false === $brace ) return false; // But neither must be in the first X characters. if ( false !== $semicolon && $semicolon < 3 ) return false; if ( false !== $brace && $brace < 4 ) return false; } $token = $data[0]; switch ( $token ) { case 's' : if ( $strict ) { if ( '"' !== $data[ $length - 2 ] ) return false; } elseif ( false === strpos( $data, '"' ) ) { return false; } case 'a' : case 'O' : echo "a"; return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data ); case 'b' : case 'i' :