A small feature of php deserialization unserialize_PHP tutorial

The desequence vulnerability in WordPress has become quite popular these days. I will not analyze the specific vulnerability. Please read this article http://drops.wooyun.org/papers/596. You can also read the original English text http:/ /vagosec.org/2013/09/wordpress-php-object-injection/.

WP official website has a patch, I tried to bypass the patch, but when I thought I was successful, I found that I was naive and did not successfully bypass the patch of WP, but I discovered a small feature of unserialize, here Share it with everyone.

1.unserialize() function related source code:

if ((YYLIMIT - YYCURSOR) < 7) YYFILL(7);
        yych = *YYCURSOR;
        switch (yych) {
        case &#39;C&#39;:
        case &#39;O&#39;:        goto yy13;
        case &#39;N&#39;:        goto yy5;
        case &#39;R&#39;:        goto yy2;
        case &#39;S&#39;:        goto yy10;
        case &#39;a&#39;:        goto yy11;
        case &#39;b&#39;:        goto yy6;
        case &#39;d&#39;:        goto yy8;
        case &#39;i&#39;:        goto yy7;
        case &#39;o&#39;:        goto yy12;
        case &#39;r&#39;:        goto yy4;
        case &#39;s&#39;:        goto yy9;
        case &#39;}&#39;:        goto yy14;
        default:        goto yy16;
        }

The above code is the processing method of judging the sequence string, such as the sequence string O:4:"test":1:{s:1:"a";s:3:"aaa";}, processing this sequence String, first get the first character of the string as O, then case 'O': goto yy13

yy13:

yych = *(YYMARKER = ++YYCURSOR);

if (yych == ':') goto yy17;

goto yy3;

As can be seen from the above code, the pointer moves one position to point to the second character, determines whether the character is:, and then goto yy17

yy17:
        yych = *++YYCURSOR;
        if (yybm[0+yych] & 128) {
                goto yy20;
        }
        if (yych == '+') goto yy19;

 .......

yy19:
        yych = *++YYCURSOR;
        if (yybm[0+yych] & 128) {
                goto yy20;
        }
        goto yy18;

From

As can be seen from the above code, the pointer moves to determine the next character. If the character is a number, goto yy20 directly. If it is '+', goto

yy19, and yy19 is to judge the next character. If the next character is a number goto yy20, if not, goto

yy18, yy18 is to exit the sequence processing directly, yy20 is to process the object sequence, so it can be seen from the above:

O:+4:"test":1:{s:1:"a";s:3:"aaa";}

O:4:"test":1:{s:1:"a";s:3:"aaa";}

can all be deserialized by unserialize, and the results are the same.

2. Actual test:

<?php
var_dump(unserialize(&#39;O:+4:"test":1:{s:1:"a";s:3:"aaa";}&#39;));
var_dump(unserialize(&#39;O:4:"test":1:{s:1:"a";s:3:"aaa";}&#39;));
?>
输出：
object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" } 
object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }

Actually, not only the object type can be processed with an extra '+', but also other types. The specific test will not be described too much.

3. Let’s take a look at the wp patch:

function is_serialized( $data, $strict = true ) {
        // if it isn't a string, it isn't serialized
        if ( ! is_string( $data ) )
                return false;
        $data = trim( $data );
         if ( 'N;' == $data )
                return true;
        $length = strlen( $data );
        if ( $length < 4 )
                return false;
        if ( &#39;:&#39; !== $data[1] )
                return false;
        if ( $strict ) {//output
                $lastc = $data[ $length - 1 ];
                if ( &#39;;&#39; !== $lastc && &#39;}&#39; !== $lastc )
                        return false;
        } else {//input
                $semicolon = strpos( $data, &#39;;&#39; );
                $brace     = strpos( $data, &#39;}&#39; );
                // Either ; or } must exist.
                if ( false === $semicolon && false === $brace )
                        return false;
                // But neither must be in the first X characters.
                if ( false !== $semicolon && $semicolon < 3 )
                        return false;
                if ( false !== $brace && $brace < 4 )
                        return false;
        }
        $token = $data[0];
        switch ( $token ) {
                case &#39;s&#39; :
                        if ( $strict ) {
                                if ( &#39;"&#39; !== $data[ $length - 2 ] )
                                        return false;
                        } elseif ( false === strpos( $data, &#39;"&#39; ) ) {
                                return false;
                        }
                case &#39;a&#39; :
                case &#39;O&#39; :
                        echo "a";
                        return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );
                case &#39;b&#39; :
                case &#39;i&#39; :

in patch

return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );

It can be bypassed by adding an extra '+'. Although we wrote the sequence value into the database through this method, it cannot be bypassed when extracting the data from the database and verifying it again. My plus sign failed. To make any changes in the data in and out of the database, I personally think that the focus of this patch is to bypass the changes in the data in and out of the data.

4. Summary

Although the wp patch has not been bypassed, this small feature of unserialize() may be ignored by many developers, resulting in security flaws in the program.

Please leave a message to point out any errors in the above analysis.

5. Reference

《WordPress < 3.6.1 PHP Object Injection》

http://vagosec.org/2013/09/wordpress-php-object-injection/

《var_unserializer.c source code》

https://github.com/php/php-src/b ... /var_unserializer.c

"Security risks caused by inconsistent syntax parsing between PHP string serialization and deserialization" Reprinted from

http://zone.wooyun.org/content/1664

Reprinted from: https://forum.90sec.org/thread-6694-1-1.html

Author: L.N.

http://www.bkjia.com/PHPjc/532682.htmlwww.bkjia.comtruehttp: //www.bkjia.com/PHPjc/532682.htmlTechArticleThe desequence vulnerability in WordPress has become quite popular these days. I will not analyze the specific vulnerability. Read this article http://drops.wooyun.org/papers/596, you can also read the original English text http://va...