php反序列unserialize的一个小特点

php反序列unserialize的一个小特性

这几天wordpress的那个反序列漏洞比较火，具体漏洞我就不做分析了，看这篇：http://drops.wooyun.org/papers/596，?
你也可以去看英文的原文：http://vagosec.org/2013/09/wordpress-php-object-injection/。?

wp官网打了补丁，我试图去bypass补丁，但让我自以为成功的时候，发现我天真了，并没有成功绕过wp的补丁，但却发现了unserialize的一个小特性，在此和大家分享一下。?

1.unserialize()函数相关源码：?

if ((YYLIMIT - YYCURSOR) ????????yych = *YYCURSOR;?<br style="margin: 0px; padding: 0px;">????????switch (yych) {?<br style="margin: 0px; padding: 0px;">????????case 'C':?<br style="margin: 0px; padding: 0px;">????????case 'O':????????goto yy13;?<br style="margin: 0px; padding: 0px;">????????case 'N':????????goto yy5;?<br style="margin: 0px; padding: 0px;">????????case 'R':????????goto yy2;?<br style="margin: 0px; padding: 0px;">????????case 'S':????????goto yy10;?<br style="margin: 0px; padding: 0px;">????????case 'a':????????goto yy11;?<br style="margin: 0px; padding: 0px;">????????case 'b':????????goto yy6;?<br style="margin: 0px; padding: 0px;">????????case 'd':????????goto yy8;?<br style="margin: 0px; padding: 0px;">????????case 'i':????????goto yy7;?<br style="margin: 0px; padding: 0px;">????????case 'o':????????goto yy12;?<br style="margin: 0px; padding: 0px;">????????case 'r':????????goto yy4;?<br style="margin: 0px; padding: 0px;">????????case 's':????????goto yy9;?<br style="margin: 0px; padding: 0px;">????????case '}':????????goto yy14;?<br style="margin: 0px; padding: 0px;">????????default:????????goto yy16;?<br style="margin: 0px; padding: 0px;">????????}

上边这段代码是判断序列串的处理方式，如序列串O:4:"test":1:{s:1:"a";s:3:"aaa";},处理这个序列串，先获取字符串第一个字符为O，然后case 'O':??goto yy13?

yy13:?<br style="margin: 0px; padding: 0px;">????????yych = *(YYMARKER = ++YYCURSOR);?<br style="margin: 0px; padding: 0px;">????????if (yych == ':') goto yy17;?<br style="margin: 0px; padding: 0px;">????????goto yy3;

从上边代码看出，指针移动一位指向第二个字符，判断字符是否为:，然后 goto yy17?

yy17:?<br style="margin: 0px; padding: 0px;">????????yych = *++YYCURSOR;?<br style="margin: 0px; padding: 0px;">????????if (yybm[0+yych] & 128) {?<br style="margin: 0px; padding: 0px;">????????????????goto yy20;?<br style="margin: 0px; padding: 0px;">????????}?<br style="margin: 0px; padding: 0px;">????????if (yych == '+') goto yy19;?<br style="margin: 0px; padding: 0px;"><br style="margin: 0px; padding: 0px;">.......?<br style="margin: 0px; padding: 0px;"><br style="margin: 0px; padding: 0px;">yy19:?<br style="margin: 0px; padding: 0px;">????????yych = *++YYCURSOR;?<br style="margin: 0px; padding: 0px;">????????if (yybm[0+yych] & 128) {?<br style="margin: 0px; padding: 0px;">????????????????goto yy20;?<br style="margin: 0px; padding: 0px;">????????}?<br style="margin: 0px; padding: 0px;">????????goto yy18;

从上边代码看出，指针移动，判断下一位字符，如果字符是数字直接goto yy20，如果是'+'就goto yy19，而yy19中是对下一位字符判断，如果下一位字符是数字goto yy20，不是就goto yy18，yy18是直接退出序列处理，yy20是对object性的序列的处理，所以从上边可以看出：?

O:+4:"test":1:{s:1:"a";s:3:"aaa";}?<br style="margin: 0px; padding: 0px;">O:4:"test":1:{s:1:"a";s:3:"aaa";}

都能够被unserialize反序列化，且结果相同。?

2.实际测试：?

<?php ?<br style="margin: 0px; padding: 0px;">var_dump(unserialize('O:+4:"test":1:{s:1:"a";s:3:"aaa";}'));?<br style="margin: 0px; padding: 0px;">var_dump(unserialize('O:4:"test":1:{s:1:"a";s:3:"aaa";}'));?<br style="margin: 0px; padding: 0px;">?>

输出：?

object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }?<br style="margin: 0px; padding: 0px;">object(__PHP_Incomplete_Class)#1 (2) { ["__PHP_Incomplete_Class_Name"]=> string(4) "test" ["a"]=> string(3) "aaa" }

其实，不光object类型处理可以多一个'+',其他类型也可以，具体测试不做过多描述。?

3.我们看下wp的补丁：?

function is_serialized( $data, $strict = true ) {?<br style="margin: 0px; padding: 0px;">????????// if it isn't a string, it isn't serialized?<br style="margin: 0px; padding: 0px;">????????if ( ! is_string( $data ) )?<br style="margin: 0px; padding: 0px;">????????????????return false;?<br style="margin: 0px; padding: 0px;">????????$data = trim( $data );?<br style="margin: 0px; padding: 0px;">???????? if ( 'N;' == $data )?<br style="margin: 0px; padding: 0px;">????????????????return true;?<br style="margin: 0px; padding: 0px;">????????$length = strlen( $data );?<br style="margin: 0px; padding: 0px;">????????if ( $length ????????????????return false;?<br style="margin: 0px; padding: 0px;">????????if ( ':' !== $data[1] )?<br style="margin: 0px; padding: 0px;">????????????????return false;?<br style="margin: 0px; padding: 0px;">????????if ( $strict ) {//output?<br style="margin: 0px; padding: 0px;">????????????????$lastc = $data[ $length - 1 ];?<br style="margin: 0px; padding: 0px;">????????????????if ( ';' !== $lastc && '}' !== $lastc )?<br style="margin: 0px; padding: 0px;">????????????????????????return false;?<br style="margin: 0px; padding: 0px;">????????} else {//input?<br style="margin: 0px; padding: 0px;">????????????????$semicolon = strpos( $data, ';' );?<br style="margin: 0px; padding: 0px;">????????????????$brace???? = strpos( $data, '}' );?<br style="margin: 0px; padding: 0px;">????????????????// Either ; or } must exist.?<br style="margin: 0px; padding: 0px;">????????????????if ( false === $semicolon && false === $brace )?<br style="margin: 0px; padding: 0px;">????????????????????????return false;?<br style="margin: 0px; padding: 0px;">????????????????// But neither must be in the first X characters.?<br style="margin: 0px; padding: 0px;">????????????????if ( false !== $semicolon && $semicolon ????????????????????????return false;?<br style="margin: 0px; padding: 0px;">????????????????if ( false !== $brace && $brace ????????????????????????return false;?<br style="margin: 0px; padding: 0px;">????????}?<br style="margin: 0px; padding: 0px;">????????$token = $data[0];?<br style="margin: 0px; padding: 0px;">????????switch ( $token ) {?<br style="margin: 0px; padding: 0px;">????????????????case 's' :?<br style="margin: 0px; padding: 0px;">????????????????????????if ( $strict ) {?<br style="margin: 0px; padding: 0px;">????????????????????????????????if ( '"' !== $data[ $length - 2 ] )?<br style="margin: 0px; padding: 0px;">????????????????????????????????????????return false;?<br style="margin: 0px; padding: 0px;">????????????????????????} elseif ( false === strpos( $data, '"' ) ) {?<br style="margin: 0px; padding: 0px;">????????????????????????????????return false;?<br style="margin: 0px; padding: 0px;">????????????????????????}?<br style="margin: 0px; padding: 0px;">????????????????case 'a' :?<br style="margin: 0px; padding: 0px;">????????????????case 'O' :?<br style="margin: 0px; padding: 0px;">????????????????????????echo "a";?<br style="margin: 0px; padding: 0px;">????????????????????????return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );?<br style="margin: 0px; padding: 0px;">????????????????case 'b' :?<br style="margin: 0px; padding: 0px;">????????????????case 'i' :?<br style="margin: 0px; padding: 0px;">????????????????case 'd' :?<br style="margin: 0px; padding: 0px;">????????????????????????$end = $strict ? '$' : '';?<br style="margin: 0px; padding: 0px;">????????????????????????return (bool) preg_match( "/^{$token}:[0-9.E-]+;$end/", $data );?<br style="margin: 0px; padding: 0px;">????????}?<br style="margin: 0px; padding: 0px;">????????return false;?<br style="margin: 0px; padding: 0px;">}
补丁中的?

return (bool) preg_match( "/^{$token}:[0-9]+:/s", $data );

可以多一个'+'来绕过，虽然我们通过这个方法把序列值写入了数据库，但从数据库中提取数据，再次验证的时候却没法绕过了，我这个加号没能使数据进出数据库发生任何变化，我个人认为这个补丁绕过重点在于数据进出数据的前后变化。?

4.总结?
虽然没有绕过wp补丁，但这个unserialize()的小特性可能会被很多开发人员忽略，导致程序出现安全缺陷。?
以上的分析有什么错误请留言指出。?

5.参考?
《WordPress
http://vagosec.org/2013/09/wordpress-php-object-injection/?
《var_unserializer.c源码》?
https://github.com/php/php-src/blob/73cd2e0ab14d804c6bf0b689490bdd4fd6e969b1/ext/standard/var_unserializer.c?
《PHP string序列化与反序列化语法解析不一致带来的安全隐患》?
http://zone.wooyun.org/content/1664