Home  >  Article  >  Operation and Maintenance  >  Using syntax differences between PHP serialization and deserialization to bypass protection

Using syntax differences between PHP serialization and deserialization to bypass protection

王林
王林forward
2020-01-02 16:53:082081browse

Using syntax differences between PHP serialization and deserialization to bypass protection

Introduction

The official documentation introduces PHP serialization and deserialization as follows:

All values ​​in php are You can use the function serialize() to return a string containing a byte stream. The unserialize() function can change the string back to the original value of PHP. Serializing an object will save all the object's variables, but it will not save the object's methods, only the class name. In order to be able to unserialize() an object, the object's class must have been defined. If you serialize an object of class A, a string related to class A will be returned that contains the values ​​of all variables in the object.

Simply put, serialization is the process of converting objects into strings, and deserialization is the process of restoring objects from strings.

Environment

The usage environment for the content described in the article is as follows:

PHP7.3.1, SDKVSCodeC and C

The public parameter deserialization execution process on the Internet is very detailed, but there are some deficiencies in some details, including the syntax difference between serialization and deserialization.

Difference issues

1. Serialization

We analyze by compiling the PHP kernel source code, It was found that PHP serialization adds: { and } to the object conversion by default to concatenate it into a string.

[var.c]
Line:882
static void php_var_serialize_intern()
Line:896
if (ce->serialize(struc, &serialized_data, &serialized_length, (zend_serialize_data *)var_hash) == SUCCESS) {
                        smart_str_appendl(buf, "C:", 2);
                        smart_str_append_unsigned(buf, ZSTR_LEN(Z_OBJCE_P(struc)->name));
                        smart_str_appendl(buf, ":\"", 2);
                        smart_str_append(buf, Z_OBJCE_P(struc)->name);
                        smart_str_appendl(buf, "\":", 2);

                        smart_str_append_unsigned(buf, serialized_length);
                        smart_str_appendl(buf, ":{", 2);
                        smart_str_appendl(buf, (char *) serialized_data, serialized_length);
                        smart_str_appendc(buf, '}');
                    }
Line:952
smart_str_appendl(buf, ":{", 2);
Line:995
smart_str_appendc(buf, '}');

Let’s take a look at the above code. PHP will use smart_str_appendl to splice the serialized string before and after: {and}, and enter the serialization logic starting from line 882 of var.c. Serialized string splicing is performed at line 896, and lines 952 and 995 are spliced ​​for inline methods.

2. Deserialization

Deserialization is to convert and restore the serialized string according to certain grammatical rules.

[var_unserialize.c]
Line:655
static int php_var_unserialize_internal()

Line:674{
    YYCTYPE yych;    
    static const unsigned char yybm[] = {          
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
        128, 128, 128, 128, 128, 128, 128, 128, 
        128, 128,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
          0,   0,   0,   0,   0,   0,   0,   0, 
    };
    if ((YYLIMIT - YYCURSOR) < 7) YYFILL(7);
    yych = *YYCURSOR;    
    switch (yych) {    
    case &#39;C&#39;:    
    case &#39;O&#39;:    goto yy4;    
    case &#39;N&#39;:    goto yy5;    
    case &#39;R&#39;:    goto yy6;    
    case &#39;S&#39;:    goto yy7;    
    case &#39;a&#39;:    goto yy8;    
    case &#39;b&#39;:    goto yy9;    
    case &#39;d&#39;:    goto yy10;    
    case &#39;i&#39;:    goto yy11;    
    case &#39;o&#39;:    goto yy12;    
    case &#39;r&#39;:    goto yy13;    
    case &#39;s&#39;:    goto yy14;    
    case &#39;}&#39;:    goto yy15;    
    default:    goto yy2;
    }

Line:776
yy15:
    ++YYCURSOR;
    {    /* this is the case where we have less data than planned */
    php_error_docref(NULL, E_NOTICE, "Unexpected end of serialized data");    
return 0; /* not sure if it should be 0 or 1 here? */
}

Through the kernel code, you can see that line 655 enters deserialization. Deserialization uses lexical scanning to determine the corresponding objects of each symbol conversion. It can be seen that } is processed during deserialization. During the processing, the counter is only incremented by one and no other operations are performed.

Actual effect

The difference in deserialization syntax has a great impact on the security protection equipment's judgment of deserialization. In Snort, there is a rule as follows:

alert tcp any any -> any [80,8080,443] (uricontent:".php"; pcre:"/\{\w:.+?\}/"; sid:1; 
msg:php_serialize;)

Most characters can be used instead of {} in the attack payload, causing the rule to become invalid.

Summary

Differences in PHP serialization and deserialization syntax can be exploited in red team attacks to bypass protection.

In blue team defense, it is recommended to consider the method described in the definition that will not save the object, but only the name of the class. , intercept the name of the saved class, and the same characters in the syntax such as colon for defense.

Related article tutorial sharing: Website security tutorial

The above is the detailed content of Using syntax differences between PHP serialization and deserialization to bypass protection. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:freebuf.com. If there is any infringement, please contact admin@php.cn delete