Skip to content

Instantly share code, notes, and snippets.

@chtg
chtg / gist:c6fb2acdc5d6cfd7ebd2
Created November 2, 2014 12:26
PHP WDDX Serializier Data Injection Vulnerability

#PHP WDDX Serializier Data Injection Vulnerability

Taoguang Chen <@chtg> - 2014.11.2

PHP 在把数组序列化为 WDDX 结构的过程中,没有对数组的键名严格限制,导致可以伪造对象的 WDDX 结构。

##i 序列化对象

PHP 在把对象序列化为 WDDX 结构时,会做如下处理:

@chtg
chtg / gist:07ebf5fb7fdbf4393ff3
Last active March 28, 2023 22:21
Code Injection Vulnerability via unserialize() Function and var_export() Function in HHVM 3

#Code Injection Vulnerability via unserialize() Function and var_export() Function in HHVM 3

Taoguang Chen <@chtg> - 2014.10.29

HHVM's var_export() function wrongly handles an undefined class, and unserialize() function wrongly handles an invalid classname.

##HHVM's var_export() function HHVM's var_export() function had a parse error when exporting an undefined class:

@chtg
chtg / gist:f74965bfea764d9c9698
Last active November 5, 2019 14:20
PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患

#PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患

Taoguang Chen <@chtg> - 2014.11.11

##PHP Session 序列化及反序列化处理器

PHP 内置了多种处理器用于存取 $_SESSION 数据时会对数据进行序列化和反序列化,常用的有以下三种,对应三种不同的处理格式:

处理器 对应的存储格式
@chtg
chtg / gist:e9824db42a8edf302b0e
Last active August 29, 2015 14:09
MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability

#MyBB <= 1.8.2 unset_globals() Function Bypass and Remote Code Execution Vulnerability

Taoguang Chen <@chtg> - 2014.03.06

MyBB's unset_globals() function can be bypassed under special conditions and it is possible to allows remote code execution.

##I. MyBB's unset_globals() Function Bypass

When PHP's register_globals configuration set on, MyBB will call unset_globals() function, all global variables registered by PHP from $_POST, $_GET, $_FILES, and $_COOKIE arrays will be destroyed.

@chtg
chtg / gist:dd3f92f7f221bebc4db0
Last active August 29, 2015 14:11
PHP 脚本多字节字符解析模式带来的安全隐患
PHP 脚本多字节字符解析模式带来的安全隐患
> Taoguang Chen <github.com/chtg> - 2014.12.15
多字节字符解析模式
========
PHP 从 5.3 起引入了多字节字符解析模式,在 5.3 版本中开启该模式较为麻烦,需要在编译时开启相应参数,并在 php.ini 文件和脚本中进行配置。但 PHP 从 5.4 起默认支持多字节字符解析模式,只需通过 php.ini 文件中配置即可开启该模式。
我们先来看看 PHP 提供的一些配置选项:
@chtg
chtg / gist:ffc16863cbcff6d9a034
Last active August 29, 2015 14:14
Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]

#Use After Free Vulnerability in unserialize() with DateTime* [CVE-2015-0273]

Taoguang Chen <@chtg> - Write Date: 2015.1.29 - Release Date: 2015.2.20

A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone objects's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

Affected Versions

Affected is PHP 5.6 < 5.6.6
Affected is PHP 5.5 < 5.5.22

@chtg
chtg / gist:a492176ff789120689f9
Last active August 29, 2015 14:14
Type Confusion Infoleak Vulnerability in unserialize() with DateTimeZone

#Type Confusion Infoleak Vulnerability in unserialize() with DateTimeZone

Taoguang Chen <@chtg> - Write Date: 2015.1.29 - Release Date: 2015.2.20

A type confusion vulnerability was discovered in unserialize() with DateTimeZone object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks.

Affected Versions

Affected is PHP 5.6.x
Affected is PHP 5.5.x

@chtg
chtg / gist:d62d42b55c68bfcb0c2f
Last active August 29, 2015 14:14
Use After Free Vulnerability in unserialize()

#Use After Free Vulnerability in unserialize() [CVE-2015-2787]

Taoguang Chen <@chtg> - Write Date: 2015.2.3 - Release Date: 2015.3.20

A use-after-free vulnerability was discovered in unserialize() with a specially defined object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code.

Affected Versions

Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23

@chtg
chtg / gist:597360ca0a56fedc5efe
Last active October 1, 2024 08:15
Use After Free Vulnerability in unserialize() with DateInterval

#Use After Free Vulnerability in unserialize() with DateInterval

Taoguang Chen <@chtg> - Write Date: 2015.2.28 - Release Date: 2015.3.20

A use-after-free vulnerability was discovered in unserialize() with DateInterval object's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

Affected Versions

Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23

@chtg
chtg / gist:304478984a7d47bae398
Last active July 28, 2017 08:07
Type Confusion Vulnerability in SoapClient

Type Confusion Vulnerability in SoapClient

Taoguang Chen <@chtg> - Write Date: 2015.3.1 - Release Date: 2015.3.20

A type confusion vulnerability was discovered in SoapClient object's __getCookies() method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

Affected Versions

Affected is PHP 5.6 < 5.6.7
Affected is PHP 5.5 < 5.5.23