Joomla \libraries\joomla\session\session.php: object injection via truncated, malformed serialized session strings
Catalog
. Vulnerability description
. PHP SESSION persistence
. PHP serialize/unserialize kernel implementation
. Vulnerable code analysis
. POC construction techniques
. Defense
. Code patch
1. Vulnerability description
When Joomla processes serialized SESSION data it does not strictly enforce the serialization format, so an attacker can send a malformed HTTP request and achieve object injection.
Relevant Link:
https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html
http://www.freebuf.com/vuls/89599.html
2. PHP SESSION persistence
0x1: Session overview
Session support in PHP consists of a way to preserve certain data across subsequent accesses. This enables you to build more customized applications and increase the appeal of your web site.
A visitor accessing your web site is assigned a unique id, the so-called session id. This id is either stored in a cookie on the user side or is propagated in the URL.
The session support allows you to store data between requests in the $_SESSION superglobal array. When a visitor accesses your site, PHP will check automatically (if session.auto_start is set to 1) or on your request (explicitly through session_start() or implicitly through session_register()) whether a session id created by a prior request has been sent with the current one. If this is the case, the prior saved environment is recreated.
$_SESSION (and all registered variables) are serialized by PHP using a built-in serialization method after the request finishes. The serialization method can be selected with the session.serialize_handler PHP configuration option. Registered variables which are undefined are marked as being not defined. On subsequent accesses, these are not defined by the session module unless the user defines them later.
0x2: The SessionHandler class
SessionHandler is a special class that can be used to expose the current internal PHP session save handler by inheritance. There are seven methods which wrap the seven internal session save handler callbacks
. open
. close
. read
. write
. destroy
. gc
. create_sid
By default, this class will wrap whatever internal save handler is set as defined by the session.save_handler configuration directive which is usually files by default. Other internal session save handlers are provided by PHP extensions such as SQLite (as sqlite), Memcache (as memcache), and Memcached (as memcached).
<?php
echo ini_get('session.save_handler');
?>
When a plain instance of SessionHandler is set as the save handler using session_set_save_handler() it will wrap the current save handlers. A class extending from SessionHandler allows you to override the methods, or to intercept or filter them by calling the parent class methods, which ultimately wrap the internal PHP session handlers.
This allows you, for example, to intercept the read and write methods to encrypt/decrypt the session data and then pass the result to and from the parent class. Alternatively one might choose to entirely override a method like the garbage collection callback gc.
Because SessionHandler wraps the current internal save handler methods, the above example of encryption can be applied to any internal save handler without having to know the internals of the handlers.
<?php
/**
 * decrypt AES 256
 *
 * @param data $edata
 * @param string $password
 * @return decrypted data
 */
function decrypt($edata, $password) {
    $data = base64_decode($edata);
    $salt = substr($data, 0, 16);
    $ct = substr($data, 16);

    $rounds = 3; // depends on key length
    $data00 = $password.$salt;
    $hash = array();
    $hash[0] = hash('sha256', $data00, true);
    $result = $hash[0];
    for ($i = 1; $i < $rounds; $i++) {
        $hash[$i] = hash('sha256', $hash[$i - 1].$data00, true);
        $result .= $hash[$i];
    }
    // first 32 bytes of the derived material are the key, the next 16 the IV
    $key = substr($result, 0, 32);
    $iv  = substr($result, 32, 16);
    return openssl_decrypt($ct, 'AES-256-CBC', $key, true, $iv);
}

/**
 * crypt AES 256
 *
 * @param data $data
 * @param string $password
 * @return base64 encrypted data
 */
function encrypt($data, $password) {
    // Set a random salt
    $salt = openssl_random_pseudo_bytes(16);

    $salted = '';
    $dx = '';
    // Salt the key(32) and iv(16) = 48
    while (strlen($salted) < 48) {
        $dx = hash('sha256', $dx.$password.$salt, true);
        $salted .= $dx;
    }

    $key = substr($salted, 0, 32);
    $iv  = substr($salted, 32, 16);

    $encrypted_data = openssl_encrypt($data, 'AES-256-CBC', $key, true, $iv);
    // the salt is stored in front of the ciphertext so decrypt() can re-derive key and IV
    return base64_encode($salt . $encrypted_data);
}

class EncryptedSessionHandler extends SessionHandler
{
    private $key;

    public function __construct($key)
    {
        $this->key = $key;
    }

    public function read($id)
    {
        $data = parent::read($id);
        var_dump($data); // debug output: the raw (encrypted) record as read from the store
        if (!$data) {
            return "";
        } else {
            return decrypt($data, $this->key);
        }
    }

    public function write($id, $data)
    {
        $data = encrypt($data, $this->key);
        return parent::write($id, $data);
    }
}

// we'll intercept the native 'files' handler, but will equally work
// with other internal native handlers like 'sqlite', 'memcache' or 'memcached'
// which are provided by PHP extensions.
ini_set('session.save_handler', 'files');

$key = 'secret_string';
$handler = new EncryptedSessionHandler($key);
session_set_save_handler($handler, true);
session_start();

$_SESSION['OP'] = "HE;L";
var_dump($_SESSION);
?>
The key point here is that PHP SESSION persistence and serialize() serialization are two completely independent things. Session persistence (including custom session handlers) is essentially only an algorithm for writing the values of the $_SESSION superglobal to some third-party storage (for example, a file on disk).
Serialization, on the other hand, is essentially an encoding, designed from the start for network transmission and persistent storage. Because of that property, serialization is used by default for PHP session persistence. To sum up, the PHP session persistence flow is:
// session store
. PHP serializes the values in $_SESSION with serialize(), producing $result
. PHP calls the user-defined write function, which applies its own processing to $result
. the result is written to persistent storage
// $_SESSION['OP'] = HE;L -> OP|s:4:"HE;L"; -> T1B8czo0OiJIRTtMIjs=
// session load
. the string $input is read from persistent storage
. PHP calls the user-defined read function, which reverses its processing on $input
. when $_SESSION values are accessed, PHP automatically unserializes the result of the previous step
// T1B8czo0OiJIRTtMIjs= -> OP|s:4:"HE;L"; -> $_SESSION['OP'] = HE;L
Relevant Link:
http://php.net/manual/zh/intro.session.php
http://php.net/manual/zh/class.sessionhandler.php
http://drops.wooyun.org/tips/3909
http://bobao.360.cn/learning/detail/2499.html
http://weibo.com/p/1001603920354568452417
http://php.net/manual/zh/function.session-set-save-handler.php
3. PHP serialize/unserialize kernel implementation
\php-src-master\ext\session\session.c
#define PS_DELIMITER '|'
#define PS_UNDEF_MARKER '!'

PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
{
    const char *p, *q;
    const char *endptr = val + vallen;
    zval current;
    int has_value;
    int namelen;
    zend_string *name;
    php_unserialize_data_t var_hash;

    PHP_VAR_UNSERIALIZE_INIT(var_hash);

    p = val;
    while (p < endptr)
    {
        zval *tmp;
        q = p;
        // search for the position of the serialization delimiter "|"
        while (*q != PS_DELIMITER)
        {
            // scan character by character up to the end of the serialized string
            if (++q >= endptr) goto break_outer_loop;
        }
        // PS_UNDEF_MARKER = '!'
        if (p[0] == PS_UNDEF_MARKER)
        {
            p++;
            has_value = 0;
        }
        else
        {
            has_value = 1;
        }

        // p is where this round of scanning started, so q - p is the key name before the "|"
        namelen = q - p;
        // fetch the key name
        name = zend_string_init(p, namelen, 0);
        q++;

        if ((tmp = zend_hash_find(&EG(symbol_table), name)))
        {
            if ((Z_TYPE_P(tmp) == IS_ARRAY && Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars))
            {
                goto skip;
            }
        }

        if (has_value)
        {
            ZVAL_UNDEF(&current);
            // call php_var_unserialize to parse the key's value
            if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash))
            {
                zval *zv = php_set_session_var(name, &current, &var_hash);
                var_replace(&var_hash, &current, zv);
            }
            else
            {
                zval_ptr_dtor(&current);
            }
        }
        PS_ADD_VARL(name);
skip:
        zend_string_release(name);
        p = q;
    }
break_outer_loop:
    PHP_VAR_UNSERIALIZE_DESTROY(var_hash);

    return SUCCESS;
}
/* }}} */
Following php_var_unserialize, the key logic is:
\php-src-master\ext\standard\var_unserializer.c
/*
 The pointer moves through the serialized data; when it reaches data like
   130:"_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}
 len = parse_uiv(start + 2); reads the value 130 into len via parse_uiv
*/
len2 = len = parse_uiv(start + 2);
/*
 maxlen = max - YYCURSOR;
 the length of the data remaining after the current pointer
*/
maxlen = max - YYCURSOR;
if (maxlen < len || len == 0)
{
    *p = start + 2;
    return 0;
}
// So the if condition is satisfied and the inner block runs: unserialization fails and returns 0,
// while the pointer p is left at the end of the previous parse.
php_var_unserialize returns 0 and control comes back to session.c (PHP 5.4 shown here):
if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC))
{
    php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
}
zval_ptr_dtor(&current);
efree(name);
p = q; // the current variable is discarded and p = q; the next iteration keeps searching for "|", and now the injected test| is taken as a key
To sum up the root cause of this vulnerability:
. Joomla uses a custom SESSION persistence handler that saves SESSION data into a MySQL database
. Joomla stores HTTP_USER_AGENT and HTTP_X_FORWARDED_FOR from the HTTP request into the SESSION superglobal, which is then persisted
. The attacker's request uses two key ingredients in HTTP_USER_AGENT:
  1) "|" (the key-value delimiter): }__test|O::"JData
  2) a truncation character: }__test|O::"JData...ð(%F0%9D%8C%86)
. On the attacker's second visit, Joomla's $browser = $this->get('session.client.browser'); reads the SESSION data from the database and tries to unserialize it
. ð(%F0%9D%8C%86) is treated by MySQL as a truncation character: when the attacker's HTTP request contains it, everything after it is cut off
. Because of the truncation, when the PHP kernel parses the string after session.client.forwarded the length check fails, so php_var_unserialize exits early and returns false
. When php_var_unserialize fails, PHP continues the next key-value attempt from the previous pointer position
. In the next key-value attempt the PHP kernel treats the attacker's injected "|" as the delimiter and parses a key-value pair, resulting in object injection
0x1: Reproducing outside Joomla
To simulate the same malformed-string parsing problem, construct the following code:
<?php
class Example
{
    var $var = '';
    function __destruct()
    {
        eval($this->var);
    }
}

session_start();
ini_set('session.save_handler', 'files');

$_SESSION['prefix'] = 'hello';
$_SESSION['pyaload'] = '_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}';
$_SESSION['after'] = 'alibaba';
var_dump($_SESSION);
?>
After visiting the page, edit the SESSION file persisted on disk by hand to trigger PHP's malformed parsing directly:
/*
1. Delete the closing double quote after phpinfo();";} and everything after it, simulating MySQL's special-character truncation
2. Change the length after pyaload|s: to 130, far more than the original 70, so the length check fails
*/
prefix|s:5:"hello";pyaload|s:130:"_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}
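To make the parser behaviour concrete, here is an added example (not code from the post, from PHP or from Joomla): a Python model of the session.c decode loop together with the length check quoted from var_unserializer.c, run on the hand-edited record above and on the well-formed OP|s:4:"HE;L"; record from section 2. unserialize_one and decode_session are names chosen for this example, and the two records are constructed inline.

```python
import re

# Constructed inputs: the record for the post's $_SESSION['OP'] example, and the
# hand-edited session file from the reproduction above (declared length 130, data shorter).
BENIGN_RECORD = b'OP|s:4:"HE;L";'
CORRUPTED_RECORD = (b'prefix|s:5:"hello";pyaload|s:130:"_test|O:7:"Example":1:'
                    b'{s:3:"var";s:10:"phpinfo();";}')
_STR = re.compile(rb's:(\d+):"')
_OBJ = re.compile(rb'O:(\d+):"([^"]*)":(\d+):\{')

def unserialize_one(buf, pos):
    """Stand-in for php_var_unserialize (s:N:"..."; and O:N:"Cls":M:{...} only).
    Returns (value, next_pos), or None when the declared length exceeds what is left
    (the `maxlen < len` branch quoted above)."""
    m = _STR.match(buf, pos)
    if m:
        n, start = int(m.group(1)), m.end()
        if buf[start + n:start + n + 2] != b'";':    # too short, or not terminated
            return None
        return buf[start:start + n].decode(), start + n + 2
    m = _OBJ.match(buf, pos)
    if m:
        cls, count, pos, props = m.group(2).decode(), int(m.group(3)), m.end(), {}
        for _ in range(count):
            key = unserialize_one(buf, pos)
            val = unserialize_one(buf, key[1]) if key else None
            if val is None:
                return None
            props[key[0]], pos = val
        return (('object', cls, props), pos + 1) if buf[pos:pos + 1] == b'}' else None
    return None

def decode_session(record, strict=False):
    """The key|value walk of PS_SERIALIZER_DECODE_FUNC(php). strict=False mirrors
    PHP < 5.6.13: after a failed value the scan resumes and the next '|' (the attacker's)
    is taken as a key separator. strict=True mirrors 5.6.13+: one failure discards all."""
    session, p = {}, 0
    while p < len(record):
        q = record.find(b'|', p)
        if q < 0:
            break
        res = unserialize_one(record, q + 1)
        if res is None:
            if strict:
                return {}
            p = q + 1      # the C code leaves q at start + 2; either way we re-sync here
            continue
        session[record[p:q].decode()], p = res
    return session
```

With strict=False the corrupted record yields the Example object under the junk key s:130:"_test, which is exactly the re-synchronisation the post describes; with strict=True the same record decodes to nothing.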
Relevant Link:
https://github.com/php/php-src/blob/PHP-5.4.5/ext/session/session.c
4. Vulnerable code analysis
\Joomla_3.4.5_to_3.4.6-Stable-Patch_Package\libraries\joomla\session\session.php
// Record proxy forwarded for in the session in case we need it later
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
    // store HTTP_X_FORWARDED_FOR from the HTTP request into the global SESSION
    $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
}

// Check for client address
if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']))
{
    $ip = $this->get('session.client.address');

    if ($ip === null)
    {
        $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);
    }
    elseif ($_SERVER['REMOTE_ADDR'] !== $ip)
    {
        $this->_state = 'error';

        return false;
    }
}

// Check for clients browser
if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))
{
    $browser = $this->get('session.client.browser');

    if ($browser === null)
    {
        // store HTTP_USER_AGENT from the HTTP request into the global SESSION
        $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);
    }
    elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser)
    {
        // @todo remove code: $this->_state = 'error';
        // @todo remove code: return false;
    }
}
The data from the attacker's malformed HTTP request is saved by Joomla into the global SESSION. Session initialization normally happens before any application code runs, but Joomla uses a custom session storage mechanism: it replaces PHP's built-in storage with its own session storage functions registered through session_set_save_handler.
\Joomla_3.4.5\libraries\joomla\session\storage.php
public function register()
{
    // Use this object as the session handler
    session_set_save_handler(
        array($this, 'open'), array($this, 'close'), array($this, 'read'),
        array($this, 'write'), array($this, 'destroy'), array($this, 'gc')
    );
}
Relevant Link:
http://zone.wooyun.org/content/24440
http://zone.wooyun.org/content/24444
http://drops.wooyun.org/papers/11330
5. POC construction techniques
http://drops.wooyun.org/papers/11330
6. Defense
. /Joomla/configuration.php: set the session handler to files
class JConfig
{
    ..
    public $session_handler = 'files';
}
. Upgrade PHP to >= 5.6.13
Starting with PHP 5.6.13, if the first variable fails to parse, the whole session is destroyed.
. Fix the Joomla CMS code
https://github.com/joomla/joomla-cms/releases/download/3.4.6/Joomla_3.4.5_to_3.4.6-Stable-Patch_Package.tar.gz
\Joomla_3.4.5_to_3.4.6-Stable-Patch_Package\libraries\joomla\session\session.php
. stop accepting HTTP_USER_AGENT
. validate HTTP_X_FORWARDED_FOR with filter_var to make sure it is a well-formed IP address, blocking injection through this field
// Check for client address
if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']) && filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) !== false)
{
    $ip = $this->get('session.client.address');

    if ($ip === null)
    {
        $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);
    }
    elseif ($_SERVER['REMOTE_ADDR'] !== $ip)
    {
        $this->_state = 'error';

        return false;
    }
}

// Record proxy forwarded for in the session in case we need it later
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) !== false)
{
    $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
}
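As an added example (not code from the post or from Joomla), a Python check in the spirit of the filter_var fix above that flags request header values which should never be copied into a session record: a non-IP X-Forwarded-For, a "|" followed by a serialized object header, and a 4-byte UTF-8 character of the kind the post says MySQL truncates at. The sample requests and the names reasons and scan are constructed for this example.

```python
import ipaddress
import re

# Constructed sample requests (client IP, header name, header value) standing in for an
# access log enriched with the two headers Joomla 3.4.5 copied into the session. The last
# two carry the post's Example payload and the U+1D306 (%F0%9D%8C%86) truncation character.
SAMPLE_HEADERS = [
    ("203.0.113.7", "X-Forwarded-For", "198.51.100.23"),
    ("203.0.113.7", "User-Agent", "Mozilla/5.0 (X11; Linux x86_64) Firefox/42.0"),
    ("203.0.113.9", "X-Forwarded-For",
     '}__test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}\U0001d306'),
    ("203.0.113.9", "User-Agent", "curl/7.45.0 \U0001d306"),
]

# "|" immediately followed by a serialized object header, the shape the post describes
SERIALIZED_OBJECT = re.compile(r'\|O:\d+:"')


def reasons(header, value):
    """Why this header value must not be stored into the session as-is (empty = clean)."""
    why = []
    if header == "X-Forwarded-For":
        try:
            ipaddress.ip_address(value)   # same intent as filter_var(..., FILTER_VALIDATE_IP)
        except ValueError:
            why.append("X-Forwarded-For is not a single IP address")
    if SERIALIZED_OBJECT.search(value):
        why.append("session delimiter '|' followed by a serialized object header")
    if any(ord(ch) > 0xFFFF for ch in value):
        why.append("4-byte UTF-8 character of the kind a MySQL utf8 column truncates at")
    return why


def scan(rows):
    """Return (client IP, header, reasons) for every sample that should be rejected."""
    hits = []
    for ip, header, value in rows:
        why = reasons(header, value)
        if why:
            hits.append((ip, header, why))
    return hits
```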
7. Code patch
\libraries\joomla\session\session.php
// Record proxy forwarded for in the session in case we need it later
/*
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
*/
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) !== false)
{
    $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
}

// Check for client address
/*
if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']))
*/
if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']) && filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) !== false)
{
    $ip = $this->get('session.client.address');

    if ($ip === null)
    {
        $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);
    }
    elseif ($_SERVER['REMOTE_ADDR'] !== $ip)
    {
        $this->_state = 'error';

        return false;
    }
}

// Check for clients browser
if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))
{
    /*
    $browser = $this->get('session.client.browser');
    */
    $browser = "";

    if ($browser === null)
    {
        /*
        $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);
        */
        $this->set('session.client.browser', "");
    }
    elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser)
    {
        // @todo remove code: $this->_state = 'error';
        // @todo remove code: return false;
    }
}
Copyright (c) 2015 Little5ann All rights reserved