Shulou(Shulou.com)05/31 Report--

This article mainly introduces the relevant knowledge of "PHP deserialization native class instance analysis". The editor shows you the operation process through the actual case. The operation method is simple, fast and practical. I hope this article "PHP deserialization native class instance analysis" can help you solve the problem.

Analysis on the Utilization of php deserialization Native Class

If there is a deserialization function point in code audit or ctf, but can not construct a complete pop chain, then how should we break the situation? We can try to start with php native classes, php has some built-in magic methods, if we cleverly construct controllable parameters, trigger and use its built-in magic methods, it is possible to achieve some of our desired goals.

1. When the common magic method _ _ wakeup () / / executes unserialize (), the function _ _ sleep () / / executes serialize () first. This function _ _ destruct () / / triggers _ _ call () / / triggers _ _ call () / / triggers _ _ callStatic () / / triggers _ _ get () / / when calling an inaccessible method in a static context when the object is destroyed or this key does not exist. / / used to write data to the inaccessible attribute _ _ isset () / / trigger _ _ unset () / when calling isset () or empty () on an inaccessible attribute / / trigger _ _ toString () / when using unset () on an inaccessible attribute / / trigger _ _ invoke () when using an object as a string / / trigger when trying to call an object as a function. Magic methods in native classes

Let's use the following script to traverse the magic methods in all the native classes

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.