How to understand PHP deserialization vulnerabilities

2025-01-16 Update From: SLTechnology News&Howtos

Shulou(Shulou.com)05/31

This article gives a concise, easy-to-follow introduction to PHP deserialization vulnerabilities.

Serialization

Serialization is the process of converting an object's state information into a form that can be stored or transmitted. During serialization, the object writes its current state to temporary or persistent storage. Later, the object can be recreated by reading, or deserializing, its state from storage. [Save state information as a string]

Deserialization

Deserialization takes this state information back out and uses it (converting it back into an object or another value). [Convert a string back into state information]

Special writing method

Common functions

__FILE__ gets the current file path

show_source() displays the source code of a file

print_r() can output non-string values

Common magic methods

__construct() is called automatically when an object is created (new), but not when it is created by unserialize()

__destruct() is called automatically when an object is destroyed

__wakeup() is called automatically when the unserialize() function is used

__toString() is called automatically when an object is output as a string

Flag in ./flag.php

Readme

Check Code

First, the code defines a class in which __toString() is a magic method.

It concatenates the code in Readme.txt and in source and highlights it.

Next, it checks whether the GET parameters contain source.

If so, it creates an object s of the readme class and assigns the current file path to the source property of s.

Finally, it outputs s.

Then it checks whether the cookie contains todos.

If so, the todos string from the cookie is assigned to the variable c.

The variable h is the substring of c from the start to the 32nd character.

The variable m is the rest of c after the first 32 characters.

When the md5 hash of m is equal to h, the deserialized value of m is output.

Looping over todos and outputting each item triggers the __toString() method.

The Readme.txt filename is hard-coded, and only the variable source is controllable.

So the contents of flag.php can be returned by changing __FILE__ to flag.php.
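
The md5 comparison described above uses no secret key, so it cannot show that the cookie came from the server. The following is an added example, not the challenge's own code (which is not reproduced on this page): it reconstructs the cookie check from the description and sets it beside a hardened form. COOKIE_KEY, the function names and the sample todos are assumptions.

```php
<?php
// Added example; COOKIE_KEY and all function names are assumptions.
const COOKIE_KEY = 'placeholder-load-a-random-secret-from-server-config';

// Weak pattern, reconstructed from the walkthrough: md5 prefix + unserialize().
// md5 takes no key, so a client can recompute it for any body it sends.
function load_todos_weak(string $c)
{
    $h = substr($c, 0, 32);
    $m = substr($c, 32);
    return md5($m) === $h ? unserialize($m) : [];
}

// Hardened writer: data-only JSON body, prefixed with a keyed HMAC-SHA256.
function pack_todos(array $todos): string
{
    $m = json_encode(array_values($todos), JSON_THROW_ON_ERROR);
    return hash_hmac('sha256', $m, COOKIE_KEY) . $m;
}

// Hardened reader: verify the MAC in constant time before parsing anything.
function load_todos_hardened(string $c): array
{
    if (strlen($c) < 64) {
        return [];
    }
    $h = substr($c, 0, 64);
    $m = substr($c, 64);
    if (!hash_equals(hash_hmac('sha256', $m, COOKIE_KEY), $h)) {
        return [];                       // modified or client-built cookie
    }
    $todos = json_decode($m, true, 4, JSON_THROW_ON_ERROR);
    // Keep plain strings only, so no object with __toString() reaches output.
    return is_array($todos) ? array_values(array_filter($todos, 'is_string')) : [];
}

// Constructed demo: a client edits the body and recomputes the unkeyed hash.
// The weak check cannot tell this apart from a server-issued cookie.
$edited = serialize(['edited by client']);
var_dump(load_todos_weak(md5($edited) . $edited));

// A server-issued cookie round-trips through the hardened reader.
var_dump(load_todos_hardened(pack_todos(['buy milk'])));

// The same client edit with an unkeyed hash fails the HMAC comparison.
$body = json_encode(['edited by client']);
var_dump(load_todos_hardened(hash('sha256', $body) . $body));
```

If the stored format has to remain PHP-serialized, calling unserialize($m, ['allowed_classes' => false]) after the HMAC check keeps classes such as readme from being instantiated.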
