In addition to Weibo, there is also WeChat
Please pay attention
WeChat public account
Shulou
2025-04-01 Update From: SLTechnology News&Howtos shulou NAV: SLTechnology News&Howtos > Development >
Share
Shulou(Shulou.com)05/31 Report--
In this article Xiaobian for you to introduce in detail "PHP deserialization character escape how to achieve", the content is detailed, the steps are clear, the details are handled properly, I hope this "PHP deserialization character escape how to achieve" article can help you solve doubts, the following follow the editor's ideas slowly in-depth, together to learn new knowledge.
Essence: closure
Classification: more characters and fewer characters
What they have in common:
The string serialized by php is replaced or modified, resulting in a change in string length
Always serialize first, and then replace and modify
Increase in number of classification characters
Train of thought:
According to the format and characteristics of the serialized string, the number of characters identifies the length to be identified later.
To modify a property, you need to replace it, which can be controlled by passing in a string
To close the preceding double quotation marks, pass in the characters to be constructed later
But at this time, the length of the previous string does not match, and the construction is invalid.
Solution: according to the change of the length of the replacement character, extrude the constructed string into the length range and become the next part
(to fill the gap in the injected string with the length transformation at the time of replacement)
Tips:
It is judged that after each character filter, there will be x more than the original character.
Determine the length n of the target substring to be injected
The injection character repeats nstroke x times, with the injection character (the length of the construction code / the number of extra characters)
Example:
Goal: modify a value in the object, such as age to change to 20
The following part can be recorded as a template and output to have a look at it when you do the problem.
Var_dump (serialize ($user)); # serialize echo ""; $r = filter (serialize ($user)); # serialize var_dump after replacement ($r); var_dump (unserialize ($r)); # print deserialization
You can observe that each substitution changes p to ww, that is, one extra character each time.
This results in length allocation read errors and output errors when deserialization
Therefore, consider constructing character escape through the nature of its length reading.
To change 10 to 20, first determine the string to be constructed later:
Original string: "; iVO1TISRATION 2:" 10 ";} target substring:"; iVOLATIOSRANSRAN2: "20";}
Determine the length: 16 (that is, the incoming string needs 16 more characters to put these characters in the position of the next attribute)
One more character at a time, so 16 p is required
Therefore, it is introduced:
Result output:
Character reduction value escape
Value filtering, key and value after the value package (until the left parenthesis)
Example
Goal: age changed to 20
Similar to the above code, except that at this time, two p is replaced with a w, and the characters are reduced.
If the same value does not correspond, deserialization will fail.
Username: code needed to construct an escape
Age: constructing escape code
An is followed by the passed-in age string to calculate the construction length
That is, these 13 characters should be occupied.
Every 2 p changes to 1 w, which is equivalent to escaping one bit, so enter 13 "2" 26 p, the character length is identified as 26, become 13 w, and the last 13 characters account for the remaining 13 bits.
Payload:
Username='pppppppppppppppppppppppppp'age=A "; i 1: S 2:" 20 ";} read here, this article" how to achieve character escape of PHP deserialization "has been introduced. If you want to master the knowledge of this article, you still need to practice and use it before you can understand it. If you want to know more about related articles, please follow the industry information channel.
Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.
Views: 0
*The comments in the above article only represent the author's personal views and do not represent the views and positions of this website. If you have more insights, please feel free to contribute and share.
Continue with the installation of the previous hadoop.First, install zookooper1. Decompress zookoope
"Every 5-10 years, there's a rare product, a really special, very unusual product that's the most un
© 2024 shulou.com SLNews company. All rights reserved.