Shulou(Shulou.com)05/31 Report--

In this article Xiaobian for you to introduce in detail "PHP deserialization character escape how to achieve", the content is detailed, the steps are clear, the details are handled properly, I hope this "PHP deserialization character escape how to achieve" article can help you solve doubts, the following follow the editor's ideas slowly in-depth, together to learn new knowledge.

Essence: closure

Classification: more characters and fewer characters

What they have in common:

The string serialized by php is replaced or modified, resulting in a change in string length

Always serialize first, and then replace and modify

Increase in number of classification characters

Train of thought:

According to the format and characteristics of the serialized string, the number of characters identifies the length to be identified later.

To modify a property, you need to replace it, which can be controlled by passing in a string

To close the preceding double quotation marks, pass in the characters to be constructed later

But at this time, the length of the previous string does not match, and the construction is invalid.

Solution: according to the change of the length of the replacement character, extrude the constructed string into the length range and become the next part

(to fill the gap in the injected string with the length transformation at the time of replacement)

Tips:

It is judged that after each character filter, there will be x more than the original character.

Determine the length n of the target substring to be injected

The injection character repeats nstroke x times, with the injection character (the length of the construction code / the number of extra characters)

Example:

Goal: modify a value in the object, such as age to change to 20

The following part can be recorded as a template and output to have a look at it when you do the problem.

Var_dump (serialize ($user)); # serialize echo ""; $r = filter (serialize ($user)); # serialize var_dump after replacement ($r); var_dump (unserialize ($r)); # print deserialization

You can observe that each substitution changes p to ww, that is, one extra character each time.

This results in length allocation read errors and output errors when deserialization

Therefore, consider constructing character escape through the nature of its length reading.

To change 10 to 20, first determine the string to be constructed later:

Original string: "; iVO1TISRATION 2:" 10 ";} target substring:"; iVOLATIOSRANSRAN2: "20";}

Determine the length: 16 (that is, the incoming string needs 16 more characters to put these characters in the position of the next attribute)

One more character at a time, so 16 p is required

Therefore, it is introduced:

Result output:

Character reduction value escape

Value filtering, key and value after the value package (until the left parenthesis)

Example

Goal: age changed to 20

Similar to the above code, except that at this time, two p is replaced with a w, and the characters are reduced.

If the same value does not correspond, deserialization will fail.

Username: code needed to construct an escape

Age: constructing escape code

An is followed by the passed-in age string to calculate the construction length

That is, these 13 characters should be occupied.

Every 2 p changes to 1 w, which is equivalent to escaping one bit, so enter 13 "2" 26 p, the character length is identified as 26, become 13 w, and the last 13 characters account for the remaining 13 bits.

Payload:

Username='pppppppppppppppppppppppppp'age=A "; i 1: S 2:" 20 ";} read here, this article" how to achieve character escape of PHP deserialization "has been introduced. If you want to master the knowledge of this article, you still need to practice and use it before you can understand it. If you want to know more about related articles, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.