Shulou(Shulou.com)06/01 Report--

This article mainly introduces "the principle of PHP deserialization". In daily operation, I believe many people have doubts about the principle of PHP deserialization. The editor consulted all kinds of data and sorted out simple and easy-to-use methods of operation. I hope it will be helpful to answer the doubts about "the principle of PHP deserialization". Next, please follow the editor to study!

First of all, look at a picture.

PHP deserialization principle: the serialization string entered by the user is not detected, so that the attacker can control the deserialization process, resulting in uncontrollable consequences such as code execution, SQL injection, directory traversal and so on. Some magic methods are automatically triggered during deserialization. When deserialization occurs, it is possible to trigger some magic methods in the object.

Serialize () / / converts an object into a string

Unserialize () / / restore the string to an object

Deserialization is divided into classful and classless

Let's first look at serialized data, that is, serialized strings.

The picture above first.

Let's take a look at the picture above.

SRV 8: "chixigua" s

S for string, 8 for length "chixigua" for value

In classless, he called unserialize () to restore the string to an object without filtering. We can observe its code and construct payload for sql injection, code execution, getshell, directory traversal, etc., mainly depends on his code, his code has sql statements to receive serialized strings, which will lead to deserialization sql injection. The same is true of other vulnerabilities, mainly depends on the code to identify the harm.

Deserialization is also a required test for our interview, so it is still very important.

In the mind map, we mentioned that in the case of class, we will design all kinds of magic methods.

First of all, let's introduce various magic methods.

_ _ construct ()

Classes with constructors call this method every time a new object is created, so it is ideal for doing some initialization work before using the object.

_ _ destruct ()

The destructor executes when all references to an object are deleted or when the object is explicitly destroyed.

In other words, when deserialization occurs, the process of creating a new object from the string is completed. _ _ construct () is called at the beginning, and _ _ destruct () is called when the object is destroyed, such as when the program exits.

Trigger: the variable of the unserialize function is controllable, there are classes available in the file, and there are magic methods in the classes:

Reference: official documentation section on magic methods

Triggered when _ _ construct () / / creates an object

Triggered when _ _ destruct () / / object is destroyed

_ _ call () / / triggered when an inaccessible method is called in the object context

Triggered when an inaccessible method is called in a static context

_ _ get () / / used to read data from inaccessible attributes

_ _ set () / / used to write data to inaccessible attributes

_ _ isset () / / trigger by calling isset () or empty () on an inaccessible attribute

Triggered when unset () is used on an inaccessible attribute

_ _ invoke () / / triggered when a script attempts to call an object as a function

Next, let's look at a magic method php code.

First, analyze the code and create a class.

There are three magic tricks in it.

We see that the result first outputs the 'called constructor'. Why is this string of code in the magic method executed? This is because we instantiate a class, that is, create a new object, trigger the code in the _ _ construct () method, and then output the 'awakening function called' when the anti-sequence speech function is executed, it will first detect that the _ _ wakeup () method has the method, which will first execute the code in this method.

Refer to this picture in detail

You can play with the deserialization problem in the Qinglong Cup of Wangding last year. I'll write down the idea of solving the problem.

The problem of php deserialization of Qinglong formation in Wangding Cup

First, ctf naming and code function unserialize determines deserialization knowledge points first: get flag storage flag.php second: two magic methods _ _ destruct _ _ construct third: trigger destruct after transmitting str parameter data, store is_valid filtering fourth: _ _ destruct will call process, in which op=1 writing and op=2 reading fifth: involving object FileHandler, variables op and filename,content to construct output

**

Involved: deserialization of magic method calls, weak type bypass, ascii bypass using this class to read flag, in which only the _ _ destruct function (destructor) can be used. The _ _ destruct function judges $this- > op and assigns the content to 1 in the 2-character string. Use = = to judge $this- > op in the 2-string function (only the content can be read if it is 2). Therefore, there is a weak type comparison, which can be bypassed by the number 2 or the string'2'. The is_valid function also validates the serialized string because the member is decorated with protected, so a character with an ascii of 0 appears in the serialized string. After testing, in the environment of PHP7.2+, the members are decorated and serialized with public, and the members are also decorated by public overrides after deserialization. At this point, the study of "the principle of PHP deserialization" is over. I hope to be able to solve your doubts. The collocation of theory and practice can better help you learn, go and try it! If you want to continue to learn more related knowledge, please continue to follow the website, the editor will continue to work hard to bring you more practical articles!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.