
The concept of php serialization and deserialization

2025-01-18 Update From: SLTechnology News&Howtos


Shulou(Shulou.com)06/01 Report--

This article introduces the concept of PHP serialization and deserialization. Many people run into difficulties with it when working through real cases, so let's walk through how to deal with these situations. I hope you read it carefully and get something out of it!

What is serialization and deserialization?

Serialization (and deserialization) gives us an easy way to pass objects around. serialize() converts an object into a string, and unserialize() restores the string to an object. In PHP applications, serialization and deserialization are generally used for caching, such as session caches, cookies, and so on.

Serialization

Serialization is the process of converting a variable into a string that can be saved or transferred; in PHP, an object of a class is serialized with the serialize() function. Here is a piece of PHP serialization code that you can understand through its comments.

Serialization run result

The result of serialization: O:8:"LessSafe":2:{s:4:"name";s:8:"LessSafe";s:3:"age";i:2;}

O means the value is an object, 8 is the length of the object name LessSafe, and 2 is the number of attributes inside {}; the braces hold the object's attributes. In the first attribute, s is the type string, 4 is the length of the attribute name, and name is the attribute name (attribute names are strings and are written in double quotes). A semicolon separates the name from the attribute's value, where s is the value type string, 8 is the length, and LessSafe is the value. The age attribute is similar to the name attribute, except that the value's data type is integer i and the value is 2.
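The format described above can be reproduced with a short script. This is an added example, not the article's original code; it goes slightly beyond the two public attributes in the string above by adding a protected and a private attribute (the names $file and $secret and the helper functions are assumptions) to show how non-public attribute names are written with NUL bytes.

```php
<?php
// Added example, not the article's original code. $name and $age mirror the
// string shown above; $file and $secret are constructed to show how
// non-public attributes are written.
class LessSafe
{
    public $name = 'LessSafe';
    public $age = 2;
    protected $file = 'index.php';
    private $secret = 'x';
}

// Make the NUL bytes in a serialized string or attribute name visible.
function visible(string $raw): string
{
    return str_replace("\0", '\0', $raw);
}

// List each attribute as PHP stores it: the array cast exposes the same
// mangled names that serialize() writes ("\0*\0" prefix for protected,
// "\0ClassName\0" prefix for private).
function attribute_table(object $o): array
{
    $rows = [];
    foreach ((array) $o as $key => $value) {
        $rows[] = sprintf('%-22s len=%-2d type=%s',
            visible((string) $key), strlen((string) $key), gettype($value));
    }
    return $rows;
}

$obj = new LessSafe();
$serialized = serialize($obj);

echo visible($serialized), PHP_EOL;
echo implode(PHP_EOL, attribute_table($obj)), PHP_EOL;

// Round trip: unserialize() rebuilds an equal object from the string.
var_dump(unserialize($serialized) == $obj);
```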

Deserialization

Here, I pass the serialization result above to the server for processing and view the printed result.

http://192.168.75.138/fxlh.php?H=O:8:"LessSafe":2:{s:4:"name";s:8:"LessSafe";s:3:"age";i:2;}

Magic function

Before we introduce deserialization, we need to understand the magic functions: __construct is called when an object is created (constructor); __destruct is called when an object is destroyed (destructor); __toString is called when an object is used as a string; when serializing an object, PHP calls the __sleep method (if it exists); and when deserializing, PHP calls the __wakeup method (if it exists).

The following is a case where __construct, __destruct and __toString are called

The following is a case where __sleep is called

The following is a case where __wakeup is called
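The call order of these magic functions can be observed with one script. This is an added example, not the article's original code; the Tracer class and its attributes are constructed for illustration. Note that unserialize() invokes __wakeup and later __destruct on the rebuilt object but never __construct, which is why those two methods matter when the input string is not trusted.

```php
<?php
// Added example, not the article's original code: a constructed class that
// records every magic method PHP invokes on it.
class Tracer
{
    public static $calls = [];
    public $name;
    public $handle = 'runtime-only';

    public function __construct(string $name)
    {
        $this->name = $name;
        self::$calls[] = '__construct';
    }
    public function __toString(): string
    {
        self::$calls[] = '__toString';
        return $this->name;
    }
    public function __sleep(): array
    {
        self::$calls[] = '__sleep';
        return ['name'];             // only $name is written to the string
    }
    public function __wakeup(): void
    {
        self::$calls[] = '__wakeup';
        $this->handle = 'restored';  // re-create state that was not serialized
    }
    public function __destruct()
    {
        self::$calls[] = '__destruct';
    }
}

$obj  = new Tracer('LessSafe');  // triggers __construct
$text = 'name: ' . $obj;         // triggers __toString
$data = serialize($obj);         // triggers __sleep
$copy = unserialize($data);      // triggers __wakeup, not __construct
unset($obj, $copy);              // triggers __destruct once per object

echo $data, PHP_EOL;
echo implode(' -> ', Tracer::$calls), PHP_EOL;
```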

A CTF question to help you understand the deserialization vulnerability

CTF source code

The following is a simple CTF question I wrote. The test code has a LessSafe class with one variable and two magic functions. The key to this question is the __destruct magic function; the file name is also controllable, which leads to a deserialization vulnerability that can read the content of flag.php. There are two difficulties in this question: 1. you need to bypass __wakeup; 2. you need to bypass the protected attribute of $file.

The straightforward payload

http://192.168.75.146/ctf/index.php?file=O:8:"LessSafe":1:{s:4:"file";s:8:"flag.php";}

After constructing the above payload, we find that the flag.php file is not read. This is because the LessSafe class has a __wakeup magic function, which is executed when unserialize is used and sets $file='index.php'.

__wakeup bypass

When constructing the serialized string, you can bypass __wakeup if the number of attributes declared for the object is greater than the number of attributes it actually has.

http://192.168.75.146/ctf/index.php?file=O:8:"LessSafe":2:{s:4:"file";s:8:"flag.php";}

Change the number of attributes to 2 and test the payload.

What?? Do you have a lot of question marks?

Well, reading the source code carefully, you find that the $file attribute is declared protected; after some study, you find a way to bypass protected.

Protected bypass

After some study, we get the final payload

http://192.168.75.146/ctf/index.php?file=O:8:"LessSafe":2:{S:7:"\00*\00file";s:8:"flag.php";}

\00 is the escaped form of the byte with value 0, and the uppercase S means the string is written in this escaped binary representation.

Finally got the flag.
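Seen from the defending side, the chain above depends on request data reaching unserialize() with class instantiation allowed. This added example (not the article's CTF source, which this page does not reproduce) shows two ways to close that path: decoding with allowed_classes set to false, and authenticating server-issued state with an HMAC before using it. LessSafe here is a constructed stand-in whose destructor only counts calls, and KEY, decode_untrusted, seal and open_sealed are hypothetical names.

```php
<?php
// Added example. LessSafe is a constructed stand-in: its destructor only
// records that it ran, instead of reading a file.
class LessSafe
{
    public static $destructed = 0;
    protected $file = 'index.php';
    public function __destruct()
    {
        self::$destructed++;
    }
}

const KEY = 'constructed-demo-key'; // assumption: a server-side secret

// Option 1: request data is decoded without instantiating any class.
function decode_untrusted(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// Option 2: state issued by the server is authenticated before it is used.
function seal(string $payload): string
{
    return hash_hmac('sha256', $payload, KEY) . ':' . $payload;
}

function open_sealed(string $token): ?string
{
    $parts = explode(':', $token, 2);
    if (count($parts) !== 2) {
        return null;
    }
    return hash_equals(hash_hmac('sha256', $parts[1], KEY), $parts[0]) ? $parts[1] : null;
}

// The first payload from the article, passed through option 1.
$input = 'O:8:"LessSafe":1:{s:4:"file";s:8:"flag.php";}';
$value = decode_untrusted($input);
var_dump(get_class($value));      // class of the decoded value
unset($value);
var_dump(LessSafe::$destructed);  // number of LessSafe destructor calls

// Option 2 with an untampered and a tampered token.
$token = seal(json_encode(['file' => 'index.php']));
var_dump(open_sealed($token));
var_dump(open_sealed(str_replace('index', 'other', $token)));
```

With allowed_classes set to false the payload decodes to a __PHP_Incomplete_Class placeholder, so no LessSafe magic method runs on it.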
