Shulou(Shulou.com)06/01 Report--

This article introduces the knowledge of "the difference between PHP serialization and deserialization syntax". Many people will encounter this dilemma in the operation of actual cases, so let the editor lead you to learn how to deal with these situations. I hope you can read it carefully and be able to achieve something!

Introduction

PHP serialization and deserialization are described in the official documentation as follows:

All values in php can be represented by using the function serialize () to return a string containing a stream of bytes. The unserialize () function can change the string back to the original value of php. Serializing an object will save all the variables of the object, but not the method of the object, only the name of the class. In order to unserialize () an object, the class of that object must have been defined. If you serialize an object of class A, a string associated with class An and containing the values of all variables of the object will be returned.

To put it simply, serialization is the process of converting a string by an object, and deserialization is the process of restoring an object by a string.

Environment

The content described in this article is used in the following environment:

PHP7.3.1, SDKVSCodeC++ and C

Reference for environment configuration suggestions: "debugging PHP7 source code with VSCODE under WINDOWS" the https://www.jianshu.com/p/29bc0443***6( author found the most complete version after several hours of trying)

It is very detailed to expose the execution process of parameter deserialization on the Internet, but there are some deficiencies in some details, including the syntax difference between serialization and deserialization.

Difference problem serialization

By compiling the PHP kernel source code analysis, we found that PHP serialization adds: {and} to concatenate strings in the object conversion by default.

[var.c] Line:882static void php_var_serialize_intern () Line:896if (ce- > serialize (struc, & serialized_data, & serialized_length, (zend_serialize_data *) var_hash) = SUCCESS) {smart_str_appendl (buf, "C:", 2); smart_str_append_unsigned (buf, ZSTR_LEN (Z_OBJCE_P (struc)-> name)) Smart_str_appendl (buf, ":\", 2); smart_str_append (buf, Z_OBJCE_P (struc)-> name); smart_str_appendl (buf, "\": ", 2); smart_str_append_unsigned (buf, serialized_length) Smart_str_appendl (buf, ": {", 2); smart_str_appendl (buf, (char *) serialized_data, serialized_length); smart_str_appendc (buf,'}');} Line:952smart_str_appendl (buf, ": {", 2) Line:995smart_str_appendc (buf,'}')

Taking a look at the above code, PHP uses smart_str_appendl to concatenate the serialized string: {and}, starting at line 882 of var.c to enter the serialization logic. Serialize the string concatenation at line 896, lines 952 and 995, and concatenate the embedded method.

Deserialization

Deserialization is to convert and restore serialized strings according to certain grammatical rules.

[var_unserialize.c] Line:655static int php_var_unserialize_internal () Line:674 {YYCTYPE yych Static const unsigned char yybm [] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 128, 128, 128, 128, 128, 128, 128, 128, 128, 128, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,} If ((YYLIMIT-YYCURSOR))

< 7) YYFILL(7); yych = *YYCURSOR; switch (yych) { case 'C': case 'O': goto yy4; case 'N': goto yy5; case 'R': goto yy6; case 'S': goto yy7; case 'a': goto yy8; case 'b': goto yy9; case 'd': goto yy10; case 'i': goto yy11; case 'o': goto yy12; case 'r': goto yy13; case 's': goto yy14; case '}': goto yy15; default: goto yy2; }Line:776yy15: ++YYCURSOR; { /* this is the case where we have less data than planned */ php_error_docref(NULL, E_NOTICE, "Unexpected end of serialized data"); return 0; /* not sure if it should be 0 or 1 here? */} 通过内核代码能够看到第655行进入反序列化，反序列化是利用词法扫描，判断各项符号转换对应对象。能够看到反序列化中对于}进行了处理，处理中只是对计数器加一并没有其他操作。 实际作用 反序列化语法的差异，对于安全防护设备判断反序列化产生很大的影响。在Snort中，有段规则如下： alert tcp any any ->

Any [80Magne8080443] (uricontent: ".php"; pcre: "/\ {\ wblo.pig?\} /"; sid:1; msg:php_serialize;)

Most characters can be used instead of {} in the attack payload, resulting in rule invalidation.

So much for the content of "differences between PHP serialization and deserialization syntax". Thank you for reading. If you want to know more about the industry, you can follow the website, the editor will output more high-quality practical articles for you!

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.