
Case Analysis of PHP deserialization vulnerability

2025-01-16 Update From: SLTechnology News&Howtos shulou


Shulou(Shulou.com)06/01 Report--

This article introduces the background knowledge behind "PHP deserialization vulnerability case analysis". Many people run into this kind of problem when working through real cases, so the editor will walk you through how to handle these situations. I hope you read it carefully and get something out of it!

1. PHP object-oriented programming

In object-oriented programming (OOP), an object is a whole made up of information together with the description of how that information is processed; it is an abstraction of something in the real world.

A class is a collection of objects that share the same structure and behavior. The definition of each class begins with the keyword class followed by the name of the class.

Create a PHP class:

public, protected, private

PHP controls access to properties and methods by prefixing them with the keywords public, protected or private.

Public (public): public class members can be accessed anywhere.

Protected (protected): protected class members can be accessed by themselves as well as by their subclasses and parents.

Private (private): private class members can only be accessed by the class in which they are defined.

Note: the access modifier changes how the property name is stored in the serialized string, and therefore the length prefix in front of it, as shown below:

Public: the property is serialized under its plain property name

Protected: the property is serialized under the name \x00*\x00propertyname

Private: the property is serialized under the name \x00ClassName\x00propertyname

Here \x00 is a NUL byte: it is invisible when printed, but it still occupies one character position and is counted in the length prefix, as in the following example
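The class behind the serialized People string that follows, as an added example (not the article's code): it prints the serialized form with the NUL bytes made visible and decodes each raw key back to its visibility, owning class and declared name, so the s:N lengths can be checked byte by byte.

```php
<?php
// Added example: how access modifiers change the serialized property name
// and its byte length. Property values mirror the article's People example.
class People
{
    public $id = 'Hardworking666';
    protected $gender = 'male';
    private $age = '18';
}

// Make the NUL bytes visible when printing the serialized string.
function showNul(string $s): string
{
    return str_replace("\0", '\x00', $s);
}

// Recover visibility, owning class and declared name from a raw
// (possibly mangled) property key as it appears in the serialized data.
function decodeKey(string $key): array
{
    if ($key === '' || $key[0] !== "\0") {
        return ['visibility' => 'public', 'class' => null, 'name' => $key];
    }
    [$scope, $name] = explode("\0", substr($key, 1), 2);
    return $scope === '*'
        ? ['visibility' => 'protected', 'class' => null, 'name' => $name]
        : ['visibility' => 'private', 'class' => $scope, 'name' => $name];
}

echo showNul(serialize(new People())), PHP_EOL;

// Casting the object to an array keeps the mangled keys, which is exactly
// what the s:N length prefix in the payload counts (NUL bytes included).
foreach ((array) new People() as $rawKey => $value) {
    $info = decodeKey($rawKey);
    printf("%-9s len=%2d %s%s\n",
        $info['visibility'],
        strlen($rawKey),
        $info['class'] !== null ? $info['class'] . '::' : '',
        $info['name']);
}
```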

O:6:"People":3:{s:2:"id";s:14:"Hardworking666";s:9:"\x00*\x00gender";s:4:"male";s:11:"\x00People\x00age";s:2:"18";}

Magic method (magic function)

A method that begins with two underscores in PHP is called a magic method (Magic methods)

PHP official-Magic method

Detailed explanation of 16 Magic methods in PHP

Classes may contain some special functions: magic functions, which are called automatically in some cases.

__construct() // the class constructor, triggered when the object is created

__destruct() // the class destructor, triggered when the object is destroyed

__call() // triggered when an inaccessible method is called in object context

__callStatic() // triggered when an inaccessible method is called in static context

__get() // triggered when the value of an inaccessible property is read ("inaccessible" here covers private as well as undefined properties)

__set() // triggered when a value is assigned to an inaccessible property

__isset() // triggered when isset() or empty() is called on an inaccessible property

__unset() // triggered when unset() is used on an inaccessible property

__invoke() // triggered when the object is called as if it were a function

__sleep() // executed when serialize() is called

__wakeup() // executed when unserialize() is called

__toString() // called automatically when the object is output in a template (i.e. converted to a string)

The serialize() function checks whether the class defines the magic method __sleep(); if it does, that method is called before the serialization is performed.

We need to focus on five magic methods, so they are worth repeating:

__construct: constructor, called when an object is created

__destruct: destructor, called when an object is destroyed

__toString: called when an object is used as a string

__sleep: called when the object is serialized

__wakeup: called when the object is "woken up", that is, when an object is rebuilt from its serialized string (called when an object is deserialized)

The execution of these functions from serialization to deserialization is as follows:

__construct() -> __sleep() -> __wakeup() -> __toString() -> __destruct()

Output result:

__constructThis is a string__toString__destruct
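The call order listed above, traced end to end as an added example (not the article's code): a Tracer class records every magic method that fires across construction, serialize(), unserialize(), string conversion and destruction. Note that unserialize() rebuilds the object without running __construct(), which is why __wakeup() is the hook a defender has to reason about.

```php
<?php
// Added example: record which magic methods fire, and in what order,
// from construction through serialize()/unserialize() to destruction.
class Tracer
{
    public $name = 'demo';
    public static array $log = [];

    public function __construct()        { self::$log[] = '__construct'; }
    public function __sleep(): array     { self::$log[] = '__sleep'; return ['name']; }
    public function __wakeup(): void     { self::$log[] = '__wakeup'; }
    public function __toString(): string { self::$log[] = '__toString'; return $this->name; }
    public function __destruct()         { self::$log[] = '__destruct'; }
}

function runTrace(): array
{
    Tracer::$log = [];
    $obj  = new Tracer();        // __construct
    $data = serialize($obj);     // __sleep (decides which properties are stored)
    $copy = unserialize($data);  // __wakeup only; __construct is NOT run again
    $s    = (string) $copy;      // __toString
    unset($obj, $copy);          // __destruct for both instances
    return Tracer::$log;
}

echo implode(' -> ', runTrace()), PHP_EOL;
```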

Many different operations can trigger the magic method __toString(), so it is worth listing them:

1. echo($obj) / print($obj)

2. when the deserialized object is concatenated with a string

3. when the deserialized object takes part in string formatting

4. when the deserialized object is compared with a string (PHP converts parameter types when comparing with a string)

5. when the deserialized object takes part in formatting an SQL statement, for example when binding parameters

6. when the deserialized object is passed to PHP string-processing functions such as strlen(), strpos(), strcmp(), addslashes(), etc.

7. in in_array(), when the first parameter is the deserialized object and the array in the second parameter contains a string equal to what __toString() returns, __toString() is called

8. when the deserialized object is used as the parameter of class_exists()

The role of Magic methods in deserialization attacks

The entry point for deserialization is unserialize(). As long as its parameter is attacker-controllable, any serialized object can be passed in, provided the class exists in the current scope; it is not limited to the class in which the unserialize() call appears.

If it were limited to the current class, the attack surface would be very small: deserializing objects of other classes only lets you control their properties, and if the code following the deserialization never calls methods on those objects, the vulnerability cannot be exploited.

The magic methods, however, widen the attack surface: they run automatically during serialization or deserialization, so the properties of a deserialized object can be used to steer whatever those methods do and thereby reach the attacker's goal.
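The same payload handled two ways, as an added example (not the article's code): an unrestricted unserialize() call lets __wakeup() run with attacker-chosen property values, while the hardened call with allowed_classes => false restores objects as __PHP_Incomplete_Class so no magic method executes. The AuditLogger class and its file path are constructed for illustration.

```php
<?php
// Added example: vulnerable vs. hardened handling of untrusted serialized data.
class AuditLogger
{
    public $file = '/tmp/audit.log';   // constructed placeholder path

    public function __wakeup(): void
    {
        // Any side effect here runs as soon as unserialize() sees this class.
        echo "[__wakeup] would touch {$this->file}\n";
    }
}

// Constructed input standing in for an untrusted cookie or POST field.
$payload = serialize(new AuditLogger());

// Vulnerable pattern: every class in scope may be instantiated, so
// __wakeup() (and later __destruct()) run with attacker-controlled properties.
function unsafeLoad(string $data)
{
    return unserialize($data);
}

// Hardened pattern: no class may be instantiated. Objects come back as
// __PHP_Incomplete_Class, so no magic method ever executes; reject them.
function safeLoad(string $data)
{
    $value = unserialize($data, ['allowed_classes' => false]);
    if ($value instanceof __PHP_Incomplete_Class) {
        throw new UnexpectedValueException('object payload rejected');
    }
    return $value;
}

// Preferred for plain data: a format with no object semantics at all.
function loadJson(string $data): array
{
    return json_decode($data, true, 512, JSON_THROW_ON_ERROR);
}

unsafeLoad($payload);                    // prints the __wakeup line
try {
    safeLoad($payload);                  // no output from __wakeup
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
var_dump(loadJson('{"file":"/tmp/audit.log"}'));
```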

The following example shows the role magic methods play in deserialization vulnerabilities. The code is as follows:

II. PHP serialization and deserialization

PHP serialization

Sometimes an object needs to be transmitted over the network. To make transmission easier, the whole object is converted into a string, and then restored to the original object when it reaches the other end. This process is called serialization.

JSON data uses , to separate items and : to separate a key from its value within an item.

JSON data is essentially an array, and the point of this format is to make it easy to pass data between the front end and the back end. When the back end receives JSON data, it can recover the original data with json_decode().

This process of "compressing" the original data by some means and storing it in a fixed format can be called serialization.

There are two situations in which an object must be serialized:

Transfer an object over the network

Write objects to a file or database

For related concepts, please refer to my previous article:

Detailed description of Python serialization and deserialization (including json and json module details)

PHP serialization: converts an object to a binary string, using the serialize () function

PHP deserialization: converts binary strings converted by objects into objects, using the unserialize () function

Look at the serialized format of PHP through an example:

Output result:

User Hardworking666 is 18 years old.O:4:"User":2:{s:3:"age";i:18;s:4:"name";s:14:"Hardworking666";}

The part O:4:"User":2:{s:3:"age";i:18;s:4:"name";s:14:"Hardworking666";} is the serialized form of the object user.

"O" indicates an object, "4" is the length of the class name, "User" is the class name, and "2" indicates that there are two members.

"{}" encloses the keys and values of the members.

"s" denotes a string, "3" its length and "age" the key; "i" denotes an integer and "18" its value; the remaining members follow the same pattern.

Serialization format:

a - array

b - boolean

d - double (floating point)

i - integer

o - common object

r - object reference

s - non-escaped binary string

S - escaped binary string

C - custom object

O - class object

N - null

R - pointer reference

U - unicode string

Note the following points for PHP serialization:

1. Serialization stores only properties, never methods

2. Because methods are not serialized, using the object normally after deserialization depends on the class being present in the current scope

3. The only thing we can control is the properties of the class. An attack therefore consists of finding suitable controllable properties and using methods that already exist in the scope to act on those properties.

PHP deserialization

Deserialize the above example:
