当前位置:网站首页>[security attack and Defense] how much do you know about serialization and deserialization?
[security attack and Defense] how much do you know about serialization and deserialization?
2022-07-04 04:30:00 【InfoQ】
1. Serialization and deserialization
First, we need to understand the definition of serialization and deserialization , And the basic functions used in serialization and deserialization .
serialize : The process of converting an object into a sequence of bytes is called object serialization , Equivalent to archiving in the game .
PHP Serialization function in
serialize()**serialize()** Function for serialization
object or
Array , And return a string .
serialize()
Function serializes the object , It can be easily passed to other places that need it , And its
The type and structure will not change
.
Example :
<?php
highlight_file(__FILE__);
$sites=array('I', 'Like', 'PHP');
echo'<br/>';
var_dump(serialize($sites)); // Serialize this object
echo'<br/>';
classman{
public$name="xiaocui";
public$sex="man";
private$age=26;
}
$M=newman();// Create an object
var_dump(serialize($M)); // Serialize this object
?>
The output is :
string(47) "a:3:{i:0;s:1:"I";i:1;s:4:"Like";i:2;s:3:"PHP";}"
string(79) "O:3:"man":3:{s:4:"name";s:7:"xiaocui";s:3:"sex";s:3:"man";s:8:"manage";i:26;}"
Parameter description :
Serialization of arrays :
a Represents an array
3 There are... In the representative array 3 Elements
i Subscripts representing arrays
0 representative I Subscript value of element
s Representative elements I The data type of is character type
1 Representative elements I The length of is 1
object serialization :
O Representation is an object
3 Represents the class name man The length of
3 Represents the number of fields in the class
s Representative attribute name The type of is character type
4 Representative attribute name The length of
// And so on , Serialize the field contents in the string with { Start ,;} end
Deserialization : The process of restoring a byte sequence to an object is called deserialization of the object , Equivalent to reading files in the game .
【 Help safe learning , All resources are obtained from one by one 】
① Network Security Learning Route
②20 Penetration test ebook
③ Safe attack and defense 357 Page notes
④50 A security attack and defense interview guide
⑤ Safety red team penetration Kit
⑥ information gathering 80 Search syntax
⑦100 Three actual cases of vulnerability
⑧ Internal video resources of the safety factory
⑨ Calendar year CTF Analysis of the flag race
PHP Deserialization function in
unserialize()**unserialize()** Function is used to restore the serialized string to
The original array or object The process of .**unserialize()** Function can quickly restore the serialized string , Used to complete its original function .
Sample code :
<?php
highlight_file(__FILE__);
$sites=array('I', 'Like', 'PHP');
echo'<br/>';
echo$ser=serialize($sites).'<br/>'; // Serialize this object
var_dump(unserialize($ser)); // Deserialize the serialized string
echo'<br/>';
classman{
public$name="xiaocui";
public$sex="man";
private$age=26;
}
$M=newman();// Create an object
echo$ser=serialize($M).'<br/>'; // Serialize this object
var_dump(unserialize($ser)); // Deserialize the serialized string
?>
The output is :
a:3:{i:0;s:1:"I";i:1;s:4:"Like";i:2;s:3:"PHP";}
array(3) { [0]=>string(1) "I"[1]=>string(4) "Like"[2]=>string(3) "PHP"}
O:3:"man":3:{s:4:"name";s:7:"xiaocui";s:3:"sex";s:3:"man";s:8:"manage";i:26;}
object(man)#2 (3) { ["name"]=> string(7) "xiaocui" ["sex"]=> string(3) "man" ["age":"man":private]=> int(26) }
You can see the array or object deserialized above , There is no change with the original data .
The role of serialization and deserialization in the system
① Put the byte sequence of the object permanently on disk , It can be called at any time when necessary , Greatly save disk space .
② Byte sequence can be directly transmitted during transmission , Not the object , This can greatly improve the transmission rate .
In the business system , Some objects need to be serialized and stored , Get them out of memory space , In a file , For persistent storage . for example : When the user registers and logs into the system , User information such as user name , password ,cookie Wait for information to be stored through serialization , When the user logs in again, the serialized byte sequence is deserialized into the original object and used in memory , It can greatly save memory overhead .
2. Magic methods
PHP Put all in
__( Two underscores ) Class methods at the beginning remain magic methods . So when defining a class method , In addition to the above magic methods , It is not recommended that
__ The prefix .
PHP Common magic methods in
__construct()
have
__construct
The class of the function will call this method first every time a new object is created , It's suitable to do some initialization work before using objects .
Code example :
<?php
highlight_file(__FILE__);
classdemo{
public$name="xiaocui";
public$sex="man";
private$age=26;
publicfunction__construct()
{
echo"<br/>"." Call me when the class is instantiated !";
}
}
$D=newdemo(); // Instantiate objects
?>
Output results :
Call me when the class is instantiated !
__destruct()
This function will be executed when all references to an object are deleted or when the object is destroyed
Code example :
<?php
highlight_file(__FILE__);
class demo{
public $name="xiaocui";
public $sex="man";
private $age=26;
public function __construct()
{
echo "<br/>"." Call me when the class is instantiated !"."<br/>";
}
public function num($a,$b){
echo $c = $a + $b.'<br/>';
return $c;
}
public function __destruct(){
echo " Call me when all the methods in the class are destroyed !";
}
public function person($per){
echo "We are $per !!!".'<br/>';
}
}
$D=new demo(); // Instantiate objects
$D->num(5,6); // call num() Method
$D->person(man); // call person() Method
?>
Output results :
Call me when the class is instantiated !
11
Weareman!!!
Call me when all the methods in the class are destroyed !
The above output results can directly see the execution order of the code :
__construct()=>
num(5,6)=>
person(nanren)=>
__destruct() When instantiating an object, first execute the construction method
__construct(), Then, execute the instance in the class
num()、
person(), When all methods are executed and destroyed , Finally, call the destructor method
__destruct().
__wakeup()
In the use of
unserialize() when , Will check if there is one
__wakeup() Magic methods . If there is , Then the method will be called first , Prepare resources needed for objects in advance .
Code example :
<?php
highlight_file(__FILE__);
classdemo{
public$name="xiaocui";
protected$sex="man";
private$age=26;
publicfunction__construct()
{
echo"<br/>"." Call me when the class is instantiated !"."<br/>";
}
publicfunction__destruct(){
echo"<br/>"." Call me when all the methods in the class are destroyed !"."<br/>";
}
publicfunction__wakeup()
{
echo"<br/>"." When the sequence is reversed, first call me !".'<br/>';
}
}
$D=newdemo(); // Instantiate objects
echo$ser=serialize($D); // Serializing objects $D
var_dump(unserialize($ser)); // Deserialize string $ser
?>
Output results :
because
$age For private property , White space characters will be added before and after serialization %00, The original character length is 7, If you add white space characters on both sides, the character length will become 9
Call me when the class is instantiated !
O:4:"demo":3:{s:4:"name";s:7:"xiaocui";s:6:"*sex";s:3:"man";s:9:"demoage";i:26;}
Call me when the sequence is reversed !
object(demo)#2
(3) { ["name"]=> string(7) "xiaocui" ["sex":protected]=>
string(3) "man" ["age":"demo":private]=> int(26) }
Call me when all the methods in the class are destroyed !
Call me when all the methods in the class are destroyed !
The above output results can directly see the execution order of the code :
__construct()=>
serialize($D)=>
__wakeup()=>
unserialize($ser)=>
__destruct()=>
__destruct() When instantiating an object, first execute the construction method
__construct(), Then the serialization is performed
serialize($D), Then, before deserialization, execute
__wakeup() Method , Then perform deserialization
unserialize($ser), When all methods are executed and destroyed, execute finally
__destruct() destructor , After deserialization, the original serialized string is restored and executed again
__destruct().
__toString()
__toString() Method is used to define how a class is treated as a string .
Sample code :
<?php
highlight_file(__FILE__);
class demo{
public $name="xiaocui";
protected $sex="man";
private $age=26;
public function __construct()
{
echo "<br/>"." Call me when the class is instantiated !"."<br/>";
}
public function __destruct(){
echo "<br/>"." Call me when all the methods in the class are destroyed !"."<br/>";
}
public function __wakeup()
{
echo "<br/>"." Call me when the sequence is reversed !".'<br/>';
}
public function __toString(){
return "<br/>"." Class is called when it is treated as a string !"."<br/>";
}
}
$D=new demo(); // Instantiate objects
echo $D; // Class is output as a string
?>
Output results :
Call me when the class is instantiated !
Class is called when it is treated as a string !
Call me when all the methods in the class are destroyed !
The above output results can be seen , When a class is treated as a string
echo when ,
__toString() Method is called and executed .
If there is no... In this class
__toString() Method , Conduct echo When the output ,PHP Will throw fatal errors , Error is as follows :
Catchablefatalerror: ObjectofclassdemocouldnotbeconvertedtostringinD:\XXXX\phpstudy_pro\WWW\two\demo.phponline30
__sleep()
In the use of
serialize() Function time , The program will check whether there is a
__sleep() Magic methods . If there is , Then the method will be called first , And then perform the serialization operation .
__sleep() Methods are often used to submit uncommitted data , Or similar cleaning operations . meanwhile , If there are some big objects , But it doesn't need to be all saved , This function has a good cleaning effect .
Sample code :
<?php
highlight_file(__FILE__);
class demo{
public $name="xiaocui";
protected $sex="man";
private $age=26;
public function __construct()
{
echo "<br/>"." Call me when the class is instantiated !"."<br/>";
}
public function __destruct(){
echo "<br/>"." Call me when all the methods in the class are destroyed !"."<br/>";
}
public function __wakeup()
{
echo "<br/>"." Call me when the sequence is reversed !".'<br/>';
}
public function __sleep(){
echo "<br/>"." Call me when the sequence !".'<br/>';
return array("name","sex","age"); // Here you have to return a number , The element inside represents the name of the returned attribute
}
}
$D=new demo(); // Instantiate objects
echo $ser = serialize($D); // Serializing objects
?>
Output results :
Call me when the class is instantiated !
Call me when the sequence !
O:4:"demo":3:{s:4:"name";s:7:"xiaocui";s:6:"*sex";s:3:"man";s:9:"demoage";i:26;}
Call me when all the methods in the class are destroyed !
The above output results can be seen , When the class is serialized, it first calls
__sleep() Method , This function must return a value . If the function does not return properties , When serializing, the attribute will be cleared .
__invoke()
When trying to call an object as a function ,
__invoke Method will be called automatically .(
This feature only exists in PHP 5.3.0 And above are valid
.)
Code example :
<?php
highlight_file(__FILE__);
class demo{
public $name="xiaocui";
protected $sex="man";
private $age=26;
public function __construct()
{
echo "<br/>"." Call me when the class is instantiated !"."<br/>";
}
public function __destruct(){
echo "<br/>"." Call me when all the methods in the class are destroyed !"."<br/>";
}
public function __wakeup()
{
echo "<br/>"." Call me when deserializing !".'<br/>';
}
public function __sleep(){
echo "<br/>"." Call me when serializing !".'<br/>';
return array("name","sex","age");
}
public function __invoke()
{
echo "<br/>"." When you call an object in a functional way, you will call me !".'<br/>';
}
}
$D=new demo(); // Instantiate objects
$D(); // Call the object as a function
?>
Results output :
Call me when the class is instantiated !
When you call an object in a functional way, you will call me !
Call me when all the methods in the class are destroyed !
The above results can be seen when using the method of a function to call an object , Will call
__invoke() Method .
If there is no such method in the class , that PHP Fatal errors will be reported , as follows :
Fatalerror:
UncaughtError:
FunctionnamemustbeastringinD:\xxxxx\phpstudy_pro\WWW\two\demo.php:42Stacktrace:
#0 {main} thrown in D:\xxxxx\phpstudy_pro\WWW\two\demo.php on line 42
__call()
When calling a nonexistent or inaccessible method in an object ,
__call Will be called .
Code example :
<?php
highlight_file(__FILE__);
class demo{
public $name="xiaocui";
protected $sex="man";
private $age=26;
public function __construct()
{
echo "<br/>"." Call me when the class is instantiated !"."<br/>";
}
public function num($a,$b){
echo "<br/>".$c = $a + $b.'<br/>';
return $c;
}
public function __destruct(){
echo "<br/>"." Call me when all the methods in the class are destroyed !"."<br/>";
}
public function person($per){
echo "<br/>"."We are $per !!!".'<br/>';
}
public function __wakeup()
{
echo "<br/>"." Call me when deserializing !".'<br/>';
}
public function __sleep(){
echo "<br/>"." Call me when the sequence !".'<br/>';
return array("name","sex","age");
}
public function __call($arg1,$arg2){
echo "<br/>"." Call me when an object calls a method that does not exist or is inaccessible !".'<br/>';
}
}
$D=new demo(); // Instantiate objects
$D->num1(1,2); // Call a method that doesn't exist
?>
Results output :
Call me when the class is instantiated !
Call me when an object calls a method that does not exist or is inaccessible !
Call me when all the methods in the class are destroyed !
__set()
When assigning a value to an inaccessible property ,
__set Will be called .
Code example :
<?php
highlight_file(__FILE__);
class demo extends demo1{
public $name="xiaocui";
protected $sex="man";
private $age=26;
public function __construct()
{
echo "<br/>"." Call me when the class is instantiated !"."<br/>";
}
public function __destruct(){
echo "<br/>"." Call me when all the methods in the class are destroyed !"."<br/>";
}
public function person($per){
echo "<br/>"."We are $per !!!".'<br/>';
}
public function __set($arg1,$arg2){
echo "<br/>"." Call me when assigning a value to a nonexistent or inaccessible property !"."<br/>";
}
}
class demo1{
private $weight;
public $height;
public function people(){
echo $this->weight;
echo $this->height;
}
}
$D=new demo(); // Instantiate objects
$D->weight=74; // Assign values to inaccessible properties
?>
Output results :
Call me when the class is instantiated !
Call me when assigning a value to a nonexistent or inaccessible property !
Call me when all the methods in the class are destroyed !
__isset()
Call on inaccessible properties
isset() or
empty() when ,
__iset() Will be called .
__unset()
Call on inaccessible properties
unset() when ,
__unset() Will be called .
__get()
When reading the value of an inaccessible property ,
__get Will be called .
Code example :
<?php
highlight_file(__FILE__);
class demo extends demo1{
public $name="xiaocui";
protected $sex="man";
private $age=26;
public function __construct()
{
echo "<br/>"." Call me when the class is instantiated !"."<br/>";
}
public function __destruct(){
echo "<br/>"." Call me when all the methods in the class are destroyed !"."<br/>";
}
public function __get($arg1){
echo "<br/>"." Call me when reading non-existent or inaccessible properties !";
}
}
class demo1{
private $weight = 0;
public $height;
public function people(){
echo $this->weight;
echo $this->height;
}
}
$D=new demo(); // Instantiate objects
$D->weight; // Read inaccessible properties in the parent class
?>
Output results :
Call me when the class is instantiated !
Call me when reading non-existent or inaccessible properties !
Call me when all the methods in the class are destroyed !
3. Deserialization vulnerability
3.1 Deserialization exploit condition
① unserialize() The parameters in the function are controllable
② There are classes available , And there are magic methods in the class
Code example 1:
<?php
highlight_file(__FILE__);
class demo
{
public $arg1 = "0";
public function __destruct()
{
echo $this->arg1; // Output user passed arg1 value
}
}
$a=$_GET['arg']; // Receive the... Transmitted by the front end arg1 Variable
$unser = unserialize($a); // Deserialize passed arg1
?>
The above code meets two conditions of deserialization vulnerability ,
arg Parameter controllable , That is to say
unserialize() The parameters of the function are controllable ; There are classes available
demo, And demo There are magic methods available in class
__destruct(), However
__destruct() Magic method used echo Output variables
arg.
adopt
arg Parameters , Construct serialization string , adopt
unserialize() Function , Finally through
__destruct() Magic method output variable , cause
XSS.
Sample code 2
<?php
highlight_file(__FILE__);
class demo
{
public $arg1 = "0";
public function __destruct()
{
eval($this->arg1); //eval() To execute the user passed arg1 value
}
}
$a=$_GET['arg']; // Receive the... Transmitted by the front end arg1 Variable
$unser = unserialize($a); // Deserialize passed arg1
var_dump($unser);
?>
If magic methods exist
eval(), And the parameters are controllable , Then by constructing a serialized string , Through deserialization vulnerability
RCE.
3.2 __wakeup() Function bypasses
When the attributes of the passed object are larger than those of the actual object during serialization ,
__wakeup() Magic methods will not be performed , This leads to bypassing .
PHP edition <=5.6.25 perhaps PHP edition <=7.0.11
Sample code :
<?php
highlight_file(__FILE__);
class demo
{
public $arg1 = "0";
public function __destruct()
{
eval($this->arg1); //eval() To execute the user passed arg1 value
}
public function __wakeup(){
foreach(get_object_vars($this) as $k => $v) {
$this->$k = ''; // Traverse the passed parameters , All assignments are empty
}
}
}
$a=$_GET['arg']; // Receive the... Transmitted by the front end arg1 Variable
$unser = unserialize($a); // Deserialize passed arg1
var_dump($unser);
?>
If the attribute value is the same as the actual attribute value of the object , Will be executed during deserialization
__wakeup() Function replaces the passed in variable value with null .
If the property value is set to be greater than the actual object property value, it will bypass
__wakeup() function .
边栏推荐
- Detailed explanation of event cycle
- Exercises in quantum mechanics
- (指针)编写函数void fun(int x,int *pp,int *n)
- [microservices openfeign] two degradation methods of feign | fallback | fallbackfactory
- Operation of ES6
- leetcode刷题:二叉树09(二叉树的最小深度)
- 批处理初识
- 普源DS1000Z系列数字示波器在通信原理实验中的应用方案
- 精品网址导航主题整站源码 wordpress模板 自适应手机端
- [webrtc] M98 Ninja build and compile instructions
猜你喜欢
仿《游戏鸟》源码 手游发号评测开服开测合集专区游戏下载网站模板
苹果CMS仿西瓜视频大气响应式视频模板源码
博朗与Virgil Abloh于2021年为纪念博朗品牌100周年而联合打造的“功能性艺术”将在博物馆展出Abloh作品期间首次亮相
Architecture practice camp - graduation project of module 9 of phase 6
Lnk2038 detected a mismatch of "runtimelibrary": the value "md_dynamicrelease" does not match the value "mdd_dynamicdebug" (in main.obj)
ModStartBlog 现代化个人博客系统 v5.2.0 源码下载
Wechat official account infinite callback authorization system source code
【安全攻防】序列化与反序列,你了解多少?
A beautiful API document generation tool
什么是上下文?
随机推荐
精品网址导航主题整站源码 wordpress模板 自适应手机端
【愚公系列】2022年7月 Go教学课程 002-Go语言环境安装
软件测试是干什么的 发现缺陷错误,提高软件的质量
Leetcode brush questions: binary tree 05 (flip binary tree)
毕业设计项目
How to add custom API objects in kubernetes (1)
One click compilation and deployment of MySQL
Three years of graduation, half a year of distance | community essay solicitation
5张图告诉你:同样是职场人,差距怎么这么大?
Redis: hash type data operation command
仿《游戏鸟》源码 手游发号评测开服开测合集专区游戏下载网站模板
2020 Bioinformatics | TransformerCPI
Unity draws the trajectory of pinball and billiards
leetcode刷题:二叉树04(二叉树的层序遍历)
Why use node
[microservice openfeign] @feignclient detailed explanation
西部数据绿盘、蓝盘、黑盘、红盘和紫盘有什么区别
疫情远程办公经验分享| 社区征文
FT2000+下LPC中断绑核使用说明
MIN_RTO 对话