I had heard of the unserialize issue some time ago but had not studied it carefully. Recently, while auditing a system, I came across a call to the unserialize function, and it took me a while to work through it. I would also like to give special thanks to the hacker friends who helped me a great deal along the way.
The features and usage of the unserialize function do not need to be covered in detail here; they are not the focus of this article, and the official manual is thorough, if not easy to read. If you are unfamiliar with it, go to baidu and look up what serialize and unserialize actually do.
The unserialize function is widely used in PHP, but improper use of unserialize creates serious security risks. First, let's look at an example:
// test.php
<?php
class Example {
    // Attacker-controlled property: unserialize() fills it from the input
    var $var = '';
    // Magic method; PHP calls it automatically, and it passes $var to eval()
    function __destruct() {
        eval($this->var);
    }
}
// Deserializing user input directly allows an Example object to be built
unserialize($_GET['code']);
?>
The above code is a typical instance of the problem. If we can submit data to the unserialize function for deserialization, and the program in which unserialize is called can reach the Example class, the issue is exploitable. In the code above the class and the unserialize call sit in the same file, but the situation is the same when the page that calls unserialize includes the file in which Example is defined.
A serialized Example object can be submitted directly in the code parameter, and phpinfo() is executed.
However, it is not so easy in real applications. The code above is just the program flow we would like to see. There are still many restrictions on turning a call to unserialize into a GetShell; the following is my own understanding of those restrictions, and if I have made a mistake, please point it out.
Exploiting the unserialize function depends on a magic method such as __destruct() in a custom class. This method is called automatically by PHP for the object (for __destruct, when the object is destroyed). Therefore, exploiting unserialize depends on classes and does not apply to plain functions; the other magic methods that PHP calls automatically for an object can also be used in the same way.
In summary, successfully exploiting unserialize first requires that a custom class can be reached, that the class has a Magic Method which is called automatically for the object, and, most importantly, that the Magic Method contains code or a program flow that can be abused. The code above has an eval call in __destruct(); of course it could be another function here, such as fwrite, fputs or other dangerous functions. If all of the above conditions are met, the values of the properties are no concern, because the properties of the class are fully under the attacker's control. In the Exp above, we set the var property to phpinfo().
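The following is an added example that is not part of the original post: it keeps the Example class from the post beside two hardened ways of handling the same untrusted input, so that the magic method is never reached. The helper names, the demo endpoint and the server-side key are assumptions.

```php
<?php
// Added example (not from the original post). The Example class is the one discussed
// above; the helpers around it are assumed names chosen for this demonstration.

class Example {
    public $var = '';
    public function __destruct() {
        eval($this->var);   // the dangerous sink from the original post
    }
}

// Hardened variant 1: never let unserialize() build objects from untrusted input.
// With allowed_classes => false (PHP 7.0+), any object in the payload is turned into
// a __PHP_Incomplete_Class instance, so no magic method of Example is ever called.
function unserializeNoObjects(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}

// Hardened variant 2: only accept data the application itself produced, by checking an
// HMAC before unserialize() ever sees the bytes. $secret is an assumed server-side key.
function signSerialized(string $serialized, string $secret): string {
    return hash_hmac('sha256', $serialized, $secret) . ':' . $serialized;
}

function unserializeSigned(string $payload, string $secret, array $allowed = []) {
    $parts = explode(':', $payload, 2);   // the hex MAC never contains ':'
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $serialized] = $parts;
    $expected = hash_hmac('sha256', $serialized, $secret);
    if (!hash_equals($expected, $mac)) {  // constant-time comparison
        return null;
    }
    // Even for signed data, only the classes we expect may be instantiated.
    return unserialize($serialized, ['allowed_classes' => $allowed]);
}

// Constructed demo input: a plain array, which is what this endpoint is meant to receive.
$secret = 'assumed-server-side-key';
$legit  = signSerialized(serialize(['id' => 7, 'tags' => ['a', 'b']]), $secret);
var_dump(unserializeSigned($legit, $secret));        // array(2) { ... }

// Changing a single byte of the signed value fails the MAC check.
$tampered = substr($legit, 0, -1) . 'X';
var_dump(unserializeSigned($tampered, $secret));     // NULL

// Untrusted input from $_GET['code'] as in the original: no class is instantiated.
$untrusted = $_GET['code'] ?? 'a:0:{}';
$result = unserializeNoObjects($untrusted);
var_dump($result instanceof __PHP_Incomplete_Class); // true only if an object was supplied
```

For an audit, the check to make is whether any unserialize() call in the code base receives data that an external party can influence (request parameters, cookies, database rows, cache entries) without an allowed_classes restriction or an integrity check in front of it; where the data does not need to carry objects at all, json_decode() removes the class-loading path entirely.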
All of the above is my personal understanding of exploiting unserialize. If there is any mistake, I hope you will point it out so we can discuss it. I have only a superficial understanding of unserialize so far, and I still need to exchange ideas with more experienced people.