PHP Serialization Vulnerability Understanding

0x01 What is serialization

serialization is the transformation of our object into a string, saving the value of the object for easy delivery and use. 0x02 Why to serializeif you want to invoke a variable of the previous script in a script, but the previous script has been executed and all the variables and contents are released, how do we do it? Do you want the previous script to loop continuously, waiting for the script to be called later? This is certainly unrealistic. Serialize and unserialize are used to solve this problem. Serialize can convert a variable to a string and save the value of the current variable in the conversion, and Unserialize can transform the serialize generated string back into the variable. 0x03 How to create a loopholeThese are some of the magic methods we have to pay attention to, if the server can receive our deserialized strings, and the non-filtering of the variables directly into these magic methods, it is easy to create a very serious loophole. When the arguments passed to Nserialize () are controllable, we can control the variables and even functions inside the object by passing in a well-constructed serialized string.

• Constructor __construct (): called automatically when an object is created (new). However, it is not automatically called at Unserialize ().

• destructor __destruct (): called automatically when an object is destroyed.
• __wakeup (): As mentioned earlier, Unserialize () is called automatically.
• __tostring () When an object is used as a string
• __sleep () runs before the object is serialized

How 0x04 leverages serialization vulnerabilities

unserialize () will cause a direct call to __wakeup () or __destruct (), without additional procedures in the middle. Therefore, the ideal situation is that some of the vulnerability/hazard codes are in __wakeup () or __destruct (), so that we can trigger them directly when we control the serialization of strings. If the server is able to receive our deserialized strings, and if the variables are not filtered directly into these magic methods, it is easy to create a very serious loophole. 0x05 Serialization Format

• String:s:size:value;
• Integer:i:value;
• Boolean:b:value; (save 1 or 0)
• Null:n;
• Array:a:size:{key definition;value definition; (repeated per element)}
• Object:o:strlen (object name): Object Name:object Size:{s:strlen (property name):p roperty name:property definition; Repeated per property)

0x06 instances

Here's a good example of borrowing from someone else to illustrate the problem. We do experiments on the __wakeup () scene.

Create a index2 php file, as follows:

1<?PHP2 classchybeta{3     var $test= ' 123 ';4     function__wakeup () {5         $fp=fopen("shell.php", "W") ;6         fwrite($fp,$this-test);7         fclose($fp);8     }9 }Ten $class 3=$_get[' Test ']; One Print_r($class 3); A Echo"</br>"; - $class 3_unser=unserialize($class 3); - require"Shell.php"; the //to show the effect, include the shell.php in the -?>

Create an empty shell.php file in the same directory

We can see that there is an obvious loophole, the main is not to accept the test parameter processing, unserialize () after the direct call to the Magic Method __wakeup (), the method will write test directly into the shell.php. So we can exploit the vulnerability directly by passing in a carefully constructed parameter to test, for example, we could construct Test=o:7: "Chybeta": 1:{s:4: "Test"; s:19: "";}, and the command was executed successfully.

This is my first time to write a blog, just hope that I can write to deepen their understanding of knowledge, while writing a blog to increase their own requirements, blog has a lot of shortcomings, I hope that we can correct, I will always study hard.

PHP Serialization Vulnerability Understanding