Three ways to deserialize the session in PHP

Source: Internet
Author: User
Tags php session visual composer

The session-related configuration items in php.ini are:

session.save_path (string) - sets the directory in which session data is stored.

session.save_handler (string) - sets the storage handler. PHP's built-in handler stores sessions as files; a user-defined handler can be registered instead if you want to store sessions elsewhere (a database, etc.).

session.auto_start (boolean) - specifies whether the session module starts a session at the beginning of every request. Defaults to 0, meaning no session is started automatically.

session.serialize_handler (string) - names the handler used to serialize and deserialize session data. Defaults to php.

The options above are the ones that control how PHP stores sessions and how it serializes their contents.

In an XAMPP installation, the configuration items described above are set as follows:

session.save_path="D:\xampp\tmp" - all session files are stored under xampp/tmp.

session.save_handler=files - the session is stored as a file.

session.auto_start=0 - the session is not started automatically.

session.serialize_handler=php - session data is serialized with the default php engine.

In the above configuration, session.serialize_handler selects the serialization engine. Besides the default php engine there are two others, and each engine lays out the stored session differently:

php_binary: one byte holding the length of the key name (as an ASCII value) + the key name + the value as processed by serialize().

php: the key name + a vertical bar + the value as processed by serialize().

php_serialize (PHP >= 5.5.4): the whole $_SESSION array as processed by serialize().

PHP uses the php engine by default. To switch to another engine, add a call to ini_set('session.serialize_handler', '<engine name>') before the session is started. Sample code:

<?php
// select the php_serialize engine for this script
ini_set('session.serialize_handler', 'php_serialize');
session_start();
// do something

Storage mechanism

The contents of a PHP session are not kept in memory but stored by the handler selected in session.save_handler, which by default is a file.

The stored file is named sess_<session id>, and its contents are the serialized session values.

Assuming our environment is XAMPP, then the default configuration is as described above.

With the default configuration:

<?php
session_start();
$_SESSION['name'] = 'spoock';
var_dump($_SESSION);
?>

The resulting session file and page output are as follows:

You can see that the value of PHPSESSID is jo86ud4jfvu81mbg28sl2s56c2, that the file stored under xampp/tmp is named sess_jo86ud4jfvu81mbg28sl2s56c2, and that its contents are name|s:6:"spoock";. Here name is the key, and s:6:"spoock"; is the result of serialize("spoock").

Under the php_serialize engine:

<?php
ini_set('session.serialize_handler', 'php_serialize');
session_start();
$_SESSION['name'] = 'spoock';
var_dump($_SESSION);
?>

The content of the session file is a:1:{s:4:"name";s:6:"spoock";}. The a:1 prefix is added because php_serialize serializes the whole array, so both the key and the value in the session are serialized.

Under the php_binary engine:

<?php
ini_set('session.serialize_handler', 'php_binary');
session_start();
$_SESSION['name'] = 'spoock';
var_dump($_SESSION);
?>

The content of the session file is \x04names:6:"spoock";, where the leading byte is chr(4) (EOT in the ASCII table), the length of the key name. Following the php_binary storage rule, the rest is names:6:"spoock";. (The byte with ASCII value 4 is not displayable on the page; look it up in an ASCII table.)

A simple deserialization example

test.php

<?php
class syclover {
    var $func = "";
    function __construct() {
        $this->func = "phpinfo";
    }
    function __wakeup() {
        eval($this->func);
    }
}
unserialize($_GET['a']);
?>

Line 11 passes the GET parameter straight to unserialize(). By supplying a suitably constructed string we can deserialize it into an instance of syclover and have eval() run. Visiting localhost/test.php?a=O:8:"syclover":1:{s:4:"func";s:14:"echo "Spoock";";} deserializes to the following object:

object(syclover)[1]
  public 'func' => string 'echo "Spoock";' (length=14)

The page finally outputs Spoock, which shows that the echo "Spoock"; statement we defined was executed.

This is a demonstration of a simple deserialization vulnerability.
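As an added example that is not part of the original article, here is a hardened counterpart to test.php. The script above hands a GET parameter straight to unserialize(), so the request decides which class is instantiated and its __wakeup() runs. The two functions below are the defensive alternatives; the payload string is constructed in the shape the article shows and the function names are this example's own.

```php
<?php
// Added example, not code from the original article: a hardened counterpart to test.php.
// test.php hands a GET parameter straight to unserialize(), so a crafted string selects
// the class to instantiate and its __wakeup() runs. The two functions below are the
// defensive alternatives; the payload is constructed in the shape the article shows.

declare(strict_types=1);

/**
 * Preferred: exchange structured data with the client as JSON. json_decode() only
 * produces arrays and scalars, so no application class and no magic method is involved.
 */
function parse_request_json(string $raw): array
{
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new UnexpectedValueException('expected a JSON object');
    }
    return $data;
}

/**
 * If PHP's serialized format cannot be avoided, forbid object instantiation:
 * with allowed_classes => false every O:... payload becomes __PHP_Incomplete_Class,
 * so neither __wakeup() nor __destruct() of an application class is triggered.
 * A short allow-list of plain data classes can be used instead of false if needed.
 */
function parse_request_serialized(string $raw)
{
    return unserialize($raw, ['allowed_classes' => false]);
}

// Constructed payload, in the shape the article sends to test.php.
$payload = 'O:8:"syclover":1:{s:4:"func";s:14:"echo "Spoock";";}';
$obj = parse_request_serialized($payload);
var_dump($obj instanceof __PHP_Incomplete_Class);    // no syclover object was built
var_dump(parse_request_json('{"func":"phpinfo"}'));  // a plain array; nothing runs
```

Run it with php on the command line (PHP 7.3 or later for JSON_THROW_ON_ERROR). The point of the first check is that the class named in the payload is never constructed, so an eval() in its __wakeup() is never reached; the JSON route removes the problem entirely because the format has no notion of objects with behaviour.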

The deserialization hazard in PHP sessions

The session implementation in PHP itself is not the problem; the harm comes mainly from programmers using sessions improperly.

If the engine PHP uses to deserialize the stored $_SESSION data differs from the engine that serialized it, the data is deserialized incorrectly. With a carefully constructed request this can be used to bypass the program's validation or invoke certain methods. For example:

$_SESSION['spoock'] = '|O:11:"PeopleClass":0:{}';

When the $_SESSION data above is written with php_serialize, the stored content is a:1:{s:6:"spoock";s:24:"|O:11:"PeopleClass":0:{}";}.

But if the php engine is selected when reading, what is read back is:

array (size=1)
  'a:1:{s:6:"spoock";s:24:"' =>
    object(__PHP_Incomplete_Class)[1]
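The following is an added example, not code from the original article. It re-implements the three session.serialize_handler layouts described earlier on a plain array, adds a decoder for the php layout, and then replays the handler-mismatch case above without touching a real session store. All function names are this example's own, the session keys and values are constructed, and the decoder never instantiates classes (it uses allowed_classes => false), whereas the real engine would.

```php
<?php
// Added example, not code from the original article. Re-implements the three
// session.serialize_handler layouts, a decoder for the php layout, and replays the
// handler-mismatch case from the article. Keys and values are constructed.

declare(strict_types=1);

/** serialize_handler = php: key|serialized(value), entries concatenated. */
function encode_php(array $session): string
{
    $out = '';
    foreach ($session as $key => $value) {
        $out .= $key . '|' . serialize($value);
    }
    return $out;
}

/** serialize_handler = php_binary: chr(strlen(key)) . key . serialized(value). */
function encode_php_binary(array $session): string
{
    $out = '';
    foreach ($session as $key => $value) {
        $out .= chr(strlen((string) $key)) . $key . serialize($value);
    }
    return $out;
}

/** serialize_handler = php_serialize (PHP >= 5.5.4): serialize() of the whole array. */
function encode_php_serialize(array $session): string
{
    return serialize($session);
}

/** Returns the offset just past one serialized value starting at $pos. */
function scan_serialized(string $s, int $pos): int
{
    $num = static function (int $at) use ($s): array {   // read "N:" at $at
        $colon = strpos($s, ':', $at);
        return [(int) substr($s, $at, $colon - $at), $colon + 1];
    };
    switch ($s[$pos] ?? '') {
        case 'N':                                         // N;
            return $pos + 2;
        case 'b': case 'i': case 'd':                     // b:1;  i:-5;  d:0.5;
            return strpos($s, ';', $pos) + 1;
        case 's':                                         // s:LEN:"bytes";
            [$len, $p] = $num($pos + 2);
            return $p + 1 + $len + 2;                     // quote, bytes, quote, ';'
        case 'a':                                         // a:COUNT:{key value ...}
            [$count, $p] = $num($pos + 2);
            $p += 1;                                      // skip '{'
            break;
        case 'O':                                         // O:LEN:"Class":COUNT:{...}
            [$len, $p] = $num($pos + 2);
            [$count, $p] = $num($p + 1 + $len + 2);       // past "Class":
            $p += 1;                                      // skip '{'
            break;
        default:
            throw new InvalidArgumentException("unsupported type at offset $pos");
    }
    for ($i = 0; $i < $count; $i++) {
        $p = scan_serialized($s, $p);                     // key or property name
        $p = scan_serialized($s, $p);                     // value
    }
    return $p + 1;                                        // closing '}'
}

/**
 * Decoder for the php layout. Like the engine, it takes the first '|' after the
 * current position as the key/value boundary, so a '|' inside a value that was written
 * by another handler is misread as a separator. Objects are never instantiated here.
 */
function decode_php(string $blob): array
{
    $result = [];
    $pos = 0;
    while (($bar = strpos($blob, '|', $pos)) !== false) {
        $key = substr($blob, $pos, $bar - $pos);
        $end = scan_serialized($blob, $bar + 1);
        $result[$key] = unserialize(substr($blob, $bar + 1, $end - $bar - 1),
                                    ['allowed_classes' => false]);
        $pos = $end;   // a trailing fragment with no '|' is ignored, as the engine does
    }
    return $result;
}

/** Replays the article's scenario: written under php_serialize, read under php. */
function replay_mismatch(): array
{
    $session = ['spoock' => '|O:11:"PeopleClass":0:{}'];   // constructed, as in the article
    $read = decode_php(encode_php_serialize($session));
    $value = reset($read);
    return ['key_seen_by_php_handler' => (string) key($read),
            'value_class' => is_object($value) ? get_class($value) : gettype($value)];
}

/** Defender's check on a raw session file: a whole serialized array means php_serialize
 *  wrote it; reading it under the php handler will split it at the first '|' instead. */
function looks_like_php_serialize(string $blob): bool
{
    return (bool) preg_match('/^a:\d+:\{.*\}$/s', $blob);
}

$session = ['name' => 'spoock'];                          // constructed
echo bin2hex(encode_php_binary($session)), "\n";          // first byte is the key length
echo encode_php($session), "\n";
echo encode_php_serialize($session), "\n";
print_r(replay_mismatch());
var_dump(looks_like_php_serialize(encode_php_serialize($session)));
```

Running it on the command line prints the three layouts for the same array, then shows that the php decoder turns the php_serialize blob into one entry whose key is the leftover prefix and whose value is the deserialized object embedded in the string. The practical mitigation is to set session.serialize_handler once, in php.ini rather than per script, so every reader and writer of the session store agrees on the layout, and to treat any session file whose shape does not match the configured handler as a sign of exactly this mismatch.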
