PHP Deserialization Vulnerability Explained
Serialization
PHP's serialization function is serialize; the deserialization function is unserialize.
Here is an example:
<?php
class Test{
    public $a='ThisA';
    protected $b='ThisB';   // the original was missing this semicolon
    private $c='ThisC';
    public function test(){
        return "this is a test!";
    }
}
// serialize() must be called outside the class body (original had a typo: searialize)
$test1=new Test();
var_dump(serialize($test1));
Result:
string(84) "O:4:"Test":3:{s:1:"a";s:5:"ThisA";s:4:"*b";s:5:"ThisB";s:7:"Testc";s:5:"ThisC";}"
O: an object
:4: the class name is 4 characters long
"Test": the class name
3: 3 member variables
s:1:"a";s:5:"ThisA";: variable a has the value ThisA, which is 5 characters long
s:4:"*b";s:5:"ThisB";: protected, ThisB
s:7:"Testc";s:5:"ThisC";: private, ThisC
Note that the lengths 4 and 7 are larger than the visible names "*b" and "Testc": PHP stores a protected name as \0*\0b and a private name as \0Test\0c, and the two NUL bytes are dropped when the string is printed. This is why the printed string above cannot be pasted back into unserialize() as-is.
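To make the format breakdown above concrete, here is a small parser for PHP's serialize() output written in Python (an added example, not code from the original post). It walks the O/s/i/N tags, decodes the NUL-prefixed property names into their visibility, and uses a constructed byte-exact copy of the page's serialized Test object as input; the SAMPLE constant and the function names are this example's own.

```python
# Minimal parser for PHP's serialize() format: objects, strings, ints, null.
# SAMPLE is a constructed byte-exact copy of what serialize($test1) emits,
# including the NUL bytes that are lost when the page prints the string.
SAMPLE = (b'O:4:"Test":3:{s:1:"a";s:5:"ThisA";s:4:"\x00*\x00b";s:5:"ThisB";'
          b's:7:"\x00Test\x00c";s:5:"ThisC";}')

def prop_visibility(raw: bytes):
    """Decode a serialized property name into (visibility, name)."""
    if raw.startswith(b"\x00*\x00"):              # \0*\0name     -> protected
        return "protected", raw[3:].decode()
    if raw.startswith(b"\x00"):                   # \0Class\0name -> private
        cls, name = raw[1:].split(b"\x00", 1)
        return "private:" + cls.decode(), name.decode()
    return "public", raw.decode()                 # bare name     -> public

def parse_value(data: bytes, pos: int = 0):
    """Parse one value starting at data[pos]; return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                               # N;
        return None, pos + 2
    if tag == b"i":                               # i:123;
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if tag == b"s":                               # s:<len>:"<bytes>";
        colon = data.index(b":", pos + 2)
        n = int(data[pos + 2:colon])
        start = colon + 2                         # skip :"
        raw = data[start:start + n]               # length-prefixed: NULs are ordinary bytes
        if data[start + n:start + n + 2] != b'";':
            raise ValueError(f"bad string terminator at offset {start + n}")
        return raw, start + n + 2
    if tag == b"O":                               # O:<len>:"<class>":<count>:{key;value;...}
        colon = data.index(b":", pos + 2)
        n = int(data[pos + 2:colon])
        cls = data[colon + 2:colon + 2 + n].decode()
        pos = colon + n + 4                       # skip "Class":
        colon = data.index(b":", pos)
        count, pos, props = int(data[pos:colon]), colon + 2, {}
        for _ in range(count):
            key, pos = parse_value(data, pos)
            val, pos = parse_value(data, pos)
            vis, name = prop_visibility(key)
            props[name] = (vis, val.decode() if isinstance(val, bytes) else val)
        return {"class": cls, "props": props}, pos + 1   # skip }
    raise ValueError(f"unsupported tag {tag!r} at offset {pos}")

def parse_php(data: bytes):
    """Parse a whole serialized blob and reject trailing bytes."""
    value, end = parse_value(data)
    if end != len(data):
        raise ValueError("trailing data after value")
    return value
```

Running parse_php(SAMPLE) yields the class name and each property with its visibility; len(SAMPLE) is 84, matching the string(84) the page reports.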
Deserialization
Deserialization is the inverse of serialization: given the string produced by serializing an object, it restores the object's member variables.
Example:
<?php
class Test{
    public $a = 'ThisA';
    protected $b = 'ThisB';
    private $c = 'ThisC';
    public function test(){
        return 'this is test';
    }
}
$test = new Test();
$sTest = serialize($test);      // object -> string
$usTest = unserialize($sTest);  // string -> a new object with the same member values
var_dump($usTest);
?>
Result:
object(Test)#2 (3) { ["a"]=> string(5) "ThisA" ["b":protected]=> string(5) "ThisB" ["c":"Test":private]=> string(5) "ThisC" }
Magic methods
Deserialization vulnerabilities usually arise from the following magic methods:
__construct()
# Similar to a C constructor: called when an object is created, but not called automatically during unserialize()