php反序列化利用
Serialization is when an object in a programming language (say, a Java or PHP object) is converted into a format that can be stored or transferred. Whereas deserialization refers to the opposite: it’s when the serialized object is read from a file or the network and converted back into an object.
序列化是指将编程语言中的对象(例如Java或PHP对象)转换为可以存储或传输的格式。 反序列化则相反:从文件或网络读取序列化对象并将其转换回对象时。
Insecure deserialization vulnerabilities happen when applications deserialize objects without proper sanitization. An attacker can then manipulate serialized objects to change the program’s flow.
当应用程序对对象进行反序列化而不进行适当的清理时,就会发生不安全的反序列化漏洞。 然后,攻击者可以操纵序列化的对象来更改程序的流程。
Today, let’s talk about PHP object injections. They are insecure deserialization vulnerabilities that happen when developers deserialize PHP objects recklessly.
今天,让我们谈谈PHP对象注入。 当开发人员不顾一切地反序列化PHP对象时,它们会发生不安全的反序列化漏洞。
PHP中的序列化 (Serialization in PHP)
To understand PHP object injections, you have to first understand how PHP serialize and deserialize objects.
要了解PHP对象注入,您必须首先了解PHP如何序列化和反序列化对象。
序列化 (Serializing)
When you need to store a PHP object or transfer it over the network, you use serialize() to pack it up.
当您需要存储PHP对象或通过网络传输它时,可以使用serialize()打包它。
serialize(): PHP object -> plain old string that represents the obj
When you need to use that data, use unserialize() to unpack and get the underlying object.
当您需要使用该数据时,请使用unserialize()解包并获取基础对象。
unserialize(): string containing object data -> original object
For example, this code snippet will serialize the object “user”.
例如,此代码段将序列化对象“ user”。
<?phpclass User{
public $username;
public $status;
}$user = new User;
$user->username = 'vickie';
$user->status = 'not admin';echo serialize($user);?>
Run the code snippet, and you will get the serialized string that represents the “user” object.
运行代码片段,您将获得表示“用户”对象的序列化字符串。
O:4:"User":2:{s:8:"username";s:6:"vickie";s:6:"status";s:9:"not admin";}
序列化的字符串结构 (Serialized string structure)
Let’s break this serialized string down! The basic structure of a PHP serialized string is “data type: data”. For examp