Remote Command Execution and Deserialization——Deserialization Principle Introduction and Analysis of Vulnerability

Introduction of deserialization principle and analysis of the causes of vulnerabilities

What is deserialization

Serialization turns an object into a string that can be transmitted or stored; the purpose is to make transmission easy.
Suppose we write a class with some member variables. After the class is instantiated, some of those values change during use, and the object will be needed again at some later point. Keeping the object alive forever just so it can be called again next time would waste system resources.

In a small project this may have little impact, but as a project grows, small problems are amplified and cause a lot of trouble. Here PHP's answer is: serialize the object, save it as a string, and restore it when you want to use it.

When we talk about PHP deserialization, it basically revolves around serialize() and unserialize().

The principle of deserialization vulnerability

There is nothing wrong with serialization and deserialization themselves. Problems arise when the content being deserialized is user-controllable and the back-end code uses PHP magic methods improperly. These are the two conditions a deserialization vulnerability needs, and both are indispensable.

PHP has fewer magic methods than Java. The common ones are:
__construct() is called when an object is created
__destruct() is called when an object is destroyed
__toString() is called when an object is treated as a string
__sleep() is called before an object is serialized
__wakeup() is called immediately after an object is unserialized
For specific code, please refer to pikachu.
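The two conditions above side by side with the mitigation, as an added example that is not code from the original post or from pikachu. The class name S, the field test and the sample input are assumed for illustration; the serialized string it produces is the one quoted later in the post.

```php
<?php
// Added example: a class whose magic methods act on a field that
// deserialized input can control (condition #2), fed with a serialized
// string that stands in for user input (condition #1). Names are assumed.

class S
{
    public $test = 'hello';

    // Magic method: runs automatically when the object is destroyed.
    // Any sink here that uses $this->test is reachable via unserialize().
    public function __destruct()
    {
        echo "__destruct: test=" . htmlspecialchars($this->test) . "\n";
    }

    // Magic method: runs right after unserialize() has rebuilt the object.
    public function __wakeup()
    {
        echo "__wakeup called\n";
    }
}

// Serializing an instance produces the O:1:"S":1:{...} string form.
$obj = new S();
$obj->test = "<script>alert('xss')</script>";
$serialized = serialize($obj);
echo $serialized, "\n";

// Condition #1: the serialized string arrives from the user (simulated).
$userInput = $serialized;

// Vulnerable: any class named in the input is instantiated, so its
// magic methods run with attacker-chosen property values.
$a = unserialize($userInput);
var_dump($a instanceof S); // the real class was rebuilt, __wakeup ran

// Hardened: refuse to instantiate classes. The object is returned as
// __PHP_Incomplete_Class and no magic method of S executes.
$b = unserialize($userInput, ['allowed_classes' => false]);
var_dump($b instanceof S);                      // no S object created
var_dump($b instanceof __PHP_Incomplete_Class); // placeholder instead

// Safer still for plain data: exchange JSON, which never instantiates
// arbitrary classes on decode.
$data = json_decode(json_encode(['test' => $obj->test]), true);
var_dump($data['test'] === $obj->test);
```

The allowed_classes option exists since PHP 7.0; where a specific class must be restored, pass an explicit allow-list instead of false.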

PHP deserialization vulnerability combat

Online deserialization tool: https://www.w3cschool.cn/tools/index?name=unserialize

O:1:"S":1:{s:4:"test";s:29:"<script>alert('xss')</script>";} 

In PHP, -> is the operator that accesses an object's methods or properties. Inside a class, the class's own methods or properties are accessed with $this->; on an instance of the class they are likewise accessed with ->, only with the instance variable in front instead of $this.

How to construct the payload

The payload is built by changing the value of the variable in the serialized string; it can then be sent to an API that accepts serialized data.

Summary

Looking back at the whole process: the object becomes a string through serialization, we work on that string, and we hand it to the vulnerable place for deserialization.


Origin blog.csdn.net/weixin_43079958/article/details/105476972