Introduction to the deserialization principle and analysis of the causes of the vulnerability
What is deserialization
Serialization turns an object into a string that can be stored or transmitted; deserialization turns that string back into an object. The purpose is to make transmission easy.
Suppose we write a class with some variables in it. When the class is instantiated, some of those variable values change during use, and the values will be needed again at some point in the future. If we keep the object alive forever, waiting for the next time it is used, it wastes system resources.
In a small project this may not matter much, but as the project grows, small problems are amplified and cause a lot of trouble. Here PHP tells us: you can serialize the object, save it as a string, and restore it only when you want to use it.
When we talk about PHP deserialization, it basically revolves around serialize() and unserialize().
The principle of deserialization vulnerability
Serialization and deserialization are not a problem in themselves. Problems arise when the content being deserialized is user-controllable and the back end uses PHP magic methods improperly. These are the two conditions that produce a deserialization vulnerability, and neither can be missing.
Both conditions must hold; such cases are relatively rare in PHP and much more common in Java.
Common magic functions
__construct() is called when an object is created
__destruct() is called when an object is destroyed
__toString() is called when an object is treated as a string
__sleep() is called before an object is serialized
__wakeup() is called immediately after an object is deserialized
For specific code, please refer to pikachu.
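To make the call order concrete, here is an added example (not code from the original post or from pikachu) of a class that implements every magic method listed above. The class name Session and its properties are assumed; running it shows when each method fires around serialize() and unserialize(), and what the serialized string looks like.

```php
<?php
// Added example (not from the original post): a class implementing the magic
// methods listed above, so the call order around serialize() and
// unserialize() can be observed. Class and property names are made up.
class Session
{
    public $user = 'alice';
    public $role = 'guest';
    private $dbHandle = 'resource-that-must-not-be-serialized';

    public function __construct()
    {
        echo "__construct: object created\n";
    }

    // Called before serialize(); returns the list of properties to keep.
    // Leaving out $dbHandle is the usual reason to implement it.
    public function __sleep()
    {
        echo "__sleep: about to serialize\n";
        return ['user', 'role'];
    }

    // Called right after unserialize() has rebuilt the object.
    // Note that __construct() is NOT called again on deserialization.
    public function __wakeup()
    {
        echo "__wakeup: object rebuilt from string\n";
    }

    public function __toString()
    {
        return "Session({$this->user}, {$this->role})";
    }

    public function __destruct()
    {
        echo "__destruct: object destroyed\n";
    }
}

$s = new Session();        // __construct
$s->role = 'admin';        // state changed during use
$str = serialize($s);      // __sleep runs first, then the string is built
echo $str, "\n";
// O:7:"Session":2:{s:4:"user";s:5:"alice";s:4:"role";s:5:"admin";}
// O = object, 7 = length of the class name, 2 = number of properties,
// s:4:"user" = a string of 4 characters, s:5:"admin" = 5 characters, etc.

$copy = unserialize($str); // __wakeup runs right after the object is rebuilt
echo $copy, "\n";          // __toString because the object is used as a string
unset($s, $copy);          // __destruct for each object
```

The private $dbHandle is dropped by __sleep(), which is why it never appears in the string. Every length prefix in the string is computed by serialize() itself; if a hand-edited string has a prefix that does not match the actual length, unserialize() returns false.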
PHP deserialization vulnerability combat
Online deserialization tool: https://www.w3cschool.cn/tools/index?name=unserialize
O:1:"S":1:{s:4:"test";s:29:"<script>alert('xss')</script>";}
->
In PHP, -> is the operator used to call an object's methods or access its properties. Inside a class, the class's own methods and properties are accessed with $this->. On an instance of the class they are also accessed with ->, only with the instance variable instead of $this in front.
How to construct the payload
Change the value of a variable in the serialized string, then submit the resulting payload to an API that accepts serialized data.
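The following added example (not code from the original post; class S with property $test follows the pikachu lab, everything else is assumed) builds the serialized string shown above from an object, so the length prefixes are always correct, and then contrasts the vulnerable sink with two hardened variants that a defender would use instead.

```php
<?php
// Added example (not from the original post). Class S with $test follows the
// pikachu lab; the function names and hardened variants are assumed.
class S
{
    public $test = 'pikachu';
}

// 1. Construct the payload from an object: serialize() recomputes every
//    length prefix, so no counting by hand is needed.
$obj = new S();
$obj->test = "<script>alert('xss')</script>";
$payload = serialize($obj);
echo $payload, "\n";
// O:1:"S":1:{s:4:"test";s:29:"<script>alert('xss')</script>";}

// 2. Vulnerable sink: a user-controlled string goes straight into
//    unserialize() and the property is echoed unescaped, so the script tag
//    reaches the browser.
function vulnerable(string $userInput): string
{
    $o = unserialize($userInput);
    return $o->test;
}

// 3a. Hardened sink that keeps the serialized format but allows no class to
//     be instantiated: objects in the input come back as
//     __PHP_Incomplete_Class, so no magic method of an application class
//     can run, and such input is rejected outright.
function hardenedNoClasses(string $userInput): string
{
    $o = @unserialize($userInput, ['allowed_classes' => false]);
    if ($o === false || $o instanceof __PHP_Incomplete_Class) {
        return 'rejected: serialized objects are not accepted';
    }
    if (!is_scalar($o)) {
        return 'rejected: unexpected type';
    }
    // Output encoding stops any remaining string from being rendered as HTML.
    return htmlspecialchars((string)$o, ENT_QUOTES, 'UTF-8');
}

// 3b. Hardened sink that exchanges JSON instead of serialized PHP objects:
//     json_decode(..., true) never creates objects, and the value is
//     HTML-encoded before being echoed.
function hardenedJson(string $userInput): string
{
    $data = json_decode($userInput, true);
    if (!is_array($data) || !isset($data['test']) || !is_string($data['test'])) {
        return 'rejected: malformed input';
    }
    return htmlspecialchars($data['test'], ENT_QUOTES, 'UTF-8');
}

echo vulnerable($payload), "\n";        // raw <script>...</script> is returned
echo hardenedNoClasses($payload), "\n"; // rejected: serialized objects are not accepted
echo hardenedJson(json_encode(['test' => $obj->test])), "\n";
// &lt;script&gt;alert(&#039;xss&#039;)&lt;/script&gt;
```

The two hardened variants address the two conditions named earlier: allowed_classes (or avoiding unserialize() altogether) removes the attacker's ability to pick which class, and therefore which magic methods, get instantiated, while output encoding deals with the untrusted value once it is a plain string.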
Summary
Looking back at the whole process: the object becomes a string through serialization; we modify the string and hand it to the vulnerable location for deserialization.