[Network Security] Detailed Analysis of Deserialization Vulnerabilities

Enterprise 2022-10-03 22:20:36 views: null

Blogger Nickname: Jumping Stairs Penguin
Blogger Home Page Link: Blogger Home Portal

Blogger's column page link: Column Portal -- Network Security Technology
Creation Original Intention: The original intention of this blog is to communicate with technical friends. Everyone's technology has shortcomings, and the same is true for bloggers. Ask for advice with an humility. Friends give guidance.
The blogger's motto: discover the light, follow the light, become the light, and emit the light;
the blogger's research direction: penetration testing, machine learning;
the blogger's message: Thank you for your support, your support is the driving force for me to move forward;

 1. What is serialization?

Serialization is the process of converting a variable or object into a string.

2. Deserialization Vulnerability

1 Introduction

    It is to turn an object into a string that can be transmitted, and the purpose is to facilitate transmission. Suppose, we have written a class with some variables in this class. When the class is instantiated, some variable values ​​in the use process have changed . This variable will be used at some point in the future. If we keep this class from being destroyed and wait for it to be called again the next time it is used, it will waste system resources. When we write a small project, it may not have much impact, but as the project grows, some small problems are magnified and there will be a lot of trouble. At this time, PHP told us that you can serialize this object, save it as a string, and just put it out when you want to use it. When we talk about PHP deserialization, it basically revolves around the two functions serialize() and unserialize().

 

2. The principle of deserialization vulnerability

serialize() and unserialize() have no loopholes in PHP's internal implementation. The reason why deserialization loopholes occur is because the application is dealing with objects, magic functions and serialization-related problems.

When the parameters passed to unserialize() are controllable, then the user can inject a carefully constructed payload. When deserializing, some magic methods in the object may be triggered, causing unexpected harm.

 class S{
        public $test="pikachu";
    }
    $s=new S(); //创建一个对象
    serialize($s); //把这个对象进行序列化

3. Serialization character meaning

The result obtained after serialization is like this: O:1:"S":1:{s:4:"test";s:7:"pikachu";}
        O: represents object
        1: represents the length of the object name A character (ie "S")
        S: the name of the
        object 1: represents a variable in the object
        s: data type (string string)
        4: the length of the variable name
        test: variable name
        s: data type (pikachu is also a string string)
        7: Length of
        variable value pikachu: Variable value

4. Serialized format

O:strlen(class name): class name: the number of variables of the class: {type: length: value; type: length: value...}

The serialized format of other types of data is:

String类型 :s:size:value
Integer类型 :i:value
Boolean类型 : b:value (保存1或0)
Null型 :N
Array :a:size:{key definition;value definition}

Another point to note is: split different fields } at the end, which is very important for deserialization

5. Serialization magic function

There is no problem with serialization and deserialization, but if the content of deserialization is user-controlled, and the magic functions in PHP are used improperly in the background, it will cause security problems.
  Several common magic functions: / / is automatically called in different scenarios
        __construct() is called when an object is created

        __destruct()当一个对象销毁时被调用

        __toString()当一个对象被当作一个字符串使用

        __sleep() 在对象在被序列化之前运行

        __wakeup将在序列化之后立即被调用

6. Examples of vulnerabilities:

  class S{
            var $test = "pikachu";
            function __destruct(){
                echo $this->test;    //一旦S这个类被创建,则将会自动使用魔法函数。当对象被销毁时,则下面的操作会被自动执行} }
        $s = $_GET['test'];
        @$unser = unserialize($a);

      Payload [Effective attack payload is the main function code contained in the ShellCode you use for an exploit]: O:1:"S":1:{s:4:"test";s:29 :"<script>alert('xss')</script>";}
The deserialized content is sent from the front end of the user. If malicious deserialized content is inserted into the content sent from the front end, the background If it is detected that the content will be deserialized, an XSS vulnerability will be caused through the deserialized interface.

Third, the repair of the deserialization vulnerability

1. Securely configure php-related parameters
      . There is a disable_functions = configuration in the Php configuration file. This prohibits some php functions.
The server uses this to prohibit the php execution command function.

For example:
disable_functions =system,passthru,shell_exec,exec,popen disables the use of these functions to execute system commands

2. Upgrade middleware

3. Strictly control incoming variables and use magic functions strictly

Guess you like

Origin blog.csdn.net/weixin_50481708/article/details/127101222
Recommended
Ranking
Reason Codes enhanced accounting documents
The first test case appium
Force command and dispatch emergency communication plan
Interview - What is concurrent programming
21 classic Python interview questions [recommended collection]
[Dahua Data Structure-Introduction to Data Structure ①]
Spring @ConfigurationProperties
Why do we want to broadcast live on WeChat public account? What are the advantages?
How to bring up the toolbar under the desktop of Apple laptop
Dialog: Manually enter information
Daily
More
2024-05-21(35)
2024-05-20(5)
2024-05-19(0)
2024-05-18(31)
2024-05-17(6)
2024-05-16(23)
2024-05-15(5)
2024-05-14(9)
2024-05-13(8)
2024-05-12(28)

Code World

© 2018 codetd.com