A brief analysis of serialization and deserialization

This post was written after a basic first pass over serialization and deserialization; it is a set of notes organised to understand the underlying building blocks. The main content refers to the following two articles.


Reference links:
https://www.freebuf.com/articles/web/167721.html

https://www.cnblogs.com/youyoui/p/8610068.html

0x01 Serialization

In PHP, serialization is the process of converting a value into a string representation so that it can be stored or transferred.

PHP's serialization function is:

string serialize ( mixed $value )   // $value is the object or array to be serialized

serialize() returns a string that can be conveniently passed to any other part of the program where the value is needed, without changing its structure or type.

 

Example:

<?php 
$sites = array('Google', 'Runoob', 'Facebook'); 
$serialized_data = serialize($sites); 
echo $serialized_data . PHP_EOL; 
?>

The output is:
a:3:{i:0;s:6:"Google";i:1;s:6:"Runoob";i:2;s:8:"Facebook";}

 

Serialization format:

String : s:size:"value";   (size is the byte length of value)
Integer : i:value;
Boolean : b:value;   (stored as 1 or 0)
Null : N;
Array : a:size:{key definition;value definition;(repeated per element)}
Object : O:strlen(class name):"class name":property count:{s:strlen(property name):"property name";property definition;(repeated per property)}

When an object is serialized, class constants are not stored (they belong to the class, not to the instance), but the properties inherited from the parent class are preserved.
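The following is an added example, not code from the original post, showing what the a: and O: formats above look like for nested data and for an object with inherited, protected and private properties. The class and property names are made up for illustration, and the str_replace() step is only there to make the NUL bytes in the output visible.

```php
<?php
// Added example (not from the original post): how the a: and O: formats look
// for nested data and for an object with inherited and non-public properties.
// Class and property names are made up for illustration.

class ParentClass
{
    public $inherited = 'from-parent';
    private $parentSecret = 'hidden';   // private to ParentClass
}

class Child extends ParentClass
{
    const VERSION = 2;                  // constants are never serialized
    public $pub = 1;
    protected $prot = true;
    private $priv = null;
}

// serialize() marks protected/private property names with NUL bytes that a
// terminal would not show; replace them with a visible "\0" for reading.
function showSerialized($value)
{
    return str_replace("\0", '\0', serialize($value));
}

// 1. A string's length prefix is its byte length, so quotes and semicolons
//    inside the value need no escaping: the parser simply reads N bytes.
echo showSerialized(['a' => 'x";y', 'n' => 1.5, 'ok' => false]), PHP_EOL;

// 2. The object: class name, property count, then each property in turn.
echo showSerialized(new Child()), PHP_EOL;
```

In the object line look for `s:7:"\0*\0prot"` (protected names are prefixed with `\0*\0`), `s:11:"\0Child\0priv"` and `s:25:"\0ParentClass\0parentSecret"` (private names carry the declaring class name), while `VERSION` is absent and the property count is 5 because the parent's private property is included. These NUL prefixes are the reason raw `%00` bytes show up in payloads that target non-public properties.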

 

Common magic methods involved in serialization:

__construct() is called when an object is created
__destruct() is called when an object is destroyed
__toString() is called when an object is used as a string
__sleep() is called on the object just before it is serialized
__wakeup() is called immediately after the object is deserialized

 

Selecting which object variables are serialized

The main magic method used for this is:

public array __sleep ( void )

* If the object being serialized has a __sleep() magic method, that method is invoked first; a class normally overrides this magic method to take advantage of it
* The method returns an array; its elements are the names of the object variables that should be serialized
* If it does not return any variable names, NULL is serialized and an error is raised
* The method cannot return the names of private member variables of the parent class; doing so raises an error, and the Serializable interface can be used instead
* It is commonly used for clean-up work and to avoid storing large objects or redundant data
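The following added example (not code from the original post) puts __sleep() and __wakeup() together: __sleep() keeps only the properties worth storing, and __wakeup() rebuilds the transient state that was dropped. The CachedQuery class and its fake connection handle are inventions for the example; a real class would hold a database or file resource there.

```php
<?php
// Added example (not from the original post): choosing which properties are
// stored with __sleep() and rebuilding transient state with __wakeup().
// CachedQuery and its "handle" are stand-ins invented for this example.
class CachedQuery
{
    public $sql;
    public $rows;          // large result set; deliberately not stored
    private $handle;       // resource-like state that cannot be serialized
    private $log = [];

    public function __construct($sql)
    {
        $this->sql = $sql;
        $this->connect();
    }

    private function connect()
    {
        // Stand-in for acquiring a real DB/resource handle.
        $this->handle = 'conn#' . mt_rand(1000, 9999);
        $this->log[] = 'connected ' . $this->handle;
    }

    // Called before serialize(): return ONLY the property names to keep.
    // A name that does not exist would be serialized as N with an E_NOTICE.
    public function __sleep()
    {
        $this->log[] = '__sleep';
        return ['sql', 'log'];
    }

    // Called right after unserialize(): recreate what __sleep() dropped.
    // Note that __construct() is NOT run on deserialization.
    public function __wakeup()
    {
        $this->log[] = '__wakeup';
        $this->connect();
    }

    public function getLog()    { return $this->log; }
    public function hasHandle() { return $this->handle !== null; }
}

$q = new CachedQuery('SELECT 1');
$q->rows = range(1, 1000);

$s = serialize($q);
echo str_replace("\0", '\0', $s), PHP_EOL;   // contains "sql" and "log" only

$copy = unserialize($s);
var_dump($copy->rows === null);              // true: dropped by __sleep()
var_dump($copy->hasHandle());                // true: rebuilt by __wakeup()
print_r($copy->getLog());                    // connected, __sleep, __wakeup, connected
```

The serialized string contains neither `rows` nor `handle`, so the 1000-element result set never reaches the cache, and the copy comes back with a fresh handle because __wakeup() ran connect() again. This is also the reason __wakeup() matters to an attacker: it is the one piece of class code that unserialize() runs on a string it was handed, and it runs without __construct().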

 

0x02 Deserialization

Serialization saves the object as a string; correspondingly, PHP provides a deserialization function:

mixed unserialize ( string $str )

* If the string cannot be deserialized, it returns false and raises an error
* If the string can be deserialized, the result has whichever of the types in the serialization format above was stored
* If the deserialized variable is an object, then after the object has been reconstructed PHP checks for a __wakeup() magic method and, if present, calls it
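The three points above, as an added example that is not part of the original post. It assumes PHP 7.0 or later for the second unserialize() argument, and the Greeter class and the sample strings are constructed for the example.

```php
<?php
// Added example (not from the original post): what unserialize() returns on
// malformed input, when __wakeup() fires, and how the allowed_classes option
// (PHP >= 7.0) limits which classes a string is permitted to instantiate.
class Greeter
{
    public $name = 'anon';
    public function __wakeup()
    {
        echo "__wakeup() for ", $this->name, PHP_EOL;
    }
}

function tryUnserialize($str, array $opts = [])
{
    // unserialize() reports malformed input with a notice/warning and returns
    // false; the @ keeps the return value as the thing we inspect. The only
    // well-formed input that also yields false is the literal 'b:0;'.
    $v = @unserialize($str, $opts);
    return ($v === false && $str !== 'b:0;') ? 'FAILED' : $v;
}

// 1. Malformed strings -> false: wrong string length, then an array that
//    announces 2 elements but contains 1.
var_dump(tryUnserialize('s:5:"abc";'));
var_dump(tryUnserialize('a:2:{i:0;i:1;}'));

// 2. A well-formed object string (constructed here): the class is
//    instantiated WITHOUT running __construct(), then __wakeup() is called.
$payload = 'O:7:"Greeter":1:{s:4:"name";s:5:"alice";}';
$g = tryUnserialize($payload);
var_dump($g instanceof Greeter);

// 3. Untrusted input: forbid object creation entirely. The result is a
//    __PHP_Incomplete_Class and __wakeup() does not run.
$blocked = tryUnserialize($payload, ['allowed_classes' => false]);
var_dump(get_class($blocked));

// 4. Or allow only an explicit whitelist of classes.
$ok = tryUnserialize($payload, ['allowed_classes' => ['Greeter']]);
var_dump($ok instanceof Greeter);
```

Cases 3 and 4 are the practical check for any string that arrives from a cookie, request parameter or cache entry an attacker might write to: with `allowed_classes` set, the data still round-trips, but no application class (and therefore no __wakeup() or __destruct() code) is reachable from the string.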

 

0x03 Uses of serialization and deserialization

Serialization and deserialization are generally used to cache data, for example in cookies and session caches. Another example: a class in a project holds many variables; if the instance is not destroyed, its variables keep changing, and instantiating the class again every time it is needed wastes system resources. The object can instead be serialized and stored as a string, then deserialized when it is next needed.

Serialization and deserialization are used a great deal in Java as well, for example with JSON data.
The main functions used for this in PHP are:
json_encode()
json_decode()
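As an added example (not code from the original post), the following contrasts serialize()/unserialize() with json_encode()/json_decode() for the cache and session use case described above. The Session class is made up for the example.

```php
<?php
// Added example (not from the original post): serialize() vs json_encode()
// for cached/session data. JSON keeps the values but not the PHP class, so
// decoding it can never instantiate application classes or run __wakeup().
class Session
{
    public $user = 'alice';
    public $roles = ['editor'];
    private $token = 'secret';          // not included by json_encode()

    public function __wakeup() { echo "__wakeup() ran", PHP_EOL; }
}

$s = new Session();

$native = serialize($s);                 // O:7:"Session":3:{...}
$json   = json_encode($s);               // {"user":"alice","roles":["editor"]}

$fromNative  = unserialize($native);     // Session object, __wakeup() runs
$fromJson    = json_decode($json);       // stdClass, no class code runs
$fromJsonArr = json_decode($json, true); // plain associative array

echo $native, PHP_EOL, $json, PHP_EOL;
var_dump(get_class($fromNative));        // "Session"
var_dump(get_class($fromJson));          // "stdClass"
var_dump(is_array($fromJsonArr));        // true
var_dump($fromJson->roles === $s->roles);// true: the data survives
```

json_encode() only emits public properties and json_decode() only ever produces stdClass, arrays and scalars, which is exactly why JSON is the safer choice for data that crosses a trust boundary, at the cost of losing the class identity and private state that serialize() preserves.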

All in all, serialization turns a project's objects into a byte stream, and deserialization turns it back, which makes them convenient to store and to call up again.

 

So far this covers only the basic knowledge of serialization and deserialization; the next step is to study some CTF examples of deserialization vulnerabilities to gain a deeper understanding of deserialization.

Source: www.cnblogs.com/CubicZ/p/11348540.html