安恒429|web 3 session反序列化
之所以单独的把他拿出来呢,是因为之前接触到的反序列化的洞和题目已经挺多了的,包括p总出的三个白帽啊,某ctf的一些题目都涉及到这个方面的东西。
但是呢,在这道题目里找到了一些新的东西,值得自己思考一下
参考了资料 http://drops.wooyun.org/tips/3909
和p总的提示:
session的序列化是指,存储到session文件中的是经过序列化的字符串,而我们能访问到的$_SESSION是已经被解析的变量
首先我们要了解,php在session存储和读取数据时,都会有一个序列化和反序列化的过程。
而反序列化中会调用对象的magic方法,比如__destruct(),__wakeup()等,都是很常见的东西,不予赘述了。
那么这里有一个配置选项 session.serialize_handler
可以用ini_set或者在php.ini中加以设置
有下面几种用于处理序列化的处理器类型
处理器 对应的存储格式
php 键名 + 竖线 + 经过 serialize() 函数反序列处理的值
php_binary 键名的长度对应的 ASCII 字符 + 键名 + 经过 serialize() 函数反序列处理的值
php_serialize
(php>=5.5.4) 经过 serialize() 函数反序列处理的数组
对于php处理器,如果我们先用php_serialize加以序列化,那么对于这样的一个字符串
a:1:{s:4:"test";s:20:"|O:8:"stdClass":0:{}";}
最后会被解释为:键名为 a:1:{s:4:"test";s:20:"的一个对象
而php处理器序列化,则是把$_SESSION的每个键值都 单独拿出来,比如$_SESSION['test']
就是test|序列化的值
而php_serialize则会直接将整个session数组序列化。最后存储的是一整个数组的序列化数值
那么这样就好理解了,如果在处理器session.serialize_handler=php_serialize的情况下
我们构造带有竖线的字符串,在其他处理器为php的地方,就可以反序列化出伪造的对象。
而我们这里明显是需要去操作session的,文章中为了测试使用的是
$_SESSION['ryat'] = $_GET['ryat'];
然而很多时候没有这个条件的,怎么办呢
http://php.net/manual/zh/session.upload-progress.php
php为了提供一个上传进度的数据
$n=ini_get("session.upload_progress.name");
会把它存储在$_SESSION["$n"] 当中。
这样我们构造一个文件上传页,就可以成功写入session了
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
Working with Flash Session Data in Laravel
Mar 12, 2025 pm 05:08 PM
Laravel simplifies handling temporary session data using its intuitive flash methods. This is perfect for displaying brief messages, alerts, or notifications within your application. Data persists only for the subsequent request by default: $request-
cURL in PHP: How to Use the PHP cURL Extension in REST APIs
Mar 14, 2025 am 11:42 AM
The PHP Client URL (cURL) extension is a powerful tool for developers, enabling seamless interaction with remote servers and REST APIs. By leveraging libcurl, a well-respected multi-protocol file transfer library, PHP cURL facilitates efficient execution of various network protocols, including HTTP, HTTPS, and FTP. This extension offers granular control over HTTP requests, supports multiple concurrent operations, and provides built-in security features.
Simplified HTTP Response Mocking in Laravel Tests
Mar 12, 2025 pm 05:09 PM
Laravel provides concise HTTP response simulation syntax, simplifying HTTP interaction testing. This approach significantly reduces code redundancy while making your test simulation more intuitive. The basic implementation provides a variety of response type shortcuts: use Illuminate\Support\Facades\Http; Http::fake([ 'google.com' => 'Hello World', 'github.com' => ['foo' => 'bar'], 'forge.laravel.com' =>
12 Best PHP Chat Scripts on CodeCanyon
Mar 13, 2025 pm 12:08 PM
Do you want to provide real-time, instant solutions to your customers' most pressing problems? Live chat lets you have real-time conversations with customers and resolve their problems instantly. It allows you to provide faster service to your custom
Discover File Downloads in Laravel with Storage::download
Mar 06, 2025 am 02:22 AM
The Storage::download method of the Laravel framework provides a concise API for safely handling file downloads while managing abstractions of file storage. Here is an example of using Storage::download() in the example controller:
PHP Logging: Best Practices for PHP Log Analysis
Mar 10, 2025 pm 02:32 PM
PHP logging is essential for monitoring and debugging web applications, as well as capturing critical events, errors, and runtime behavior. It provides valuable insights into system performance, helps identify issues, and supports faster troubleshoot
Explain the concept of late static binding in PHP.
Mar 21, 2025 pm 01:33 PM
Article discusses late static binding (LSB) in PHP, introduced in PHP 5.3, allowing runtime resolution of static method calls for more flexible inheritance.Main issue: LSB vs. traditional polymorphism; LSB's practical applications and potential perfo
How to Register and Use Laravel Service Providers
Mar 07, 2025 am 01:18 AM
Laravel's service container and service providers are fundamental to its architecture. This article explores service containers, details service provider creation, registration, and demonstrates practical usage with examples. We'll begin with an ove
