PHP deserialization detailed analysis of character escape

This article brings you relevant knowledge about PHP, which mainly introduces the related issues about deserialization character escape. The string after PHP serialization has been replaced or modified, resulting in When the string length changes, it is always serialized first and then replaced and modified. Let's take a look at it together. I hope it will be helpful to everyone.

Recommended study: "PHP Video Tutorial"

Essence: Closed
Category: More characters, fewer characters
Common points:

1. The string serialized by php has been replaced or modified, resulting in a change in the length of the string
2. Always serialize first, then perform the replacement and modification operation

Classification

Increased characters

• Idea:
  According to the string format after serialization And characteristics, the number of characters identifies the length to be recognized later
  To modify an attribute, it must be replaced, which can be controlled by the passed in string
  To close the preceding double quotes, pass it into the following The character to be constructed
  However, the length of the previous string does not match at this time, and the construction is invalid
  Solution: According to the change in the length of the replacement character, squeeze the constructed string out of the length range and become the next part
  (use The length transformation during replacement fills the gaps in the injected string)
• tips:

1. Judge that each character will have x more characters after filtering than the original
2. Determine the length n of the target substring to be injected
3. The injected characters are repeated n/x times, and the injected characters are included (the length of the construction code ÷the number of extra characters)

• Example:
  Goal: Modify a value in the object, for example, age needs to be changed to 20

<?php function filter($string){
    $filter = &#39;/p/i&#39;;
    return preg_replace($filter,&#39;WW&#39;,$string);
}
$username = &#39;purplet&#39;;
$age = "10";
$user = array($username,$age);

var_dump(serialize($user));
echo "<pre class="brush:php;toolbar:false">";
$r = filter(serialize($user));
var_dump($r);
var_dump(unserialize($r));
?>

The following part can be recorded as a template, output it first when doing the question

var_dump(serialize($user));    # 序列化
echo "<pre class="brush:php;toolbar:false">";
$r = filter(serialize($user)); # 替换后序列化
var_dump($r);
var_dump(unserialize($r));     # 打印反序列化

It can be observed that each substitution changes p to ww, that is, one more character is added each time
This leads to length allocation read errors and output errors during deserialization
Therefore, consider constructing character escape through the nature of its length reading

To change 10 to 20, first determine the string to be constructed later:

原字符串：";i:1;s:2:"10";}
目标子串：";i:1;s:2:"20";}

Determine the length: 16 (that is, pass in The string needs 16 more characters to put these characters into the next attribute)
Each time there is 1 more character, so 16 p
is needed, so pass in:

Result output:

Character reduction

Value escape

Value filtering, the first value includes the last key and value (up to the left bracket)

• Example
  Goal: change age to 20

<?php function filter($string){
    $filter = &#39;/pp/i&#39;;
    return preg_replace($filter,&#39;W&#39;,$string);
}
$username = "ppurlet"
$age = "10";
$user = array($username,$age);

var_dump (serialize($user));    # 序列化
echo "<pre class="brush:php;toolbar:false">";
$r = filter(serialize($user)); # 替换后序列化
var_dump ($r);
var_dump (unserialize($r));     # 打印反序列
?>

is similar to the above code, except that 2 p's are replaced by one w, and the characters are reduced by
If the same value does not correspond, deserialization will fail

username: code required to construct escape
age: construct escape code

A Followed by the incoming age string, calculate the construction length

, which is to occupy these 13 characters
Every 2 p's become 1 w, which is equivalent to escaping one bit. Therefore, enter 13*2=26 p, the character length identifier is 26, which becomes 13 w, and the next 13 characters account for the remaining 13 bits

payload:

username='pppppppppppppppppppppppppp'
age=A";i:1;s:2:"20";}

Summary

1. Increased characters
   1. Look at the length from the quotation mark after the end of the first parameter to the last right bracket (target string) n
   2. Look at each replacement increment
   #Construct with the second parameter
   3. Set the closure at the beginning: A" (we will consider how to construct it later)
Look at how many characters there are from the right quotation mark after the first parameter to A n
2. Replacement reduces x characters
   1. Create object:
   2. The first parameter is passed in n*(x 1) replacement characters
   The second parameter is passed in the constructor String
   5. Recommended learning: "
      PHP Video Tutorial
      "

The above is the detailed content of PHP deserialization detailed analysis of character escape. For more information, please follow other related articles on the PHP Chinese website!