PHP反序列化漏洞之常见魔术方法详解<\/h1>

一、魔术方法概述<\/h2>
PHP中的魔术方法是以双下划线`__<\/code>开头的方法，它们在特定情况下会被自动调用。这些方法在反序列化漏洞利用中扮演着重要角色。<\/p>`

二、构造与析构方法<\/h2>
1. __construct()<\/code><\/h3>

作用<\/strong>：在创建对象时自动调用的构造方法<\/li>
特点<\/strong>：

最先执行的方法<\/li>
用于初始化对象属性<\/li>
<\/ul>
<\/li>
<\/ul>
class<\/span> test<\/span> {
<\/span><\/span>    function<\/span> __construct($filename, $data) {
<\/span><\/span>        $this-><\/span>filename<\/span> =<\/span> $filename;
<\/span><\/span>        $this-><\/span>data<\/span> =<\/span> $data;
<\/span><\/span>        echo<\/span> 'construct function in test class'<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>$a =<\/span> new<\/span> test<\/span>('test.txt'<\/span>, 'data'<\/span>);
<\/span><\/span><\/code><\/pre>2. __destruct()<\/code><\/h3>

作用<\/strong>：在对象销毁时自动调用的析构方法<\/li>
特点<\/strong>：

最后执行的方法<\/li>
常用于资源释放、文件操作等<\/li>
<\/ul>
<\/li>
<\/ul>
class<\/span> test<\/span> {
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        echo<\/span> 'destruct function in test class'<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>三、属性重载方法<\/h2>
1. __set()<\/code><\/h3>

触发条件<\/strong>：给不可访问或不存在的属性赋值时调用<\/li>
参数<\/strong>：$key<\/code>(属性名), $value<\/code>(属性值)<\/li>
<\/ul>
2. __get()<\/code><\/h3>

触发条件<\/strong>：读取不可访问或不存在的属性时调用<\/li>
参数<\/strong>：$key<\/code>(属性名)<\/li>
<\/ul>
3. __isset()<\/code><\/h3>

触发条件<\/strong>：对不可访问或不存在的属性调用isset()<\/code>或empty()<\/code>时<\/li>
参数<\/strong>：$key<\/code>(属性名)<\/li>
<\/ul>
4. __unset()<\/code><\/h3>

触发条件<\/strong>：对不可访问或不存在的属性调用unset()<\/code>时<\/li>
参数<\/strong>：$key<\/code>(属性名)<\/li>
<\/ul>
class<\/span> test<\/span> {
<\/span><\/span>    private<\/span> $data =<\/span> array<\/span>();
<\/span><\/span>    
<\/span><\/span>    function<\/span> __set($key, $value) {
<\/span><\/span>        $this-><\/span>data<\/span>[$key] =<\/span> $value;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> __get($key) {
<\/span><\/span>        return<\/span> $this-><\/span>data<\/span>[$key] ??<\/span> null<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> __isset($key) {
<\/span><\/span>        return<\/span> isset<\/span>($this-><\/span>data<\/span>[$key]);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> __unset($key) {
<\/span><\/span>        unset<\/span>($this-><\/span>data<\/span>[$key]);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>四、方法重载方法<\/h2>
1. __call()<\/code><\/h3>

触发条件<\/strong>：调用不可访问或不存在的方法时<\/li>
参数<\/strong>：$funcname<\/code>(方法名), $args<\/code>(参数数组)<\/li>
<\/ul>
2. __callStatic()<\/code><\/h3>

触发条件<\/strong>：调用不可访问或不存在的静态方法时<\/li>
参数<\/strong>：$funcname<\/code>(方法名), $args<\/code>(参数数组)<\/li>
<\/ul>
class<\/span> test<\/span> {
<\/span><\/span>    function<\/span> __call($funcname, $args) {
<\/span><\/span>        echo<\/span> "Called <\/span>$funcname<\/span> with args: "<\/span>.<\/span>implode<\/span>(', '<\/span>, $args);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    static<\/span> function<\/span> __callStatic($funcname, $args) {
<\/span><\/span>        echo<\/span> "Static called <\/span>$funcname<\/span> with args: "<\/span>.<\/span>implode<\/span>(', '<\/span>, $args);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>五、序列化相关方法<\/h2>
1. __sleep()<\/code><\/h3>

触发条件<\/strong>：在对象被序列化(serialize()<\/code>)时调用<\/li>
作用<\/strong>：返回需要被序列化的属性名数组<\/li>
用途<\/strong>：清理或选择需要保存的数据<\/li>
<\/ul>
2. __wakeup()<\/code><\/h3>

触发条件<\/strong>：在对象被反序列化(unserialize()<\/code>)时调用<\/li>
用途<\/strong>：常用于重新建立数据库连接或执行其他初始化操作<\/li>
漏洞利用<\/strong>：反序列化漏洞的关键切入点<\/li>
<\/ul>
class<\/span> test<\/span> {
<\/span><\/span>    function<\/span> __sleep() {
<\/span><\/span>        return<\/span> ['filename'<\/span>, 'data'<\/span>]; \/\/ 指定需要序列化的属性
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    function<\/span> __wakeup() {
<\/span><\/span>        \/\/ 反序列化后执行的操作
<\/span><\/span><\/span><\/span>        \/\/ 漏洞利用常在此处构造恶意代码
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>3. __toString()<\/code><\/h3>

触发条件<\/strong>：当对象被当作字符串使用时<\/li>
用途<\/strong>：定义对象的字符串表示形式<\/li>
漏洞利用<\/strong>：常用于触发其他魔术方法或执行代码<\/li>
<\/ul>
class<\/span> test<\/span> {
<\/span><\/span>    function<\/span> __toString() {
<\/span><\/span>        return<\/span> $this-><\/span>data<\/span>; \/\/ 返回对象的字符串表示
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>六、反序列化漏洞利用要点<\/h2>


关键方法<\/strong>：<\/p>

__wakeup()<\/code>：反序列化时自动执行，是主要攻击入口<\/li>
__destruct()<\/code>：对象销毁时执行，也是常见攻击点<\/li>
<\/ul>
<\/li>

利用链构造<\/strong>：<\/p>

通过控制序列化数据中的属性值<\/li>
触发魔术方法中的危险操作（如文件操作、代码执行等）<\/li>
<\/ul>
<\/li>

典型利用代码<\/strong>：<\/p>
<\/li>
<\/ol>
class<\/span> Exploit<\/span> {
<\/span><\/span>    public<\/span> $filename;
<\/span><\/span>    public<\/span> $data;
<\/span><\/span>    
<\/span><\/span>    function<\/span> __wakeup() {
<\/span><\/span>        file_put_contents<\/span>($this-><\/span>filename<\/span>, $this-><\/span>data<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$payload =<\/span> serialize<\/span>(new<\/span> Exploit<\/span>());
<\/span><\/span>unserialize<\/span>($payload); \/\/ 触发文件写入操作
<\/span><\/span><\/span><\/code><\/pre>七、防御措施<\/h2>

不要反序列化不可信的输入<\/li>
使用json_encode()<\/code>\/json_decode()<\/code>替代序列化<\/li>
实现严格的输入验证<\/li>
对魔术方法中的敏感操作进行权限检查<\/li>
<\/ol>
通过深入理解这些魔术方法的触发条件和执行顺序，可以更好地分析和利用PHP反序列化漏洞。<\/p>

PHP反序列化漏洞之常见魔术方法详解<\/h1>

一、魔术方法概述<\/h2> PHP中的魔术方法是以双下划线__<\/code>开头的方法，它们在特定情况下会被自动调用。这些方法在反序列化漏洞利用中扮演着重要角色。<\/p>

三、属性重载方法<\/h2>

四、方法重载方法<\/h2>

五、序列化相关方法<\/h2>

一、魔术方法概述<\/h2>
PHP中的魔术方法是以双下划线`__<\/code>开头的方法，它们在特定情况下会被自动调用。这些方法在反序列化漏洞利用中扮演着重要角色。<\/p>`