解析PHP对象流入漏洞-PHP Tutorial-php.cn

Home

Backend Development

PHP Tutorial

解析PHP对象流入漏洞

WBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWBOYWB

Jun 13, 2016 pm 12:14 PM

nbspquotunserializeuser

解析PHP对象注入漏洞

0、前言

逛乌云知识库的时候看到一篇有趣的译文：http://drops.wooyun.org/papers/4820。

说的是一种注入方式，叫对象注入。对象也能注入？

是的，只要是存在污染数据，没有什么是不可能注入的，但是这个漏洞有点太古怪了，所以我觉得有趣。

1、原理

在程序编写的时候，往往需要序列化一些运行时数据，所谓序列化就是按照一定的格式将运行时数据写入本地文件。这样做可以对数据进行本地保存，用的时候直接读文件就可以把运行时产生的数据读出。在PHP中就是serialize和unserialize函数了。

能够注入的原理就是在反序列化的时候，引入了污染数据造成的，比如：

$obj = unserialize($_GET[‘injection’]) ;

通过这个语句，我们可以自己按照序列化数据的格式进行构造，得到我们想要的对象$obj。

有人就要问了，你仅仅得到这个对象$obj有啥用？先看看下面的实例。

2、情景

该情景也是来源于译文中的demo，这里还原一下：

<?php header("Content-type:text/html;charset=UTF-8");// … 一些include ...class FileClass{    // 文件名     public $filename = "error.log";     //当对象被作为一个字符串会读取这个文件     public function __toString()    {        echo "filename发生了变化==>" . $this->filename ;        return file_get_contents($this->filename) ;                    }} // Main User class class User{    // Class data     public $age = 0;    public $name = '';     // 允许对象作为一个字符串输出上面的data     public function __toString()    {        return 'User ' . $this->name . ' is ' . $this->age . ' years old. <br>';    }} // 用户可控 $obj = unserialize($_GET['usr_serialized']); // 输出 __toStringvar_dump($obj) ;echo $obj;?>

上面的代码是从用户可控的数据获取一个序列化数据，然后调用unserialize方法对$_GET['usr_serialized']进行反序列化，那么这个$obj就可以被我们控制了。

正常的方式是提交：

http://127.0.0.1/code/objin.php?usr_serialized=O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}

上面的序列化数据是一个User类的对象，其中$age=20, $name=John。

这时，echo $obj ;直接echo对象，就能调用魔术方法__toString，在User类中已经对这个魔术方法进行了重载，即输出一段字符串，运行效果如下：

上面的代码是从用户可控的数据获取一个序列化数据，然后调用unserialize方法对$_GET['usr_serialized']进行反序列化，那么这个$obj就可以被我们控制了。

正常的方式是提交：

http://127.0.0.1/code/objin.php?usr_serialized=O:4:"User":2:{s:3:"age";i:20;s:4:"name";s:4:"John";}

上面的序列化数据是一个User类的对象，其中$age=20, $name=John。

这时，echo $obj ;直接echo对象，就能调用魔术方法__toString，在User类中已经对这个魔术方法进行了重载，即输出一段字符串，运行效果如下：

3、漏洞挖掘

这类漏洞相当隐蔽，但是一旦出现效果很到位。挖掘主要是找找unserialize函数中的参数是否是污染数据。找到相应的控制位置，再看看哪个类可以利用起来完成我们的攻击，比如本情景中的FileClass类。

Statement

The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn

PHP Performance Tuning for High Traffic WebsitesMay 14, 2025 am 12:13 AM

ThesecrettokeepingaPHP-poweredwebsiterunningsmoothlyunderheavyloadinvolvesseveralkeystrategies:1)ImplementopcodecachingwithOPcachetoreducescriptexecutiontime,2)UsedatabasequerycachingwithRedistolessendatabaseload,3)LeverageCDNslikeCloudflareforservin

Dependency Injection in PHP: Code Examples for BeginnersMay 14, 2025 am 12:08 AM

You should care about DependencyInjection(DI) because it makes your code clearer and easier to maintain. 1) DI makes it more modular by decoupling classes, 2) improves the convenience of testing and code flexibility, 3) Use DI containers to manage complex dependencies, but pay attention to performance impact and circular dependencies, 4) The best practice is to rely on abstract interfaces to achieve loose coupling.

PHP Performance: is it possible to optimize the application?May 14, 2025 am 12:04 AM

Yes,optimizingaPHPapplicationispossibleandessential.1)ImplementcachingusingAPCutoreducedatabaseload.2)Optimizedatabaseswithindexing,efficientqueries,andconnectionpooling.3)Enhancecodewithbuilt-infunctions,avoidingglobalvariables,andusingopcodecaching

PHP Performance Optimization: The Ultimate GuideMay 14, 2025 am 12:02 AM

ThekeystrategiestosignificantlyboostPHPapplicationperformanceare:1)UseopcodecachinglikeOPcachetoreduceexecutiontime,2)Optimizedatabaseinteractionswithpreparedstatementsandproperindexing,3)ConfigurewebserverslikeNginxwithPHP-FPMforbetterperformance,4)

PHP Dependency Injection Container: A Quick StartMay 13, 2025 am 12:11 AM

APHPDependencyInjectionContainerisatoolthatmanagesclassdependencies,enhancingcodemodularity,testability,andmaintainability.Itactsasacentralhubforcreatingandinjectingdependencies,thusreducingtightcouplingandeasingunittesting.

Dependency Injection vs. Service Locator in PHPMay 13, 2025 am 12:10 AM

Select DependencyInjection (DI) for large applications, ServiceLocator is suitable for small projects or prototypes. 1) DI improves the testability and modularity of the code through constructor injection. 2) ServiceLocator obtains services through center registration, which is convenient but may lead to an increase in code coupling.

PHP performance optimization strategies.May 13, 2025 am 12:06 AM

PHPapplicationscanbeoptimizedforspeedandefficiencyby:1)enablingopcacheinphp.ini,2)usingpreparedstatementswithPDOfordatabasequeries,3)replacingloopswitharray_filterandarray_mapfordataprocessing,4)configuringNginxasareverseproxy,5)implementingcachingwi

PHP Email Validation: Ensuring Emails Are Sent CorrectlyMay 13, 2025 am 12:06 AM

PHPemailvalidationinvolvesthreesteps:1)Formatvalidationusingregularexpressionstochecktheemailformat;2)DNSvalidationtoensurethedomainhasavalidMXrecord;3)SMTPvalidation,themostthoroughmethod,whichchecksifthemailboxexistsbyconnectingtotheSMTPserver.Impl

See all articles