Home > Article > Backend Development > PHP brief analysis of deserialization structure knowledge points
This article mainly introduces you to the relevant knowledge about PHP. Serialization is actually converting data into a reversible data structure. Naturally, the reverse process is called deserialization. PHP uses two functions to serialize and deserialize data: serialize formats the object into an ordered string, and unserialize restores the string to the original object. I hope it will be helpful to everyone.
(Recommended tutorial: PHP video tutorial)
The purpose of serialization is to facilitate data Transmission and storage. In PHP, serialization and deserialization are generally used for caching, such as session caching, cookies, etc.
__wakeup() //When executing unserialize(), this function will be called first
__sleep() //When executing serialize(), this function will be called first
__destruct() //Triggered when the object is destroyed
__call() //Triggered when an inaccessible method is called in an object context
__callStatic() //Triggered when an inaccessible method is called in a static context
__get() //This method will be called when reading data from inaccessible attributes or if the key does not exist
__set() / /Used to write data to inaccessible properties
\x00*\x00
abc
<?php class test{ protected $a; public function __construct(){ $this->a = 'abc'; } public function __destruct(){ echo $this->a; } } unserialize('O:4:"test":1:{s:1:"a";s:3:"abc";}');
even if there is no
\x00*\x00 Bypass_wakeup(CVE-2016-7124)Version:PHP5 < 5.6.25PHP7 < 7.0.10Exploit Method: When the value representing the number of object attributes in the serialized string is greater than the actual number of attributes, the execution of __wakeup will be skipped For a custom class like the following<?php class test{ public $a; public function __construct(){ $this->a = 'abc'; } public function __wakeup(){ $this->a='666'; } public function __destruct(){ echo $this->a; } }If executed
unserialize('O:4:"test":1:{s:1:"a";s:3:"abc";}');The output result is
666
unserialize('O:4:"test":2:{s:1:"a";s:3:"abc"; }');The output result is
abc
preg_match('/^O:\d /')Match whether the serialized string starts with an object string. This has been a similar test point in the previous CTF.
serialize(array(a ) ) ; / / a));//a));//a is the object to be deserialized (the serialization result starts with a, not Affects the destruction of $a as an array element)
<?php class test{ public $a; public function __construct(){ $this->a = 'abc'; } public function __destruct(){ echo $this->a.PHP_EOL; } } function match($data){ if (preg_match('/^O:\d+/',$data)){ die('you lose!'); }else{ return $data; } } $a = 'O:4:"test":1:{s:1:"a";s:3:"abc";}'; // +号绕过 $b = str_replace('O:4','O:+4', $a); unserialize(match($b)); // serialize(array($a)); unserialize('a:1:{i:0;O:4:"test":1:{s:1:"a";s:3:"abc";}}');Using the reference
<?php class test{ public $a; public $b; public function __construct(){ $this->a = 'abc'; $this->b= &$this->a; } public function __destruct(){ if($this->a===$this->b){ echo 666; } } } $a = serialize(new test());
$b to the reference of
$a, You can make
$a always equal to
$b
The above is the detailed content of PHP brief analysis of deserialization structure knowledge points. For more information, please follow other related articles on the PHP Chinese website!