{"id":112,"date":"2022-02-22T23:16:43","date_gmt":"2022-02-22T15:16:43","guid":{"rendered":"http:\/\/54.254.190.68\/note\/?p=112"},"modified":"2024-04-14T11:22:53","modified_gmt":"2024-04-14T03:22:53","slug":"insecure-deserialization","status":"publish","type":"post","link":"https:\/\/systw.net\/note\/archives\/112","title":{"rendered":"Insecure Deserialization"},"content":{"rendered":"\n

\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u554f\u984c<\/h4>\n

\u99ed\u5ba2\u5c07\u653b\u64ca\u5b57\u4e32\u6ce8\u5165\u5e8f\u5217\u5316\u7684\u7d50\u69cb\u4e2d\uff0c\u4f7f\u5f97\u7db2\u7ad9\u4f3a\u670d\u5668\u89e3\u6790\u5f8c\u51fa\u73fe\u975e\u9810\u671f\u7684\u7d50\u679c\uff0c\u4e26\u57f7\u884c\u99ed\u5ba2\u6307\u5b9a\u7684\u884c\u70ba
\n\u00a0<\/p>\n

\u6f0f\u6d1e\u6210\u56e0<\/h4>\n

\u7531\u65bc\u958b\u767c\u8a8d\u70ba\u7528\u6236\u7121\u6cd5\u8b80\u53d6\u6216\u64cd\u5f04\u9019\u4e9b\u8f03\u5e95\u5c64\u7684\u6578\u64da\uff0c\u6240\u4ee5\u6703\u8a8d\u70ba\u53cd\u5e8f\u5217\u5316\u662f\u53ef\u4fe1\u4efb\u7684\uff0c\u56e0\u6b64\u6c92\u6709\u5c0d\u8f38\u5165\u7684\u5167\u5bb9\u505a\u6821\u6aa2
\n\u00a0<\/p>\n

\u6f0f\u6d1e\u5f71\u97ff<\/h4>\n

\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u5f71\u97ff\u975e\u5e38\u56b4\u91cd\uff0c\u56e0\u70ba\u5b83\u53ef\u4ee5\u5f71\u97ff\u5f8c\u7aef\u7684\u5224\u65b7\u884c\u70ba \uff0c\u5c0e\u81f4\u6b0a\u9650\u63d0\u5347\uff0c\u4efb\u610f\u6587\u4ef6\u5b58\u53d6\uff0c\u963b\u65b7\u670d\u52d9\u653b\u64ca\u7b49\u6f0f\u6d1e\uff0c \u5982\u679c\u5728\u642d\u914d\u5176\u4ed6\u624b\u6cd5\u751a\u81f3\u5141\u8a31\u653b\u64ca\u8005\u88fd\u505a\u66f4\u591a\u5371\u96aa\u6f0f\u6d1e \uff0c\u50cf\u662fRCE\u9060\u7a0b\u57f7\u884c\u4ee3\u78bc
\n\u00a0<\/p>\n

\n

\u00a0<\/p>\n

\u540d\u8a5e\u89e3\u91cb<\/h4>\n

\u25cf \u5e8f\u5217\u5316(Serialization)<\/h5>\n

\u5c07Object\u8f49\u63db\u6210stream of byte\u7684\u904e\u7a0b
\n\u5c07\u8907\u96dc\u7684\u6578\u64da\u7d50\u69cb\u8f49\u63db\u70ba\u66f4\u6241\u5e73\u683c\u5f0f\u7684\u904e\u7a0b\uff0c\u5e38\u898b\u7684\u683c\u5f0f\u6709JSON\u3001YAML\u6216XML<\/p>\n

\n

ex:
\n\u4ee5php\u70ba\u4f8b\uff0c
\nobject\u5982\u4e0b
\n$user->name = \u201ccarlos\u201d; $user->isLoggedIn = false;<\/code>
\n\u900f\u904e serialize()\u8b8a\u6210stream of byte\u7684\u5167\u5bb9\u985e\u4f3c\u5982\u4e0b
\nO:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:0;}<\/code><\/p>\n<\/blockquote>\n

\u25cf \u53cd\u5e8f\u5217\u5316(Deserialization)<\/h5>\n

\u5c07stream of byte\u8f49\u63db\u6210Object\u7684\u904e\u7a0b<\/p>\n

\n

ps:
\n\u4ee5\u4e0a\u8ff0stream of byte\u70ba\u4f8b, \u8aaa\u660e\u5982\u4e0b
\n\u25cf O:4:\u201cUser\u201d – An object with the 4-character class name \u201cUser\u201d
\n\u25cf 2 – the object has 2 attributes
\n\u25cf s:4:\u201cname\u201d – The key of the first attribute is the 4-character string \u201cname\u201d
\n\u25cf s:6:\u201ccarlos\u201d – The value of the first attribute is the 6-character string \u201ccarlos\u201d
\n\u25cf s:10:\u201cisLoggedIn\u201d – The key of the second attribute is the 10-character string \u201cisLoggedIn\u201d
\n\u25cf b:0 – The value of the second attribute is the boolean value false<\/p>\n<\/blockquote>\n

\u25cf \u53cd\u5e8f\u5217\u5316\u554f\u984c(insecure Deserialization)<\/h5>\n

\u4fee\u6539stream of byte\u5c0e\u81f4\u5728\u8f49\u63db\u6210object\u5f8c\u5f71\u97ff\u5f8c\u7aef\u884c\u70ba<\/p>\n

\n

ex\uff1a
\n\u5047\u5982\u5f8c\u7aef\u7684\u908f\u8f2f\u5982\u4e0b<\/p>\n

if ($user->isLoggedIn === true) {\n\/\/ allow access to admin interface\n}\n<\/code><\/pre>\n
\u7576\u653b\u64ca\u8005\u5c07stream of byte\u7684b:0\u4fee\u6539\u70bab:1 \uff0c\u5982\u4e0b
\nO:4:"User":2:{s:4:"name":s:6:"carlos"; s:10:"isLoggedIn":b:1;}<\/code>
\n\u9001\u5230\u5f8c\u7aef\u8f49\u63db\u6210Object\u5f8c\uff0c\u5c31\u6703\u8b93\u5f8c\u7aef\u8a8d\u70ba\u662f\u4ee5\u767b\u5165\u72c0\u614b
\n\u56e0\u70bab:1 \u5728\u8f49\u63db\u5f8c\u5c31\u7b49\u65bc isLoggedIn= true,
\n\u00a0<\/p>\n<\/blockquote>\n
\n
\u00a0<\/p>\n
\u89e3\u6c7a\u65b9\u6cd5<\/h4>\n
\u4e00.\u5728\u958b\u767c\u6642\u675c\u7d55\u554f\u984c<\/h5>\n
*\u4e0d\u8981\u4fe1\u4efb\u7528\u6236\u50b3\u905e\u7684\u5e8f\u5217\u5316\u7d50\u679c \uff0c\u5728\u958b\u767c\u6642\u5c31\u8981\u5f9e\u4e0d\u76f8\u4fe1\u4f7f\u7528\u8005\u7684\u8f38\u5165\u4f86\u8a2d\u8a08\u6574\u500b\u904b\u4f5c\u6d41\u7a0b\u3002
\n*\u8981\u907f\u514d\u5c0d\u53cd\u5e8f\u5217\u5316\u6578\u64da\u932f\u8aa4\u6aa2\u67e5\uff0c\u6709\u4e9b\u958b\u767c\u6703\u5728\u53cd\u5e8f\u5217\u5316\u5f8c\u6aa2\u67e5\u6578\u64da\uff0c\u4f46\u9019\u7a2e\u6aa2\u67e5\u5b58\u5728\u6839\u672c\u6027\u7684\u7f3a\u9677\uff0c\u5728\u8a31\u591a\u60c5\u6cc1\u4e0b\uff0c\u9019\u5c0d\u65bc\u963b\u6b62\u653b\u64ca\u4f86\u8aaa\u70ba\u6642\u5df2\u665a<\/p>\n
\u4e8c\b.\u900f\u904e\u6aa2\u6e2c\u627e\u51fa\u554f\u984c<\/h5>\n
*\u8981\u67e5\u770b\u6240\u6709\u50b3\u905e\u5230\u7db2\u7ad9\u7684\u6240\u6709\u6578\u64da\uff0c\u4e26\u5617\u8a66\u8b58\u5225\u4efb\u4f55\u770b\u8d77\u4f86\u50cf\u5e8f\u5217\u5316\u6578\u64da\u7684\u5167\u5bb9\uff0c\u4e26\u6e2c\u8a66\u662f\u5426\u6709\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u554f\u984c
\n\u00a0
\n\u00a0
\n\u00a0
\nrefer
\nhttps:\/\/www.anquanke.com\/post\/id\/224769
\nhttps:\/\/portswigger.net\/web-security\/deserialization\/exploiting<\/p>\n<\/div>\n\n\n\n
<\/p>\n","protected":false},"excerpt":{"rendered":"","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"","fifu_image_alt":"","_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[38],"tags":[],"class_list":["post-112","post","type-post","status-publish","format-standard","hentry","category-serverside"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/112","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/comments?post=112"}],"version-history":[{"count":0,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/posts\/112\/revisions"}],"wp:attachment":[{"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/media?parent=112"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/categories?post=112"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/systw.net\/note\/wp-json\/wp\/v2\/tags?post=112"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}