062 deserialization vulnerability
2022-04-22 18:47:00 【Prison plan progress 50%】
One: Summary
First, what is serialization?
Simply put, the process of converting an object into a sequence of bytes that can be transported is called serialization.
And what is deserialization?
The process of restoring a byte sequence to an object is called deserialization.
Explanation from Baidu Encyclopedia:
Serialization is the process of converting the state information of an object into a form that can be stored or transmitted. During serialization, the object writes its current state to temporary or persistent storage. Later, the object's state can be read (deserialized) from the storage and the object recreated.
Two: Serialization and deserialization in PHP
The PHP deserialization vulnerability is also called PHP object injection. It is a very common class of vulnerability; although it is somewhat difficult to exploit, a successful exploit has very dangerous consequences. The root cause is that the program does not validate the serialized string supplied by the user, so the deserialization process can be maliciously controlled, leading to code execution, getshell and a series of other uncontrollable consequences. Deserialization vulnerabilities are not specific to PHP; they also exist in Java, Python and other languages, and the principle is basically the same.
Serialization and deserialization in PHP revolve around two functions, serialize() and unserialize(). Before introducing these two functions, let's look at a simple example.
A simple example:
We can use the encoding and decoding of JSON data to understand the process of serialization and deserialization. Although JSON data has nothing to do with deserialization vulnerabilities, this example helps to understand the concept.
The test code is as follows:
<?php
$stu = array('name' => 'xxx', 'age' => 18, 'sex' => true, 'score' => 90);
echo $stu;                      // an array cannot be printed directly; PHP outputs the word "Array"
echo "<hr />";
$stu_json = json_encode($stu);  // encode the array as a JSON string
echo $stu_json;
?>
We define an array. An array is an abstract data structure; to transmit it conveniently across platforms it can be JSON encoded. JSON data takes the form of key-value pairs. The browser page shows the following result:
Array
----------------------------------------
{"name":"xxx","age":18,"sex":true,"score":90}
Three: serialize demo
Serialization converts an abstract object into a string.
We can write a demo to illustrate the serialization process. First create a class (saved as classStu.php, which the following scripts include); the code is as follows:
<?php
class Stu{
    public $name;
    public $sex;
    public $age;
    public $score;
}
?>
The class is named Stu and has four member variables. Next we instantiate the class, that is, create an object, and assign values to its variables. The code is as follows:
<?php
include "classStu.php";
$stu1 = new Stu();
$stu1->name = "q_q";
$stu1->sex = true;
$stu1->age = 18;
$stu1->score = 90;
echo serialize($stu1);
?>
Finally we use serialize() to serialize the object $stu1 into a string. Such a string is easy to transfer and store. It looks as follows:
O:3:"Stu":4:{s:4:"name";s:3:"q_q";s:3:"sex";b:1;s:3:"age";i:18;s:5:"score";i:90;}
O:3:"Stu":4: // O stands for object, 3 is the length of the class name, 4 is the number of member variables in the object
s:4:"name";s:3:"q_q"; // s is a string followed by its length and value; b:1 is the boolean true; i:18 is an integer
Conversely, we can use the unserialize() function to deserialize a string back into an object. Because the string contains double quotes, a heredoc is used here to define the string. The code is as follows:
<?php
include "classStu.php";
$stu1 = <<<STR
O:3:"Stu":4:{s:4:"name";s:3:"q_q";s:3:"sex";b:1;s:3:"age";i:18;s:5:"score";i:90;}
STR;
$stu1 = unserialize($stu1);
var_dump($stu1);
?>
Run this script and we can see the deserialized object.
Four: Deserialization injection, case description
Create a new file loudong1.php with the following code:
<?php
# Create a class
class Test{
    public $str = 'xxx';
    function __destruct(){
        // echo "this is function __destruct()";
        @eval($this->str);
    }
}
# Create an object of the class and serialize it
$test = new Test();
# Get a string
echo serialize($test); # O:4:"Test":1:{s:3:"str";s:3:"xxx";}
echo "<hr />";
$test2 = serialize($test); # Hold the serialized string in a variable
# Deserialization: turn the serialized string back into an object
var_dump(unserialize($test2)); # object(Test)#2 (1) { ["str"]=> string(3) "xxx" }
?>
Next, the deserialization injection.
Create a new file loudong2.php with the following content:
<?php
class Test{
    public $str = 'xxx';
    function __destruct(){
        // echo "this is function __destruct()";
        @eval($this->str);
    }
}
$test = new Test();
echo serialize($test);
echo "<hr />";
$test2 = serialize($test); # The serialized object: O:4:"Test":1:{s:3:"str";s:3:"xxx";}
/** Deserialization injection: construct the serialized string O:4:"Test":1:{s:3:"str";s:10:"phpinfo();";}
    and pass it in the 777 parameter; phpinfo(); will then be executed **/
var_dump(unserialize($_GET[777]));
?>
Then access the following URL in the browser: http://192.168.100.250/code/loudong2.php?777=O:4:"Test":1:{s:3:"str";s:10:"phpinfo();";}
So why does this happen?
Why is the string we injected, [phpinfo();], executed as a PHP statement? Looking at the code, we find that the class has a function __destruct(), and this function calls eval on the variable $this->str.
But __destruct() is never called explicitly, so why is the statement inside it executed?
We find that when the instantiated object is destroyed, __destruct() is called automatically, and (with the echo line uncommented) it outputs the string [this is function __destruct()].
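The injection above works because unserialize() builds a Test object straight from user input. Below is an added defensive example (not code from the original article) showing two ways to stop that: refusing to instantiate any class, and only deserializing data the server itself signed. The class Test and property $str come from the article; safeUnserialize(), sign(), verifyAndUnserialize() and $secretKey are assumed names, and PHP 7.1 or later is assumed.

```php
<?php
// Added defensive example (not code from the original article). It shows two ways
// of stopping attacker-controlled input from being turned into a Test object.
// Class Test and property $str come from the article; safeUnserialize(), sign(),
// verifyAndUnserialize() and $secretKey are assumed names. Needs PHP >= 7.1.
class Test {
    public $str = 'xxx';
    function __destruct() {
        // The article has @eval($this->str) here; this copy only reports the call.
        echo "__destruct() ran with str=" . $this->str . "\n";
    }
}

// Constructed sample of the kind of payload the article passes in ?777=...
$untrusted = 'O:4:"Test":1:{s:3:"str";s:10:"phpinfo();";}';

// Mitigation 1: refuse to instantiate any class. Objects in the payload become
// __PHP_Incomplete_Class: their properties are kept, but the application class's
// __wakeup()/__destruct() can never run.
function safeUnserialize(string $data) {
    return unserialize($data, ['allowed_classes' => false]);
}
var_dump(get_class(safeUnserialize($untrusted)));  // string(22) "__PHP_Incomplete_Class"

// Mitigation 2: only unserialize data the server itself produced, proven by an HMAC
// that is checked before unserialize() is reached, and then only for an allow-list of classes.
$secretKey = 'REPLACE-WITH-RANDOM-SERVER-SIDE-SECRET';  // placeholder value

function sign(string $data, string $key): string {
    return hash_hmac('sha256', $data, $key) . '|' . $data;
}

function verifyAndUnserialize(string $signed, string $key) {
    [$mac, $data] = explode('|', $signed, 2) + [null, null];
    if ($data === null || !hash_equals(hash_hmac('sha256', $data, $key), $mac)) {
        return null;  // malformed or tampered: never call unserialize() on it
    }
    return unserialize($data, ['allowed_classes' => [Test::class]]);
}

$trusted = sign(serialize(new Test()), $secretKey);  // the temporary Test prints one __destruct() line
var_dump(verifyAndUnserialize($trusted, $secretKey) instanceof Test);  // bool(true), then __destruct() of that copy
$forged  = hash_hmac('sha256', $untrusted, 'wrong-key') . '|' . $untrusted;
var_dump(verifyAndUnserialize($forged, $secretKey));  // NULL: the payload is rejected without being parsed
```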
Magic methods:
Methods whose names begin with __ are PHP magic methods. Magic methods in a class are called automatically under certain circumstances. The main ones are as follows:
__construct() is called automatically when an object is created
__destruct() is called automatically when an object is destroyed
__call() is called when an inaccessible method is invoked on an object
__callStatic() is called when an inaccessible method is invoked in a static context
__get() is called when the value of an inaccessible property is read
__set() is called when a value is assigned to an inaccessible property
__isset() is called when isset() or empty() is called on an inaccessible property
__unset() is called when unset() is called on an inaccessible property
__sleep(): serialize() checks whether the class has a magic method __sleep(); if so, it is called first, and then serialization proceeds.
__wakeup(): unserialize() checks whether the class has a __wakeup() method; if so, it calls __wakeup() to prepare any resources the object needs in advance
__toString() defines how the class responds when it is treated as a string
__invoke() is called automatically when an attempt is made to call an object as a function
__set_state(): since PHP 5.1.0, this static method is called when var_export() exports a class
__clone(): when copying is complete, if a __clone() method is defined, the __clone() method of the newly created (copied) object is called; it can be used to modify property values
__debugInfo() is called by var_dump() when dumping an object to get the properties that should be shown. If the method isn't defined on an object, then all public, protected and private properties will be shown.
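The entries above that matter for deserialization are __sleep(), __wakeup() and __destruct(), because PHP calls them on its own and never calls __construct() during unserialize(). The following added illustration (not from the original article) records the actual call order; the class name Demo and the static $log array are assumed names.

```php
<?php
// Added illustration, not code from the original article: records which magic
// methods PHP calls by itself during serialize(), unserialize() and destruction.
// Class Demo and the static $log array are assumed names.
class Demo {
    public static $log = [];           // static properties are never serialized
    public $name = 'q_q';
    public $tmp  = 'not persisted';
    public function __construct()  { self::$log[] = '__construct'; }
    public function __sleep()      { self::$log[] = '__sleep';  return ['name']; }  // only $name is serialized
    public function __wakeup()     { self::$log[] = '__wakeup'; $this->tmp = 'rebuilt'; }
    public function __toString()   { self::$log[] = '__toString'; return $this->name; }
    public function __destruct()   { self::$log[] = '__destruct'; }
}

function traceLifecycle(): array {
    Demo::$log = [];
    $s = serialize(new Demo());   // __construct, __sleep, then __destruct of the temporary object
    $o = unserialize($s);         // no __construct at all: __wakeup runs instead
    $asString = (string) $o;      // __toString
    unset($o);                    // __destruct, even though this object was never "constructed"
    return ['serialized' => $s, 'string' => $asString, 'calls' => Demo::$log];
}

$r = traceLifecycle();
echo $r['serialized'], "\n";              // O:4:"Demo":1:{s:4:"name";s:3:"q_q";}  ($tmp dropped by __sleep)
echo implode(' -> ', $r['calls']), "\n";  // __construct -> __sleep -> __destruct -> __wakeup -> __toString -> __destruct
```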
Copyright notice
This article was written by [Prison plan progress 50%]; when reposting, please include the original link. Thank you.
https://yzsam.com/2022/04/202204221840147438.html