Application-level vulnerabilities may allow an attacker to attempt many kinds of malicious attacks, such as path traversal, code injection, application denial of service and SQL injection. One such vulnerability is known as PHP object injection, or PHP deserialization. Its cause is that user-supplied input passed to PHP's unserialize() function is not properly sanitized: by passing a specially crafted serialized string through the vulnerable unserialize() call, an attacker can inject arbitrary PHP objects into the application, and in PHP this vulnerability can lead to remote code execution.
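The following is an added example, not code from the original article. It uses a hypothetical application class (CacheEntry) with a "magic" __wakeup() method to show why unserialize() on untrusted input is dangerous, and places the vulnerable call next to two hardened versions. The serialized input string is constructed for the demonstration.

```php
<?php
declare(strict_types=1);

// Hypothetical application class. __wakeup() runs automatically whenever
// unserialize() reconstructs an object of this class, so it executes on
// attacker-controlled input if that input is allowed to name this class.
class CacheEntry
{
    public static int $wakeups = 0;   // counts how often __wakeup ran (demo only)
    public string $key = '';

    public function __wakeup(): void
    {
        self::$wakeups++;
        // A real class might open files, run queries or call eval-like
        // helpers here; that is what makes object injection dangerous.
    }
}

// Untrusted input, constructed for this example: a serialized string that
// names the application's class instead of the expected array of strings.
$untrusted = 'O:10:"CacheEntry":1:{s:3:"key";s:5:"inbox";}';

// Vulnerable: the default call instantiates any class named in the input.
function loadVulnerable(string $data): mixed
{
    return unserialize($data);
}

// Hardened: allowed_classes => false means no application object is
// instantiated and no magic method runs; an object in the input is
// returned as __PHP_Incomplete_Class instead.
function loadHardened(string $data): mixed
{
    return unserialize($data, ['allowed_classes' => false]);
}

// Stricter still for data that should never contain objects: accept only
// an array and treat anything else as a failure.
function loadArrayOnly(string $data): ?array
{
    $value = unserialize($data, ['allowed_classes' => false]);
    return is_array($value) ? $value : null;
}

$before = CacheEntry::$wakeups;
$obj = loadVulnerable($untrusted);
printf("vulnerable: class=%s, __wakeup ran %d time(s)\n",
    get_class($obj), CacheEntry::$wakeups - $before);

$before = CacheEntry::$wakeups;
$safe = loadHardened($untrusted);
printf("hardened:   class=%s, __wakeup ran %d time(s)\n",
    get_class($safe), CacheEntry::$wakeups - $before);

var_dump(loadArrayOnly($untrusted));
var_dump(loadArrayOnly('a:2:{i:0;s:5:"Hello";i:1;s:3:"PHP";}'));
```

Run it with the PHP CLI (php example.php). The vulnerable loader reports that __wakeup() ran once and the object's class is CacheEntry; the hardened loader reports zero runs and class __PHP_Incomplete_Class, and loadArrayOnly() returns NULL for the object payload but the array for a genuine array payload. The allowed_classes option is available from PHP 7.0; where the stored data legitimately needs objects, pass an explicit whitelist of class names instead of false.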
Syntax
The syntax of the unserialize() function in PHP is as follows:
unserialize(value);
where value is the serialized value to be deserialized; if it comes from an untrusted source, it may lead to object injection.
Object injection in PHP works as described above; the following examples demonstrate serialization and deserialization with serialize() and unserialize():
PHP program to demonstrate object injection: it converts the given value into a serialized string (a sequence of bytes) so that it can be stored anywhere, and then deserializes it using the unserialize() function:
Code:
<html>
<body>
<?php
# The array of data to be serialized is passed to the serialize() function and the returned string is stored in a variable called value
$value = serialize(array("Welcome", "to", "PHP"));
# The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
# The serialized data is passed through the unserialize() function and the result is stored in a variable called result
$result = unserialize($value);
echo "<br>";
# The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>
Output (the serialized string printed is a:3:{i:0;s:7:"Welcome";i:1;s:2:"to";i:2;s:3:"PHP";}, followed by the var_dump of the reconstructed array):
In the program above, the array of data to be serialized is passed to the serialize() function and the returned string is stored in a variable called value. The string returned by serialize() is then displayed on the screen. The serialized data is then passed through the unserialize() function and the result is stored in a variable called result. Finally, the deserialized data is displayed on the screen. The output is shown in the snapshot above.
PHP program to demonstrate object injection: it converts the given value into a serialized string (a sequence of bytes) so that it can be stored anywhere, and then deserializes it using the unserialize() function:
Code:
<html>
<body>
<?php
# The array of data to be serialized is passed to the serialize() function and the returned string is stored in a variable called value
$value = serialize(array("Learning", "is", "fun"));
# The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
# The serialized data is passed through the unserialize() function and the result is stored in a variable called result
$result = unserialize($value);
echo "<br>";
# The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>
Output (the serialized string printed is a:3:{i:0;s:8:"Learning";i:1;s:2:"is";i:2;s:3:"fun";}, followed by the var_dump of the reconstructed array):
In the program above, the array of data to be serialized is passed to the serialize() function and the returned string is stored in a variable called value. The string returned by serialize() is then displayed on the screen. The serialized data is then passed through the unserialize() function and the result is stored in a variable called result. Finally, the deserialized data is displayed on the screen. The output is shown in the snapshot above.
PHP program to demonstrate object injection: it converts the given value into a serialized string (a sequence of bytes) so that it can be stored anywhere, and then deserializes it using the unserialize() function:
Code:
<html>
<body>
<?php
# The array of data to be serialized is passed to the serialize() function and the returned string is stored in a variable called value
$value = serialize(array("We", "love", "India"));
# The returned string from the serialize() function is displayed as the output on the screen
echo "The data after serialization using serialize() function is as follows:\n";
echo $value;
# The serialized data is passed through the unserialize() function and the result is stored in a variable called result
$result = unserialize($value);
echo "<br>";
# The unserialized data is displayed as the output on the screen
echo "The data after deserialization using unserialize() function is as follows:\n";
echo "<br>";
var_dump($result);
?>
</body>
</html>
Output (the serialized string printed is a:3:{i:0;s:2:"We";i:1;s:4:"love";i:2;s:5:"India";}, followed by the var_dump of the reconstructed array):
In the program above, the array of data to be serialized is passed to the serialize() function and the returned string is stored in a variable called value. The string returned by serialize() is then displayed on the screen. The serialized data is then passed through the unserialize() function and the result is stored in a variable called result. Finally, the deserialized data is displayed on the screen. The output is shown in the snapshot above.
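The three programs above round-trip an array through serialize() and unserialize() so that it can be stored and read back. When that stored string lives somewhere a user can modify (a cookie, a form field, a shared database row), reading it back with a bare unserialize() is exactly the unsafe pattern described at the start of this article. The following added example (not from the original article) shows one defensive way to store such data: the serialized payload is authenticated with an HMAC so that any modification is detected before unserialize() runs, objects are disabled with allowed_classes => false, and the ambiguous false return of unserialize() is handled. DEMO_SIGNING_KEY and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical key for the demo; in production load it from configuration
// or a secret store, never from source code.
const DEMO_SIGNING_KEY = 'replace-with-a-random-32-byte-secret';

// Serialize $value and prepend an HMAC so the stored blob cannot be modified
// without detection. Format: "<hex hmac>.<serialized payload>".
function storeSigned(array $value, string $key): string
{
    $payload = serialize($value);
    return hash_hmac('sha256', $payload, $key) . '.' . $payload;
}

// Verify the HMAC before unserialize() ever sees the payload, then decode
// with object instantiation disabled. Returns null on any failure.
function loadSigned(string $blob, string $key): ?array
{
    // The hex MAC contains no '.', so the first '.' separates MAC and payload
    // even though the payload itself may contain dots.
    $parts = explode('.', $blob, 2);
    if (count($parts) !== 2) {
        return null;
    }
    [$mac, $payload] = $parts;
    // hash_equals() compares in constant time, avoiding a timing side channel.
    if (!hash_equals(hash_hmac('sha256', $payload, $key), $mac)) {
        return null;
    }
    $value = unserialize($payload, ['allowed_classes' => false]);
    // unserialize() returns false on malformed input, and false is also a
    // legitimate decoded value; since only arrays are expected here, anything
    // that is not an array is treated as a failure.
    return is_array($value) ? $value : null;
}

// Normal round trip, mirroring the article's examples.
$blob = storeSigned(['Welcome', 'to', 'PHP'], DEMO_SIGNING_KEY);
echo $blob, "\n";
var_dump(loadSigned($blob, DEMO_SIGNING_KEY));

// Modify one byte of the stored payload: the MAC no longer matches.
$tampered = substr($blob, 0, -1) . 'X';
var_dump(loadSigned($tampered, DEMO_SIGNING_KEY));

// Swap the payload for an object: rejected by the MAC check, and even if it
// reached unserialize(), allowed_classes => false would stop instantiation.
$swapped = explode('.', $blob, 2)[0] . '.O:8:"stdClass":0:{}';
var_dump(loadSigned($swapped, DEMO_SIGNING_KEY));
```

Running this prints the signed blob and the reconstructed array for the genuine value, and NULL for both the modified and the swapped payloads. Where the stored data never needs PHP-specific types, json_encode()/json_decode() is a simpler alternative that cannot instantiate application classes at all; the HMAC is still worthwhile there whenever integrity of the stored value matters.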