对所有系统来说,反序列化真的不安全吗? [英] Is unserialize really unsafe for all systems?
问题描述
根据文档,使用不可信任的输入来取消序列化是不安全的。
作为一个测试,我写道:
<?php
全局$秘密;
$ secret ='SuperSecret';
class Thing {
public static function __wakeup(){
var_dump($ GLOBALS);
}
public function __unserialize(){
return'okay';
}
}
if(isset($ _ GET ['s'])){
echo'serializing ='
echo serialize(new Thing());
}
$ unser = unserialize($ _ GET ['thing']);
首先转到?s,然后显示:O:5:Thing:0: }
转到?thing = O:5:Thing:0:{},它将显示所有全局变量 - 安全风险。 b
$ b
但是如果没有类有这样不安全的__wakeup()函数呢?对于没有不安全__wakeup函数的(大多数)系统,不是unserialize安全的?
文章。
https://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/
基本上可以使用反序列化重写或更改对PHP或您的脚本很重要的类。
According to the documentation, it's unsafe to use unserialize with untrusted input.
As a test, I wrote:
<?php
global $secret;
$secret = 'SuperSecret';
class Thing {
public static function __wakeup() {
var_dump($GLOBALS);
}
public function __unserialize() {
return 'okay';
}
}
if (isset($_GET['s'])) {
echo 'serializing=';
echo serialize(new Thing() );
}
$unser = unserialize($_GET['thing']);
First go to ?s, then it shows: O:5:"Thing":0:{}
Go to ?thing=O:5:"Thing":0:{} and it will show all global variables - a security risk.
But what if there is no class that has such unsafe __wakeup() function? Isn't unserialize safe for (most) systems that don't have 'unsafe' __wakeup functions?
Here is a good article on it.
https://www.alertlogic.com/writing-exploits-for-exotic-bug-classes/
Basically the unserialize can be used to rewrite or change classes that are important to PHP or your script.
这篇关于对所有系统来说,反序列化真的不安全吗?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!