{"id":477613,"date":"2023-08-09T09:18:01","date_gmt":"2023-08-09T09:18:01","guid":{"rendered":""},"modified":"2023-09-05T11:15:06","modified_gmt":"2023-09-05T11:15:06","slug":"insecure-deserialization","status":"publish","type":"wiki","link":"https:\/\/oneproxy.pro\/cn\/wiki\/insecure-deserialization\/","title":{"rendered":"\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316"},"content":{"rendered":"

\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u662f Web \u5e94\u7528\u7a0b\u5e8f\u4e2d\u5b58\u5728\u7684\u4e00\u4e2a\u6f0f\u6d1e\uff0c\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u53cd\u5e8f\u5217\u5316\u8fc7\u7a0b\u6765\u64cd\u7eb5\u6570\u636e\u5e76\u53ef\u80fd\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002\u5f53\u5e94\u7528\u7a0b\u5e8f\u76f2\u76ee\u5730\u5c06\u5e8f\u5217\u5316\u6570\u636e\u8f6c\u6362\u4e3a\u5bf9\u8c61\u800c\u6ca1\u6709\u8fdb\u884c\u9002\u5f53\u7684\u9a8c\u8bc1\u65f6\uff0c\u5c31\u4f1a\u51fa\u73b0\u6b64\u5b89\u5168\u6f0f\u6d1e\uff0c\u4ece\u800c\u5bfc\u81f4\u4e25\u91cd\u540e\u679c\uff0c\u4f8b\u5982\u672a\u7ecf\u6388\u6743\u7684\u8bbf\u95ee\u3001\u6570\u636e\u7be1\u6539\u548c\u8fdc\u7a0b\u4ee3\u7801\u6267\u884c\u3002<\/p>\n

\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u7684\u8d77\u6e90\u5386\u53f2\u4ee5\u53ca\u9996\u6b21\u63d0\u53ca\u5b83<\/h2>\n

\u5e8f\u5217\u5316\u7684\u6982\u5ff5\u53ef\u4ee5\u8ffd\u6eaf\u5230\u8ba1\u7b97\u673a\u53d1\u5c55\u7684\u65e9\u671f\uff0c\u5f53\u65f6\u5f00\u53d1\u4eba\u5458\u9700\u8981\u4e00\u79cd\u9ad8\u6548\u5b58\u50a8\u548c\u4f20\u8f93\u6570\u636e\u7684\u65b9\u6cd5\u3002\u7b2c\u4e00\u6b21\u63d0\u5230\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u662f\u4e00\u4e2a\u5b89\u5168\u95ee\u9898\u53ef\u4ee5\u8ffd\u6eaf\u5230 Philippe Delteil \u548c Stefano Di Paola \u5728 2006 \u5e74 OWASP AppSec \u4f1a\u8bae\u4e0a\u7684\u4e00\u6b21\u6f14\u8bb2\u3002\u4ed6\u4eec\u5f3a\u8c03\u4e86\u4e0e\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u76f8\u5173\u7684\u98ce\u9669\uff0c\u4e3a\u5b89\u5168\u793e\u533a\u7684\u8fdb\u4e00\u6b65\u7814\u7a76\u548c\u8ba4\u8bc6\u94fa\u5e73\u4e86\u9053\u8def\u3002<\/p>\n

\u6709\u5173\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u7684\u8be6\u7ec6\u4fe1\u606f<\/h2>\n

\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u662f\u6307\u5e94\u7528\u7a0b\u5e8f\u83b7\u53d6\u5e8f\u5217\u5316\u6570\u636e\uff08\u901a\u5e38\u91c7\u7528 JSON\u3001XML \u6216 PHP \u7684\u539f\u751f\u5e8f\u5217\u5316\u683c\u5f0f\uff09\u5e76\u5c06\u5176\u8f6c\u6362\u56de\u5bf9\u8c61\u6216\u6570\u636e\u7ed3\u6784\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u5229\u7528\u6b64\u8fc7\u7a0b\uff0c\u901a\u8fc7\u5236\u4f5c\u6076\u610f\u64cd\u7eb5\u7684\u5e8f\u5217\u5316\u6570\u636e\u6765\u6b3a\u9a97\u5e94\u7528\u7a0b\u5e8f\u6267\u884c\u4efb\u610f\u4ee3\u7801\u3002<\/p>\n

\u5728\u53cd\u5e8f\u5217\u5316\u8fc7\u7a0b\u4e2d\uff0c\u5e94\u7528\u7a0b\u5e8f\u901a\u5e38\u901a\u8fc7\u8c03\u7528\u76f8\u5e94\u7684\u7c7b\u6784\u9020\u51fd\u6570\u6216\u5de5\u5382\u65b9\u6cd5\u4ece\u5e8f\u5217\u5316\u6570\u636e\u4e2d\u91cd\u5efa\u5bf9\u8c61\u3002\u4e3b\u8981\u95ee\u9898\u5728\u4e8e\u6b64\u8fc7\u7a0b\u4e2d\u7f3a\u4e4f\u9002\u5f53\u7684\u8f93\u5165\u9a8c\u8bc1\u548c\u5b89\u5168\u68c0\u67e5\u4e0d\u8db3\u3002\u653b\u51fb\u8005\u53ef\u4ee5\u7be1\u6539\u5e8f\u5217\u5316\u6570\u636e\uff0c\u6ce8\u5165\u6709\u5bb3\u8d1f\u8f7d\u6216\u4fee\u6539\u5bf9\u8c61\u5c5e\u6027\uff0c\u4ece\u800c\u5bfc\u81f4\u610f\u5916\u884c\u4e3a\u751a\u81f3\u5b8c\u5168\u7834\u574f\u5e94\u7528\u7a0b\u5e8f\u3002<\/p>\n

\u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u7684\u5185\u90e8\u7ed3\u6784\u53ca\u5176\u5de5\u4f5c\u539f\u7406<\/h2>\n

\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u6f0f\u6d1e\u6e90\u4e8e\u5e8f\u5217\u5316\u6570\u636e\u7684\u5904\u7406\u65b9\u5f0f\u3002\u4ee5\u4e0b\u6b65\u9aa4\u8bf4\u660e\u4e86\u5176\u5de5\u4f5c\u539f\u7406\uff1a<\/p>\n

    \n
  1. \n

    \u5e8f\u5217\u5316\uff1a\u5e94\u7528\u7a0b\u5e8f\u5c06\u5bf9\u8c61\u6216\u6570\u636e\u7ed3\u6784\u8f6c\u6362\u4e3a\u5e8f\u5217\u5316\u683c\u5f0f\uff08\u4f8b\u5982JSON\u6216XML\uff09\uff0c\u4ee5\u65b9\u4fbf\u5b58\u50a8\u6216\u4f20\u8f93\u3002<\/p>\n<\/li>\n

  2. \n

    \u53cd\u5e8f\u5217\u5316\uff1a\u5e94\u7528\u7a0b\u5e8f\u83b7\u53d6\u5e8f\u5217\u5316\u7684\u6570\u636e\u5e76\u91cd\u5efa\u539f\u59cb\u5bf9\u8c61\u6216\u6570\u636e\u7ed3\u6784\u3002<\/p>\n<\/li>\n

  3. \n

    \u7f3a\u4e4f\u9a8c\u8bc1\uff1a\u5f53\u5e94\u7528\u7a0b\u5e8f\u65e0\u6cd5\u9a8c\u8bc1\u4f20\u5165\u7684\u5e8f\u5217\u5316\u6570\u636e\u65f6\uff0c\u5c31\u4f1a\u51fa\u73b0\u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\uff0c\u5047\u8bbe\u5b83\u59cb\u7ec8\u6765\u81ea\u53d7\u4fe1\u4efb\u7684\u6765\u6e90\u3002<\/p>\n<\/li>\n

  4. \n

    \u6076\u610f\u8d1f\u8f7d\uff1a\u653b\u51fb\u8005\u7cbe\u5fc3\u5236\u4f5c\u64cd\u7eb5\u7684\u5e8f\u5217\u5316\u6570\u636e\uff0c\u5d4c\u5165\u6709\u5bb3\u4ee3\u7801\u6216\u4fee\u6539\u5e8f\u5217\u5316\u5bf9\u8c61\u7684\u5c5e\u6027\u3002<\/p>\n<\/li>\n

  5. \n

    \u4ee3\u7801\u6267\u884c\uff1a\u5f53\u88ab\u64cd\u7eb5\u7684\u5e8f\u5217\u5316\u6570\u636e\u88ab\u53cd\u5e8f\u5217\u5316\u65f6\uff0c\u5e94\u7528\u7a0b\u5e8f\u4f1a\u5728\u4e0d\u77e5\u60c5\u7684\u60c5\u51b5\u4e0b\u6267\u884c\u6076\u610f\u4ee3\u7801\uff0c\u4ece\u800c\u5bfc\u81f4\u6f5c\u5728\u7684\u6f0f\u6d1e\u3002<\/p>\n<\/li>\n<\/ol>\n

    \u4e0d\u5b89\u5168\u53cd\u5e8f\u5217\u5316\u7684\u5173\u952e\u7279\u5f81\u5206\u6790<\/h2>\n

    \u4e0d\u5b89\u5168\u7684\u53cd\u5e8f\u5217\u5316\u7684\u4e3b\u8981\u7279\u5f81\u53ef\u4ee5\u6982\u62ec\u5982\u4e0b\uff1a<\/p>\n