Question

Insecure deserialization vulnerabilities happen when applications deserialize program objects without proper precaution. An attacker can then manipulate serialized objects to change the program’s behavior.

应用程序在未采取适当预防措施的情况下对程序对象进行反序列化时，会发生不安全的反序列化漏洞。攻击者随后可以操纵序列化对象以更改程序行为。

Insecure deserialization bugs have always fascinated me. They’re hard to find and exploit, because they tend to look different depending on the programming language and libraries used to build the application. These bugs also require deep technical understanding and ingenuity to exploit. Although they can be a challenge to find, they are worth the effort. Countless write-ups describe how researchers used these bugs to achieve RCE on critical assets from companies such as Google and Facebook.

不安全的反序列化漏洞一直吸引着我。由于构建应用程序使用的编程语言和库不同，它们很难被找到和利用，因为它们通常具有不同的外观。这些漏洞还需要深入的技术理解和独创性的利用。尽管它们很难被找到，但它们是值得努力寻找的。无数的文献描述了研究人员如何利用这些漏洞来实现 RCE，从 Google 和 Facebook 等公司的关键资产。

In this chapter, I’ll talk about what insecure deserialization is, how insecure deserialization bugs happen in PHP and Java applications, and how you can exploit them.

在这一章中，我将谈论什么是不安全的反序列化，以及在 PHP 和 Java 应用程序中如何发生不安全的反序列化漏洞，以及如何利用它们。