2025-01-30 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article shares an example analysis of the ThinkPHP 5.1 deserialization exploitation chain. Most readers are probably not very familiar with it, so it is offered here for reference.
ThinkPHP 5.1 deserialization POP chain analysis
We choose version 5.1 for the analysis; 5.2 is not much different, so one of the two is enough.
Because a public PoC is available on the Internet, we can work backwards from the PoC to analyze the POP chain. First, one way of writing the PoC:
As you can see, this PoC ultimately serializes a Windows instance, so the trigger point of the deserialization must be one of the magic methods in Windows, such as `__wakeup()` or `__destruct()`. Let's take a look at the source code. The Windows class has a magic method `__destruct()`, which is called when the object is destroyed and which calls two functions:
```php
public function __destruct()
{
    $this->close();
    $this->removeFiles();
}
```
The close() function contains nothing of interest to us, but the removeFiles() function is more interesting:
```php
private function removeFiles()
{
    foreach ($this->files as $filename) {
        if (file_exists($filename)) {
            @unlink($filename);
        }
    }
    $this->files = [];
}
```
The object's files variable is traversed, and if a value is the path of an existing file, that file is deleted. We can control the `$this->files` variable, so if there is a deserialization point, this is an arbitrary file deletion vulnerability. To demonstrate this vulnerability more clearly, let's construct the PoC ourselves:
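An added example, separate from the article's PoC and not ThinkPHP's code: DemoPipes is a hypothetical stand-in with the same destructor logic as removeFiles(), and the script compares unserialize() with default options against `allowed_classes => false` on a scratch file it creates itself. With classes disallowed, PHP returns a `__PHP_Incomplete_Class` placeholder and no destructor runs, so the file is left alone.

```php
<?php
// Added illustration. DemoPipes is a hypothetical stand-in that mirrors the
// destructor logic quoted above; it is not ThinkPHP's Windows class.
class DemoPipes
{
    private $files = [];

    public function __construct(array $files)
    {
        $this->files = $files;
    }

    public function __destruct()
    {
        foreach ($this->files as $filename) {
            if (file_exists($filename)) {
                @unlink($filename);
            }
        }
        $this->files = [];
    }
}

// Creates the scratch file, deserializes $payload with the given options,
// destroys the result, and reports whether the scratch file is still there.
function survivesUnserialize(string $payload, string $path, array $options): bool
{
    file_put_contents($path, 'scratch');
    $obj = unserialize($payload, $options);
    unset($obj);                 // any destructor on the restored object runs here
    $alive = file_exists($path);
    @unlink($path);              // clean up regardless of the outcome
    return $alive;
}

// Constructed sample input: a path that does not exist yet, so the temporary
// object used to build the payload has nothing to delete when it is destroyed.
$path    = sys_get_temp_dir() . '/pop_demo_' . uniqid() . '.txt';
$payload = serialize(new DemoPipes([$path]));

printf("default options:          file survives = %s\n",
    var_export(survivesUnserialize($payload, $path, []), true));
printf("allowed_classes => false: file survives = %s\n",
    var_export(survivesUnserialize($payload, $path, ['allowed_classes' => false]), true));
```

Where untrusted input must be parsed at all, a data-only format such as JSON avoids object instantiation entirely; `allowed_classes` is the narrower fix when unserialize() has to stay.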