Analysis and EXP of deserialization vulnerability in Thinkphp v5.1.41

2025-02-24 Update From: SLTechnology News&Howtos shulou

Shulou(Shulou.com)06/01 Report--

Many newcomers are unclear about the analysis and EXP of the ThinkPHP v5.1.41 deserialization vulnerability. To help with this, the editor explains it in detail below; anyone who needs it can learn from it, and I hope you gain something.

TP5141 deserialization
# Author: 4ut15m
# Date: April 11, 2021 22:45
# Version: thinkphp v5.1.41 LTS
# Install: composer create-project topthink/think tp5141 5.1.41 --prefer-dist

Looking back at the earlier tp deserialization vulnerabilities one evening, I found what seemed to be a new POP chain; I had not seen other researchers publish this chain online.

POP chain
Windows->__destruct --> Windows->removeFiles --> Conversion->__toString --> Conversion->toJson --> Conversion->toArray --> Attribute->getAttr
Conversion -> Model
Model -> Pivot

Look first at the sink where the command is executed: if both $closure and $value are controllable, the command runs.

The head of the POP chain has the same starting point as the tp5.0 deserialization vulnerability: Windows->__destruct.

Windows->removeFiles: by controlling Windows->files, any file can be deleted.

Calling file_exists() on an object triggers its __toString magic method, which leads to Conversion->__toString.

Follow Conversion->toArray: $this->append is controllable.

Follow getRelation: the method must return null so that execution enters the if branch.

Follow getAttr and find the key point.

To reach line 493, $this->withAttr[$fileName] must be set. $closure is taken from $this->withAttr[$fileName]; $this->withAttr is controllable, and $fileName comes from our parameter $name, which is the key of the $this->append entry we passed in.

$value is obtained from getData.

At line 269: if $this->data contains the key $name, the value of $this->data[$name] is assigned to $value. Both $this->data and $name are controllable, so $value is controllable.

The idea is as follows:

Conversion->append = ["4ut15m" => []]
Conversion->relation = false
Conversion->withAttr = ["4ut15m" => "system"]
Conversion->data = ["4ut15m" => "cmd"] // the command to be executed

Because Conversion is a trait, we need a class that uses it; a global search for Conversion finds the Model class.

Since Model is an abstract class, we need a concrete implementation of Model; a global search finds Pivot.

At this point, the exp can be written:

Windows->files = new Pivot()
Pivot->relation = false
Pivot->data = ["4ut15m" => "cmd"] // command to be executed
Pivot->withAttr = ["4ut15m" => "system"]

exp

Add a deserialization point to tp
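From the defender's side, the deserialization point that the chain above needs is the thing to remove or harden. The following is an added example, not code from the original article or from the ThinkPHP project: it shows how an entry point that must accept serialized data can refuse to instantiate any object at all, so the think\process\pipes\Windows and think\model\Pivot objects the chain starts from (fully qualified names as in the ThinkPHP 5.1 source) never get their __destruct/__toString methods invoked. The sample inputs are constructed for the demonstration.

```php
<?php
// Added defensive example (not from the article or from ThinkPHP):
// harden an unserialize() entry point against object-injection gadget chains.

declare(strict_types=1);

/**
 * Deserialize untrusted data without ever creating an object.
 * With allowed_classes => false, PHP turns every O:/C: token into a
 * __PHP_Incomplete_Class placeholder instead of instantiating the class,
 * so no __destruct/__toString/__call gadget can run. Any such placeholder
 * is then treated as a hard error rather than silently kept.
 */
function safeUnserialize(string $data)
{
    $value = @unserialize($data, ['allowed_classes' => false]);
    // unserialize() returns false on malformed input; 'b:0;' is the one
    // legitimate input that also yields false, so distinguish it.
    if ($value === false && $data !== serialize(false)) {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (containsObject($value)) {
        throw new InvalidArgumentException('serialized objects are not accepted');
    }
    return $value;
}

/** Recursively detect any object, including __PHP_Incomplete_Class placeholders. */
function containsObject($value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (containsObject($item)) {
                return true;
            }
        }
    }
    return false;
}

// Constructed inputs: a harmless scalar/array payload and a bare object token
// naming the class the chain starts from (class name only, no properties).
$plain  = serialize(['page' => 2, 'sort' => 'name']);
$object = 'O:27:"think\process\pipes\Windows":0:{}';

var_dump(safeUnserialize($plain));

try {
    safeUnserialize($object);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

If the application only needs to exchange structured data, json_decode() is the better replacement, since it never instantiates classes; allowed_classes => false is the fallback when the serialized format itself cannot be changed. Either way, the three controllable properties the analysis relies on (files, data, withAttr) never reach a live object.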


© 2024 shulou.com SLNews company. All rights reserved.
