2025-09-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Many newcomers are not clear about the ThinkPHP v5.1.41 deserialization vulnerability and its EXP. To help with that, the following article explains the analysis in detail; readers who need this are welcome to follow along, and I hope you gain something from it.
TP5141 deserialization
# Author: 4ut15m
# Date: April 11, 2021 22:45
# Version: thinkphp v5.1.41 LTS
# Install: composer create-project topthink/think tp5141 5.1.41 --prefer-dist
Looking back at the previous deserialization vulnerabilities in tp this evening, I found what seemed to be a new POP chain. I haven't seen other masters publish this chain on the Internet.
POP chain:
Windows->__destruct --> Windows->removeFiles --> Conversion->__toString --> Conversion->toJson --> Conversion->toArray --> Attribute->getAttr
Conversion -> Model (Conversion is a trait used by Model)
Model -> Pivot (Pivot is a concrete subclass of Model)
Take a look at the command execution point (the sink) first. If both $closure and $value are controllable, a command can be executed.
The head of the POP chain has the same starting point as the tp5.0 deserialization vulnerability: Windows->__destruct.
In Windows->removeFiles, if Windows->files is controllable, arbitrary files can be deleted.
The file_exists() call can trigger the __toString magic method; searching for __toString implementations leads to the one in Conversion.
Follow Conversion->toArray: $this->append is controllable.
Follow getRelation; it must return null so that execution enters the if branch.
Follow getAttr and find the key point.
To reach line 493, $this->withAttr[$fieldName] must be set. $closure is taken from $this->withAttr[$fieldName]; $this->withAttr is controllable, and $fieldName is derived from our parameter $name, which is the key of the $this->append array we passed in.
$value is obtained via getData.
At line 269, if $this->data contains a $name key, $this->data[$name] is assigned to $value. Both $this->data and $name are controllable, so $value is controllable.
The idea is as follows:
Conversion->append = ["4ut15m" => []]
Conversion->relation = false
Conversion->withAttr = ["4ut15m" => "system"]
Conversion->data = ["4ut15m" => "cmd"] // the command to be executed
Because Conversion is a trait, we need a class that uses it; a global search for Conversion finds the Model class.
Since Model is an abstract class, we have to find a concrete subclass of Model; a global search finds Pivot.
At this point, the exp can be written:
Windows->files = new Pivot()
Pivot->relation = false
Pivot->data = ["4ut15m" => "cmd"] // command to be executed
Pivot->withAttr = ["4ut15m" => "system"]
exp
Add a deserialization point to tp for testing (the stock framework has none; the chain needs an unserialize() call on attacker-controlled input).
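As an added defensive example (not code from the article or from ThinkPHP), the following wrapper shows the weak deserialization point next to a hardened one: it rejects serialized input that names the gadget classes of the chain above and never lets unserialize() instantiate objects, so __destruct and __toString gadgets are never reached. The fully qualified class names (think\process\pipes\Windows, think\model\Pivot, think\Model) are assumed from the thinkphp 5.1 source layout; the sample payload is constructed.

```php
<?php
// Gadget classes from the POP chain analysed above. Namespaces are assumed
// from the thinkphp 5.1 layout (not quoted from the article).
const BLOCKED_CLASSES = [
    'think\\process\\pipes\\Windows',
    'think\\model\\Pivot',
    'think\\Model',
];

/**
 * Return the class names referenced by a serialized PHP string.
 * Objects are encoded as O:<len>:"<class>": (C: for Serializable classes),
 * and the class name cannot be escaped, so the regex is reliable.
 */
function serializedClassNames(string $payload): array
{
    preg_match_all('/[OC]:\d+:"([^"]+)":/', $payload, $m);
    return array_values(array_unique($m[1]));
}

/** Blocked class names present in the payload (empty array when clean). */
function findGadgetClasses(string $payload): array
{
    return array_values(array_intersect(serializedClassNames($payload), BLOCKED_CLASSES));
}

/** Weak pattern: untrusted input goes straight into unserialize(). */
function unsafeUnserialize(string $payload)
{
    return unserialize($payload);
}

/**
 * Hardened pattern: known gadget classes are refused before unserialize()
 * runs, and allowed_classes => false turns any remaining object into
 * __PHP_Incomplete_Class, whose magic methods (__destruct, __toString,
 * __wakeup) are never invoked.
 */
function safeUnserialize(string $payload)
{
    $hits = findGadgetClasses($payload);
    if ($hits !== []) {
        throw new InvalidArgumentException('refused gadget classes: ' . implode(', ', $hits));
    }
    return unserialize($payload, ['allowed_classes' => false]);
}

// Constructed sample: a bare Windows object with no properties (not an exploit).
$sample = 'O:27:"think\process\pipes\Windows":0:{}';
var_dump(findGadgetClasses($sample)); // ["think\process\pipes\Windows"]
```

The class blocklist is only a detection aid for logging and alerting; the actual fix is the allowed_classes option (or not passing untrusted data to unserialize() at all), since new gadget chains such as this one appear regularly.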