thinkphp6.0.8 has an unserialize vulnerability
Vulnerability Demo
Create Routing at controller/Index.php
this is my poc
The file has been generated in the directory in public
and
Vulnerability Analysis
First one starts with __destruct, autosave can be bypassed by assigning a value of true
Next we call the save method, because this is an abstract class so we need to find the method that implements it
abstract class AbstractCache implements CacheInterface
Here I choose vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php
adapter variables are controllable and it feels like write may have a write operation so we globally search for the write method
finally at vendor\league\flysystem\src\Adapter\Local.php
The has method determines if the value in the location variable is an existing file, in order to bypass it we need a non-existent file name, the path is completely controllable
And this one happens to have the file_put_contents method in it
The value of contents comes from what we passed in earlier and can see is $this->getForStorage();
The parameters are all controllable, but we need to bypass the json_encode method, otherwise if we pass in escape symbols it will also output
Here I pass in */<?php phpinfo();?> will be commented out in front and followed by ?> is separated, causing the vulnerability, analysis is complete
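A mitigation for the entry point of the chain described in this issue, as an added example that is not part of the original report or of ThinkPHP: untrusted input is decoded with allowed_classes disabled, so no class is instantiated and no __destruct can fire. DemoCache, contains_object and safe_unserialize are hypothetical names, and both payloads are constructed sample input.

```php
<?php
// Hypothetical stand-in for a class whose __destruct persists state via save().
class DemoCache
{
    public static $saves = 0;          // how many times a destructor "saved"
    public function __destruct()
    {
        self::$saves++;                // a real class would write to storage here
    }
}

// True if the decoded value holds an object placeholder at any array depth.
function contains_object($value)
{
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
        return false;
    }
    return $value instanceof __PHP_Incomplete_Class;
}

// Decode untrusted input with class instantiation disabled, then reject any
// payload that tried to carry an object. Scalars and arrays pass through.
function safe_unserialize($payload)
{
    $value = @unserialize($payload, ['allowed_classes' => false]);
    if ($value === false && $payload !== 'b:0;') {
        throw new InvalidArgumentException('malformed serialized data');
    }
    if (contains_object($value)) {
        throw new InvalidArgumentException('objects are not accepted');
    }
    return $value;
}

// Constructed sample input: one serialized DemoCache and one plain array.
$objectPayload = serialize(new DemoCache());
$arrayPayload  = serialize(['page' => 2, 'sort' => 'name']);
$start = DemoCache::$saves;            // the temporary above was already destroyed
try {
    safe_unserialize($objectPayload);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
echo 'destructor runs during safe decode: ', DemoCache::$saves - $start, "\n";
var_dump(safe_unserialize($arrayPayload));
```

The allowed_classes option exists since PHP 7.0; where the application only needs arrays and scalars from the client, json_decode avoids the object-instantiation path entirely.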