Vulnerability Analysis
The chain starts at __destruct; the autosave check can be bypassed by assigning a value of true.
Next, the save method is called. Because this is an abstract class, we need to find a class that implements the method:
abstract class AbstractCache implements CacheInterface
Here I choose vendor\league\flysystem-cached-adapter\src\Storage\Adapter.php
The adapter variable is controllable, and write looks like it performs a write operation, so we search globally for the write method
and finally arrive at vendor\league\flysystem\src\Adapter\Local.php
The has method checks whether the value in the location variable is an existing file. To bypass it we need a non-existent file name, and the path is completely controllable.
This class also happens to call file_put_contents.
The value of contents comes from what we passed in earlier, which we can see is $this->getForStorage();
The parameters are all controllable, but we need to bypass the json_encode method; otherwise, if we pass in escape symbols, they will also be output.
Here I pass in */<?php phpinfo();?> so that the part in front is commented out and whatever follows ?> is separated off, which causes the vulnerability. The analysis is complete.
thinkphp6.0.8 has an unserialize vulnerability
Vulnerability Demo
Create Routing at controller/Index.php
This is my PoC
The file has been generated in the directory in public

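The chain analysed above is reachable only when untrusted bytes are passed to unserialize() and a class with a __destruct method gets instantiated. As an added example (not code from this issue, ThinkPHP or flysystem), the sketch below uses a constructed stand-in class DemoCache and a hypothetical helper decodeDataOnly to contrast plain unserialize() with decoding under allowed_classes set to false.

```php
<?php
// Constructed stand-in for a class whose destructor persists state.
// Not the flysystem class: save() only records that it was reached.
final class DemoCache
{
    public static $log = [];
    public $payload = '';

    public function save()
    {
        self::$log[] = 'save() reached with: ' . $this->payload;
    }

    public function __destruct()
    {
        $this->save();
    }
}

// Hypothetical helper: accept scalars and arrays only.
function decodeDataOnly(string $input)
{
    // allowed_classes => false maps every object to __PHP_Incomplete_Class,
    // so no __wakeup or __destruct of a real class can run.
    $value = unserialize($input, ['allowed_classes' => false]);
    $stack = [$value];
    while ($stack) {
        $item = array_pop($stack);
        if ($item instanceof __PHP_Incomplete_Class) {
            throw new UnexpectedValueException('serialized object rejected');
        }
        if (is_array($item)) {
            foreach ($item as $child) {
                $stack[] = $child;
            }
        }
    }
    return $value;
}

// Constructed input standing in for request data.
$input = 'O:9:"DemoCache":1:{s:7:"payload";s:9:"untrusted";}';

$obj = unserialize($input); // unsafe: a DemoCache object is created
unset($obj);                // its destructor runs and save() is reached
echo 'after plain unserialize: ', count(DemoCache::$log), " call(s)\n";

try {
    decodeDataOnly($input);
} catch (UnexpectedValueException $e) {
    echo 'data-only decode: ', $e->getMessage(), "\n";
}
echo 'after data-only decode: ', count(DemoCache::$log), " call(s)\n";
```

Where the stored value is only ever scalars and arrays, replacing the serialized format with JSON and json_decode removes the object instantiation step entirely.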