Shulou(Shulou.com)06/03 Report--

This article is about how to analyze ThinkPHP6 arbitrary file operation vulnerabilities, the editor thinks it is very practical, so I share it with you to learn. I hope you can get something after reading this article. Let's take a look at it with the editor.

Introduction of loopholes

On January 10, 2020, the ThinkPHP team released a patch update that fixed an arbitrary file manipulation vulnerability caused by an insecure SessionId. The vulnerability allows an attacker to create and delete arbitrary files with session enabled in the target environment, as well as getshell under certain circumstances.

The specific affected version is ThinkPHP6.0.0-6.0.1.

Loophole recurrence

The local environment is reproduced by ThinkPHP 6.0.1+PHP7.1.20+Apache. You can write a webshell by executing the test validator under certain circumstances, as shown in the following figure:

Loophole analysis

According to the official github commit:

Https://github.com/topthink/framework/commit/1bbe75019ce6c8e0101a6ef73706217e406439f2

Therefore, it is speculated that the file writing may be caused when the session is stored. Then, track: vendor/topthink/framework/src/think/session/Store.php:254.

A write function is called here to follow up: vendor/topthink/framework/src/think/session/driver/File.php:210.

Call the writeFile function and follow in:

Sure enough, it is an operation to write to a file.

Continue to look backwards to see if the file name is controllable, which comes from the value of $sessionId obtained by the original getId (). Now that there is getId, there will be setId. Take a look at the contents of the function:

When the parameter $id passed in satisfies the 32-bit length, the value is set to $this- > id. Take a look at the place where setId is called: vendor/topthink/framework/src/think/middleware/SessionInit.php:46.

The value of $cookieName here is PHPSESSID.

And $sessionId is the value named PHPSESSID in cookie, so it is controllable by the attacker, resulting in a controllable filename being written.

The file name of the write is controllable, so is the content of the write controllable? The analysis found that what was written was the content used to create the session. However, the creation of session is determined by the actual back-end business logic, and the session is not created by default. Therefore, arbitrary file writing cannot be done by default.

In the process of in-depth analysis of the vulnerability, we found that the vulnerability can also achieve arbitrary file deletion, and file deletion is less dependent on back-end business logic.

Or in vendor/topthink/framework/src/think/session/Store.php:254:

Through analysis and verification, we found that vulnerabilities (such as the figure above) can also cause arbitrary file deletions.

When the target environment is Windows and session is enabled, it is vulnerable to arbitrary file deletion attacks.

When session is enabled in the target environment and the written session is controllable, it is vulnerable to arbitrary file write attacks.

It is recommended that relevant users upgrade to the ThinkPHP6.0.2 version in time to avoid attack.

The above is how to analyze ThinkPHP6 arbitrary file operation vulnerabilities, the editor believes that there are some knowledge points that we may see or use in our daily work. I hope you can learn more from this article. For more details, please follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.