Shulou(Shulou.com)05/31 Report--

Today, I will talk to you about how to analyze ThinkPHP command execution vulnerabilities. Many people may not know much about it. In order to let everyone know more, Xiaobian summarizes the following contents for everyone. I hope everyone can gain something according to this article.

vulnerability analysis

Patch information:

The fix point for its patch is in the method function, var_method constant, initialized to_method in application/config.php. This means that POST parameters in the request are filtered.

Therefore, place a breakpoint in this function.

Payload triggered:

A Request class is instantiated first

Since scheduling information is not set, the url route detection function will be entered.

self::routeCheck($request, $config)

According to the $request->path() function, get the path as captcha, and then enter the route detection function check()

In the check() function, the method function is called again, that is, the vulnerable function.

Since the_method parameter we entered is__construct, we will call this function to assign parameters.

method='get',filter[]='system',get[]='whoami'

Since THINKPHP5 has an automatic class loading mechanism, it will automatically load some files in the vendor directory. In particular, there is a helper.php file in the topthink/think-captcha/src folder:

The\think\Route::get function is called here to register the route. Let self::rules have the value: ! [f88659a580a65a09158d7b3c9b2fcbc9.png](evernotecid://34243 D5A-0080-4 E5B-82D3-EF8A5533BD45/appyinxiangcom/23351960/ENResource/p191) Then go back to the above and get the value of item as captcha according to the passed URL, so that the value of rules[item] is captcha routing array, you can further call the self::parseRule function. Because the value of route is\think\captcha\CaptchaController@index, it will eventually route to the method.

After the final layers are returned, the call information in the run function $dispatch is:

Then execute param method in instance object:

Eventually, the order was executed.

After reading the above, do you have any further understanding of how to analyze ThinkPHP command execution vulnerabilities? If you still want to know more knowledge or related content, please pay attention to the industry information channel, thank you for your support.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.