Shulou(Shulou.com)06/02 Report--

In this issue, the editor will bring you about how to create Getshell reproduction of ThinkPHP6.0 arbitrary files. The article is rich in content and analyzes and narrates for you from a professional point of view. I hope you can get something after reading this article.

About 0x01 ThinkPHP framework is an open source PHP framework of MVC structure, which is released in accordance with Apache2 open source protocol. It is born for agile WEB application development and simplifying enterprise application development. The vulnerability stems from a logic vulnerability in ThinkPHP 6.0. an attacker who successfully exploits this vulnerability can achieve "arbitrary" file creation, which could lead to GetShell in special scenarios.

Overview of 0x02 vulnerabilities

On January 10, 2020, the ThinkPHP team released a patch update that fixed an arbitrary file manipulation vulnerability caused by an insecure SessionId. The vulnerability allows an attacker to create and delete arbitrary files with session enabled in the target environment, as well as getshell under certain circumstances.

0x03 affects version

0x04 environment building

1. Install Composer and download Composer-Setup.exe

Https://getcomposer.org/download/

Execute the installation file and select the php.exe location to install successfully.

The composer pull environment may sometimes get stuck, and the domestic image can be changed.

Composer config-g repo.packagist composer https://packagist.phpcomposer.com

If an error occurs, please refer to:

Http://www.jrnw.net/index.php/2019/05/30/thinkphp6%E6%A1%86%E6%9E%B6%E6%BA%90%E7%A0%81%E7%9A%84%E4%B8%8B%E8%BD%BD%E4%B8%8E%E5%AE%89%E8%A3%85%E8%AF%A6%E7%BB%86%E6%95%99%E7%A8%8B/

Change the "topthink/framework": "^ 6.0.0" of the tp6/composer.json file to version 6.0.0 and execute the update command

Enter the tp6 directory cd tp6composer update

PS:

If it is linux, execute the startup environment again:. / think run-- host=0.0.0.0-- port=8000

If the environment cannot be pulled, reply "tp60 environment" in the official account to get it.

0x05 vulnerability exploitation

First of all, get the controllable session parameter name, which is locally constructed, and the actual combat needs its own fuzz.

Construction location: tp60\ app\ controller\ Index.php

The content of the construction needs to be added:

Use think\ facade\ Session;Session::set ('user',$_GET [' username'])

Enable session and write session controllable / tp6/app/middleware.php file enable session to remove comments session / /

Construction request: username is the accept parameter we just constructed, and then change the value of PHPSESSID to a 32-bit save path.

After we have typed through poc, we can access the files under public.

0x06 pit spot

1. Local test localhost failed

Question:

When we use localhost to test poc, cookie is included in the request, and it is useless to modify it.

Resolve:

Test through IP, 127.0.0.1 or private network IP

2. Shell selection

Question:

Failed to test the kitchen knife horse in the latest version of phpstudy

Resolve:

Ice scorpion shell can be used.

0x07 repair mode

The official gives a plan.

Add a filter to session id, using ctype_alnum ()

$this- > id = is_string ($id) & & strlen ($id) = 32 ctype_alnum ($id) & &? $id: md5 (microtime (true). Session_create_id (); the above is how to create Getshell reproduction of any ThinkPHP6.0 file shared by the editor. If you happen to have similar doubts, please refer to the above analysis to understand. If you want to know more about it, you are welcome to follow the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.