2025-04-05 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/02 Report--
In this issue, the editor walks you through reproducing the ThinkPHP 6.0 arbitrary file creation vulnerability and the GetShell it can lead to. The article is rich in content and analyzes the topic from a professional point of view; I hope you get something out of reading it.
0x01 About
ThinkPHP is an open source PHP framework with an MVC structure, released under the Apache 2 open source license. It was created for agile web application development and to simplify enterprise application development. The vulnerability stems from a logic flaw in ThinkPHP 6.0: an attacker who successfully exploits it can achieve "arbitrary" file creation, which in particular scenarios can lead to GetShell.
0x02 Vulnerability overview
On January 10, 2020, the ThinkPHP team released a patch that fixed an arbitrary file manipulation vulnerability caused by an insecure SessionId. In a target environment with sessions enabled, the vulnerability allows an attacker to create and delete arbitrary files, and under certain circumstances to getshell.
0x03 Affected versions
0x04 Environment setup
1. Install Composer: download Composer-Setup.exe from
https://getcomposer.org/download/
Run the installer and select the location of php.exe; the installation then completes.
Pulling the environment with Composer can sometimes get stuck; you can switch to a Chinese mirror:
composer config -g repo.packagist composer https://packagist.phpcomposer.com
If an error occurs, please refer to:
http://www.jrnw.net/index.php/2019/05/30/thinkphp6%E6%A1%86%E6%9E%B6%E6%BA%90%E7%A0%81%E7%9A%84%E4%B8%8B%E8%BD%BD%E4%B8%8E%E5%AE%89%E8%A3%85%E8%AF%A6%E7%BB%86%E6%95%99%E7%A8%8B/
Change "topthink/framework": "^6.0.0" in the tp6/composer.json file to version 6.0.0 and run the update command:
cd tp6
composer update
PS:
On Linux, start the environment again with:
./think run --host=0.0.0.0 --port=8000
If the environment cannot be pulled, reply "tp60 environment" in the official account to get it.
0x05 Vulnerability exploitation
First, obtain a controllable session parameter name. Here it is constructed locally; in a real-world case you would have to fuzz for it yourself.
Construction location: tp60\app\controller\Index.php
The content that needs to be added:
use think\facade\Session;
Session::set('user', $_GET['username']);
Enable sessions and make the session content controllable: in the /tp6/app/middleware.php file, uncomment the session middleware line so that sessions are enabled.
Construct the request: username is the parameter we just added that accepts the value, and then change the value of PHPSESSID to a 32-character save path.
After the PoC request has gone through, the created file can be accessed under public.
0x06 Pitfalls
1. Local test on localhost failed
Problem:
When we used localhost to test the PoC, the cookie was included in the request, but modifying it had no effect.
Solution:
Test via an IP address: 127.0.0.1 or a private network IP.
2. Shell selection
Problem:
Testing a China Chopper (Caidao) webshell on the latest version of phpstudy failed.
Solution:
A Behinder (Ice Scorpion) shell can be used.
0x07 Fix
The official fix:
Add a filter on the session id using ctype_alnum():
$this->id = is_string($id) && strlen($id) === 32 && ctype_alnum($id) ? $id : md5(microtime(true) . session_create_id());

The above is how to reproduce the ThinkPHP 6.0 arbitrary file creation GetShell, as shared by the editor. If you happen to have similar doubts, please refer to the above analysis. If you want to know more, you are welcome to follow the industry information channel.
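As an added example (not the article's code and not ThinkPHP's own source), here is a stand-alone PHP port of the filter from the fix above, run over a few constructed cookie values to show which ids it keeps and which it replaces. The reason the check matters is that the session id becomes a file name under the session save path, so anything that is not a plain 32-character alphanumeric string must never reach the filesystem. The function names and the sample values are assumptions made for this demonstration.

```php
<?php
declare(strict_types=1);

// Added example, not ThinkPHP's own code: a stand-alone port of the session id
// filter introduced by the 6.0.1 fix, plus a small demonstration of its effect.

/**
 * True when the id is one the patched setId() keeps unchanged:
 * a string of exactly 32 characters, all of them alphanumeric.
 * (Hypothetical helper name, used only in this example.)
 */
function isAcceptedSessionId($id): bool
{
    return is_string($id) && strlen($id) === 32 && ctype_alnum($id);
}

/**
 * Return $id only if it passes the filter; otherwise generate a fresh id,
 * exactly as the patched setId() does. Anything containing '/', '.', '\\'
 * or other non-alphanumeric characters is discarded here, so it can never
 * be used to steer the session file outside the save path.
 * (Hypothetical helper name, used only in this example.)
 */
function sanitizeSessionId($id): string
{
    if (isAcceptedSessionId($id)) {
        return $id;
    }
    return md5(microtime(true) . session_create_id());
}

// Constructed sample cookie values (not taken from the article).
$samples = [
    'valid 32 alnum' => str_repeat('a1', 16),                 // 32 chars, alnum: kept
    'too short'      => 'abc123',                             // wrong length: replaced
    'path separator' => str_repeat('a', 26) . '/x.php',       // 32 chars but not alnum: replaced
    'dot-dot-slash'  => '../' . str_repeat('b', 29),          // 32 chars but not alnum: replaced
    'missing'        => null,                                 // not a string: replaced
];

foreach ($samples as $label => $id) {
    $kept = isAcceptedSessionId($id);
    $out  = sanitizeSessionId($id);
    printf("%-15s -> %s (%s)\n", $label, $out, $kept ? 'kept as given' : 'replaced by a fresh id');
}
```

Running the script shows that only the first sample survives unchanged; every other value, including the two 32-character strings that smuggle in a path, is swapped for a freshly generated md5 id. The same three-part check (string, length 32, ctype_alnum) is a reasonable guard to apply wherever a session id supplied by the client is turned into a storage path.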