How to reproduce the vulnerabilities of ThinkAdmin

2025-01-23 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 05/31 Report

This article explains how to reproduce the ThinkAdmin vulnerability. The content is quite detailed; interested readers can refer to it, and I hope it is helpful to you.

0x00 Introduction

ThinkAdmin is a general backend management system based on the ThinkPHP framework and is well suited to rapid secondary development. It integrates WeChat development components by default and supports WeChat service accounts, WeChat Pay, Alipay, Aliyun OSS storage, Qiniu cloud storage and local server storage. Its authority management is a simplified form of standard RBAC: complicated node management is removed, which makes rights management simpler; it covers node management, rights management, menu management and user management.

0x01 Vulnerability overview

ThinkAdmin V6 contains a path traversal vulnerability. It is caused by dangerous functions in the api controller that have no restrictions at all: two of these functions can be called directly without any authentication. An attacker can exploit this to read arbitrary files on the remote server by requesting an encoded parameter.

0x02 Affected versions

ThinkAdmin versions ≤ 2020.08.03.01

0x03 Vulnerability name and number

CVE-2020-25540

ThinkAdmin directory traversal / file read vulnerability

0x04 Environment setup

Phpstudy2018+ThinkAdmin v6.0

Installing the Composer command

1) Install Composer: set PHP in phpstudy to version 7.1 or above, and add the corresponding PHP folder to the PATH environment variable.

2) Open the php.ini file of the phpstudy server, find extension=php_openssl.dll and remove the semicolon in front of it. This enables the openssl extension so that Composer can be used from the cmd command line.

3) Install composer.phar: download the latest Composer installer from the address below and double-click it to install. Leave the checkbox unticked.

Download address: https://getcomposer.org/Composer-Setup.exe

4) Once the environment variable has been configured, the PHP path is selected automatically.

Continue to the next step and the installation completes.

5) After installation, run composer on the cmd command line to check that it was installed successfully.

6) Set the Aliyun Composer mirror

Because access to Composer is slow from China, it is recommended to use the Aliyun Composer mirror. Run the following command to configure it:

composer config -g repo.packagist composer https://mirrors.aliyun.com/composer

7) Download the vulnerable version of ThinkAdmin V6 locally.

8) Enter the ThinkAdmin directory and install the dependencies:

composer install

9) Then edit the configuration file config/database.php and create the database.

10) Start the application with php think run

Open http://ip:8000 in a browser to view the page.

0x05 Vulnerability reproduction

1. Directory traversal

1.1 Use Burp to capture the request for the home page and send it to the Repeater module, where the request for the directory listing is constructed.

1.2 In Repeater, change GET to POST, set the URL to /admin.html?s=admin/api.Update/node, and enter rules=%5b%22%2f%22%5d as the body (this value is URL-encoded; it decodes to ["/"]).

1.3 Click "Send"; the response contains a directory listing.

Note: if no listing is returned, modify the path in the payload and URL-encode it again.

2. Arbitrary file read

2.1 Create the file flag.txt in the root directory with the content flag{s4d6f54s}.

2.2 Run the application's encrypt (encode) function in PHP on the file name flag.txt; it produces the encoded file name 2u302p2v1a383c38.

2.3 flag.txt can then be read by visiting the link below (reading other files works the same way):

http://127.0.0.1:8000/admin.html?s=admin/api.Update/get/encode/2u302p2v1a383c38

2.4 The response contains a base64-encoded string; copy and decode it to obtain the content of flag.txt.
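From the defender's side, the two requests above leave a recognisable trace in the web server access log. The following script is an added example, not part of this article or of ThinkAdmin: it scans constructed log lines for calls to the two unauthenticated api.Update methods and decodes the encode parameter so the requested file name is visible. It assumes ThinkAdmin's encode routine emits two base-36 digits per (GBK) byte, which is consistent with 2u302p2v1a383c38 decoding to flag.txt as shown in step 2.2.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (not from the article); the first two mirror
# the requests the write-up sends, the third is ordinary admin traffic.
SAMPLE_LOG = """\
203.0.113.5 - - [31/May/2021:10:01:02 +0800] "GET /admin.html?s=admin/api.Update/get/encode/2u302p2v1a383c38 HTTP/1.1" 200 512
203.0.113.5 - - [31/May/2021:10:01:03 +0800] "POST /admin.html?s=admin/api.Update/node HTTP/1.1" 200 2048
198.51.100.9 - - [31/May/2021:10:02:10 +0800] "GET /admin.html?s=admin/index/index HTTP/1.1" 200 3072
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')
PAIRS_RE = re.compile(r"^(?:[0-9a-z]{2})+$")


def decode_param(encoded: str):
    """Invert ThinkAdmin's encode(): two base-36 digits per GBK byte (assumed
    from the value on the page: 2u302p2v1a383c38 -> flag.txt). Returns None
    for malformed input instead of raising, so the scanner never dies on junk."""
    if not PAIRS_RE.match(encoded):
        return None
    values = [int(encoded[i:i + 2], 36) for i in range(0, len(encoded), 2)]
    if max(values) > 255:          # e.g. "zz" = 1295 cannot be a byte
        return None
    return bytes(values).decode("gbk", errors="replace")


def scan_log(text: str):
    """Flag every request that reaches the two unauthenticated api.Update
    methods. Access logs do not carry the POST body, so node calls are
    reported regardless of the rules= payload."""
    findings = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = unquote(m.group("path"))
        base = {"ip": line.split(" ", 1)[0], "method": m.group("method")}
        if "api.Update/node" in path:
            findings.append({**base, "kind": "directory-listing", "target": None})
        elif "api.Update/get/encode/" in path:
            enc = path.split("api.Update/get/encode/", 1)[1].split("&", 1)[0]
            target = decode_param(enc)
            findings.append({**base, "kind": "file-read", "target": target,
                             "traversal": bool(target and ".." in target)})
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

Any hit on these two methods from an unauthenticated source is worth an alert on an affected version, since the article shows neither call requires a login.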

0x06 Remediation

1. Upgrade to a version later than 2020.08.03.01

2. Apply the official temporary fix:

https://github.com/zoujingli/ThinkAdmin/issues/244

This concludes the walkthrough of reproducing the ThinkAdmin vulnerability; I hope the content above is of some help to you. If you found the article useful, please share it so that more people can see it.
