2025-01-28 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article explains in detail how arbitrary file creation in ThinkPHP 6.0 can lead to getshell. The editor shares it here as a reference, and I hope you will have a certain understanding of the relevant knowledge after reading it.
0x01 Introduction
ThinkPHP is a fast, compatible and simple lightweight domestic (Chinese) PHP development framework, born in early 2006 and formerly known as FCS. On New Year's Day 2007 it was officially renamed ThinkPHP. It is released under the Apache2 open source license and was ported from the Struts structure with improvements and refinements. It also draws on many excellent foreign frameworks and patterns, using an object-oriented development structure and the MVC pattern, and it integrates the ideas of Struts and TagLib (tag library) as well as RoR's ORM mapping and ActiveRecord pattern.
ThinkPHP supports server environments such as Windows/Unix/Linux. The official version requires PHP 5.0 or above, and supports MySql, PgSQL and Sqlite databases and the PDO extension. The ThinkPHP framework itself has no special module requirements; the runtime requirements of a specific application depend on the modules used in its development.
The vulnerability stems from a logic flaw in ThinkPHP 6.0. An attacker who successfully exploits it can achieve "arbitrary" file creation, which can lead to getshell in special scenarios.
0x02 Vulnerability overview
On January 10, 2020, the ThinkPHP team released a patch update that fixed an arbitrary file manipulation vulnerability caused by an insecure SessionId. When session is enabled in the target environment, the vulnerability allows an attacker to create and delete arbitrary files, and to getshell under certain circumstances.
0x03 Affected versions
ThinkPHP 6.0.0-6.0.1
0x04 Environment setup
1. In phpstudy, set PHP to version 7.2 and add the corresponding folder to the PATH environment variable.
2. Open the php.ini file in the phpstudy server and remove the semicolon before extension=php_openssl.dll. This enables the SSL extension so that it can be used from the cmd command line.
3. Install composer.phar: go to the download page and download the latest version of composer.phar.
Download address: https://getcomposer.org/download/
4. Double-click the installer; nothing needs to be checked, just select Next.
5. Once the environment variable has been configured, it is selected automatically.
Then continue to the next step until the installation is complete.
Enter composer to check whether the installation succeeded.
6. Install tp6:
php composer.phar create-project topthink/think tp 6.0.*
At this time the latest version of ThinkPHP is 6.0.3, so the command above downloads framework version 6.0.3. We need to run one more command: enter the downloaded directory tp6 and run the following in cmd:
composer require topthink/framework:6.0.0
8. Open the site in the browser.
0x05 Vulnerability reproduction
First, obtain a controllable session parameter name. Here it is constructed locally; in actual combat you need to fuzz for it yourself.
Location: tp6\app\controller\index.php
Content to add:
use think\facade\Session;
Session::set('user', $_GET['username']);
Enable session so that the written session content is controllable: in the /tp6/app/middleware.php file, enable session by removing the // comment from the session line.
Use Burp to capture the request to the front page and construct the payload: username is the receiving parameter we just constructed, and the value of PHPSESSID is changed to a 32-character save path.
Click Send, then visit in the browser.
0x06 Fix
The official fix
Add a filter on the session id using ctype_alnum():
$this->id = is_string($id) && strlen($id) === 32 && ctype_alnum($id) ? $id : md5(microtime(true) . session_create_id());
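The effect of the added ctype_alnum() condition, shown next to a length-only check, as an added example (not ThinkPHP's source and not code from this article). The `<baseDir>/sess_<id>` file layout, the base directory, the helper names and the sample ids are assumptions constructed for illustration.

```php
<?php
// Added illustration, not ThinkPHP source: the two id checks side by side.

// Length-only rule (the check without ctype_alnum): any 32-character string passes.
function acceptIdLengthOnly($id): string
{
    return is_string($id) && strlen($id) === 32
        ? $id : md5(microtime(true) . session_create_id());
}

// Patched rule from the fix above: 32 characters and alphanumeric only.
function acceptIdAlnum($id): string
{
    return is_string($id) && strlen($id) === 32 && ctype_alnum($id)
        ? $id : md5(microtime(true) . session_create_id());
}

// Assumed file-store layout for illustration: <baseDir>/sess_<id>.
function sessionFileFor(string $baseDir, string $id): string
{
    return rtrim($baseDir, '/\\') . '/sess_' . $id;
}

// Lexical containment check: true if $path resolves outside $baseDir.
function escapesBase(string $baseDir, string $path): bool
{
    $split = function (string $p): array {
        return preg_split('#[/\\\\]+#', $p, -1, PREG_SPLIT_NO_EMPTY);
    };
    $resolved = [];
    foreach ($split($path) as $seg) {
        if ($seg === '..') {
            array_pop($resolved);
        } elseif ($seg !== '.') {
            $resolved[] = $seg;
        }
    }
    $base = $split($baseDir);
    return array_slice($resolved, 0, count($base)) !== $base;
}

$baseDir = '/srv/app/runtime/session';     // constructed path
$samples = [                               // constructed ids, 32 characters each
    str_repeat('a1b2c3d4', 4),             // alphanumeric
    str_repeat('a', 24) . '/../../b',      // contains separators and dots
];
foreach ($samples as $raw) {
    foreach (['acceptIdLengthOnly', 'acceptIdAlnum'] as $check) {
        $file = sessionFileFor($baseDir, $check($raw));
        printf("%-18s %-32s escapes=%s\n", $check, $raw, escapesBase($baseDir, $file) ? 'yes' : 'no');
    }
}
```

Only the length-only check keeps the second sample as the id, so only that row reports a path outside the session directory; the patched check replaces the id with a freshly generated one.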
That is all on how arbitrary file creation in ThinkPHP 6.0 can lead to getshell. I hope the above content is of some help to you and lets you learn more. If you think the article is good, you can share it for more people to see.