ThinkPHP 5.0 and 5.1 getshell vulnerability

The website had its privileges escalated a few days ago, only a few days after it was built. It was probably not done deliberately; it may have been a batch scan for getshell.

For convenience, I picked the open source system ThinkCMF and built a blog with it. It looked pretty good. Because ThinkCMF is developed on the ThinkPHP 5.0 framework, I went to thinkphp.cn to check it out, and it turned out that there was a privilege escalation vulnerability.

In the library/think/App.php file, the module, controller, and method in a request are separated by /.

The controller name is not filtered, so a request can be constructed that executes arbitrary functions.

 

I built a virtual host locally to test: http://cmf.com

Requesting the following constructed URL prints the phpinfo output directly:

http://cmf.com/index.php?s=portal/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

phpinfo can then be replaced with other functions, for example the file_put_contents function, to write webshell files of various kinds, large and small.

The official ThinkPHP fix for 5.0 is:

In the module method of the think\App class, add the following after the code that obtains the controller:

if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}
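
The same whitelist can be used to find these requests in web server access logs. The Python below is an added example, not part of the original post or of ThinkPHP itself; it assumes the route arrives in the s parameter as in the URL above (or as PATH_INFO after index.php), and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Same whitelist as the official 5.0 fix quoted above (re.ASCII matches PHP's \w).
CONTROLLER_OK = re.compile(r'^[A-Za-z](\w|\.)*$', re.ASCII)
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

def controller_of(target):
    """Return the controller segment of a module/controller/action route, or None."""
    parts = urlsplit(target)
    route = parse_qs(parts.query).get('s', [''])[0]   # percent-decoding happens here
    if not route and '/index.php/' in parts.path:      # PATH_INFO style route
        route = parts.path.split('/index.php/', 1)[1]
    segments = route.strip('/').split('/')
    return segments[1] if len(segments) >= 2 else None

def suspicious_requests(log_text):
    """Yield (client, controller) for requests whose controller the fix would reject."""
    for line in log_text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        controller = controller_of(m.group(1))
        # A backslash fails the whitelist whether it was logged raw, as %5C,
        # or in a server-escaped form such as \x5C, so no normalisation is needed.
        if controller is not None and not CONTROLLER_OK.match(controller):
            yield line.split(' ', 1)[0], controller

# Constructed sample log lines (combined log format); addresses are documentation ranges.
SAMPLE_LOG = r'''
203.0.113.5 - - [10/Jan/2019:10:00:00 +0800] "GET /index.php?s=portal/article/index&id=3 HTTP/1.1" 200 5123
198.51.100.7 - - [10/Jan/2019:10:00:02 +0800] "GET /index.php?s=portal/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 80211
198.51.100.8 - - [10/Jan/2019:10:00:03 +0800] "GET /index.php?s=portal/\x5Cthink\x5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 404 162
203.0.113.5 - - [10/Jan/2019:10:00:04 +0800] "GET /static/js/app.js HTTP/1.1" 200 912
'''

if __name__ == '__main__':
    for client, controller in suspicious_requests(SAMPLE_LOG):
        print(client, controller)
```

A hit with status 200 on an unpatched version is worth following up by checking the web root for files created after the request time.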

The version of thinkcmf I use is: ThinkCMF 5.0.180901

Then I took a look at ThinkCMF's official website, which has been updated to 5.0.190111. The latest version has also updated ThinkPHP 5.0 to the latest version, 5.0.24, to include the security updates, and of course it no longer has this privilege escalation vulnerability.

 


Origin blog.csdn.net/weixin_43932088/article/details/86678996