YxtCMF SQL injection vulnerability reproduction

Foreword: While reproducing this, I was misled by a vulnerability article written by a certain laboratory. I kept injecting for a long time and nothing worked. After sleeping on it I went back to review the code and found that the vulnerability point given in that article was wrong...

1. Vulnerability point

The vulnerability is in the front-end (unauthenticated) code,

at line 310 of the ajaxlogin method.

Looking at the URL alone, it is pseudo-static (rewritten).

The key part is here:

The user's parameters are converted into an array and passed directly to the where method for concatenation, and a row is returned with the find method, without the sanitization that the I method would apply.

2. Exploitation

ThinkPHP 3.2.3 exp (expression) injection can be used directly.

The vulnerability point above handles the account parameter. Passing it as account[0]=exp causes whatever follows account[1]= to be parsed as a SQL expression.
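The following PHP is an added example, not code from YxtCMF or ThinkPHP. It models, in simplified form, what the vulnerability point and the exp mechanism above describe: a ThinkPHP 3.2-style where() that splices an array value of the form array('exp', ...) into the condition unescaped, and beside it a hardened version of the account lookup that refuses array input and applies the keyword filter (modelled on the think_filter used by I() in 3.2.3) so that an "exp" string can never be interpreted as an operator. The names buildCondition, thinkFilter and safeAccount, and the request arrays, are constructed for illustration.

```php
<?php
// Added example, not YxtCMF or ThinkPHP code. Simplified model of how a
// ThinkPHP 3.2-style where() treats an array value for one field: if the
// first element is 'exp', the second element is concatenated as raw SQL.
function buildCondition(string $field, $value): string
{
    if (is_array($value)) {
        $op = strtolower(trim((string)($value[0] ?? '')));
        if ($op === 'exp') {
            // Raw-expression path: nothing here is quoted or escaped.
            // This is what account[0]=exp&account[1]=... reaches.
            return $field . ' ' . (string)($value[1] ?? '');
        }
        // Other array operators are omitted from this model.
    }
    // Scalar path: the value is quoted and escaped.
    return $field . " = '" . addslashes((string)$value) . "'";
}

// Keyword filter modelled on the one I() applies in ThinkPHP 3.2.3 (assumption):
// a bare operator keyword gets a trailing space appended so it no longer
// matches an operator check if the value is later wrapped in an array.
function thinkFilter(string $value): string
{
    $ops = '/^(EXP|NEQ|GT|EGT|LT|ELT|OR|XOR|LIKE|NOTLIKE|NOT BETWEEN|NOTBETWEEN|BETWEEN|NOTIN|NOT IN|IN)$/i';
    if (preg_match($ops, $value)) {
        $value .= ' ';
    }
    return $value;
}

// Hardened lookup: the account field is only ever accepted as a string.
// An array (account[0]=exp) is rejected before it can reach where().
function safeAccount(array $request): ?string
{
    $account = $request['account'] ?? null;
    if (!is_string($account)) {
        return null;
    }
    // htmlspecialchars mirrors the CMS's default I() filter; thinkFilter
    // neutralises a bare operator keyword.
    return thinkFilter(htmlspecialchars(trim($account), ENT_QUOTES));
}

// Constructed requests: one shaped like account[0]=exp&account[1]=..., one benign.
$malicious = ['account' => ['exp', '<raw SQL controlled by the client>']];
$benign    = ['account' => 'alice'];

// Vulnerable path: the array goes straight into the condition.
echo buildCondition('account', $malicious['account']), PHP_EOL;
// account <raw SQL controlled by the client>

// Hardened path: array input is refused (NULL), so no query is built.
echo var_export(safeAccount($malicious), true), PHP_EOL;
// NULL

// Hardened path with a normal value: the scalar branch quotes it.
echo buildCondition('account', safeAccount($benign)), PHP_EOL;
// account = 'alice'

// Even a literal string "exp" is defused by the keyword filter.
echo var_export(safeAccount(['account' => 'exp']), true), PHP_EOL;
// 'exp '
```

The important design choice is the is_string check: the root cause is that PHP silently turns account[0]=... into an array, and the where() array convention then treats it as an operator. Refusing non-scalar input for fields that should be plain strings removes the exp path entirely, independent of which keywords the filter happens to know about.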

Here is an example. Every field in the database is echoed... Error-based output is also possible.

You can also search for where calls to find other unfiltered parameters.

For example, in the first one, although a function is applied,

the closing bracket does not prevent the malicious statement from executing.

That is to say, brackets are not filtered, which results in SQL injection.

Looking more closely at the configuration file of this CMS,

the I function uses htmlspecialchars by default.

References:

Detailed explanation of ThinkPHP functions: I method - ThinkPHP framework

Detailed explanation of the where method of the ThinkPHP CURD methods - ThinkPHP framework

ThinkPHP 3 vulnerability summary - Y4er's blog

YxtCMF background injection and getshell analysis - Tencent Cloud Developer Community - Tencent Cloud

Update (5.3)

The two injections listed above can be stacked (both use the find function, so presumably they all work?).

This means that even after secure_file_priv has restricted file import/export, other methods can be used to getshell.

For example, insert malicious data into a table and combine it with a file include,

or getshell directly through the log.

Source: blog.csdn.net/weixin_51681694/article/details/130466564