thinkphp6 arbitrary file creation vulnerability reappears

01 Background

QiAnXin recently released a security risk notice for the "arbitrary" file creation vulnerability in ThinkPHP 6.0. In response, DYSRC immediately analyzed the vulnerability and successfully Reproduce the vulnerability.

Vulnerability scope: top-think/framework 6.x

02 Location problem

Based on the creation of arbitrary files and recent commit history, it can be inferred that 1bbe75019 is the patch for this problem. It can be seen that the patch restricts the sessionid to only consist of letters and numbers, which makes the problem more obvious.

03 Principle Analysis

Putting aside the above issues first, let’s take a look at how thinkphp stores sessions.

The system defines the interface thinkcontractSessionHandlerInterface

SessionHandlerInterface::write method is executed when localizing session data, and the system will automatically execute it at the end of each request. implement.

Let’s take a look at how the thinksessiondriverFile class is implemented.

First generate the file name based on $sessID through getFileName, and then writeFile to write the file.

Follow up getFileName and directly concatenate the incoming $sessID as the file name. Since $sessID is controllable, the file name is controllable.

04 Demonstration

At this point in the analysis, the entire vulnerability process is basically clear. The local demonstration results are given below.

php Chinese website, a large number of free thinkphp introductory tutorials, welcome to learn online!

The above is the detailed content of thinkphp6 arbitrary file creation vulnerability reappears. For more information, please follow other related articles on the PHP Chinese website!