Home > PHP Framework > ThinkPHP > thinkphp6 arbitrary file creation vulnerability reappears

thinkphp6 arbitrary file creation vulnerability reappears

藏色散人
Release: 2020-01-20 14:07:46
forward
5395 people have browsed it

01 Background

QiAnXin recently released a security risk notice for the "arbitrary" file creation vulnerability in ThinkPHP 6.0. In response, DYSRC immediately analyzed the vulnerability and successfully Reproduce the vulnerability.

Vulnerability scope: top-think/framework 6.x

02 Location problem

Based on the creation of arbitrary files and recent commit history, it can be inferred that 1bbe75019 is the patch for this problem. It can be seen that the patch restricts the sessionid to only consist of letters and numbers, which makes the problem more obvious.

thinkphp6 arbitrary file creation vulnerability reappears

03 Principle Analysis

Putting aside the above issues first, let’s take a look at how thinkphp stores sessions.

The system defines the interface thinkcontractSessionHandlerInterface

thinkphp6 arbitrary file creation vulnerability reappears

SessionHandlerInterface::write method is executed when localizing session data, and the system will automatically execute it at the end of each request. implement.

Let’s take a look at how the thinksessiondriverFile class is implemented.

thinkphp6 arbitrary file creation vulnerability reappears

First generate the file name based on $sessID through getFileName, and then writeFile to write the file.

Follow up getFileName and directly concatenate the incoming $sessID as the file name. Since $sessID is controllable, the file name is controllable.

thinkphp6 arbitrary file creation vulnerability reappears

04 Demonstration

At this point in the analysis, the entire vulnerability process is basically clear. The local demonstration results are given below.

thinkphp6 arbitrary file creation vulnerability reappears

php Chinese website, a large number of free thinkphp introductory tutorials, welcome to learn online!

The above is the detailed content of thinkphp6 arbitrary file creation vulnerability reappears. For more information, please follow other related articles on the PHP Chinese website!

Related labels:
source:斗鱼安全应急响应中心
Statement of this Website
The content of this article is voluntarily contributed by netizens, and the copyright belongs to the original author. This site does not assume corresponding legal responsibility. If you find any content suspected of plagiarism or infringement, please contact admin@php.cn
Popular Tutorials
More>
Latest Downloads
More>
Web Effects
Website Source Code
Website Materials
Front End Template