Vulnerability Introduction
On January 10, 2020, the ThinkPHP team released a patch that fixes an arbitrary file operation vulnerability caused by an unsafe session ID. When the session is enabled in the target environment, an attacker can create and delete arbitrary files, and under certain conditions can also obtain a shell.
The affected versions are ThinkPHP 6.0.0 through 6.0.1.
Vulnerability Reproduction
The local environment used for reproduction is ThinkPHP 6.0.1, PHP 7.1.20 and Apache. With a test verification program whose business logic stores attacker-supplied data in the session, a webshell can be written under these conditions (the original article shows the result as a screenshot).
Vulnerability Analysis
The official GitHub commit for the fix is:
https://github.com/topthink/framework/commit/1bbe75019ce6c8e0101a6ef73706217e406439f2
The commit only tightens the session ID check, so it is reasonable to suspect that the file write happens when the session is stored. Tracing from vendor/topthink/framework/src/think/session/Store.php:254, a write method on the session handler is called there; following it leads to vendor/topthink/framework/src/think/session/driver/File.php:210, which calls writeFile. That is indeed a file write.
Working backwards, the next question is whether the file name is controllable. The file name is derived from $sessionId, which is obtained from getId(). Where there is a getId there is a setId, and setId only requires the incoming $id to be exactly 32 characters long before assigning it to $this->id; no check is made on the characters themselves. setId is called from vendor/topthink/framework/src/think/middleware/SessionInit.php:46, where $cookieName is PHPSESSID and $sessionId is the value of the PHPSESSID cookie. The cookie is fully attacker-controlled, so any 32-byte value, including one containing path separators and ".." sequences, becomes the session ID and therefore the name of the file that is written.
The file name is controllable, but is the written content? The content is the serialized session data, and whether any attacker-influenced data ends up in the session depends on the back-end business logic. In the default environment no session data is created, so the write does not happen at all and arbitrary file writing is not possible there; it becomes possible only when the application stores controllable data in the session.
Further analysis shows that the same vulnerability also allows arbitrary file deletion, and deletion depends far less on the back-end business logic. Still in vendor/topthink/framework/src/think/session/Store.php:254: when the session save path finds no session data to write, it calls the handler's delete for the current session ID instead, and the File driver unlinks the file named after that ID. Since the ID comes from the same unchecked cookie value, the deleted path is attacker-controlled. This was confirmed by analysis and local verification.
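The following PHP script is an added illustration written for this page, not ThinkPHP's own code. It models the chain described above: a PHPSESSID cookie value passes a length-only check, is appended to the session directory to form a file path, and the write and delete operations then act on that path. The 6.0.0-6.0.1 style check (length 32 only) is compared with a stricter check that also requires the ID to be alphanumeric, which is the kind of validation the fix commit adds. SESSION_DIR, the "sess_" prefix, the function names and the cookie values are all assumptions constructed for the demonstration; the script never touches the disk, it only shows where the resolved path would land.

```php
<?php
declare(strict_types=1);

// Assumed layout for this model, not a real ThinkPHP configuration path.
const SESSION_DIR = '/var/www/app/runtime/session/';

// 6.0.0-6.0.1 behaviour as described above: any 32-byte cookie value is
// accepted as the session id. Returning null stands in for "id not set"
// (the framework would then generate a fresh random id).
function setIdVulnerable(string $id): ?string
{
    return strlen($id) === 32 ? $id : null;
}

// Post-fix behaviour: the id must also be purely alphanumeric, which
// excludes '.', '/' and '\' and therefore any traversal sequence.
function setIdFixed(string $id): ?string
{
    return (strlen($id) === 32 && ctype_alnum($id)) ? $id : null;
}

// Assumed stand-in for the File driver's file-name construction:
// the id is appended to the session directory behind a 'sess_' prefix.
function sessionFileName(string $id): string
{
    return SESSION_DIR . 'sess_' . $id;
}

// Purely lexical resolution of '.', '..' and repeated separators. Real
// filesystems differ (Linux resolves each component against the actual
// directory tree), which is one reason the platform matters for the
// delete case; this model ignores that and only shows the target path.
function normalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $seg) {
        if ($seg === '..') {
            array_pop($parts);
        } elseif ($seg !== '' && $seg !== '.') {
            $parts[] = $seg;
        }
    }
    return '/' . implode('/', $parts);
}

// True when the file the driver would write or unlink lies outside SESSION_DIR.
function escapesSessionDir(string $id): bool
{
    $resolved = normalizePath(sessionFileName($id));
    $base     = rtrim(normalizePath(SESSION_DIR), '/') . '/';
    return strncmp($resolved, $base, strlen($base)) !== 0;
}

// Constructed cookie values for the demonstration.
$cookies = [
    'legit'     => md5('example'),                      // 32 hex chars, alphanumeric
    'traversal' => '/../../../../../../../../zzz.php',  // exactly 32 bytes, climbs out of the session dir
    'too_long'  => '/../../../../../../../../zzzz.php', // 33 bytes, rejected by the length check alone
];

foreach ($cookies as $label => $value) {
    foreach (['vulnerable' => 'setIdVulnerable', 'fixed' => 'setIdFixed'] as $mode => $check) {
        $id = $check($value);
        if ($id === null) {
            printf("%-9s %-10s rejected (id not set)\n", $label, $mode);
            continue;
        }
        printf(
            "%-9s %-10s -> %s%s\n",
            $label,
            $mode,
            normalizePath(sessionFileName($id)),
            escapesSessionDir($id) ? '  [outside session dir]' : ''
        );
    }
}
```

Run with `php model.php`. The legitimate id resolves inside SESSION_DIR under both checks; the 32-byte traversal value is accepted by the length-only check and resolves to a path outside the session directory, while the alphanumeric check rejects it before any file name is built. The 33-byte value shows that the length check alone is a constraint on payload size, not a security control: any traversal that fits in 32 bytes passes it.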
Summary
When the target environment is Windows and the session is enabled, the application is vulnerable to arbitrary file deletion.
When the session is enabled and the data written to the session is attacker-controllable, the application is vulnerable to arbitrary file writing, which can lead to a webshell.
Affected users should upgrade to ThinkPHP 6.0.2 as soon as possible to avoid being attacked.
Source: "ThinkPHP6 Arbitrary File Operation Vulnerability Analysis", PHP Chinese website.