ThinkPHP version: v5.0.5
Download: https://www.thinkphp.cn/down/870.html
PoC: `?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1` (the `s` parameter carries a pathinfo-style route `module/controller/action`; the controller segment is a fully-qualified class name instead of a bare controller name)
After requesting index.php with the PoC and letting the framework initialize, execution reaches the `run` method of the `App` class.
Around line 100 or so the route information is processed; step into that call.
![v2-9315797fcc78d03fd217d387d659fa6d_b.jpg](http://img-01.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic2.zhimg.com/v2-9315797fcc78d03fd217d387d659fa6d_b.jpg)
![v2-4236a3c4a9a8a1c7efffef0007000ec9_b.jpg](http://img-01.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic2.zhimg.com/v2-4236a3c4a9a8a1c7efffef0007000ec9_b.jpg)
![v2-cb131ee7d0bd6476378885cf4d8be1e2_b.png](http://img-03.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic3.zhimg.com/v2-cb131ee7d0bd6476378885cf4d8be1e2_b.png)
Step into the `module` method.
The key location is reached at line 354; the green commented-out lines are ThinkPHP's official fix.
![v2-ace8bd42e6f36492f11df704ed9b1d9d_b.jpg](http://img-01.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic2.zhimg.com/v2-ace8bd42e6f36492f11df704ed9b1d9d_b.jpg)
![v2-e8d6f6e5dcc4a5eea4e0a466bbe36794_b.jpg](http://img-01.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic1.zhimg.com/v2-e8d6f6e5dcc4a5eea4e0a466bbe36794_b.jpg)
![v2-48b051359ff688380fec2caaa2b0a598_b.png](http://img-02.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic1.zhimg.com/v2-48b051359ff688380fec2caaa2b0a598_b.png)
In the `Loader` class the attacker-supplied class name is resolved and instantiated via reflection.
![v2-a71c1452ed677404873a6fb15a1c6185_b.jpg](http://img-03.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic2.zhimg.com/v2-a71c1452ed677404873a6fb15a1c6185_b.jpg)
![v2-62ecb41f72926627fdd7429de6d237dc_b.jpg](http://img-02.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic1.zhimg.com/v2-62ecb41f72926627fdd7429de6d237dc_b.jpg)
The requested method of that class is then invoked via reflection.
![v2-be2030420887e44dbe7f3ba2a6045cc6_b.jpg](http://img-01.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic3.zhimg.com/v2-be2030420887e44dbe7f3ba2a6045cc6_b.jpg)
The request parameters are collected and bound to the method's arguments.
![v2-0d873c6a122cad7c784f9e5b37304ebb_b.jpg](http://img-03.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic4.zhimg.com/v2-0d873c6a122cad7c784f9e5b37304ebb_b.jpg)
The method is invoked via reflection: `call_user_func_array`
with the argument `phpinfo`
![v2-645de5b55b20bcc3bc9d8d7b4ed8aae2_b.jpg](http://img-01.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic3.zhimg.com/v2-645de5b55b20bcc3bc9d8d7b4ed8aae2_b.jpg)
![v2-efeea58d464583df9762a8abceb4ebf6_b.jpg](http://img-03.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic3.zhimg.com/v2-efeea58d464583df9762a8abceb4ebf6_b.jpg)
At this point `phpinfo` has executed successfully.
![v2-49d25b978471acd2171a14e2c22c1a89_b.jpg](http://img-01.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic2.zhimg.com/v2-49d25b978471acd2171a14e2c22c1a89_b.jpg)
Call stack of the vulnerability
![v2-59c73559c82dfd4e9d96aa213ccab3b4_b.jpg](http://img-03.proxy.5ce.com/view/image?&type=2&guid=b55cb740-192a-eb11-8da9-e4434bdf6706&url=https://pic1.zhimg.com/v2-59c73559c82dfd4e9d96aa213ccab3b4_b.jpg)
The root cause is that the think framework splits the route on `/` into module, controller and action, but never checks that the controller segment is a plain controller name. Because `Loader` treats any name containing a namespace separator as a fully-qualified class, an arbitrary class such as `\think\App` can be supplied through the route; its public `invokeFunction` method is then executed via reflection, which in turn calls `call_user_func_array` on an attacker-chosen function and arguments, giving arbitrary function execution.
The official fix accordingly rejects any controller name containing characters other than a leading letter followed by word characters.
Fix:
ThinkPHP v5.0.x patch:
library/think/App.php, after

```php
$controller = strip_tags($result[1] ?: $config['default_controller']);
```

add

```php
if (!preg_match('/^[A-Za-z](\w)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}
```

ThinkPHP v5.1.x patch:
library/think/route/dispatch/Module.php, replace

```php
$controller = strip_tags($result[1] ?: $this->rule->getConfig('default_controller'));
```

with

```php
$controller = strip_tags($result[1] ?: $this->rule->getConfig('default_controller'));
if (!preg_match('/^[A-Za-z](\w)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}
```
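To make the root cause and the patch concrete, here is an added, self-contained model of the dispatch path described above. It is example code written for this article, not ThinkPHP's own source: `demo\Gadget` stands in for `think\App` (it mirrors only the shape of `invokeFunction`), `app\index\controller\Index` is an assumed application controller, and `resolveController` reproduces the controller-name handling of `Loader::getModuleAndClass` (a segment containing a backslash is taken verbatim as a class name). The request array is constructed, with `strtoupper` in place of `phpinfo` so the script is harmless.

```php
<?php
// Added example modelling ThinkPHP 5.0.x pathinfo dispatch; not framework code.

namespace demo {
    // Stand-in for think\App::invokeFunction (assumption: same calling shape):
    // reflect the named function and call it with request-supplied arguments.
    class Gadget
    {
        public function invokeFunction(string $function, array $vars = [])
        {
            $reflect = new \ReflectionFunction($function);
            return $reflect->invokeArgs($vars);
        }
    }
}

namespace app\index\controller {
    // Assumed application controller for the normal, legitimate route.
    class Index
    {
        public function index(): string
        {
            return 'hello from app\index\controller\Index::index';
        }
    }
}

namespace {
    // The regex from the official 5.0.23 patch.
    const CONTROLLER_PATTERN = '/^[A-Za-z](\w)*$/';

    // Models Loader::getModuleAndClass: a backslash in the segment means
    // "use this as a fully-qualified class name"; otherwise build app\{module}\controller\{Name}.
    function resolveController(string $module, string $controller): string
    {
        if (strpos($controller, '\\') !== false) {
            return $controller;
        }
        return 'app\\' . $module . '\\controller\\' . ucfirst($controller);
    }

    // Models App::module + App::invokeMethod. $hardened toggles the official check.
    function dispatch(string $s, array $get, bool $hardened)
    {
        $parts      = explode('/', trim($s, '/'), 3);
        $module     = strip_tags($parts[0] ?? 'index');
        $controller = strip_tags($parts[1] ?? 'Index');
        $action     = strip_tags($parts[2] ?? 'index');

        // The patch: reject anything that is not a bare controller name.
        if ($hardened && !preg_match(CONTROLLER_PATTERN, $controller)) {
            throw new RuntimeException('controller not exists:' . $controller);
        }

        $class = resolveController($module, $controller);
        if (!class_exists($class)) {
            throw new RuntimeException('class not found:' . $class);
        }
        $instance = new $class();
        $method   = new ReflectionMethod($instance, $action);

        // Bind GET parameters to the action's signature by name, like bindParams.
        $args = [];
        foreach ($method->getParameters() as $param) {
            $name = $param->getName();
            if (isset($get[$name])) {
                $args[] = $get[$name];
            } elseif ($param->isDefaultValueAvailable()) {
                $args[] = $param->getDefaultValue();
            } else {
                throw new RuntimeException('missing parameter:' . $name);
            }
        }
        return $method->invokeArgs($instance, $args);
    }

    // Constructed request with the PoC's shape (vars[0]=callable, vars[1][]=args).
    $get = [
        's'        => 'index/\demo\gadget/invokefunction',
        'function' => 'call_user_func_array',
        'vars'     => ['strtoupper', ['pwned']],
    ];

    echo dispatch('index/index/index', [], false), PHP_EOL;   // legitimate route
    echo dispatch($get['s'], $get, false), PHP_EOL;            // unpatched dispatch
    try {
        dispatch($get['s'], $get, true);                       // patched dispatch
    } catch (RuntimeException $e) {
        echo 'patched: ', $e->getMessage(), PHP_EOL;
    }
}
```

Run it with `php dispatch_demo.php`. The legitimate route resolves to `app\index\controller\Index` in both modes. Without the check, the controller segment `\demo\gadget` is accepted verbatim, `invokefunction` is reflected and `call_user_func_array('strtoupper', ['pwned'])` runs, which is exactly the chain the PoC drives with `phpinfo`. With the check, `\demo\gadget` fails `^[A-Za-z](\w)*$` and dispatch stops with `controller not exists:` before any class is looked up, which is why the one-line regex is sufficient: the dangerous behaviour lives in `Loader`'s backslash handling, and the patch keeps a backslash from ever reaching it.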