Vulnerability Details

show Method parameter controllable rce

Loophole recurrence

Controller write demo

<?php
namespace Home\Controller;
use Think\Controller;
class IndexController extends Controller {
    public function index($n){
        $this->show($n);
        }
}

When template engine (TMPL_ENGINE_TYPE) There are not two cases at the same time 1.php 2. Think

One 、php

Pass in Utilization mode ：eval Execute code

url/?n=<?php system('whoami');?> 

Two 、Think
Pass in Utilization mode ： Subsequent generation of cache file utilization include Execute code

?n=<?php system('whoami');?>  or  /?n=<php>phpinfo();</php>

Vulnerability analysis

When the template is php:

Get into display Method $countent Is the command code

Get into fetch Method

stay fetch In the method if Judge Because the template is php So do the following eval Code

When the template is Think:
Still enter fetch Method
Merge variables into an array $params Then enter listen Method

listen Method $name$tag Take us $params Pass in exec Method

here $tag Set to run End up in ParseTemplateBehavior Class run Method

Run In the method , First, check whether the cache is valid , For the first time , So to enter else Branch

To follow up Template Class fetch Method , call loadTemplate Method

loadTemplate Middle pass compiler Generate cache code after , call put Method

call File Class put Method , Write code

All the way back to Template Class fetch Method to call load

Storage::load($templateCacheFile,$this->tVar,null,'tpl');

include Cache file Execute code , When the same code is executed , Because of the same content md5 identical , So the cache file exists , So I'm entering run In the method , Call directly load

That is, when the command is called for the first time , Generate a cache file and include it , When called again , Include files directly