Home >PHP Framework >ThinkPHP >ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

藏色散人
藏色散人forward
2020-01-20 14:13:594430browse

Vulnerability Introduction

On January 10, 2020, the ThinkPHP team released a patch update to fix an arbitrary file operation vulnerability caused by an unsafe SessionId. This vulnerability allows an attacker to create and delete arbitrary files if the session is enabled in the target environment. Under certain circumstances, the attacker can also get the shell.

  1. The specific affected version is ThinkPHP6.0.0-6.0.1.

Vulnerability Reproduction

The local environment uses ThinkPHP 6.0.1 PHP7.1.20 Apache for reproduction. To execute the test verification program under certain circumstances, you can write a webshell, as shown below:

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

Vulnerability Analysis

According to the official github commit:

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

https://github.com/topthink/framework/commit/1bbe75019ce6c8e0101a6ef73706217e406439f2

Therefore, it is speculated that the file writing may be caused when the session is stored. Then, trace: vendor/topthink/framework/src/think/session/Store.php:254.

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

A write function is called here, follow up: vendor/topthink/framework/src/think/session/driver/File.php:210.

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

Call the writeFile function and follow:

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

It is indeed an operation of writing a file.

Continue to reverse the process to see if the file name is controllable. The file name comes from the value of $sessionId obtained by the initial getId(). Since there is getId, there will be setId. Take a look at the function content:

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

When the incoming parameter $id meets the length of 32 bits, the value is set to $ this->id. Take a look at where setId is called: vendor/topthink/framework/src/think/middleware/SessionInit.php:46.

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

The value of $cookieName here is PHPSESSID.

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

And $sessionId is the value named PHPSESSID in the cookie, so it is controllable by the attacker, resulting in the written file name being controllable.

The written file name is controllable, but is the written content controllable? Analysis found that the written content is the content used to create the session. However, the creation of a session is determined by the actual back-end business logic, and a session is not created in the default environment. Therefore, arbitrary file writing is not possible in the default environment.

During the in-depth analysis of this vulnerability, we found that this vulnerability can also achieve arbitrary file deletion, and file deletion has low dependence on back-end business logic.

Still in vendor/topthink/framework/src/think/session/Store.php:254:

ThinkPHP6 Arbitrary File Operation Vulnerability Analysis

Through analysis and verification, we found the vulnerability ( As shown above) can also cause arbitrary file deletion.

Summary

When the target environment is Windows and the session is enabled, it is vulnerable to arbitrary file deletion attacks.

When the session is opened in the target environment and the written session is controllable, it is vulnerable to arbitrary file writing attacks.

It is recommended that relevant users upgrade to ThinkPHP6.0.2 version in time to avoid being attacked.

php Chinese website, a large number of free thinkphp introductory tutorials, welcome to learn online!

The above is the detailed content of ThinkPHP6 Arbitrary File Operation Vulnerability Analysis. For more information, please follow other related articles on the PHP Chinese website!

Statement:
This article is reproduced at:seebug.org. If there is any infringement, please contact admin@php.cn delete