Record the getshell vulnerability of thinkphp5.0 and 5.1
The website was revoked before. At that time, the website had only been built a few days earlier, so there shouldn't have been anyone doing it on purpose; it might have been a batch getshell scan. For my own convenience, I had used the open source system thinkcmf to build a blog, which looked pretty good. thinkcmf is developed using the thinkphp5.0 framework, so I went to thinkphp.cn and took a look, and it turned out that there was a privilege escalation vulnerability.
In the library/think/App.php file, the module, controller, and method are separated by /.
The controller name is not filtered, so a request can name an arbitrary class as the controller and have various functions constructed and executed.
I built a virtual host locally to test http://cmf.com
Requesting the following constructed URL prints phpinfo directly:
http://cmf.com/index.php?s=portal/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
phpinfo can then be replaced with other functions, for example using the file_put_contents function to write webshell files, both full-featured and minimal ones.
The official ThinkPHP fix for 5.0 is to add the following after the code that obtains the controller name in the module method of the think\App class:

    // Reject controller names that are not a letter followed by word characters or dots
    if (!preg_match('/^[A-Za-z](\w|\.)*$/', $controller)) {
        throw new HttpException(404, 'controller not exists:' . $controller);
    }
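As an added example (not from the original post or from ThinkPHP), the controller-name pattern from the official fix can also be run over web access logs to find requests that the patched framework would reject. It assumes combined-format log lines and that the route arrives in the s parameter as in the URL above; the function names and the sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Pattern from the official 5.0 fix; re.ASCII mirrors PHP's byte-wise \w.
CONTROLLER_RE = re.compile(r'^[A-Za-z](\w|\.)*$', re.ASCII)
# Request line of a combined-format access log entry (assumed log format).
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')


def controller_from_target(target):
    """Return the controller segment of the s=module/controller/action route."""
    routes = parse_qs(urlsplit(target).query).get("s")  # also percent-decodes
    if not routes:
        return None
    parts = routes[0].strip("/").split("/")
    return parts[1] if len(parts) > 1 else None


def suspicious_requests(log_lines):
    """Return (client_ip, controller) for requests the patched check rejects."""
    hits = []
    for line in log_lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        controller = controller_from_target(match.group(1))
        if controller is not None and not CONTROLLER_RE.match(controller):
            hits.append((line.split()[0], controller))
    return hits


# Constructed sample log lines (documentation IP ranges, made-up timestamps).
SAMPLE_LOG = [
    r'192.0.2.10 - - [10/Dec/2018:03:12:40 +0800] "GET /index.php?s=portal/article/index&id=3 HTTP/1.1" 200 5120',
    r'203.0.113.7 - - [10/Dec/2018:03:12:45 +0800] "GET /index.php?s=portal/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 81234',
    r'198.51.100.23 - - [10/Dec/2018:03:13:02 +0800] "GET /index.php?s=portal/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars%5B0%5D=phpinfo&vars%5B1%5D%5B%5D=1 HTTP/1.1" 200 81234',
    r'192.0.2.10 - - [10/Dec/2018:03:13:10 +0800] "GET /static/css/site.css HTTP/1.1" 200 830',
    r'192.0.2.44 - - [10/Dec/2018:03:13:15 +0800] "GET /index.php?s=admin/admin.user/list HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, controller in suspicious_requests(SAMPLE_LOG):
        print(f"{ip}: controller segment {controller!r} fails the patched check")
```

A 200 response with an unusually large body on a flagged line, as in the constructed samples, is a reason to check the web root for recently created PHP files.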